Sharper Bounds in Lattice-Based Cryptography Using the Rényi Divergence

  • Thomas PrestEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10624)


The Rényi divergence is a measure of divergence between distributions. It has recently found several applications in lattice-based cryptography. The contribution of this paper is twofold.

First, we give theoretic results which renders it more efficient and easier to use. This is done by providing two lemmas, which give tight bounds in very common situations – for distributions that are tailcut or have a bounded relative error. We then connect the Rényi divergence to the max-log distance. This allows the Rényi divergence to indirectly benefit from all the advantages of a distance.

Second, we apply our new results to five practical usecases. It allows us to claim 256 bits of security for a floating-point precision of 53 bits, in cases that until now either required more than 150 bits of precision or were limited to 100 bits of security: rejection sampling, trapdoor sampling (61 bits in this case) and a new sampler by Micciancio and Walter. We also propose a new and compact approach for table-based sampling, and squeeze the standard deviation of trapdoor samplers by a factor that provides a gain of 30 bits of security in practice.


Rényi divergence Security proofs Lattice-based cryptography Gaussian sampling 



I would like to thank Fabrice Mouhartem, Damien Stehlé and Michael Walter for useful discussions. I am also grateful to Ange Martinelli, Daniele Micciancio, Thomas Ricosset and the anonymous reviewers of ASIACRYPT 2017 for their insightful comments which helped to improve the quality of this paper.

This work has been supported in part by the BPI-funded project “RISQ”.


  1. [ABB10a]
    Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert [Gil10], pp. 553–572Google Scholar
  2. [ABB10b]
    Agrawal, S., Boneh, D., Boyen, X.: Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: Rabin [Rab10], pp. 98–115Google Scholar
  3. [ADPS16]
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343. USENIX Association (2016)Google Scholar
  4. [Ass06]
    Van Assche, W.: Padé and hermite-padé approximation and orthogonality (2006)Google Scholar
  5. [Bab85]
    Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. In: Mehlhorn, K. (ed.) STACS 1985. LNCS, vol. 182, pp. 13–20. Springer, Heidelberg (1985). CrossRefGoogle Scholar
  6. [Bab86]
    Babai, L.: On lovasz’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)MathSciNetCrossRefzbMATHGoogle Scholar
  7. [BGG+14]
    Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen and Oswald [NO14], pp. 533–556Google Scholar
  8. [BGM+16]
    Bogdanov, A., Guo, S., Masny, D., Richelson, S., Rosen, A.: On the hardness of learning with rounding over small modulus. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 209–224. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  9. [BLL+15]
    Bai, S., Langlois, A., Lepoint, T., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 3–24. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  10. [Boy10]
    Boyen, X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 499–517. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  11. [Boy13]
    Boyen, X.: Attribute-based functional encryption on lattices. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 122–142. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  12. [BS16]
    Bun, M., Steinke, T.: Concentrated differential privacy: simplifications, extensions, and lower bounds. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 635–658. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  13. [Cac97]
    Cachin, C.: Entropy measures and unconditional security in cryptography. Ph.D. thesis (1997)Google Scholar
  14. [CHKP10]
    Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert [Gil10], pp. 523–552Google Scholar
  15. [DDLL13]
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  16. [DG14]
    Dwarakanath, N.C., Galbraith, S.D.: Sampling from discrete gaussians for lattice-based cryptography on a constrained device. Appl. Algebra Eng. Commun. Comput. 25(3), 159–180 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  17. [DLP14]
    Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). Google Scholar
  18. [DN12a]
    Ducas, L., Nguyen, P.Q.: Faster Gaussian lattice sampling using lazy floating-point arithmetic. In: Wang and Sako [WS12], pp. 415–432Google Scholar
  19. [DN12b]
    Ducas, L., Nguyen, P.Q.: Learning a Zonotope and more: cryptanalysis of NTRUSign countermeasures. In: Wang and Sako [WS12], pp. 433–450Google Scholar
  20. [DP16]
    Ducas, L., Prest, T.: Fast fourier orthogonalization. In: Abramov, S.A., Zima, E.V., Gao, X.-S. (eds.) Proceedings of the ACM on International Symposium on Symbolic and Algebraic Computation, ISSAC 2016, Waterloo, ON, Canada, 19–22 July 2016, pp. 191–198. ACM (2016)Google Scholar
  21. [EFGT17]
    Espitau, T., Fouque, P.-A., Gérard, B., Tibouchi, M.: Generalized Howgrave-Graham-Szydlo and side-channel attacks against BLISS. Publication status unknown (2017).
  22. [GGH97]
    Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997). Google Scholar
  23. [Gil10]
    Gilbert, H. (ed.): EUROCRYPT 2010. LNCS, vol. 6110. Springer, Heidelberg (2010). zbMATHGoogle Scholar
  24. [GJSS01]
    Gentry, C., Jonsson, J., Stern, J., Szydlo, M.: Cryptanalysis of the NTRU signature scheme (NSS) from Eurocrypt 2001. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 1–20. Springer, Heidelberg (2001). CrossRefGoogle Scholar
  25. [GLP12]
    Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  26. [GPV08]
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, Victoria, British Columbia, Canada, 17–20 May 2008, pp. 197–206. ACM Press (2008)Google Scholar
  27. [GS02]
    Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). CrossRefGoogle Scholar
  28. [HHGP+03]
    Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003). CrossRefGoogle Scholar
  29. [Kle00]
    Klein, P.N.: Finding the closest lattice vector when it’s unusually close. In: SODA (2000)Google Scholar
  30. [LD13]
    Lepoint, T., Ducas, L.: Proof-of-concept software implementation of BLISS (2013).
  31. [LP15]
    Lyubashevsky, V., Prest, T.: Quadratic time, linear space algorithms for Gram-Schmidt orthogonalization and Gaussian sampling in structured lattices. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 789–815. Springer, Heidelberg (2015). Google Scholar
  32. [LPSS14]
    Ling, S., Phan, D.H., Stehlé, D., Steinfeld, R.: Hardness of k-LWE and applications in traitor tracing. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 315–334. Springer, Heidelberg (2014). CrossRefGoogle Scholar
  33. [LSS14]
    Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen and Oswald [NO14], pp. 239–256Google Scholar
  34. [Lyu09]
    Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  35. [Lyu12]
    Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval and Johansson [PJ12], pp. 738–755Google Scholar
  36. [Mir17]
    Mironov, I.: Renyi differential privacy. In: Proceedings of 30th IEEE Computer Security Foundations Symposium (2017).
  37. [MP12]
    Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval and Johansson [PJ12], pp. 700–718Google Scholar
  38. [MR04]
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th FOCS, Rome, Italy, 17–19 October 2004, pp. 372–381. IEEE Computer Society Press (2004)Google Scholar
  39. [MR07]
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37, 267–302 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  40. [MW17]
    Micciancio, D., Walter, M.: Gaussian sampling over the integers: efficient, generic, constant-time. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 455–485. Springer, Cham (2017). CrossRefGoogle Scholar
  41. [NO14]
    Nguyen, P.Q., Oswald, E. (eds.): EUROCRYPT 2014. LNCS, vol. 8441. Springer, Heidelberg (2014). Google Scholar
  42. [NR06]
    Nguyen, P.Q., Regev, O.: Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 271–288. Springer, Heidelberg (2006). CrossRefGoogle Scholar
  43. [Pad92]
    Padé, H.: Sur la représentation approchée d’une fonction par des fractions rationnelles. Ph.D. thesis (1892)Google Scholar
  44. [PDG14]
    Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014). Google Scholar
  45. [Pei10]
    Peikert, C.: An efficient and parallel Gaussian sampler for lattices. In: Rabin [Rab10], pp. 80–97Google Scholar
  46. [PJ12]
    Pointcheval, D., Johansson, T. (eds.): EUROCRYPT 2012. LNCS, vol. 7237. Springer, Heidelberg (2012). zbMATHGoogle Scholar
  47. [POG15]
    Pöppelmann, T., Oder, T., Güneysu, T.: High-performance ideal lattice-based cryptography on 8-bit ATxmega microcontrollers. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 346–365. Springer, Cham (2015). CrossRefGoogle Scholar
  48. [Pop14]
    Poppelmann, T.: Proof-of-concept hardware implementation of BLISS (2014).
  49. [Pre15]
    Prest, T.: Gaussian sampling in lattice-based cryptography. Theses, École Normale Supérieure December 2015Google Scholar
  50. [Rab10]
    Rabin, T. (ed.): CRYPTO 2010. LNCS, vol. 6223. Springer, Heidelberg (2010). zbMATHGoogle Scholar
  51. [R61]
    Rnyi, A.: On measures of entropy and information. In: Proceedings of the Fourth Berkeley Symposium on Mathematical Statistics and Probability, Volume 1: Contributions to the Theory of Statistics, Berkeley, California, pp. 547–561. University of California Press (1961)Google Scholar
  52. [Saa15]
    Saarinen, M.-J.O.: Gaussian sampling precision in lattice cryptography. Cryptology ePrint Archive, Report 2015/953 (2015).
  53. [Str14]
    Swan, S.: Bimodal lattice signature scheme (BLISS) (2014).
  54. [TT15]
    Takashima, K., Takayasu, A.: Tighter security for efficient lattice cryptography via the Rényi divergence of optimized orders. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 412–431. Springer, Cham (2015). Google Scholar
  55. [vEH14]
    van Erven, T., Harremoës, P.: IEEE Trans. Inf. Theory 60(7), 3797–3820 (2014)CrossRefGoogle Scholar
  56. [Wan10]
    Wan, A.: Learning, cryptography, and the average case. Ph.D. thesis, Columbia University (2010)Google Scholar
  57. [WS12]
    Wang, X., Sako, K. (eds.): ASIACRYPT 2012. LNCS, vol. 7658. Springer, Heidelberg (2012). Google Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. 1.ParisFrance

Personalised recommendations