public, both parties can deterministically compute the root u_tree of the Merkle tree. For each ? ∈ [L], we consider the binary representation d_{?,1}, ..., d_{?,??} of var(?), which is part of the encoding of BP defined in (9.11). The Merkle tree will actually serve as a "bridge" ensuring that: (i) the same string x is used in all steps while enabling dichotomic searches; (ii) at each step, the prover indeed uses some coordinate of x (without revealing which one), the choice of which is dictated by a path in the tree determined by var(?).

Now, our task can be divided into 3 steps: (i) proving that the searches on the Merkle tree yield y_1
The Peikert-Vaikuntanathan-Waters [PVW08] construction, based on dual-mode encryption, achieves 1-out-of-2 composable oblivious transfer (which can be generalized to 1-out-of-2^t OT) without relying on zero-knowledge proofs, but it does not imply OT with adaptive queries (i.e., where each index ?_i may depend on messages received in previous transfers). Actually, the use of ZK proofs is not ruled out in this setting. However, this protocol uses the trapdoor extractability of Groth-Sahai proofs [GS08] to achieve straight-line extraction.
Another privacy-preserving primitive is compact e-cash [Cha82, Cha83, CHL05b]. As explained in the introduction, it is the digital equivalent of real-life money. A body of research followed its introduction [CFN88, OO91, CP92, FY93, Oka95, Tsi97], and the first compact realization was given by Camenisch, Hohenberger and Lysyanskaya.

Question 3. Can we obtain a more efficient compact e-cash system from lattice assumptions?

A recent line of work makes steps forward in this direction.

The Stern-like proof systems we studied in this thesis, despite being flexible enough to prove a large variety of statements, suffer from the stiffness of being combinatorial. The choice of permutations used to ensure the zero-knowledge property (and thus witness-indistinguishability) is quite strict, and forces the challenge space to be ternary.
Computational Complexity: A Modern Approach, p.13, 2009.
Efficient lattice (H)IBE in the standard model, Citations: § xviii, vol.6110, p.154, 2010.
Universally composable adaptive oblivious transfer (with access control) from standard assumptions, ACM Workshop on Digital Identity Management, vol.7, p.187, 2013.
A practical and provably secure coalition-resistant group signature scheme, Crypto, volume 1880 of LNCS, p.43, 2000.
Solving the Shortest Vector Problem in 2^n Time Using Discrete Gaussian Sampling, STOC, p.22, 2015.
Solving the Closest Vector Problem in 2^n Time: The Discrete Gaussian Strikes Again!, FOCS, p.22, 2015.
Structure-preserving signatures and commitments to group elements, Crypto, vol.6223, p.96, 2010.
On the Efficacy of Solving LWE by Reduction to Unique-SVP, ICISC 2013, p.22, 2014.
RELIC is an Efficient LIbrary for Cryptography.
Priced oblivious transfer: How to sell digital goods, Eurocrypt, vol.146, p.147, 2001.
Multiparty computation with low communication, computation and interaction via threshold FHE, Eurocrypt, vol.7237, p.158, 2012.
Generating Hard Instances of Lattice Problems, STOC, p.23, 1996.
Adapting Lyubashevsky's Signature Schemes to the Ring Signature Setting, Africacrypt, vol.7918, p.118, 2013.
Generating shorter bases for hard random lattices, STACS, vol.3, p.184, 2009. URL: https://hal.archives-ouvertes.fr/inria-00359718
New bounds in some transference theorems in the geometry of numbers, vol.296, p.23, 1993.
Bounded-width polynomial-size branching programs recognize exactly those languages in NC1, STOC'86, p.146, 1986.
Efficient selective-ID secure identity-based encryption without random oracles, Eurocrypt, vol.3027, p.53, 2004.
Key-Privacy in Public-Key Encryption, PKC, p.131, 2001.
Multirecipient Encryption Schemes: How to Save on Bandwidth and Computation Without Sacrificing Security, IEEE Trans. on Information Theory, vol.53, issue.11, p.66, 2007.
Short group signatures, Crypto, vol.3152, p.74, 2004.
Randomizable Proofs and Delegatable Anonymous Credentials, Crypto, vol.5677, pp.108-125, 2009.
Foundations of Fully Dynamic Group Signatures, ACNS, p.44, 2016.
Better zero-knowledge proofs for lattice encryption and their application to group signatures, Asiacrypt, number 8873 in LNCS, p.118, 2014. URL: https://hal.archives-ouvertes.fr/hal-01084737
P-signatures and Noninteractive Anonymous Credentials, TCC, number 4948 in LNCS, pp.356-374, Citations: § xviii, 4, and 54, 2008.
Compact E-Cash and Simulatable VRFs Revisited, Pairing, vol.5671, pp.114-131, 2009.
Get Shorty via Group Signatures without Encryption, SCN, p.75, 2010.
Updating Key Size Estimations for Pairings, Citations: § xix, 4, and 21, pp.1-39, 2018. URL: https://hal.archives-ouvertes.fr/hal-01534101
FHE Circuit Privacy Almost for Free, Crypto, number 9815 in LNCS, vol.158, p.190, 2016. URL: https://hal.archives-ouvertes.fr/hal-01360110
Identity-based encryption from the Weil pairing, vol.21, p.192, 2001.
On Defining Proofs of Knowledge, Crypto, vol.740, p.28, 1992.
Correlation-resistant storage via keyword-searchable encryption, Cryptology ePrint Archive, 2005.
Confined guessing: New signatures from standard assumptions, Citations: § xviii, vol.28, p.153, 2015.
Efficient zero-knowledge proofs for commitments from learning with errors over rings, ESORICS, vol.9326, pp.305-325, 2015.
Improved security proofs in lattice-based cryptography: Using the Rényi divergence rather than the statistical distance, Citations: § 18, vol.9452, p.91, 2015.
On the classical hardness of learning with errors, STOC, p.25, 2013.
Short signatures from the Weil pairing, Asiacrypt, p.192, 2001.
Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions, Eurocrypt, p.192, 2018.
Coin Flipping by Telephone, Crypto, p.29, 1981.
Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions, Eurocrypt, vol.3376, p.44, 2003.
Pairing-friendly elliptic curves of prime order, Selected Areas in Cryptography, pp.319-331, Citations: § xviii, 4, 21, 71, 72, p.75, 2006.
Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more, Citations: § xviii, xix, vol.6056, p.154, 2010.
Design validations for discrete logarithm based signature schemes, PKC, vol.1751, pp.276-292, Citations: § 103, vol.106, p.185, 2000.
Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols, CCS, ACM, 1993. Citations: § 16, p.51
Advances in elliptic curve cryptography, vol.317, p.53, 2005.
Foundations of group signatures: The case of dynamic groups, CT-RSA, volume 2656 of LNCS, vol.44, p.99, 2005.
Efficient fully homomorphic encryption from (standard) LWE, Citations: § xviii, p.4, 2011.
Universally composable security: A new paradigm for cryptographic protocols, Citations: § 11, vol.19, p.148, 2001.
Oblivious transfer with hidden access control from attribute-based encryption, SCN, vol.7485, p.187, 2012.
Efficient Zero-Knowledge Proofs of Knowledge Without Intractability Assumptions, PKC, p.67, 2000.
Oblivious transfer with access control, Citations: § xxii, p.187, 2009.
Oblivious transfer with hidden access control policies, Citations: § xxii, vol.6571, p.187, 2011.
Universally composable commitments, Crypto, p.20, 2001.
Untraceable electronic cash, Crypto, vol.403, p.190, 1988.
The random oracle methodology, revisited, STOC, vol.45, p.16, 1998.
Controlling access to an oblivious database using stateful anonymous credentials, PKC, number 5443 in LNCS, p.147, 2009.
Private information retrieval, FOCS, p.146, 1995.
Blind signatures for untraceable payments, Citations: § xvi, vol.2, p.190, 1982.
Blind signature system, Crypto, p.190, 1983.
Security without Identification: Transaction Systems to Make Big Brother Obsolete, Citations: § xvi, vol.28, p.51, 1985.
Security analysis of the strong Diffie-Hellman problem, Eurocrypt, vol.4004, p.22, 2006.
Chosen-Ciphertext Security from Identity-Based Encryption, Eurocrypt, vol.77, p.192, 2004.
Bonsai trees, or how to delegate a lattice basis, Citations: § xix, vol.6110, p.80, 2010.
Balancing Accountability and Privacy Using E-Cash, SCN, number 4116 in LNCS, p.53, 2005.
Compact e-cash, Eurocrypt, number 3494 in LNCS, vol.27, p.190, 2005.
Cryptanalysis of the Multilinear Map over the Integers, Eurocrypt, 2015. Citations: § xvii and URL: https://hal.archives-ouvertes.fr/hal-01240445
On the limitations of universally composable two-party computation without set-up assumptions, Journal of Cryptology, vol.19, issue.2, p.11, 2006.
Formal treatment of privacy-enhancing credential systems, SAC, vol.87, p.90, 2015.
An efficient system for non-transferable anonymous credentials with optional anonymity revocation, Eurocrypt, number 2045 in LNCS, vol.2, p.51, 2001.
A signature scheme with efficient protocols, Security and Cryptography for Networks (SCN'02), vol.53, p.79, 2002.
A signature scheme with efficient protocols, SCN, number 2576 in LNCS, vol.78, p.118, 2002.
A Signature Scheme with Efficient Protocols, SCN, p.51, 2004.
Signature Schemes and Anonymous Credentials from Bilinear Maps, Crypto, number 3152 in LNCS, vol.51, p.52, 2004.
Group Encryption: Non-Interactive Realization in the Standard Model, Asiacrypt, number 5912 in LNCS, vol.119, p.121, 2009.
Fully anonymous attribute tokens from lattices, SCN, vol.7485, p.78, 2012.
Simulatable adaptive oblivious transfer, Citations: § 145, vol.4515, p.186, 2007.
The complexity of theorem-proving procedures, Proceedings of the Third Annual ACM Symposium on Theory of Computing, STOC '71, pp.151-158.
Transferred Cash Grows in Size, Eurocrypt, vol.658, pp.390-407.
Modular Design of Secure, yet Practical Cryptographic Protocols, p.29, 1996.
A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack, Crypto, p.66, 1998.
Group signatures, Eurocrypt, vol.547, p.117, 1991.
A Design Principle for Hash Functions, Crypto, p.30, 1989.
Efficient concurrent zero-knowledge in the auxiliary string model, Eurocrypt, volume 1807 of LNCS, vol.89, p.141, 2000.
Conditional oblivious transfer and timed-release encryption, Eurocrypt'99, number 1592 in LNCS, p.147, 1999.
Two-message, oblivious evaluation of cryptographic functionalities, Crypto, number 9816 in LNCS, p.147, 2016.
From Selective IBE to Full IBE and Selective HIBE, TCC, p.192, 2017.
Identity-Based Encryption from the Diffie-Hellman Assumption, Crypto, vol.10401, p.4, 2017.
Public-key encryption with non-interactive opening, CT-RSA, vol.4964, p.99, 2008.
Improved Short Lattice Signatures in the Standard Model, Crypto, p.191, 2014.
Universally composable efficient multiparty computation from threshold homomorphic encryption, Crypto, number 2729 in LNCS, p.146, 2003.
Dynamic fully anonymous short group signatures, VietCrypt, vol.4341, p.75, 2006.
Practical Quantum-Safe Voting from Lattices, CCS, 2017. Citations: § xviii, p.35
Sanitization of FHE ciphertexts, Eurocrypt, 2016. URL: https://hal.archives-ouvertes.fr/hal-01394216
Toward Practical Group Encryption, ACNS 2013, vol.7954, p.119, 2013.
A randomized protocol for signing contracts, Citations: § xxi, vol.28, issue.6, p.145, 1985.
A provably secure group signature scheme from code-based assumptions, Asiacrypt'15, vol.9452, p.128, 2015.
Keyword search and oblivious pseudorandom functions, TCC, vol.3378, p.147, 2005.
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups, Eurocrypt, p.52, 2010.
How to prove yourself: Practical solutions to identification and signature problems, Citations: § 16, vol.27, p.160, 1986.
Witness Indistinguishable and Witness Hiding Protocols, STOC, vol.28, p.34, 1990.
Secure and efficient off-line digital money, ICALP, vol.700, p.190, 1993.
Fully homomorphic encryption using ideal lattices, Citations: § xix, 4, p.22, 2009.
Blind identity-based encryption and simulatable oblivious transfer, Citations: § 145, vol.4833, p.180, 2007.
Universally Composable Adaptive Oblivious Transfer, Asiacrypt, number 5350 in LNCS, vol.147, p.190, 2008.
Practical adaptive oblivious transfer from simple assumptions, TCC, vol.6597, p.186, 2011.
Computational Complexity of Probabilistic Turing Machines, SIAM J. on Computing, vol.6, issue.4, p.13, 1977.
A group signature scheme from lattice assumptions, Asiacrypt, volume 2647 of LNCS, vol.78, p.184, 2010.
Dual Form Signatures: An Approach for Proving Security from Static Assumptions, Asiacrypt, p.52, 2012.
Probabilistic encryption & how to play mental poker keeping secret all partial information, Citations: § xvi, vol.2, p.19, 1982.
The knowledge complexity of interactive proof-systems, ACM, 1985. Citations: § 27, vol.28, p.118
How to play any mental game or a completeness theorem for protocols with honest majority, STOC, p.145, 1987.
Strengthening Zero-Knowledge Protocols Using Signatures, Eurocrypt, p.28, 2003.
Basic Applications, Foundations of Cryptography, vol.2, p.19, 2004.
Perfect Non-interactive Zero Knowledge for NP, Eurocrypt, 2006. Citations: § xvii, p.190
Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems, Asiacrypt, p.191, 2017.
Trapdoors for hard lattices and new cryptographic constructions, Citations: § xviii, xix, vol.87, p.132, 2008.
Fully anonymous group signatures without random oracles, Citations: § xviii and 4, vol.4833, pp.164-180, 2007.
Efficient non-interactive proof systems for bilinear groups, Eurocrypt, vol.4965, pp.415-432, 2008.
Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based, Crypto, number 8042 in LNCS, pp.75-92, 2013.
Packing messages and optimizing bootstrapping in GSW-FHE, PKC, number 9020 in LNCS, p.158, 2015.
Restricted adaptive oblivious transfer, Theoretical Computer Science, vol.412, issue.46, p.147, 2011.
Improved algorithms for the approximate k-list problem in Euclidean norm, PKC'17, p.22, 2017.
Short and stateless signatures from the RSA assumption, Crypto, vol.5677, p.154, 2009.
Zero-knowledge from Secure Multiparty Computation, STOC, p.191, 2007.
Mediated traceable anonymous encryption, LATINCRYPT 2010, vol.6212, p.119, 2010.
Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies, PQCrypto, p.191, 2011. URL: https://hal.archives-ouvertes.fr/hal-00652846
Commitments and efficient zero-knowledge proofs from learning parity with noise, Asiacrypt, vol.7658, p.118, 2012.
Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection, Citations: § 147, vol.5444, p.186, 2009.
A one round protocol for tripartite Diffie-Hellman, Algorithmic Number Theory, pp.385-393, 2000.
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces, Asiacrypt, vol.32, p.54, 2013.
Switching Lemma for Bilinear Tests and Constant-Size NIZK Proofs for Linear Subspaces, Crypto, vol.8617, p.53, 2014.
Extended tower number field sieve: A new complexity for the medium prime case, pp.543-571, Citations: § xix, 4, and 21, 2016.
Introduction to Modern Cryptography (Chapman & Hall/CRC Cryptography and Network Security Series), vol.15, p.16, 2007.
Efficiency-improved fully simulatable adaptive OT under the DDH assumption, SCN, vol.6280, p.186, 2010.
Generic fully simulatable adaptive oblivious transfer, ACNS, vol.6715, p.186, 2011.
Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field, Pairing-Based Cryptography (Pairing), pp.126-135, 2008.
Concurrently secure identification schemes based on the worst-case hardness of lattice problems, Citations: § xvii, xviii, vol.5350, p.185, 2008.
Traceable signatures, LNCS, vol.3027, p.119, 2004.
Group encryption, Asiacrypt, number 4833 in LNCS, vol.6, p.132, 2007.
Efficiency improvements for signature schemes with tight security reductions, CCS, pp.155-164, 2003.
Quasi-Adaptive NIZK for Linear Subspaces Revisited, Eurocrypt, 2015. Citations: § 32, vol.52, p.69 URL: https://hal.archives-ouvertes.fr/hal-01220192
Multi-Theorem Preprocessing NIZKs from Lattices, Crypto
Group signatures with efficient concurrent join, Eurocrypt, number 3494 in LNCS, vol.96, p.119, 2005.
Secure scalable group signature with dynamic joins and separable authorities, Citations: § 43, vol.1, p.99, 2006.
Efficient fully-simulatable oblivious transfer, CT-RSA, p.146, 2008.
Lattice-based group signatures with logarithmic signature size, Asiacrypt, vol.8270, pp.41-61, Citations: § 77, vol.78, p.118, 2013. URL: https://hal.archives-ouvertes.fr/hal-00920420
Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions, Asiacrypt, 2016. Citations: § xx, vol.5, p.169
Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption, Asiacrypt, 2016. Citations: § xx, xxi, vol.5, p.174 URL: https://hal.archives-ouvertes.fr/hal-01394087
Adaptive oblivious transfer with access control from lattice assumptions, Asiacrypt, p.168, 2017. URL: https://hal.archives-ouvertes.fr/hal-01622197
Lattice-Based Group Signature Scheme with Verifier-Local Revocation, PKC, vol.8383, p.118, 2014.
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-size Ring Signatures and Group Signatures Without Trapdoors, Citations: § xix, vol.9666, p.174, 2016. URL: https://hal.archives-ouvertes.fr/hal-01314642
Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash, Asiacrypt, vol.35, p.190, 2017. URL: https://hal.archives-ouvertes.fr/hal-01621027
Asymptotically Efficient Lattice-Based Digital Signatures, TCC, p.191, 2008.
Practical "signatures with efficient protocols" from simple assumptions, AsiaCCS, vol.5, p.16, 2016.
Improved Zero-Knowledge Proofs of Knowledge for the ISIS Problem, and Applications, Citations: § 35, vol.7778, p.169, 2013. URL: https://hal.archives-ouvertes.fr/hal-00767548
Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based, Citations: § 43, vol.9020, p.169, 2015.
Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease, ACNS, p.44, 2017.
Constant-Size Group Signatures from Lattices, PKC, p.191, 2018.
An efficient protocol for secure two-party computation in the presence of malicious adversaries, Eurocrypt, p.11, 2007.
Linearly Homomorphic Structure-Preserving Signatures and Their Applications, Crypto, p.57, 2013.
Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures, Eurocrypt, vol.53, p.54, 2014. URL: https://hal.archives-ouvertes.fr/hal-00983147
Compactly Hiding Linear Spans: Tightly Secure Constant-Size Simulation-Sound QA-NIZK Proofs and Applications, Asiacrypt, p.32, 2015. URL: https://hal.archives-ouvertes.fr/hal-01225363
Structure-Preserving Chosen-Ciphertext Security with Shorter Verifiable Ciphertexts, PKC, vol.10174, pp.247-276, Citations: § xviii and 4, 2017.
Short group signatures via structure-preserving signatures: Standard model security from simple assumptions, Citations: § xviii, vol.9216, p.69, 2015. URL: https://hal.archives-ouvertes.fr/hal-01225353
Pseudonym Systems, SAC, vol.51, p.75, 1999.
Worst-case to average-case reductions for module lattices, Designs, Codes and Cryptography, p.191, 2014. URL: https://hal.archives-ouvertes.fr/hal-01091291
GGHLite: More efficient multilinear maps from ideal lattices, Eurocrypt, vol.8441, p.91, 2014.
Traceable group encryption, PKC 2014, vol.8383, p.119, 2014.
Lattice-based identification schemes secure under active attacks, PKC, vol.4939, p.118, 2008.
Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures, Asiacrypt, vol.3, p.34, 2009.
Lattice signatures without trapdoors, Citations: § xix and 5, vol.7237, 2012. URL: https://hal.archives-ouvertes.fr/hal-00864308
Secrecy, Authentication, and Public Key Systems, 1979.
A Certified Digital Signature, Crypto, p.30, 1989.
One-Time Signatures and Chameleon Hash Functions, SAC, LNCS, p.191, 2011.
Trapdoors for lattices: Simpler, tighter, faster, smaller, Citations: § xix, vol.7237, p.158, 2012.
Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-Based Cryptography, Paradigms in Cryptology (Mycrypt): Malicious and Exploratory Cryptology, pp.83-108, 2017.
Statistical zero-knowledge proofs with efficient provers: Lattice problems and more, Crypto, volume 2729 of LNCS, p.118, 2003.
On cryptographic assumptions and challenges, Crypto, p.15, 2003.
Revocable Group Signature Schemes with Constant Costs for Signing and Verifying, PKC, p.27, 2009.
NIST post-quantum competition, Cryptography/Round-1-Submissions. Citations: § xv, 1, and, p.22
Oblivious transfer with adaptive queries, Crypto, volume 1666 of LNCS, p.186, 1999.
Efficient oblivious transfer protocols, SODA, p.146, 2001.
Computationally secure oblivious transfer, vol.18, p.146, 2005.
Number-theoretic constructions of efficient pseudo-random functions, FOCS, p.53, 1997.
Attribute-based encryption with partially hidden encryptor-specified access structures, ACNS'08, number 5037 in LNCS, p.147, 2008.
Simpler efficient group signatures from lattices, Citations: § 77, vol.9020, p.118, 2015.
An efficient divisible electronic cash scheme, Crypto, vol.963, p.190, 1995.
Efficient Blind and Partially Blind Signatures Without Random Oracles, TCC, p.51, 2006.
Universal electronic cash, Crypto, vol.576, p.190, 1991.
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, EUROCRYPT 1999, number 1592 in LNCS, p.118, 1999.
Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing, Crypto, p.34, 1991.
Public-key cryptosystems from the worst-case shortest vector problem, STOC, p.25, 2009.
Sharper Bounds in Lattice-Based Cryptography Using the Rényi Divergence, Asiacrypt, vol.18, p.90, 2017.
Security Proofs for Signature Schemes, Eurocrypt, p.31, 1996.
Security Arguments for Digital Signatures and Blind Signatures, Journal of Cryptology, vol.13, issue.3, p.71, 2000.
Short Randomizable Signatures, CT-RSA, p.75, 2016.
Reassessing Security of Randomizable Signatures, CT-RSA, p.51, 2018. URL: https://hal.archives-ouvertes.fr/hal-01903717
Streaming authenticated data structures, Eurocrypt, vol.7881, p.80, 2013.
Non-interactive statistical zero-knowledge proofs for lattice problems, Citations: § 118, vol.5157, p.190, 2008.
A framework for efficient and composable oblivious transfer, Citations: § 146, vol.5157, p.190, 2008.
Lossy Trapdoor Functions and Their Applications, STOC, p.192, 2008.
Degree of difficulty of computing a function and a partial ordering of recursive sets, p.12, 1960.
How to exchange secrets by oblivious transfer, Citations: § xvi, p.145, 1981.
On lattices, learning with errors, random linear codes, and cryptography, ACM, 2005. Citations: § xviii, vol.4, p.181
Towards Non-Interactive Zero-Knowledge for NP from LWE, 2018.
Lattice-Based Blind Signatures, Asiacrypt, vol.6477, pp.413-430, 2010.
Security of 2^t-Root Identification and Signatures, Crypto, vol.3, p.33, 1996.
Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number, 2002.
Securing Threshold Cryptosystems against Chosen Ciphertext Attack, Eurocrypt, p.66, 1998.
Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, Citations: § xv and 1, vol.41, pp.303-332, 1999.
Sequences of Games: A Tool for Taming Complexity in Security Proofs, Tutorial, p.17, 2006.
Cryptosystems Based on Pairings, Symposium on Cryptography and Information Security, pp.26-28, 2000.
On the security of dynamic group signatures: Preventing signature hijacking, PKC, vol.7293, p.99, 2012.
A new paradigm for public key identification, Citations: § xvii, vol.42, issue.6, p.88, 1996.
Fuzzy identity-based encryption, Eurocrypt, number 3494 in LNCS, p.147, 2005.
Smooth projective hashing and two-message oblivious transfer, Eurocrypt'05, number 3494 in LNCS, p.146, 2005.
Efficient Electronic Cash: New Notions and Techniques, p.190, 1997.
Hierarchical Group Signatures, ICALP 2005, vol.3580, p.118, 2005.
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, Citations: § xvii and, pp.1313-1328, 2017.
Efficient identity-based encryption without random oracles, Eurocrypt, pp.114-127, 2005.
Zero knowledge proofs from Ring-LWE, CANS, vol.8257, p.118, 2013.
How to generate and exchange secrets, FOCS, p.11, 1986.
Oblivious transfer with access control: Realizing disjunction without duplication, Pairing, number 6847 in LNCS, pp.96-115, 2010.
Some security games examples
A lattice Λ with two different bases
Abstract description of a Σ-protocol
Security experiments for commitment schemes
The Schnorr Σ-protocol for discrete logarithm
Stern-like ZKAoK for the relation R_abstract
Relations between the protagonists in a dynamic group signature scheme
Experiment for security against misidentification attacks
Experiment for security against framing attacks
Security experiments for
Security experiment for the pseudo-random-ciphertext property for an IBE

List of Tables

Comparison between different group signature schemes
Experimental results for the pairing-based group signature scheme
Comparison between recent lattice-based group signatures
Basic notations and extending/permuting techniques used in our protocols
Comparison of the different adaptive OT protocols secure in the standard model
Comparison of the different adaptive OT-AC schemes secure in the standard model