85 lines
6.5 KiB
TeX
85 lines
6.5 KiB
TeX
\begin{comment}
|
|
\section %hack for vim-latexsuite
|
|
\end{comment}
|
|
|
|
In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.
|
|
These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.
|
|
|
|
In pairing-based cryptography, we proposed a practical dynamic group signature scheme, for which security is well-understood.
|
|
It relies on broadly used assumptions with simple and constant-size descriptions which exist for more than ten years.
|
|
This work is also supported by an implementation in \texttt{C}.
|
|
|
|
The results in the lattice setting give rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
|
|
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that they are one step towards a quantum-secure privacy-friendly world.
|
|
|
|
On the road, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting by providing building blocks that, we believe, are of independent interest.
|
|
As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system~\cite{LLNW17}.
|
|
|
|
All these works are proven under strong security models under simple assumptions.
|
|
This provides a breeding ground for new theoretical constructions.
|
|
|
|
\section*{Open Problems}
|
|
|
|
The path of providing new cryptographic primitives and proving them is disseminated with pitfalls.
|
|
The most obvious questions that stem from this work are about how to tackle the trade-offs we made in the design of those primitives.
|
|
|
|
\begin{question}
|
|
Is it possible to build a fully-simulatable adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
|
|
\end{question}
|
|
|
|
In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the adaptive oblivious transfer scheme of~\cref{ch:ot-lwe}.
|
|
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this index privacy.
|
|
However, while finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}, they do not suffice in our setting because they wold leak the norm of the noise vector of ciphertexts.
|
|
Then, the main difficulty is to have zero-knowledge proofs compatible with the access control and the encryption layers.
|
|
|
|
\subsection*{Zero-Knowledge Proofs}
|
|
|
|
\begin{question}
|
|
Can we provide NIZK proofs in the standard model for all $\NP$ languages relying on standard $\LWE$ assumption only?
|
|
\end{question}
|
|
|
|
Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
|
|
This question remains open for more than $10$ years~\cite{KW18}.
|
|
Recent line of work makes steps forward in this direction~\cite{RSS18}, but rely on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
|
|
|
|
The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
|
|
The choice of permutations used to ensure zero-knowledgeness (and thus witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
|
|
This proves to be a real bottleneck in the efficiency of such proof systems.
|
|
|
|
\begin{question}
|
|
Is it possible to construct zero-knowledge protocols for average-case problems that take advantage of the geometry of lattices?
|
|
\end{question}
|
|
|
|
As explained in~\cref{ch:zka}, nowadays lattice-based proof systems for $\SIS$/$\LWE$ rely either on the additional structure lying in special families of lattices, or on the combinatorial nature of representations of lattices in terms of matrices.
|
|
If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.
|
|
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
|
|
It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
|
|
%If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.
|
|
|
|
As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.
|
|
Thus, a natural question may be:
|
|
|
|
\subsection*{Cryptographic Constructions}
|
|
|
|
\begin{question}
|
|
Does an efficient trapdoor-free (H)IBE exists?
|
|
\end{question}
|
|
|
|
For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places.
|
|
To have a secure public key encryption scheme under adaptive chosen-ciphertext attacks and for the signature scheme.
|
|
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transform generically turns an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
|
|
%Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.
|
|
Actually, a recent construction from Brakerski, Lombardi, Segev and Vaikuntanathan~\cite{BLSV18} gives a candidate which relies on garble circuits, and is fairly inefficient compared to IBEs with trapdoors.
|
|
Even the question of an \textsf{IND-CCA2} public key encryption still does not have a satisfactory response.
|
|
The construction of Peikert and Waters~\cite{PW08} is indeed trapdoor-free, but is still less efficient than trapdoor-based ones.
|
|
|
|
\begin{question}
|
|
Can we achieve better security proofs for cryptographic schemes?
|
|
\end{question}
|
|
|
|
Our work during this thesis also focuses on the security proofs of cryptographic schemes.
|
|
As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.
|
|
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claimed before~\cite{DSYC18}.
|
|
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17,LJYP14,LPJY15,LSSS17}.
|
|
This improves the understanding of the links between cryptographic schemes and hardness assumptions, leading to more reliable constructions.
|