Tighter Security for Efficient Lattice Cryptography via the Rényi Divergence of Optimized Orders

Abstract

In security proofs of lattice based cryptography, to bound the closeness of two probability distributions is an important procedure. To measure the closeness, the Rényi divergence has been used instead of the classical statistical distance. Recent results have shown that the Rényi divergence offers security reductions with better parameters, e.g. smaller deviations for discrete Gaussian distributions. However, since previous analyses used a fixed order Rényi divergence, i.e., order two, they lost tightness of reductions. To overcome the deficiency, we adaptively optimize the orders based on the advantages of the adversary for several lattice-based schemes. The optimizations enable us to prove the security with both improved efficiency and tighter reductions. Indeed, our analysis offers security reductions with smaller parameters than the statistical distance based analysis and the reductions are tighter than that of previous Rényi divergence based analysis. As applications, we show tighter security reductions for sampling discrete Gaussian distributions with smaller precomputed tables for BLISS signatures, and variants of learning with errors (LWE) problem and small integer solution (SIS) problem called k-LWE and k-SIS.

Appendices

A BLISS Signature Scheme

BLISS signature algorithm proceed as follows:

• Key generation algorithm, \( \mathsf {KeyGen}()\):

  • Choose f, g as uniform polynomials with exactly \(d_1=\lceil \delta _1n \rceil \) entries in \( \{\pm 1\}\) and \(d_2=\lceil \delta _2n \rceil \) entries in \( \{\pm 2\}\)

  • \(S=(s_1,s_2)^T \leftarrow (f,2g+1)^T\)

  • If \(N_{\kappa }(S)\ge C^2 \cdot 5 \cdot (\lceil \delta _1n \rceil +4 \lceil \delta _2n \rceil )\cdot \kappa \) then restart

  • \(a_q=(2g+1)/f \mod q\) (restart if f is not invertible)

  • Return \(({ pk}=A,{ sk}=S)\) where \(A=(2a_q,q-2) \mod 2q\).

• Signature Algorithm, \( \mathsf {Sign}(\mu ,pk=A,sk=S)\):

  • \( {{\varvec{y}}}_1,{{\varvec{y}}}_2 \leftarrow D_{\mathbb {Z}^n,s}\)

  • \( {{\varvec{u}}}=\zeta \cdot {{\varvec{a}}}_1 \cdot {{\varvec{y}}}_1+{{\varvec{y}}}_2 \mod 2q\)

  • \( {{\varvec{c}}}\leftarrow H(\lfloor {{\varvec{u}}}\rceil _d \mod p,\mu )\)

  • Choose a random bit b

  • \( {{\varvec{z}}}_1 \leftarrow {{\varvec{y}}}_1+(-1)^b {{\varvec{s}}}_1 {{\varvec{c}}}\)

  • \( {{\varvec{z}}}_2 \leftarrow {{\varvec{y}}}_2+(-1)^b {{\varvec{s}}}_2 {{\varvec{c}}}\)

  • Continue with probability \(1/\left( M \exp \left( -\frac{\Vert S {{\varvec{c}}}\Vert ^2}{s^2/\pi }\right) \cosh \left( \frac{\langle {{\varvec{z}}},S {{\varvec{c}}}\rangle }{s^2/\pi }\right) \right) \) otherwise restart

  • \( {{\varvec{z}}}_2^{\dagger }\leftarrow (\lfloor {{\varvec{u}}}\rceil _d-\lfloor {{\varvec{u}}}-{{\varvec{z}}}_2 \rceil _d) \mod p\)

  • Return \(({{\varvec{z}}}_1,{{\varvec{z}}}_2^{\dagger },{{\varvec{c}}})\)

• Verification Algorithm, \( \mathsf {Verify}(\mu ,pk=A,({{\varvec{z}}}_1,{{\varvec{z}}}_2^{\dagger },{{\varvec{c}}}))\):

  • if \(\Vert ({{\varvec{z}}}_1|2^d \cdot {{\varvec{z}}}_2^{\dagger })\Vert _2\ge B_2\), then reject

  • if \(\Vert ({{\varvec{z}}}_1|2^d \cdot {{\varvec{z}}}_2^{\dagger })\Vert _{\infty }\ge B_{\infty }\), then reject

  • Accept if and only if \( {{\varvec{c}}}=H(\lfloor \zeta \cdot {{\varvec{a}}}_1 \cdot {{\varvec{z}}}_1+\zeta \cdot q \cdot {{\varvec{c}}}\rceil _d+{{\varvec{z}}}_2^{\dagger } \mod p,\mu )\)

For the detailed definitions of parameters, see Table 3 in [5].

B Proof of Lemma 6 in Sect. 3

From an equality (3),

$$\begin{aligned} (R_{\alpha }(B_{\tilde{c}_i}\Vert B_{c_i}))^{\alpha -1}&=c_i \sum ^{\alpha }_{j=0}\left( {\begin{array}{c}\alpha \\ j\end{array}}\right) \left( \frac{\varepsilon _i}{c_i}\right) ^j +(1-c_i)\sum ^{\alpha }_{j=0}\left( {\begin{array}{c}\alpha \\ j\end{array}}\right) \left( -\frac{\varepsilon _i}{1-c_i}\right) ^j\\&=\sum ^{\alpha }_{j=0}\left( {\begin{array}{c}\alpha \\ j\end{array}}\right) \left( \frac{\varepsilon _i^j}{c_i^{j-1}}+\frac{(-\varepsilon _i)^j}{(1-c_i)^{j-1}}\right) \\&=1\!+\!\frac{\alpha (\alpha -1)}{2}\cdot \frac{\varepsilon _i^2}{c_i(1-c_i)} \!+\!\sum ^{\alpha }_{j=3}\left( {\begin{array}{c}\alpha \\ j\end{array}}\right) \left( \frac{\varepsilon _i^j}{c_i^{j-1}}+\frac{(-\varepsilon _i)^j}{(1-c_i)^{j-1}}\right) . \end{aligned}$$

The first two terms satisfy

$$\begin{aligned}&\;\;\;\; 1+\frac{\alpha (\alpha -1)}{2}\cdot \frac{\varepsilon _i^2}{c_i(1-c_i)}\le \left( 1+\frac{|\varepsilon _i|^2}{c_i(1-c_i)}\right) ^{\frac{\alpha (\alpha -1)}{2}}\\&\le \left( 1+2^{-2p}\cdot \frac{c_i}{1-c_i}\right) ^{\frac{\alpha (\alpha -1)}{2}} \le \left( 1+2^{-2p}\right) ^{\frac{\alpha (\alpha -1)}{2}} \end{aligned}$$

by using the fact that \(c_i \le 1/2\) and \(|\varepsilon _i|\le c_i2^{-p}\). Since \( \ln (1+2^{-2p})\le 2^{-2p}\),

$$\begin{aligned} \left( 1+2^{-2p}\right) ^{\frac{\alpha (\alpha -1)}{2}}\le \exp \left( \frac{\alpha (\alpha -1)}{2}\cdot 2^{-2p}\right) . \end{aligned}$$

Then, all we have to prove is the remaining terms to be \(O((\alpha 2^{-p})^3)\). The terms are upper bounded as

$$\begin{aligned}&\sum ^{\alpha }_{j=3}\left( {\begin{array}{c}\alpha \\ j\end{array}}\right) \left( \frac{(-\varepsilon _i)^j}{(1-c_i)^{j-1}}+\frac{\varepsilon _i^j}{c_i^{j-1}}\right) \le \sum ^{\alpha }_{j=3}\frac{\alpha ^j}{j!}\left( \frac{(-\varepsilon _i)^j}{(1-c_i)^{j-1}}+\frac{\varepsilon _i^j}{c_i^{j-1}}\right) \\\le & {} \sum ^{\alpha }_{j=3}\frac{\alpha ^j}{j!}\cdot 2 \cdot \frac{|\varepsilon _i|^j}{c_i^{j}}\cdot c_i \le \sum ^{\alpha }_{j=3}\frac{(\alpha 2^{-p})^j}{j!} \end{aligned}$$

by using the fact that \(c_i \le 1/2\) and \(|\varepsilon _i|\le c_i2^{-p}\). Then, the terms are upper bounded as

$$\begin{aligned}\le & {} (\alpha 2^{-p})^3 \cdot \sum ^{\alpha -3}_{j=0}\frac{(\alpha 2^{-p})^j}{j!} \le (\alpha 2^{-p})^3 \cdot \sum ^{\infty }_{j=0}\frac{(\alpha 2^{-p})^j}{j!} =(\alpha 2^{-p})^3 \cdot \exp (\alpha 2^{-p})\\= & {} O((\alpha 2^{-p})^3) \end{aligned}$$

by using the fact that \( \alpha 2^{-p}\le 1\).

Acknowledgements. K. Takashima is supported by the JSPS Fellowship for Young Scientists.