The Rényi divergence is a measure of closeness of two probability distributions. We show that it can often be used as an alternative to the statistical distance in security proofs for lattice-based cryptography. Using the Rényi divergence is particularly suited for security proofs of primitives in which the attacker is required to solve a search problem (e.g., forging a signature). We show that it may also be used in the case of distinguishing problems (e.g., semantic security of encryption schemes), when they enjoy a public sampleability property. The techniques lead to security proofs for schemes with smaller parameters, and sometimes to simpler security proofs than the existing ones.

If the event $E$ occurs with significant probability under $D_1$, and if the SD (resp. RD) is small, then the event $E$ also occurs with significant probability under $D_2$. These properties are particularly handy when the success of an attacker against a given scheme can be described as an event whose probability should be negligible, e.g., the attacker outputs a new valid message-signature pair for a signature scheme. If the attacker succeeds with good probability in the real scheme based on distribution $D_1$, then it also succeeds with good probability in the simulated scheme (of the security proof) based on distribution $D_2$.

To make the SD probability preservation property useful, it must be ensured that the SD $\Delta(D_1, D_2)$ is smaller than any $D_1(E)$ that the security proof must handle. Typically, the quantity $D_1(E)$ is assumed to be greater than some success probability lower bound $\varepsilon$, which is of the order of $1/\mathrm{poly}(\lambda)$ where $\lambda$ refers to the security parameter, or even $2^{-o(\lambda)}$ if the proof handles attackers whose success probabilities can be sub-exponentially small (which we believe better reflects practical objectives). As a result, the SD $\Delta(D_1, D_2)$ must be $< \varepsilon$ for the SD probability preservation property to be relevant. Similarly, the RD probability preservation property is non-vacuous when the RD $R_a(D_1 \| D_2)$ is $\le \mathrm{poly}(1/\varepsilon)$. In many cases, the latter seems less demanding than the former: in all our applications of RD, the RD between $D_1$ and $D_2$ is small while their SD is too large for the SD probability preservation to be applicable. In fact, as we will see in Subsection 2.3, the RD becomes sufficiently small to be useful before the SD when $\sup_x D_1(x)/D_2(x)$ tends to 1. This explains the superiority of the RD in several of our applications.

Although RD seems more amenable than SD for search problems, it seems less so for distinguishing problems. A typical cryptographic example is semantic security of an encryption scheme. Semantic security requires an adversary $A$ to distinguish between the encryption distributions of two plaintext messages of its choosing: the distinguishing advantage $\mathrm{Adv}_A(D_1, D_2)$, defined as the difference of probabilities that $A$ outputs 1 using $D_1$ or $D_2$, should be large. In security proofs, algorithm $A$ is often called on distributions $D_1$ and $D_2$ that are close to $D_1$ and $D_2$ (respectivel...
Lattice-based signature and Identity-Based Encryption are well-known cryptographic schemes, and having both efficient and provably secure schemes in the standard model is still a challenging task in light of the current NIST post-quantum competition. We address this problem in this paper by mixing the standard IBE scheme à la ABB (EUROCRYPT 2010), on Ring-SIS/LWE assumptions, with the efficient trapdoor of Peikert and Micciancio (EUROCRYPT 2012), and we provide an efficient implementation. Our IBE scheme is more efficient than the IBE scheme of Ducas, Lyubashevsky and Prest based on the NTRU assumption, and is based on more standard assumptions. We also describe and implement the underlying signature scheme, which is provably secure in the standard model and efficient.