Improved Security Evaluation Techniques for Imperfect Randomness from Arbitrary Distributions

Abstract

Dodis and Yu (TCC 2013) studied how the security of cryptographic primitives that are secure in the “ideal” model in which the distribution of a randomness is the uniform distribution, is degraded when the ideal distribution of a randomness is switched to a “real-world” (possibly biased) distribution that has some lowerbound on its min-entropy or collision-entropy. However, in many constructions, their security is guaranteed only when a randomness is sampled from some non-uniform distribution (such as Gaussian in lattice-based cryptography), in which case we cannot directly apply the results by Dodis and Yu.

In this paper, we generalize the results by Dodis and Yu using the Rényi divergence, and show how the security of a cryptographic primitive whose security is guaranteed when the ideal distribution of a randomness is a general (possibly non-uniform) distribution Q, is degraded when the distribution is switched to another (real-world) distribution R. More specifically, we derive two general inequalities regarding the Rényi divergence of R from Q and an adversary’s advantage against the security of a cryptographic primitive. As applications of our results, we show (1) an improved reduction for switching the distributions of distinguishing problems with public samplability, which is simpler and much tighter than the reduction by Bai et al. (ASIACRYPT 2015), and (2) how the differential privacy of a mechanism is degraded when its randomness comes from not an ideal distribution Q but a real-world distribution R. Finally, we show methods for approximate-sampling from an arbitrary distribution Q with some guaranteed upperbound on the Rényi divergence (of the distribution R of our sampling methods from Q).

Appendices

A Proof of Lemma 9

Let \(k \in \mathbb {N}\) and \(A = (a_1,\dots , a_k) \in (\mathbb {R}_{\ge 0})^k\) such that \(\sum _{i \in [k]} a_i \in \mathbb {N}\). For each \(i \in [k]\), let \(\delta _i := \lceil a_i \rceil - a_i\). Also, define

$$ \varDelta := \sum _{i \in [k]} \delta _i = \sum _{i \in [k]} \lceil a_i \rceil - \sum _{i \in [k]} a_i. $$

Note that since \(\sum _{i \in [k]} a_i \in \mathbb {N}\) and \(\delta _i \in [0,1)\) for every \(i \in [k]\), the definition of \(\varDelta \) implies \(\varDelta \in \mathbb {Z}_{\ge 0}\) and \(\varDelta < k\). Furthermore, let \(\mathcal {S}_{\mathtt {up}}\) and \(\mathcal {S}_{\mathtt {low}}\) be subsets of [k] satisfying the following four conditions:

• (1) \(\mathcal {S}_{\mathtt {up}}\cup \mathcal {S}_{\mathtt {low}}= [k]\)

• (2) \(\mathcal {S}_{\mathtt {up}}\cap \mathcal {S}_{\mathtt {low}}= \emptyset \)

• (3) \(|\mathcal {S}_{\mathtt {up}}| = \varDelta \)

• (4) \(\max \{\delta _i | i \in \mathcal {S}_{\mathtt {low}}\} \le \min \{\delta _i|i \in \mathcal {S}_{\mathtt {up}}\}\).

Using them, define the vector \(B = (b_1,\dots , b_k)\) such that for every \(i \in [k]\),

$$ b_i := {\left\{ \begin{array}{ll} \lceil a_i \rceil &{} \text {if}~i \in \mathcal {S}_{\mathtt {low}}\\ \lceil a_i \rceil - 1 &{} \text {if}~i \in \mathcal {S}_{\mathtt {up}}\end{array}\right. }. $$

By definition, every \(b_i\) is an integer. Since \(a_i \in \mathbb {R}_{\ge 0}\) for every \(i \in [k]\), we have \(b_i \in \mathbb {Z}_{\ge 0}\) for every \(i \in \mathcal {S}_{\mathtt {low}}\). Note also that by the definitions of \(\varDelta \) and \(\mathcal {S}_{\mathtt {up}}\), we have \(|\{i \in [k]| \delta _i > 0\}| \ge \varDelta = |\mathcal {S}_{\mathtt {up}}|\), and thus \(a_i > 0\) holds for every \(i \in \mathcal {S}_{\mathtt {up}}\), which implies \(b_i = \lceil a_i \rceil - 1 \ge 0\) for every \(i \in \mathcal {S}_{\mathtt {up}}\). Hence, we have \(B = (b_1,\dots , b_k) \in (\mathbb {Z}_{\ge 0})^k\).

In the following we confirm that the vector B defined above satisfies both of the properties. Regarding the first property, we have

$$\begin{aligned} \sum _{i \in [k]} b_i&= \sum _{i \in \mathcal {S}_{\mathtt {low}}} \lceil a_i \rceil + \sum _{i \in \mathcal {S}_{\mathtt {up}}} (\lceil a_i \rceil - 1)\\&{\mathop {=}\limits ^{(*)}} \sum _{i \in [k]} \lceil a_i \rceil - \varDelta = \sum _{i \in [k]} (a_i + \delta _i) - \sum _{i \in [k]} \delta _i = \sum _{i \in [k]} a_i, \end{aligned}$$

where the equality (*) uses \(|\mathcal {S}_{\mathtt {up}}| = \varDelta \). Hence, B satisfies the first property.

It remains to show that B satisfies the second property. For each \(i \in [k]\), let

$$ d_i := b_i - a_i = {\left\{ \begin{array}{ll} \delta _i &{} \text {if}~i \in \mathcal {S}_{\mathtt {low}}\\ \delta _i - 1 &{} \text {if}~i \in \mathcal {S}_{\mathtt {up}}\end{array}\right. }. $$

Recall that \(\delta _i \in [0,1)\) holds for every \(i \in [k]\). Thus, we have \(|d_i| \le 1\) for all \(i \in [k]\). Furthermore, for every \((i,j) \in [k]^2\), we have

$$ |d_i - d_j| = {\left\{ \begin{array}{ll} |\delta _i - \delta _j| &{} \text {if}~(i,j) \in (\mathcal {S}_{\mathtt {low}})^2~\text {or}~(i,j) \in (\mathcal {S}_{\mathtt {up}})^2\\ |1 - (\delta _j - \delta _i)| &{} \text {if}~(i,j) \in \mathcal {S}_{\mathtt {low}}\times \mathcal {S}_{\mathtt {up}}\\ |\delta _i - \delta _j - 1| &{} \text {if}~(i,j) \in \mathcal {S}_{\mathtt {up}}\times \mathcal {S}_{\mathtt {low}}\end{array}\right. }. $$

From the above, it is immediate that \(|d_i - d_j| \le 1\) holds for the cases \((i,j) \in (\mathcal {S}_{\mathtt {low}})^2\) and \((i,j) \in (\mathcal {S}_{\mathtt {up}})^2\). Also, for the case \((i, j) \in \mathcal {S}_{\mathtt {low}}\times \mathcal {S}_{\mathtt {up}}\), we have \(\delta _i \le \delta _j\) due to the condition (4) of \(\mathcal {S}_{\mathtt {low}}\) and \(\mathcal {S}_{\mathtt {up}}\), and thus we have \(|1-(\delta _j - \delta _i)| \le 1\). Similarly, for the case \((i, j) \in \mathcal {S}_{\mathtt {up}}\times \mathcal {S}_{\mathtt {low}}\), we have \(\delta _i \ge \delta _j\), and thus we have \(|\delta _i - \delta _j - 1| \le 1\). Hence, we have \(|d_i - d_j| \le 1\) for any pair \((i,j) \in [k]^2\). This shows that the vector B satisfies the second property as well. \(\square \) (Lemma 9)

B Proof of Lemma 11

Fix arbitrarily a number \(k \in \mathbb {N}\) and a vector \((a_1,\dots ,a_n) \in \mathbb {R}^k\) satisfying \(|a_i - a_j| \le 1\) for all \(i,j \in [k]\), and let \(\alpha := \sum _{i \in [k]} a_i\). We will show that \(\sum _{i \in [k]} a_i^2 \le \frac{\alpha ^2}{k} + \frac{k}{4}\) holds, which proves the lemma.

Let \(a_{\min }:= \min \{a_i\}_{i \in [k]}\), and \(\delta _i := a_i - a_{\min }\) for each \(i \in [k]\). Note that due to the given condition of the vector \((a_1,\dots ,a_k)\), \(\delta _i \in [0,1]\) holds for all \(i \in [k]\). We also have

$$\begin{aligned} \alpha&= \sum _{i \in [k]} a_i = \sum _{i \in [k]} \Bigl ( a_{\min }+ \delta _i \Bigr ) = ka_{\min }+ \sum _{i \in [k]} \delta _i \nonumber \\ \Longleftrightarrow \quad \sum _{i \in [k]} \delta _i&= \alpha - ka_{\min }. \end{aligned}$$

(18)

Furthermore, for each \(i \in [k]\), we have

$$\begin{aligned} a_i^2 = (a_{\min }+ \delta _i)^2&= a_{\min }^2 + 2 a_{\min }\delta _i + \delta _i^2 \nonumber \\&\le a_{\min }^2 + (2a_{\min }+ 1) \cdot \delta _i, \end{aligned}$$

(19)

where the inequality uses \(\delta _i^2 \le \delta _i\), which is due to \(\delta _i \in [0,1]\).

Now, consider the sum of squares \(\sum _{i \in [k]} a_i^2\). We have

$$\begin{aligned} \sum _{i \in [k]} a_i^2&{\mathop {\le }\limits ^{(*)}} \sum _{i \in [k]} \Bigl ( a_{\min }^2 + (2a_{\min }+ 1) \cdot \delta _i \Bigr )\\&= ka_{\min }^2 + (2 a_{\min }+1) \cdot \sum _{i \in [k]} \delta _i\\&{\mathop {=}\limits ^{(\dag )}} k a_{\min }^2 + (2a_{\min }+ 1) \cdot (\alpha - ka_{\min })\\&= - k \Bigl ( a_{\min }- \Bigl (\frac{\alpha }{k} - \frac{1}{2} \Bigr ) \Bigr )^2 + \frac{\alpha ^2}{k} + \frac{k}{4}\\&\le \frac{\alpha ^2}{k} + \frac{k}{4}, \end{aligned}$$

where the inequality (*) uses Eq. (19), and the equality (†) uses Eq. (18).

                                                                                             \(\square \) (Lemma 11)