
Journal of Cryptology, Volume 31, Issue 2, pp 610–640

Improved Security Proofs in Lattice-Based Cryptography: Using the Rényi Divergence Rather than the Statistical Distance

  • Shi Bai
  • Tancrède Lepoint
  • Adeline Roux-Langlois
  • Amin Sakzad
  • Damien Stehlé
  • Ron Steinfeld

Abstract

The Rényi divergence is a measure of closeness of two probability distributions. We show that it can often be used as an alternative to the statistical distance in security proofs for lattice-based cryptography. Using the Rényi divergence is particularly suited for security proofs of primitives in which the attacker is required to solve a search problem (e.g., forging a signature). We show that it may also be used in the case of distinguishing problems (e.g., semantic security of encryption schemes), when they enjoy a public sampleability property. The techniques lead to security proofs for schemes with smaller parameters, and sometimes to simpler security proofs than the existing ones.
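The abstract's point, worked numerically (added example, not code from the paper): on a constructed pair of distributions P and Q whose statistical distance Δ is 1/4, the usual bound Q(E) ≥ P(E) − Δ tells us nothing about an attacker event E with P(E) = 1/4, while the probability-preservation bound Q(E) ≥ P(E)^{a/(a−1)} / R_a(P‖Q) still yields a positive success probability. The definitions of Δ and R_a and the two bounds are the standard ones; P_REAL, Q_IDEAL and the function names are this example's own.

```python
from fractions import Fraction
import math

def statistical_distance(p, q):
    """Delta(P, Q) = 1/2 * sum_x |P(x) - Q(x)| over the union of both supports."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2

def renyi_divergence(p, q, a):
    """R_a(P || Q) = (sum_{x in Supp(P)} P(x)^a / Q(x)^(a-1))^(1/(a-1)) for integer a >= 2.
    Infinite when Supp(P) is not contained in Supp(Q); exact (Fraction) when a == 2."""
    if a < 2:
        raise ValueError("this helper handles integer orders a >= 2 only")
    total = Fraction(0)
    for x, px in p.items():
        if px == 0:
            continue
        qx = q.get(x, 0)
        if qx == 0:
            return math.inf
        total += Fraction(px) ** a / Fraction(qx) ** (a - 1)
    return total ** Fraction(1, a - 1)

def sd_lower_bound(p_event, delta):
    """Statistical-distance route: Q(E) >= P(E) - Delta; vacuous once Delta >= P(E)."""
    return max(p_event - delta, 0)

def renyi_lower_bound(p_event, r_a, a):
    """Renyi route (probability preservation): Q(E) >= P(E)^(a/(a-1)) / R_a(P || Q)."""
    return Fraction(p_event) ** Fraction(a, a - 1) / r_a

# Constructed toy distributions (hypothetical): P is the distribution the attacker is
# run on in the analysis, Q the one its success must be transferred to. Delta = 1/4.
P_REAL = {0: Fraction(3, 4), 1: Fraction(1, 4)}
Q_IDEAL = {0: Fraction(1, 2), 1: Fraction(1, 2)}

def demo(event=1, a=2):
    """The attacker 'wins' (e.g. forges) when the sample equals `event` under P;
    lower-bound its winning probability under Q by both routes."""
    delta = statistical_distance(P_REAL, Q_IDEAL)
    r_a = renyi_divergence(P_REAL, Q_IDEAL, a)
    p_e = P_REAL.get(event, Fraction(0))
    q_e = Q_IDEAL.get(event, Fraction(0))
    return {
        "sd": delta, "renyi": r_a, "p_event": p_e, "q_event": q_e,
        "sd_bound": sd_lower_bound(p_e, delta),
        "renyi_bound": renyi_lower_bound(p_e, r_a, a),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

For the same pair of distributions the statistical-distance bound only becomes useful once Δ drops below P(E), which in a lattice scheme means pushing Δ to 2^{-λ} and hence larger parameters, whereas R_2(P‖Q) = 5/4 stays a constant loss factor.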

Keywords

Lattice-based cryptography; Rényi divergence; Statistical distance; Security proofs

Acknowledgements

We thank Léo Ducas, Vadim Lyubashevsky and Fabrice Mouhartem for useful discussions. We thank Katsuyuki Takashima and Atsushi Takayasu for informing us about an error in the conference version of this work, and another one in the computations of the \(R_a\)-based analysis of Sect. 3. This work has been supported in part by ERC Starting Grant ERC-2013-StG-335086-LATTAC, an Australian Research Fellowship (ARF) from the Australian Research Council (ARC), ARC Discovery Grants DP0987734, DP110100628 and DP150100285, and the European Union's H2020 Programme under Grant Agreement Number ICT-644209.

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Shi Bai, Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, USA
  • Tancrède Lepoint, SRI International, New York, USA
  • Adeline Roux-Langlois, CNRS/IRISA, Rennes, France
  • Amin Sakzad, Faculty of Information Technology, Monash University, Clayton, Australia
  • Damien Stehlé, ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), Lyon, France
  • Ron Steinfeld (corresponding author), Faculty of Information Technology, Monash University, Clayton, Australia
