Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance Shi Bai1, Tancrède Lepoint3, Adeline Roux-Langlois4, Amin Sakzad5, Damien Stehlé2, and Ron Steinfeld5 1 Department of Mathematical Sciences, Florida Atlantic University, USA.
[email protected] – http://cosweb1.fau.edu/~sbai 2 ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), France.
[email protected] – http://perso.ens-lyon.fr/damien.stehle 3 SRI International, USA.
[email protected] – https://tlepoint.github.io/ 4 CNRS/IRISA, Rennes, France.
[email protected] – http://people.irisa.fr/Adeline.Roux-Langlois/ 5 Faculty of Information Technology, Monash University, Clayton, Australia.
[email protected],
[email protected] – http://users.monash.edu.au/~rste/ Abstract. The Rényi divergence is a measure of closeness of two prob- ability distributions. We show that it can often be used as an alternative to the statistical distance in security proofs for lattice-based cryptogra- phy. Using the Rényi divergence is particularly suited for security proofs of primitives in which the attacker is required to solve a search problem (e.g., forging a signature). We show that it may also be used in the case of distinguishing problems (e.g., semantic security of encryption schemes), when they enjoy a public sampleability property. The techniques lead to security proofs for schemes with smaller parameters, and sometimes to simpler security proofs than the existing ones. 1 Introduction Let D1 and D2 be two non-vanishing probability distributions over a common measurable support X. Let a ∈ (1, +∞). The Rényi divergence [Rén61,vEH14] (RD for short) Ra(D1kD2) of order a between D1 and D2 is defined as the a−1 ((a − 1)th root of the) expected value of (D1(x)/D2(x)) over the randomness of x sampled from D1.