From Single-Bit to Multi-bit Public-Key Encryption via Non-malleable Codes

Coretti, Sandro; Maurer, Ueli; Tackmann, Björn; Venturi, Daniele

doi:10.1007/978-3-662-46494-6_22

Cited by 53 publications

(56 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Most of the earlier works on non-malleable codes focus on granular tampering models, where the tampering functions are restricted to act on individual components of the codeword independently. The original work of [20] (see also [12]) gives an efficient construction for bit-tampering (i.e., the adversary can tamper with each bit of the codeword independently of every other bit). Very recently, Cheraghchi and Guruswami [10] gave a construction with improved rate and better efficiency for the same family.…”

Section: Related Workmentioning

confidence: 99%

Efficient Non-malleable Codes and Key-Derivation for Poly-size Tampering Circuits

Faust

Mukherjee

Venturi

et al. 2014

Advances in Cryptology – EUROCRYPT 2014

Self Cite

View full text Add to dashboard Cite

Non-malleable codes, defined by Dziembowski, Pietrzak and Wichs (ICS '10), provide roughly the following guarantee: if a codeword c encoding some message x is tampered to c = f (c) such that c = c, then the tampered message x contained in c reveals no information about x. Nonmalleable codes have applications to immunizing cryptosystems against tampering attacks and related-key attacks.One cannot have an efficient non-malleable code that protects against all efficient tampering functions f . However, in this work we show "the next best thing": for any polynomial bound s given a-priori, there is an efficient non-malleable code that protects against all tampering functions f computable by a circuit of size s. More generally, for any family of tampering functions F of size |F| ≤ 2 s , there is an efficient non-malleable code that protects against all f ∈ F. The rate of our codes, defined as the ratio of message to codeword size, approaches 1. Our results are information-theoretic and our main proof technique relies on a careful probabilistic method argument using limited independence. As a result, we get an efficiently samplable family of efficient codes, such that a random member of the family is non-malleable with overwhelming probability. Alternatively, we can view the result as providing an efficient non-malleable code in the "common reference string" (CRS) model.We also introduce a new notion of non-malleable key derivation, which uses randomness x to derive a secret key y = h(x) in such a way that, even if x is tampered to a different value x = f (x), the derived key y = h(x ) does not reveal any information about y. Our results for non-malleable key derivation are analogous to those for non-malleable codes.As a useful tool in our analysis, we rely on the notion of "leakage-resilient storage" of Davì, Dziembowski and Venturi (SCN '10) and, as a result of independent interest, we also significantly improve on the parameters of such schemes.

show abstract

Section: Related Workmentioning

confidence: 99%

Efficient Non-malleable Codes and Key-Derivation for Poly-size Tampering Circuits

Faust

Mukherjee

Venturi

et al. 2014

Advances in Cryptology – EUROCRYPT 2014

Self Cite

View full text Add to dashboard Cite

show abstract

“…The bending set B ⊆ X is the set of all high queries f such that w f exists and d H (w f ,c) > αn. 10 It is readily verified that H 2 is a parallel stateless self-destruct game (cf. Definition 6) that behaves according to g, and that H 1 is its B-bending.…”

Section: Hybridsmentioning

confidence: 98%

“…This variant, introduced in [10], allows arbitrarily many queries to the decryption oracle, but each of them may consist of a single ciphertext only, i.e., q arbitrary (denoted by q = * ) and p = 1. Once more, set G Π,ind-sda…”

Section: Definitionmentioning

confidence: 99%

See 1 more Smart Citation

Non-Malleable Encryption: Simpler, Shorter, Stronger

Coretti

Dodis

Tackmann

et al. 2015

Theory of Cryptography

Self Cite

View full text Add to dashboard Cite

In a seminal paper, Dolev et al. [15] introduced the notion of non-malleable encryption (NM-CPA). This notion is very intriguing since it suffices for many applications of chosen-ciphertext secure encryption (IND-CCA), and, yet, can be generically built from semantically secure (IND-CPA) encryption, as was shown in the seminal works by Pass et al. [29] and by Choi et al. [9], the latter of which provided a black-box construction. In this paper we investigate three questions related to NM-CPA security:1. Can the rate of the construction by Choi et al. of NM-CPA from IND-CPA be improved? 2. Is it possible to achieve multi-bit NM-CPA security more efficiently from a single-bit NM-CPA scheme than from IND-CPA? 3. Is there a notion stronger than NM-CPA that has natural applications and can be achieved from IND-CPA security?We answer all three questions in the positive. First, we improve the rate in the construction of Choi et al. by a factor O(λ), where λ is the security parameter. Still, encrypting a message of size O(λ) would require ciphertext and keys of size O(λ 2 ) times that of the IND-CPA scheme, even in our improved scheme. Therefore, we show a more efficient domain extension technique for building a λ-bit NM-CPA scheme from a single-bit NM-CPA scheme with keys and ciphertext of size O(λ) times that of the NM-CPA one-bit scheme. To achieve our goal, we define and construct a novel type of continuous non-malleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural "encode-then-encrypt-bit-by-bit" approach to work.Finally, we introduce a new security notion for public-key encryption (PKE) that we dub nonmalleability under (chosen-ciphertext) self-destruct attacks (NM-SDA). After showing that NM-SDA is a strict strengthening of NM-CPA and allows for more applications, we nevertheless show that both of our results-(faster) construction from IND-CPA and domain extension from one-bit scheme-also hold for our stronger NM-SDA security. In particular, the notions of IND-CPA, NM-CPA, and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA security.

show abstract

“…Recently, they also found application to computational cryptography Full version of this paper available at http://eprint.iacr.org/2016/397 (e.g. construction of non-malleable commitments [AGM + 15b], domain extension for public-key encryption schemes [CMTV15,CDTV16]). Roughly speaking, a coding scheme (Enc, Dec) is non-malleable with respect to the tampering function f if decoding f (Enc(m)) produces the original message m or a value m (eventually ⊥) completely unrelated with m. Moreover, the probability of which one of these two events happens is also independent of m. As an illustration of the notion, consider a key that is stored in a device.…”

Section: Introductionmentioning

confidence: 99%

Linear-Time Non-Malleable Codes in the Bit-Wise Independent Tampering Model

Cramer

Damgård

Döttling

et al. 2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Non-malleable codes were introduced by Dziembowski et al. (ICS 2010) as coding schemes that protect a message against tampering attacks. Roughly speaking, a code is non-malleable if decoding an adversarially tampered encoding of a message m produces the original message m or a value m (eventually ⊥) completely unrelated with m. It is known that non-malleability is possible only for restricted classes of tampering functions. Since their introduction, a long line of works has established feasibility results of non-malleable codes against different families of tampering functions. However, for many interesting families the challenge of finding "good" non-malleable codes remains open. In particular, we would like to have explicit constructions of non-malleable codes with high-rate and efficient encoding/decoding algorithms (i.e. low computational complexity). In this work we present two explicit constructions: the first one is a natural generalization of the work of Dziembowski et al. and gives rise to the first constant-rate non-malleable code with linear-time complexity (in a model including bit-wise independent tampering). The second construction is inspired by the recent works about non-malleable codes of Agrawal et al. (TCC 2015) and of Cheraghchi and Guruswami (TCC 2014) and improves the previous result in the bit-wise tampering model: it builds the first non-malleable codes with linear-time complexity and optimal-rate (i.e. rate 1 − o(1)).

show abstract

From Single-Bit to Multi-bit Public-Key Encryption via Non-malleable Codes

Cited by 53 publications

References 48 publications

Efficient Non-malleable Codes and Key-Derivation for Poly-size Tampering Circuits

Efficient Non-malleable Codes and Key-Derivation for Poly-size Tampering Circuits

Non-Malleable Encryption: Simpler, Shorter, Stronger

Linear-Time Non-Malleable Codes in the Bit-Wise Independent Tampering Model

Contact Info

Product

Resources

About