Non-Malleable Codes for Space-Bounded Tampering

Faust, Sebastian; Hostáková, Kristina; Mukherjee, Pratyay; Venturi, Daniele

doi:10.1007/978-3-319-63715-0_4

Cited by 23 publications

(7 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several constructions of non-malleable codes in the split-state model appeared in the literature, both for the information-theoretic [32,31,3,20,4,2,14,5,48,49,17] and computational setting [50,36,24,1,46,52,23]. Non-malleable codes exist also for several other models besides split-state tampering, including bit-wise independent tampering and permutations [20,6,7,22,21], circuits of polynomial size [32,19,38,39], constant-state tampering [18], block-wise tampering [13], space-bounded algorithms [35,9], bounded-depth circuits [8,16], and partial functions [47].…”

Section: Further Related Workmentioning

confidence: 99%

Continuously non-malleable codes with split-state refresh

Faonio

Nielsen

Simkin

et al. 2019

Theoretical Computer Science

Self Cite

View full text Add to dashboard Cite

Non-malleable codes for the split-state model allow to encode a message into two parts, such that arbitrary independent tampering on each part, and subsequent decoding of the corresponding modified codeword, yields either the same as the original message, or a completely unrelated value. Continuously non-malleable codes further allow to tolerate an unbounded (polynomial) number of tampering attempts, until a decoding error happens. The drawback is that, after an error happens, the system must self-destruct and stop working, otherwise generic attacks become possible.In this paper we propose a solution to this limitation, by leveraging a split-state refreshing procedure. Namely, whenever a decoding error happens, the two parts of an encoding can be locally refreshed (i.e., without any interaction), which allows to avoid the self-destruct mechanism in some applications. Additionally, the refreshing procedure can be exploited in order to obtain security against continual leakage attacks. We give an abstract framework for building refreshable continuously non-malleable codes in the common reference string model, and provide a concrete instantiation based on the external Diffie-Hellman assumption.Finally, we explore applications in which our notion turns out to be essential. The first application is a signature scheme tolerating an arbitrary polynomial number of split-state tampering attempts, without requiring a self-destruct capability, and in a model where refreshing of the memory happens only after an invalid output is produced. This circumvents an impossibility result from a recent work by Fuijisaki and Xagawa (Asiacrypt 2016). The second application is a compiler for tamper-resilient read-only RAM programs. In comparison to other tamper-resilient RAM compilers, ours has several advantages, among which the fact that, in some cases, it does not rely on the self-destruct feature.Unfortunately, we cannot generalize the above proof strategy to multiple rounds. Indeed, Faust et al. exploit the fact that the leakage-resilient storage scheme remains secure even when the adversary is allowed to obtain one half of the encoding in full. Clearly, after that, the adversary is not allowed to leak further from the other half of the codeword. In our case, we would need to repeat the above trick again and again, in particular after each decoding error (and subsequent refresh of the target encoding) happens; however, once the reduction obtains one half of the codeword it cannot ask leakage queries anymore, so that it is unclear how to complete the proof. We give a solution to this problem by relying on a simple informationtheoretic observation.Let (X 0 , X 1 ) be two random variables, and consider a process that interleaves the computation of a sequence of leakage functions g 1 , g 2 , g 3 , . . . from X 0 and from X 1 . The process continues until, for some index i ∈ N, we have that g i (X 0 ) = g i (X 1 ). We claim that g i (X 0 ) := g 1 (X 0 ), g 2 (X 0 ), · · · , g i−1 (X 0 ) do not reveal more information about X 0 than what ...

show abstract

Section: Further Related Workmentioning

confidence: 99%

Continuously non-malleable codes with split-state refresh

Faonio

Nielsen

Simkin

et al. 2019

Theoretical Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Faust et al [FHMV17] gave constructions of (a weaker notion of) non-malleable codes against space-bounded tampering in the random oracle model.…”

Section: Related Workmentioning

confidence: 99%

Non-Malleable Codes for Small-Depth Circuits

Ball

Dachman-Soled

Guo

et al. 2018

2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS)

View full text Add to dashboard Cite

We construct efficient, unconditional non-malleable codes that are secure against tampering functions computed by small-depth circuits. For constant-depth circuits of polynomial size (i.e. AC 0 tampering functions), our codes have codeword length n = k 1+o(1) for a k-bit message. This is an exponential improvement of the previous best construction due to Chattopadhyay and Li (STOC 2017), which had codeword length 2 O( √ k) . Our construction remains efficient for circuit depths as large as Θ(log(n)/ log log(n)) (indeed, our codeword length remains n ≤ k 1+ε ), and extending our result beyond this would require separating P from NC 1 .We obtain our codes via a new efficient non-malleable reduction from small-depth tampering to split-state tampering. A novel aspect of our work is the incorporation of techniques from unconditional derandomization into the framework of non-malleable reductions. In particular, a key ingredient in our analysis is a recent pseudorandom switching lemma of Trevisan and Xue (CCC 2013), a derandomization of the influential switching lemma from circuit complexity; the randomness-efficiency of this switching lemma translates into the rate-efficiency of our codes via our non-malleable reduction. * marshall@cs.columbia.edu, Columbia University.

show abstract

“…A number of constructions also aim for additional properties, such as having efficient refreshing mechanisms that allow to update an existing codeword to a new one (decoding to the same message) without the need for decoding [FN17]. Some constructions also specifically focus on computationally restricted adversaries, either in terms of time or space complexity (e.g., [FHMV17,BDSKM17]).…”

Section: Related Workmentioning

confidence: 99%

Short Non-Malleable Codes from Related-Key Secure Block Ciphers

Fehr

Karpman

Mennink

2018

ToSC

View full text Add to dashboard Cite

A non-malleable code is an unkeyed randomized encoding scheme that offers the strong guarantee that decoding a tampered codeword either results in the original message, or in an unrelated message. We consider the simplest possible construction in the computational split-state model, which simply encodes a message m as k||Ek(m) for a uniformly random key k, where E is a block cipher. This construction is comparable to, but greatly simplifies over, the one of Kiayias et al. (ACM CCS 2016), who eschewed this simple scheme in fear of related-key attacks on E. In this work, we prove this construction to be a strong non-malleable code as long as E is (i) a pseudorandom permutation under leakage and (ii) related-key secure with respect to an arbitrary but fixed key relation. Both properties are believed to hold for “good” block ciphers, such as AES-128, making this non-malleable code very efficient with short codewords of length |m|+2τ (where τ is the security parameter, e.g., 128 bits), without significant security penalty.

show abstract

Non-Malleable Codes for Space-Bounded Tampering

Cited by 23 publications

References 41 publications

Continuously non-malleable codes with split-state refresh

Continuously non-malleable codes with split-state refresh

Non-Malleable Codes for Small-Depth Circuits

Short Non-Malleable Codes from Related-Key Secure Block Ciphers

Contact Info

Product

Resources

About