Abstract
In security proofs of lattice-based cryptography, bounding the closeness of two probability distributions is an important step. To measure this closeness, the Rényi divergence has been used instead of the classical statistical distance. Recent results have shown that the Rényi divergence yields security reductions with better parameters, e.g. smaller deviations for discrete Gaussian distributions. However, since previous analyses used a Rényi divergence of fixed order, namely order two, they lost tightness in the reductions. To overcome this deficiency, we adaptively optimize the order according to the advantage of the adversary for several lattice-based schemes. The optimization lets us prove security with both improved efficiency and tighter reductions. Indeed, our analysis yields security reductions with smaller parameters than the statistical-distance-based analysis, and the reductions are tighter than those of the previous Rényi-divergence-based analysis. As applications, we show tighter security reductions for sampling discrete Gaussian distributions with smaller precomputed tables for BLISS signatures, and for the variants of the learning with errors (LWE) and small integer solution (SIS) problems called k-LWE and k-SIS.
Notes
1. Though there is no assurance that the upper bound of \(R_{\alpha }(\varPhi \Vert \varPhi ')\) is \(O(\exp (\alpha ))\) for arbitrary distributions \( \varPhi \) and \( \varPhi '\), it holds for the distributions we study in this paper.
2.
3. While in [5] the brute-force adversary over all key candidates is considered, we consider the corresponding one-time guessing adversary. Hence, the advantage of the guessing adversary is the inverse of the computation time of the brute-force adversary.
4. In [2], Bai et al. analyzed the required precision by measuring the closeness between \(B_{\tilde{c}_i}\) and \(B_{c_i}\) for each i. Their analysis further reduces the required precision for the SD- and KLD-based analyses, to 4598-bit and 3893-bit tables respectively. Though our analysis also yields a lower precision, we omit it in this paper.
5.
References
[1] Agrawal, S., Gentry, C., Halevi, S., Sahai, A.: Discrete Gaussian leftover hash lemma over infinite domains. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 97–116. Springer, Heidelberg (2013)
[2] Bai, S., Langlois, A., Lepoint, T., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance. IACR Cryptology ePrint Archive, Report 2015/483; ASIACRYPT 2015 (2015, to appear)
[3] Boneh, D., Freeman, D.M.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 1–16. Springer, Heidelberg (2011)
[4] Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)
[5] Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013)
[6] van Erven, T., Harremoës, P.: Rényi divergence and Kullback-Leibler divergence. CoRR abs/1206.2459 (2012)
[7] Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of STOC 2008, pp. 197–206. ACM (2008)
[8] Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014)
[9] Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)
[10] Ling, S., Phan, D.H., Stehlé, D., Steinfeld, R.: Hardness of k-LWE and applications in traitor tracing. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 315–334. Springer, Heidelberg (2014)
[11] Ling, S., Phan, D.H., Stehlé, D., Steinfeld, R.: Hardness of \(k\)-LWE and applications in traitor tracing. IACR Cryptology ePrint Archive, Report 2014/494 (2015). Accessed 5 August 2015
[12] Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43 (2013)
[13] Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
[14] Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014)
[15] Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)
[16] Rényi, A.: On measures of entropy and information. Proc. Fourth Berkeley Symp. Math. Stat. Probab. 1, 547–561 (1961)
Appendices
A BLISS Signature Scheme
The BLISS signature algorithm proceeds as follows:
- Key generation algorithm, \( \mathsf {KeyGen}()\):
  - Choose f, g as uniform polynomials with exactly \(d_1=\lceil \delta _1n \rceil \) entries in \( \{\pm 1\}\) and \(d_2=\lceil \delta _2n \rceil \) entries in \( \{\pm 2\}\)
  - \(S=(s_1,s_2)^T \leftarrow (f,2g+1)^T\)
  - If \(N_{\kappa }(S)\ge C^2 \cdot 5 \cdot (\lceil \delta _1n \rceil +4 \lceil \delta _2n \rceil )\cdot \kappa \) then restart
  - \(a_q=(2g+1)/f \mod q\) (restart if f is not invertible)
  - Return \(({ pk}=A,{ sk}=S)\) where \(A=(2a_q,q-2) \mod 2q\).
- Signature algorithm, \( \mathsf {Sign}(\mu ,pk=A,sk=S)\):
  - \( {{\varvec{y}}}_1,{{\varvec{y}}}_2 \leftarrow D_{\mathbb {Z}^n,s}\)
  - \( {{\varvec{u}}}=\zeta \cdot {{\varvec{a}}}_1 \cdot {{\varvec{y}}}_1+{{\varvec{y}}}_2 \mod 2q\)
  - \( {{\varvec{c}}}\leftarrow H(\lfloor {{\varvec{u}}}\rceil _d \mod p,\mu )\)
  - Choose a random bit b
  - \( {{\varvec{z}}}_1 \leftarrow {{\varvec{y}}}_1+(-1)^b {{\varvec{s}}}_1 {{\varvec{c}}}\)
  - \( {{\varvec{z}}}_2 \leftarrow {{\varvec{y}}}_2+(-1)^b {{\varvec{s}}}_2 {{\varvec{c}}}\)
  - Continue with probability \(1/\left( M \exp \left( -\frac{\Vert S {{\varvec{c}}}\Vert ^2}{s^2/\pi }\right) \cosh \left( \frac{\langle {{\varvec{z}}},S {{\varvec{c}}}\rangle }{s^2/\pi }\right) \right) \), otherwise restart
  - \( {{\varvec{z}}}_2^{\dagger }\leftarrow (\lfloor {{\varvec{u}}}\rceil _d-\lfloor {{\varvec{u}}}-{{\varvec{z}}}_2 \rceil _d) \mod p\)
  - Return \(({{\varvec{z}}}_1,{{\varvec{z}}}_2^{\dagger },{{\varvec{c}}})\)
- Verification algorithm, \( \mathsf {Verify}(\mu ,pk=A,({{\varvec{z}}}_1,{{\varvec{z}}}_2^{\dagger },{{\varvec{c}}}))\):
  - If \(\Vert ({{\varvec{z}}}_1|2^d \cdot {{\varvec{z}}}_2^{\dagger })\Vert _2\ge B_2\), then reject
  - If \(\Vert ({{\varvec{z}}}_1|2^d \cdot {{\varvec{z}}}_2^{\dagger })\Vert _{\infty }\ge B_{\infty }\), then reject
  - Accept if and only if \( {{\varvec{c}}}=H(\lfloor \zeta \cdot {{\varvec{a}}}_1 \cdot {{\varvec{z}}}_1+\zeta \cdot q \cdot {{\varvec{c}}}\rceil _d+{{\varvec{z}}}_2^{\dagger } \mod p,\mu )\)
For the detailed definitions of parameters, see Table 3 in [5].
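The following toy implementation of the KeyGen, Sign and Verify procedures listed above is an added example written for this page; it is not the BLISS reference code of [5] nor code by the authors. Everything below the appendix's description is an assumption of the example: the parameters (n = 16, q = 7681, d = 5, κ = 4, s = 200, δ₁ = 0.3, δ₂ = 0.03, and deliberately loose norm bounds B₂, B∞) are toy values and not a secure parameter set, the hash H is modelled with SHA-256 followed by a seeded choice of κ positions, the discrete Gaussian is sampled by plain rejection from a uniform window, and the \(N_{\kappa }(S)\) key filter is omitted. What the code does show is the algebra the appendix relies on: with \(a_1 = 2a_q\), \(a_2 = q-2\) and \(\zeta = a_2^{-1} \bmod 2q\), one has \(a_1 s_1 + a_2 s_2 \equiv q \pmod{2q}\), so \(\zeta a_1 z_1 + \zeta q c \equiv u - z_2 \pmod{2q}\) and the verifier's rounded value plus \(z_2^{\dagger }\) recovers \(\lfloor u \rceil _d \bmod p\).

```python
import hashlib, math, random
# Toy parameters constructed for this illustration; NOT a BLISS parameter set (those are in Table 3 of [5]).
N, Q, D, KAPPA, S = 16, 7681, 5, 4, 200.0   # ring degree n, modulus q, dropped bits d, weight of c, Gaussian parameter s
P, ZETA = (2 * Q) >> D, pow(Q - 2, -1, 2 * Q)   # p = floor(2q / 2^d); zeta = (q-2)^-1 mod 2q, so zeta * a_2 = 1
D1, D2 = math.ceil(0.3 * N), math.ceil(0.03 * N)   # d_1, d_2 for delta_1 = 0.3, delta_2 = 0.03 (toy)
B2, BINF = 8 * S * math.sqrt(2 * N), 8 * S   # toy norm bounds, loose enough never to reject an honest signature

def polymul(a, b, mod=None):
    """Negacyclic product in Z[x]/(x^N+1); coefficients reduced mod `mod` when given."""
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[(i + j) % N] += ai * bj * (1 if i + j < N else -1)   # x^N = -1
    return [v % mod for v in r] if mod else r

def poly_inverse(f):
    """f^-1 in Z_Q[x]/(x^N+1): Gauss-Jordan on [M | e_0], column j of M being f*x^j; None if singular."""
    aug = [[(f[i - j] if i >= j else -f[i - j + N]) % Q for j in range(N)] + [int(i == 0)] for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, Q)
        aug[col] = [v * inv % Q for v in aug[col]]
        for r in range(N):
            if r != col and aug[r][col]:
                aug[r] = [(x - aug[r][col] * y) % Q for x, y in zip(aug[r], aug[col])]
    return [row[N] for row in aug]

def sample_gaussian(rng):
    """D_{Z,s} (mass proportional to exp(-pi x^2 / s^2)) by rejection from a uniform window of width 12 s."""
    while True:
        x = rng.randint(-int(6 * S), int(6 * S))
        if rng.random() < math.exp(-math.pi * x * x / (S * S)):
            return x

def round_d(v):   # coefficient-wise floor(.)_d: round to the nearest multiple of 2^d and drop the d low bits
    return [(x + (1 << (D - 1))) >> D for x in v]

def hash_c(u_rounded, mu):
    """H(floor(u)_d mod p, mu) -> 0/1 polynomial with exactly KAPPA ones (SHA-256 seeds the positions)."""
    seed = int.from_bytes(hashlib.sha256(repr((u_rounded, mu)).encode()).digest(), "big")
    c = [0] * N
    for i in random.Random(seed).sample(range(N), KAPPA):
        c[i] = 1
    return c

def sparse_poly(rng):   # uniform polynomial with exactly D1 entries in {+-1} and D2 entries in {+-2}
    f = [0] * N
    for k, i in enumerate(rng.sample(range(N), D1 + D2)):
        f[i] = rng.choice((-1, 1)) * (1 if k < D1 else 2)
    return f

def keygen(rng):
    """KeyGen: pk = a_1 = 2 a_q mod 2q (a_2 = q-2 is implicit), sk = S = (f, 2g+1); N_kappa(S) test omitted (toy)."""
    f_inv = None
    while f_inv is None:                       # restart if f is not invertible
        f, g = sparse_poly(rng), sparse_poly(rng)
        f_inv = poly_inverse(f)
    s2 = [2 * v for v in g]
    s2[0] += 1                                 # s_2 = 2g + 1
    a_q = polymul(s2, f_inv, Q)                # a_q = (2g+1)/f mod q
    return [2 * v % (2 * Q) for v in a_q], (f, s2)

def sign(mu, a1, sk, rng):   # Sign with the bimodal Gaussian rejection step of the appendix
    f, s2 = sk
    M = math.exp(math.pi * KAPPA ** 2 * sum(v * v for v in f + s2) / S ** 2)  # ||Sc|| <= KAPPA ||S|| keeps acceptance <= 1
    while True:
        y1 = [sample_gaussian(rng) for _ in range(N)]
        y2 = [sample_gaussian(rng) for _ in range(N)]
        u = [(ZETA * v + w) % (2 * Q) for v, w in zip(polymul(a1, y1), y2)]
        c = hash_c([x % P for x in round_d(u)], mu)
        sgn = -1 if rng.randrange(2) else 1                  # (-1)^b for a random bit b
        sc1, sc2 = polymul(f, c), polymul(s2, c)             # S c over the integers
        z1 = [y + sgn * t for y, t in zip(y1, sc1)]
        z2 = [y + sgn * t for y, t in zip(y2, sc2)]
        norm_sc = sum(t * t for t in sc1 + sc2)
        inner = sum(z * t for z, t in zip(z1 + z2, sc1 + sc2))
        accept = 1 / (M * math.exp(-math.pi * norm_sc / S ** 2) * math.cosh(math.pi * inner / S ** 2))
        if rng.random() >= accept:
            continue                                         # otherwise restart
        w = round_d([(ui - zi) % (2 * Q) for ui, zi in zip(u, z2)])   # floor(u - z_2)_d
        z2dag = [((ru - rw) % P + P // 2) % P - P // 2 for ru, rw in zip(round_d(u), w)]  # centred mod p
        return z1, z2dag, c

def verify(mu, a1, sig):   # norm checks, then c == H(floor(zeta a_1 z_1 + zeta q c)_d + z_2^dagger mod p, mu)
    z1, z2dag, c = sig
    v = z1 + [(1 << D) * t for t in z2dag]                  # (z_1 | 2^d z_2^dagger)
    if math.sqrt(sum(x * x for x in v)) >= B2 or max(abs(x) for x in v) >= BINF:
        return False
    w = [(ZETA * x + ZETA * Q * ci) % (2 * Q) for x, ci in zip(polymul(a1, z1), c)]
    return c == hash_c([(r + t) % P for r, t in zip(round_d(w), z2dag)], mu)

def demo(seed=1):   # key pair, one signature, verification on the signed message and on a different one
    rng = random.Random(seed)
    a1, sk = keygen(rng)
    sig = sign("constructed message", a1, sk, rng)
    return verify("constructed message", a1, sig), verify("another message", a1, sig)
```

`demo()` returns `(True, False)`: the honest signature verifies and the same signature fails on a different message. The rejection constant M is derived from \(\Vert S{{\varvec{c}}}\Vert \le \kappa \Vert S\Vert \) so that the continue-probability of the appendix never exceeds 1; with these toy values it is close to 1, so few restarts occur.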
B Proof of Lemma 6 in Sect. 3
From equality (3),
The first two terms satisfy
by using the facts that \(c_i \le 1/2\) and \(|\varepsilon _i|\le c_i2^{-p}\). Since \( \ln (1+2^{-2p})\le 2^{-2p}\),
It then remains to prove that the remaining terms are \(O((\alpha 2^{-p})^3)\). These terms are upper bounded as
by using the facts that \(c_i \le 1/2\) and \(|\varepsilon _i|\le c_i2^{-p}\). Then the terms are upper bounded as
by using the fact that \( \alpha 2^{-p}\le 1\).
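The following is an added example, written for this page and not code from the paper, that works through two things the text describes but the preview does not show in numbers: the order optimization of the abstract (choosing \(\alpha \) according to the adversary's advantage rather than fixing \(\alpha = 2\)) and the precision model of the proof of Lemma 6 above (a table entry \(c_i\) stored with relative error \(|\varepsilon _i|\le c_i 2^{-p}\)). All concrete values are constructed assumptions: a single one-dimensional discrete Gaussian table with s = 8 stands in for the Bernoulli tables of the BLISS sampler, the p-bit table is modelled as an alternating relative perturbation of size \(2^{-(p+1)}\), the adversary sees \(2^{40}\) samples and wins with advantage \(2^{-64}\). The Rényi divergence is the standard \(R_{\alpha }(P\Vert Q)=\big(\sum _x P(x)^{\alpha }/Q(x)^{\alpha -1}\big)^{1/(\alpha -1)}\), the probability-preservation bound \(Q(E)\ge P(E)^{\alpha /(\alpha -1)}/R_{\alpha }(P\Vert Q)\) and its multiplicativity over independent samples are the properties used.

```python
import math

def discrete_gaussian(s, tail):
    """Exact D_{Z,s} (mass proportional to exp(-pi x^2 / s^2)) restricted to [-tail, tail]."""
    w = {x: math.exp(-math.pi * x * x / (s * s)) for x in range(-tail, tail + 1)}
    z = sum(w.values())
    return {x: v / z for x, v in w.items()}

def rounded_table(exact, p):
    """Constructed stand-in for a p-bit table (an assumption of this example): every c_i becomes
    c_i (1 + eps_i) with |eps_i| = 2^-(p+1) and alternating sign, then the table is renormalised.
    This stays inside the relative-error budget |eps_i| <= c_i 2^-p used in the proof of Lemma 6."""
    d = 2.0 ** -(p + 1)
    w = {x: c * (1.0 + (d if x % 2 == 0 else -d)) for x, c in exact.items()}
    z = sum(w.values())
    return {x: v / z for x, v in w.items()}

def log_renyi(P, Q, alpha):
    """ln R_alpha(P||Q) for R_alpha(P||Q) = (sum_x P(x)^alpha / Q(x)^(alpha-1))^(1/(alpha-1)), alpha > 1,
    supp(P) = supp(Q).  Evaluated as ln(1 + sum_x Q(x) (exp(alpha ln(P(x)/Q(x))) - 1)) / (alpha - 1)
    with log1p/expm1 so that deviations of size 2^-p survive double precision."""
    acc = sum(Q[x] * math.expm1(alpha * math.log1p(px / Q[x] - 1.0)) for x, px in P.items())
    return math.log1p(acc) / (alpha - 1.0)

def statistical_distance(P, Q):
    """Delta(P, Q) = 1/2 sum_x |P(x) - Q(x)|."""
    return 0.5 * sum(abs(P[x] - Q[x]) for x in P)

def log2_preserved_advantage(log2_eps, log_r_total, alpha):
    """Probability preservation: an adversary with advantage eps against the scheme sampling from P
    has advantage >= eps^(alpha/(alpha-1)) / R_alpha(P||Q) against the scheme sampling from Q.
    Returns log2 of that lower bound."""
    return alpha / (alpha - 1.0) * log2_eps - log_r_total / math.log(2.0)

ALPHAS = [1.5, 2.0, 4.0, 8.0, 16.0, 32.0, 64.0, 128.0, 256.0, 512.0, 1024.0, 2048.0]

def best_order(exact, table, log2_m, log2_eps, alphas=ALPHAS):
    """Pick the order alpha maximising the preserved advantage.  R_alpha is multiplicative over
    the m = 2^log2_m independent samples, so ln R_alpha(P^m || Q^m) = m * ln R_alpha(P || Q)."""
    m = 2.0 ** log2_m
    def bound(a):
        return log2_preserved_advantage(log2_eps, m * log_renyi(table, exact, a), a)
    alpha = max(alphas, key=bound)
    return alpha, bound(alpha)

def min_precision(exact, log2_m, log2_eps, max_loss_bits=1.0):
    """Smallest table precision p (bits) at which the optimised-order reduction loses at most
    max_loss_bits of advantage.  p stops at 51: a relative perturbation below 2^-52 is not
    representable in a double, so the model cannot be evaluated beyond that."""
    for p in range(8, 52):
        alpha, bound = best_order(exact, rounded_table(exact, p), log2_m, log2_eps)
        if bound >= log2_eps - max_loss_bits:
            return p, alpha
    return None, None

def sd_precision_estimate(log2_m, log2_eps):
    """Same question for the statistical-distance argument Q(E) >= P(E) - m Delta(P, Q).  Under the
    perturbation model above Delta = 2^-(p+2) per sample, so losing at most one bit (m Delta <= eps/2)
    needs p >= log2(m) - log2(eps) - 1."""
    return log2_m - log2_eps - 1

if __name__ == "__main__":
    exact = discrete_gaussian(8.0, 80)          # s = 8, tail cut at 10 s (constructed)
    LOG2_M, LOG2_EPS = 40, -64                  # 2^40 samples, adversary advantage 2^-64 (constructed)
    p, alpha = min_precision(exact, LOG2_M, LOG2_EPS)
    order2 = best_order(exact, rounded_table(exact, p), LOG2_M, LOG2_EPS, [2.0])[1]
    print(f"optimised order: p = {p} bits suffice (alpha = {alpha})")
    print(f"fixed order 2 at the same p: preserved advantage only 2^{order2:.1f}")
    print(f"statistical distance: p >= {sd_precision_estimate(LOG2_M, LOG2_EPS)} bits")
```

Under these constructed assumptions the optimized order lands at p = 23 bits with \(\alpha = 128\) losing under one bit of advantage, the fixed order \(\alpha = 2\) at the same precision squares the advantage (a loss of about 64 bits, which is the tightness problem the abstract refers to), and the statistical-distance argument would require about 103 bits. The absolute numbers are artefacts of the toy model; the shape of the comparison is what the paper's analysis exploits.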
Acknowledgements. K. Takashima is supported by the JSPS Fellowship for Young Scientists.
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Takashima, K., Takayasu, A. (2015). Tighter Security for Efficient Lattice Cryptography via the Rényi Divergence of Optimized Orders. In: Au, MH., Miyaji, A. (eds) Provable Security. ProvSec 2015. Lecture Notes in Computer Science, vol 9451. Springer, Cham. https://doi.org/10.1007/978-3-319-26059-4_23
DOI: https://doi.org/10.1007/978-3-319-26059-4_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26058-7
Online ISBN: 978-3-319-26059-4