The Rényi divergence is a measure of closeness of two probability distributions. We show that it can often be used as an alternative to the statistical distance in security proofs for lattice-based cryptography. Using the Rényi divergence is particularly suited for security proofs of primitives in which the attacker is required to solve a search problem (e.g., forging a signature). We show that it may also be used in the case of distinguishing problems (e.g., semantic security of encryption schemes), when they enjoy a public sampleability property. The techniques lead to security proofs for schemes with smaller parameters, and sometimes to simpler security proofs than the existing ones.If the event E occurs with significant probability under D 1 , and if the SD (resp. RD) is small, then the event E also occurs with significant probability under D 2 . These properties are particularly handy when the success of an attacker against a given scheme can be described as an event whose probability should be negligible, e.g., the attacker outputs a new valid message-signature pair for a signature scheme. If in the attacker succeeds with good probability in the real scheme based on distribution D 1 , then it also succeeds with good probability in the simulated scheme (of the security proof) based on distribution D 2 .To make the SD probability preservation property useful, it must be ensured that the SD ∆(D 1 , D 2 ) is smaller than any D 1 (E) that the security proof must handle. Typically, the quantity D 1 (E) is assumed to be greater than some success probability lower bound ε, which is of the order of 1/poly(λ) where λ refers to the security parameter, or even 2 −o(λ) if the proof handles attackers whose success probabilities can be sub-exponentially small (which we believe better reflects practical objectives). As a result, the SD ∆(D 1 , D 2 ) must be < ε for the SD probability preservation property to be relevant. Similarly, the RD probability preservation property is non-vacuous when the RD R a (D 1 D 2 ) is ≤ poly(1/ε). In many cases, the latter seems less demanding than the former: in all our applications of RD, the RD between D 1 and D 2 is small while their SD is too large for the SD probability preservation to be applicable. In fact, as we will see in Subsection 2.3, the RD becomes sufficiently small to be useful before the SD when sup x D 1 (x)/D 2 (x) tends to 1. This explains the superiority of the RD in several of our applications.Although RD seems more amenable than SD for search problems, it seems less so for distinguishing problems. A typical cryptographic example is semantic security of an encryption scheme. Semantic security requires an adversary A to distinguish between the encryption distributions of two plaintext messages of its choosing: the distinguishing advantage Adv A (D 1 , D 2 ), defined as the difference of probabilities that A outputs 1 using D 1 or D 2 , should be large. In security proofs, algorithm A is often called on distributions D 1 and D 2 that are close to D 1 and D 2 (respectivel...
