The Rényi divergence is a measure of closeness of two probability distributions. We show that it can often be used as an alternative to the statistical distance in security proofs for lattice-based cryptography. Using the Rényi divergence is particularly suited for security proofs of primitives in which the attacker is required to solve a search problem (e.g., forging a signature). We show that it may also be used in the case of distinguishing problems (e.g., semantic security of encryption schemes), when they enjoy a public sampleability property. The techniques lead to security proofs for schemes with smaller parameters, and sometimes to simpler security proofs than the existing ones.

If the event E occurs with significant probability under D₁, and if the SD (resp. RD) is small, then the event E also occurs with significant probability under D₂. These properties are particularly handy when the success of an attacker against a given scheme can be described as an event whose probability should be negligible, e.g., the attacker outputs a new valid message-signature pair for a signature scheme. If the attacker succeeds with good probability in the real scheme based on distribution D₁, then it also succeeds with good probability in the simulated scheme (of the security proof) based on distribution D₂.

To make the SD probability preservation property useful, it must be ensured that the SD ∆(D₁, D₂) is smaller than any D₁(E) that the security proof must handle. Typically, the quantity D₁(E) is assumed to be greater than some success probability lower bound ε, which is of the order of 1/poly(λ) where λ refers to the security parameter, or even 2^(−o(λ)) if the proof handles attackers whose success probabilities can be sub-exponentially small (which we believe better reflects practical objectives). As a result, the SD ∆(D₁, D₂) must be < ε for the SD probability preservation property to be relevant.
Similarly, the RD probability preservation property is non-vacuous when the RD R_a(D₁‖D₂) is ≤ poly(1/ε). In many cases, the latter seems less demanding than the former: in all our applications of RD, the RD between D₁ and D₂ is small while their SD is too large for the SD probability preservation to be applicable. In fact, as we will see in Subsection 2.3, the RD becomes sufficiently small to be useful before the SD when sup_x D₁(x)/D₂(x) tends to 1. This explains the superiority of the RD in several of our applications.

Although RD seems more amenable than SD for search problems, it seems less so for distinguishing problems. A typical cryptographic example is semantic security of an encryption scheme. Semantic security requires an adversary A to distinguish between the encryption distributions of two plaintext messages of its choosing: the distinguishing advantage Adv_A(D₁, D₂), defined as the difference of probabilities that A outputs 1 using D₁ or D₂, should be large. In security proofs, algorithm A is often called on distributions D′₁ and D′₂ that are close to D₁ and D₂ (respectivel...
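The two probability preservation properties discussed above are easy to make concrete. The following Python is an added illustration, not code from the paper: it implements the standard definitions of the statistical distance ∆(P, Q) = ½ Σ_x |P(x) − Q(x)| and of the Rényi divergence of order a, R_a(P‖Q) = (Σ_x P(x)^a / Q(x)^(a−1))^(1/(a−1)) with R_∞(P‖Q) = sup_x P(x)/Q(x), together with the lower bounds Q(E) ≥ P(E) − ∆(P, Q) (SD) and Q(E) ≥ P(E)^(a/(a−1)) / R_a(P‖Q) (RD; P(E)/R_∞ for a = ∞). The pair of distributions is constructed for the example: D₁ is uniform on {0, …, n−1} and D₂ moves a fraction δ of the mass from the lower half to the upper half, so that sup_x D₁(x)/D₂(x) = 1/(1−δ) does not depend on n while the event E = {0} becomes rarer as n grows.

```python
import math


def statistical_distance(p, q):
    """Statistical distance (1/2) * sum_x |P(x) - Q(x)| over the union of supports."""
    support = set(p) | set(q)
    return 0.5 * sum(abs(p.get(x, 0.0) - q.get(x, 0.0)) for x in support)


def renyi_divergence(p, q, a):
    """Renyi divergence R_a(P||Q) of order a > 1; a = inf gives sup_x P(x)/Q(x).
    Infinite when some outcome has positive P-probability but zero Q-probability."""
    if a <= 1:
        raise ValueError("order a must be > 1 (a = 1 is the KL limit, not handled here)")
    support = [x for x, px in p.items() if px > 0]
    if any(q.get(x, 0.0) == 0.0 for x in support):
        return math.inf
    if a == math.inf:
        return max(p[x] / q[x] for x in support)
    return sum(p[x] ** a / q[x] ** (a - 1) for x in support) ** (1.0 / (a - 1))


def probability(d, event):
    """Probability under distribution d of an event given as a predicate on outcomes."""
    return sum(px for x, px in d.items() if event(x))


def preservation_bounds(p, q, event, a):
    """Return (P(E), Q(E), sd_bound, rd_bound) where
       sd_bound = P(E) - SD(P, Q)                       (SD probability preservation)
       rd_bound = P(E)^(a/(a-1)) / R_a(P||Q)             (RD probability preservation;
                                                          P(E) / R_inf when a = inf)
    Each is a lower bound on Q(E); a bound <= 0 is vacuous."""
    pe, qe = probability(p, event), probability(q, event)
    exponent = 1.0 if a == math.inf else a / (a - 1)
    sd_bound = pe - statistical_distance(p, q)
    rd_bound = pe ** exponent / renyi_divergence(p, q, a)
    return pe, qe, sd_bound, rd_bound


def perturbed_uniform(n, delta):
    """Constructed example pair (assumption of this illustration, not from the paper):
    P is uniform on {0..n-1}; Q has mass (1-delta)/n on the lower half and (1+delta)/n
    on the upper half, so SD(P, Q) = delta/2 and sup_x P(x)/Q(x) = 1/(1-delta)."""
    assert n % 2 == 0, "n must be even so that the two halves carry equal mass"
    p = {x: 1.0 / n for x in range(n)}
    q = {x: (1 - delta) / n if x < n // 2 else (1 + delta) / n for x in range(n)}
    return p, q


def demo(n=100, delta=0.1):
    """Bounds for the rare event E = {0} under the constructed pair, using R_inf."""
    p, q = perturbed_uniform(n, delta)
    return preservation_bounds(p, q, lambda x: x == 0, math.inf)


if __name__ == "__main__":
    pe, qe, sd_b, rd_b = demo()
    print(f"P(E)={pe:.4f}  Q(E)={qe:.4f}  SD bound={sd_b:.4f}  RD bound={rd_b:.4f}")
```

For n = 100 and δ = 0.1 the SD is 0.05 while D₁(E) = 0.01, so the SD bound is negative and says nothing about D₂(E); the R_∞ bound gives D₂(E) ≥ 0.009, which is exactly D₂(E) here. Increasing n makes E rarer without changing either the SD or the RD, so the SD bound stays vacuous for every smaller ε while the RD bound keeps tracking D₁(E)/R_∞, which is the behaviour the paragraph above attributes to the Rényi divergence.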
Abstract. The subfield attack exploits the presence of a subfield to solve overstretched versions of the NTRU assumption: norming the public key h down to a subfield may lead to an easier lattice problem and any sufficiently good solution may be lifted to a short vector in the full NTRU-lattice. This approach was originally sketched in a paper of Gentry and Szydlo at Eurocrypt'02 and there also attributed to Jonsson, Nguyen and Stern. However, because it does not apply for small moduli and hence NTRUEncrypt, it seems to have been forgotten. In this work, we resurrect this approach, fill some gaps, analyze and generalize it to any subfields and apply it to more recent schemes. We show that for significantly larger moduli (a case we call overstretched) the subfield attack is applicable and asymptotically outperforms other known attacks. This directly affects the asymptotic security of the bootstrappable homomorphic encryption schemes LTV and YASHE which rely on a mildly overstretched NTRU assumption: the subfield lattice attack runs in sub-exponential time 2^(O(λ/log^(1/3) λ)), invalidating the security claim of 2^(Θ(λ)). The effect is more dramatic on GGH-like Multilinear Maps: this attack can run in polynomial time without encodings of zero nor the zero-testing parameter, yet requiring an additional quantum step to recover the secret parameters exactly. We also report on practical experiments. Running LLL in dimension 512 we obtain vectors that would have otherwise required running BKZ with block-size 130 in dimension 8192. Finally, we discuss concrete aspects of this attack, the condition on the modulus q to guarantee full immunity, discuss countermeasures and propose open questions.