thesis/chap-conclusion.tex
2018-06-16 16:34:41 +02:00

70 lines
5.1 KiB
TeX

\begin{comment}
\section %hack for vim-latexsuite
\end{comment}
In this thesis, we presented new cryptographic schemes that relies on lattice or pairing assumptions.
These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.
In pairing-related cryptography, we propose a practical dynamic group signature scheme, for which security is well understood.
It relies on broadly used assumptions with simple statements that exists for more than ten years.
This work is also supported by an implementation in C.
Our work in the lattice work give rise of three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving primitives.
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that it's one step toward a quantum-secure privacy-friendly world.
In the way of doing it, improvements have been made in the state of zero-knowledge proofs in the lattice setting as well as providing building blocks that, we believe, are of independent interest.
As of our signature with efficient protocols, which have been used to provide a lattice-based e-cash system~\cite{LLNW17}.
All these works are proven under strong security model within simple assumptions.
This made a breeding ground for new theoretical constructions, as well as going toward practicality.
\section*{Open Problems}
The path of providing new cryptographic primitives and proving them is disseminated with pitfalls.
The most obvious questions that stem from this work are about how to tackle the compromises we made in the design of those primitives.
\begin{question}
Is it possible to build an adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
\end{question}
In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the oblivious transfer scheme of~\cref{ch:ot-lwe}.
As is, this problem arises from the use of Regev's encryption scheme, which does not guarantee this message privacy.
However, finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}.
Then, the main difficulty is to have compatible zero-knowledge proof with the access control and the encryption layers.
\begin{question}
Can we provide NIZK proofs in the standard model for all $\NP$ languages relying on standard $\LWE$ assumption only?
\end{question}
Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
Recent line of work goes toward this direction~\cite{RSS18}, but relies on non-existing primitive yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
The choice of permutations used to ensure zero-knowledgeness (and so witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
This proves to be a real bottleneck in the efficiency of such proof systems.
\begin{question}
Is it possible to construct zero-knowledge protocols for average-case problems that take advantage of the geometry of lattices?
\end{question}
As explained in~\cref{ch:zka}, nowadays lattice-based proof systems for $\SIS$/$\LWE$ rely either on the additional structure lying in special families of lattices, or on the combinatorial nature of representations of lattices in terms of matrices.
If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.
As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.
Thus, a natural question may be:
\begin{question}
Does a trapdoor-free (H)IBE exists?
\end{question}
For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places.
To have a secure public key encryption scheme under adaptive active attacks and for the signature scheme.
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transformations generically transform an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.
\begin{question}
\end{question}