In the last two decades, the use of cryptography has shifted from military and commercial secrets to a broader public.
For instance, the Enigma machine had a design for military purposes, and another one for enterprises (Enigma A26).
As of now, about $60\%$ of the first million most visited websites offer an implementation of \texttt{https}, as do most of the communication channels that electronic devices use (such as \textit{Wi-Fi Protected Access}).

At the same time, the growth of exchanged data and the sensitivity of this information make it more and more important to protect these data efficiently.
While we are reaching the barrier of Moore's law, other threats exist against today's cryptosystems.
For instance, the existence of a quantum computer with sufficient memory~\cite{Sho99} would break most real-world cryptographic implementations, which mostly rely on number-theoretic assumptions.
In this context, it becomes important to design cryptographic schemes that are believed to be quantum-resistant.

To address this problem, \textit{post-quantum cryptography} arose in the early 2000s.
The different candidates rely on different mathematical objects, such as lattices, error-correcting codes or systems of multivariate polynomials.
Recently, the National Institute of Standards and Technology (or \textit{NIST}) organised a competition to evaluate different post-quantum schemes for encryption and signatures~\cite{NIS17}.
In this competition, 82 protocols were submitted, out of which 28 were lattice-based, 24 were code-based, 13 were multivariate-based, 4 were hash-based and the 13 left are categorised as ``other''.

However, real-world cryptography mainly aims at digital signatures and encryption schemes, as the NIST competition emphasises.
Meanwhile, research in cryptology proposes different solutions to more specific problems, such as designing electronic-cash systems\footnote{Which are not to be confused with cryptocurrencies\ldots}~\cite{CFN88}, the digital analogue of real money, which is delivered by an authority (the bank) and whose use remains untraceable by anyone.

Such cryptographic constructions should moreover satisfy some security requirements.
For instance, an encryption scheme has to hide a message in the presence of an eavesdropper, or even of an active adversary.
To guarantee these requirements, we also give security proofs.
They mainly state that a cryptographic scheme is secure if some problems remain hard.

Last but not least, the importance of privacy and data protection has been a hot topic in recent years, as reflected by the development of the General Data Protection Regulation law in 2016, which has finally been in force since May 25th.
Hence, it looks appealing to have privacy-preserving cryptographic constructions that would ideally resist the eventuality of a quantum computer.
Nevertheless, the construction of such protocols mainly relies on ``zero-knowledge proofs'', two-party protocols between a prover and a verifier where the prover should convince the verifier of a statement without leaking any information beyond the truth of this statement.
In the context of post-quantum cryptography, such proof systems are still limited in power or costly to implement.

\section{Privacy-Preserving Cryptography}
In this context, privacy-preserving refers to the fact that a primitive should provide some functionality while keeping sensitive information private.
An example of such primitives is \textit{anonymous credentials}.
This system involves one (or more) credential issuer(s) and a set of users who have their own secret keys and pseudonyms that are bound to their secrets.
Users can dynamically obtain credentials from an issuer that only knows the users' pseudonyms and obliviously signs the users' secret keys as well as a set of attributes.
Later on, users can make themselves known to verifiers under a different pseudonym and demonstrate possession of a certification from the issuer, without revealing either the signature or the secret key.
This primitive thus allows a user to authenticate to a system, such as in anonymous access control, while preserving their anonymity.
In addition, the system is guaranteed that users indeed possess a valid credential.
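As an added illustration, not the thesis's construction and not post-quantum, the following Python sketch shows two of the ingredients described above in working form: pseudonyms bound to a user's secret key, derived under a different base per verifier so that two pseudonyms of the same user cannot be linked, and a Schnorr-style interactive proof of knowledge that plays out the prover/verifier exchange of a zero-knowledge proof (commitment, challenge, response). The group parameters \texttt{P} and \texttt{Q}, the verifier labels and the secret key are constructed toy values; the credential issuance and the issuer's signature are left out. The \texttt{simulate\_transcript} function is included to make the zero-knowledge point concrete: an accepting transcript can be produced without the secret key, so a transcript reveals nothing about it.

```python
"""Toy pseudonyms and Schnorr-style proof of knowledge (constructed example, not the thesis's scheme)."""
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1 with q prime. Constructed and far too small for real use;
# a real deployment would use a standardised group, and a post-quantum setting would
# replace discrete logarithms altogether.
P = 2027
Q = 1013


def base_for(verifier_label: bytes) -> int:
    """Hash a verifier's public label to an element of the order-q subgroup (by squaring)."""
    seed = verifier_label
    while True:
        h = int.from_bytes(hashlib.sha256(seed).digest(), "big") % P
        g = pow(h, 2, P)  # squares of non-zero elements lie in the subgroup of order q
        if g not in (0, 1):
            return g
        seed = hashlib.sha256(seed).digest()


def pseudonym(sk: int, verifier_label: bytes) -> int:
    """Pseudonym of the holder of sk toward one verifier: g_v^sk mod p.
    Different verifiers get different bases, so the pseudonyms are not linkable
    without sk (under the decisional Diffie-Hellman assumption in this group)."""
    return pow(base_for(verifier_label), sk, P)


class Prover:
    """User side: knows sk and wants to convince a verifier that it owns pseudonym g_v^sk."""

    def __init__(self, sk: int):
        self.sk = sk % Q
        self._r = None

    def commit(self, verifier_label: bytes) -> int:
        """Step 1: send t = g_v^r for a fresh random r."""
        self._r = secrets.randbelow(Q - 1) + 1
        return pow(base_for(verifier_label), self._r, P)

    def respond(self, challenge: int) -> int:
        """Step 3: answer the challenge with s = r + c*sk mod q."""
        return (self._r + challenge * self.sk) % Q


class Verifier:
    """Verifier side: picks a random challenge and checks g^s == t * nym^c mod p."""

    def __init__(self, label: bytes):
        self.label = label
        self.g = base_for(label)

    def challenge(self) -> int:
        """Step 2: a random challenge; reusing one would let the prover cheat."""
        return secrets.randbelow(Q)

    def check(self, nym: int, t: int, c: int, s: int) -> bool:
        return pow(self.g, s, P) == (t * pow(nym, c, P)) % P


def run_protocol(prover: Prover, verifier: Verifier, nym: int) -> bool:
    """The full three-message exchange between a prover and a verifier."""
    t = prover.commit(verifier.label)
    c = verifier.challenge()
    s = prover.respond(c)
    return verifier.check(nym, t, c, s)


def simulate_transcript(verifier: Verifier, nym: int, c: int):
    """Produce an accepting (t, c, s) for nym WITHOUT sk, by choosing s first and
    setting t = g^s * nym^(-c). This is why a transcript leaks nothing about sk."""
    s = secrets.randbelow(Q)
    t = (pow(verifier.g, s, P) * pow(nym, (-c) % Q, P)) % P
    return t, c, s


if __name__ == "__main__":
    alice = Prover(123)  # constructed toy secret key
    bank, shop = Verifier(b"bank"), Verifier(b"shop")
    print("bank accepts:", run_protocol(alice, bank, pseudonym(123, b"bank")))
    print("pseudonyms differ:", pseudonym(123, b"bank") != pseudonym(123, b"shop"))
```

The verifier learns only that the party in front of it knows the secret behind the pseudonym it was given; the pseudonym shown to the bank and the one shown to the shop cannot be matched to each other without that secret. The tampered-response check below (altering \texttt{s}) fails deterministically because the base has prime order, so a single wrong exponent never verifies.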