Non-Malleable Encryption: Simpler, Shorter, Stronger

Coretti, Sandro; Dodis, Yevgeniy; Tackmann, Björn; Venturi, Daniele

doi:10.1007/978-3-662-49096-9_13

Cited by 37 publications

(29 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this paper, we focus only on the "default flavor" of continuous non-malleability. This in contrast to previous work on continuously nonmalleable codes (except [20,19,28]), which instead by default considered continuous super non-malleability. While the notion we consider is strictly weaker than continuous strong or super non-malleability, to the best of our knowledge, it is sufficient for all known applications of continuously non-malleable codes, in particular [30,31,20,19,28].…”

Section: Continuous Non-malleabilitymentioning

confidence: 89%

“…The more general case of continuous non-malleability was introduced by Faust et al [30], with the goal of guaranteeing non-malleability even after multiple (adaptively chosen) tampering attempts; that is, the adversary is allowed to choose the tampering functions to apply in the next round based on the answers obtained in the previous rounds. As pointed out also in [30], continuously non-malleable codes (CNMCs) are arguably the most natural generalization of standard NMCs, and allow to significantly strengthen their applications [31,20,19].…”

Section: Continuous Non-malleabilitymentioning

confidence: 99%

“…Only a few constructions of continuously non-malleable codes are known (besides the already mentioned constructions of [30,28]). In particular, continuous non-malleability is known to be achievable in the informationtheoretic setting, for the simpler cases of bit-wise independent tampering [20,19] (where each bit of the codeword is tampered independently), and constant-state tampering [5]. Jafargholi and Wichs [36] obtain different flavors of continuous non-malleability for the case of tampering functions with high min-entropy or few fixed points.…”

Section: Additional Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

Ostrovsky

Persiano

Venturi

et al. 2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

At ICS 2010, Dziembowski, Pietrzak and Wichs introduced the notion of non-malleable codes, a weaker form of error-correcting codes guaranteeing that the decoding of a tampered codeword either corresponds to the original message or to an unrelated value. The last few years established non-malleable codes as one of the recently invented cryptographic primitives with the highest impact and potential, with very challenging open problems and applications. In this work, we focus on so-called continuously non-malleable codes in the split-state model, as proposed by Faust et al. (TCC 2014), where a codeword is made of two shares and an adaptive adversary makes a polynomial number of attempts in order to tamper the target codeword, where each attempt is allowed to modify the two shares independently (yet arbitrarily). Achieving continuous non-malleability in the split-state model has been so far very hard. Indeed, the only known constructions require strong setup assumptions (i.e., the existence of a common reference string) and strong complexity-theoretic assumptions (i.e., the existence of non-interactive zero-knowledge proofs and collision-resistant hash functions). As our main result, we construct a continuously non-malleable code in the split-state model without setup assumptions, requiring only one-toone one-way functions (i.e., essentially optimal computational assumptions). Our result introduces several new ideas that make progress towards understanding continuous non-malleability, and shows interesting connections with protocol-design and proof-approach techniques used in other contexts (e.g., look-ahead simulation in zero-knowledge proofs, non-malleable commitments, and leakage resilience).

show abstract

Section: Continuous Non-malleabilitymentioning

confidence: 89%

Section: Continuous Non-malleabilitymentioning

confidence: 99%

Section: Additional Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

Ostrovsky

Persiano

Venturi

et al. 2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Several constructions of non-malleable codes in the split-state model appeared in the literature, both for the information-theoretic [32,31,3,20,4,2,14,5,48,49,17] and computational setting [50,36,24,1,46,52,23]. Non-malleable codes exist also for several other models besides split-state tampering, including bit-wise independent tampering and permutations [20,6,7,22,21], circuits of polynomial size [32,19,38,39], constant-state tampering [18], block-wise tampering [13], space-bounded algorithms [35,9], bounded-depth circuits [8,16], and partial functions [47].…”

Section: Further Related Workmentioning

confidence: 99%

Continuously non-malleable codes with split-state refresh

Faonio

Nielsen

Simkin

et al. 2019

Theoretical Computer Science

Self Cite

View full text Add to dashboard Cite

Non-malleable codes for the split-state model allow to encode a message into two parts, such that arbitrary independent tampering on each part, and subsequent decoding of the corresponding modified codeword, yields either the same as the original message, or a completely unrelated value. Continuously non-malleable codes further allow to tolerate an unbounded (polynomial) number of tampering attempts, until a decoding error happens. The drawback is that, after an error happens, the system must self-destruct and stop working, otherwise generic attacks become possible.In this paper we propose a solution to this limitation, by leveraging a split-state refreshing procedure. Namely, whenever a decoding error happens, the two parts of an encoding can be locally refreshed (i.e., without any interaction), which allows to avoid the self-destruct mechanism in some applications. Additionally, the refreshing procedure can be exploited in order to obtain security against continual leakage attacks. We give an abstract framework for building refreshable continuously non-malleable codes in the common reference string model, and provide a concrete instantiation based on the external Diffie-Hellman assumption.Finally, we explore applications in which our notion turns out to be essential. The first application is a signature scheme tolerating an arbitrary polynomial number of split-state tampering attempts, without requiring a self-destruct capability, and in a model where refreshing of the memory happens only after an invalid output is produced. This circumvents an impossibility result from a recent work by Fuijisaki and Xagawa (Asiacrypt 2016). The second application is a compiler for tamper-resilient read-only RAM programs. In comparison to other tamper-resilient RAM compilers, ours has several advantages, among which the fact that, in some cases, it does not rely on the self-destruct feature.Unfortunately, we cannot generalize the above proof strategy to multiple rounds. Indeed, Faust et al. exploit the fact that the leakage-resilient storage scheme remains secure even when the adversary is allowed to obtain one half of the encoding in full. Clearly, after that, the adversary is not allowed to leak further from the other half of the codeword. In our case, we would need to repeat the above trick again and again, in particular after each decoding error (and subsequent refresh of the target encoding) happens; however, once the reduction obtains one half of the codeword it cannot ask leakage queries anymore, so that it is unclear how to complete the proof. We give a solution to this problem by relying on a simple informationtheoretic observation.Let (X 0 , X 1 ) be two random variables, and consider a process that interleaves the computation of a sequence of leakage functions g 1 , g 2 , g 3 , . . . from X 0 and from X 1 . The process continues until, for some index i ∈ N, we have that g i (X 0 ) = g i (X 1 ). We claim that g i (X 0 ) := g 1 (X 0 ), g 2 (X 0 ), · · · , g i−1 (X 0 ) do not reveal more information about X 0 than what ...

show abstract

“…Recently, they also found application to computational cryptography Full version of this paper available at http://eprint.iacr.org/2016/397 (e.g. construction of non-malleable commitments [AGM + 15b], domain extension for public-key encryption schemes [CMTV15,CDTV16]). Roughly speaking, a coding scheme (Enc, Dec) is non-malleable with respect to the tampering function f if decoding f (Enc(m)) produces the original message m or a value m (eventually ⊥) completely unrelated with m. Moreover, the probability of which one of these two events happens is also independent of m. As an illustration of the notion, consider a key that is stored in a device.…”

Section: Introductionmentioning

confidence: 99%

Linear-Time Non-Malleable Codes in the Bit-Wise Independent Tampering Model

Cramer

Damgård

Döttling

et al. 2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Non-malleable codes were introduced by Dziembowski et al. (ICS 2010) as coding schemes that protect a message against tampering attacks. Roughly speaking, a code is non-malleable if decoding an adversarially tampered encoding of a message m produces the original message m or a value m (eventually ⊥) completely unrelated with m. It is known that non-malleability is possible only for restricted classes of tampering functions. Since their introduction, a long line of works has established feasibility results of non-malleable codes against different families of tampering functions. However, for many interesting families the challenge of finding "good" non-malleable codes remains open. In particular, we would like to have explicit constructions of non-malleable codes with high-rate and efficient encoding/decoding algorithms (i.e. low computational complexity). In this work we present two explicit constructions: the first one is a natural generalization of the work of Dziembowski et al. and gives rise to the first constant-rate non-malleable code with linear-time complexity (in a model including bit-wise independent tampering). The second construction is inspired by the recent works about non-malleable codes of Agrawal et al. (TCC 2015) and of Cheraghchi and Guruswami (TCC 2014) and improves the previous result in the bit-wise tampering model: it builds the first non-malleable codes with linear-time complexity and optimal-rate (i.e. rate 1 − o(1)).

show abstract

Non-Malleable Encryption: Simpler, Shorter, Stronger

Cited by 37 publications

References 30 publications

Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

Continuously non-malleable codes with split-state refresh

Linear-Time Non-Malleable Codes in the Bit-Wise Independent Tampering Model

Contact Info

Product

Resources

About