Non-Malleable Codes with Split-State Refresh

(1)

Non-Malleable Codes with Split-State Refresh

Antonio Faonio and Jesper Buus Nielsen Aarhus University

(2)

1 Introduction

Non-malleable codes (NMCs) are a natural relaxation of the notions of error correcting codes and error detecting codes, which tolerates more attacks by relaxing the security guarantees. An error correcting code guarantees that the encoded message is always correctly decoded. The price for this guarantee is that the code can tolerate only limited attacks, e.g., that some small constant fraction of the codeword is tampered with. An error detecting code decodes either the correct message or returns some special symbol ⊥signalling an error. They can tolerate more general attacks, e.g., that some larger constant fraction of the codeword is tampered with. A NMC only guarantees that either the encoded message is correctly decoded or the decoder outputs a message which is unrelated to the encoded message. This weak guarantee allows much more general tampering. It is for instance possible to tolerate tampering that modifies the entire codeword.

Despite the weaker security guarantee, NMCs can be used to protect against physical attacks. Consider a physical deviceDwith an embedded secret keyK. For instance a signature card which on inputmoutputsσ=Sign_K(m). Assume the device might fall into the hands of an adversary that can apply a physical attack on the device to tamper withK, producing a different but related keyK0. Now, on inputmthe device outputs σ=SignK0(m). We would like to ensure that the adversary cannot learn any information aboutK from seeingSignK0(m). LetEncodeandDecode denote the encoding and decoding algorithms of a NMC. Consider now a deviceD˜ on which we store an encoded keyX ← Encode(K). On input mthe device outputsσ = SignDecode(X)(m). We callD˜ the strengthened device. In face of a tampering with the key the strengthened device outputsσ=Sign_Decode₍_X0₎(m). The value ofDecode(X0)will either beKor an unrelated keyK0. NMC security guarantees that whenK0is an unrelated key, then the adversary could in fact have computedK0itself without any access toK. It follows that the adversary either learns a correct signatureσ=Sign_K(m)or a valueσ=Sign_K0(m) it could have computed itself without access to the device. This ensures that tampering does not result in information leaking from the device.

(3)

It is clear that we need to put some restriction on the tampering function. If the adversary submits the functionT(X) =Encode(Decode(X) + 1)the simulator would have to outputm+ 1without knowingm. The most popular way to restrict the tampering functions is to assume the split-state model (STM), which was first used to get leakage-resilient cryptography (see Dziembowski et al.[21]). In this model we assume that the encodingX consists of two partsX = (X0, X1)stored on two separate storage devices or seperate parts of a chip. The assumption is that the adversary can only tamper independently with the two parts, i.e., in the model it submits tampering functions T = (T0_{, T}1₎_{and the result of tampering is}_(X00_{, X}01_{) = (T}0_(X0_{), T}1_(X1_{)). This is} also the model we consider in this paper. In the split state model it is possible to construct codes which tolerates arbitrary tampering, except that the two parts must be tampered independently.

Unfortunately NMC security is not sufficient for device strengthening if the adversary can repeatedly tamper with the device. To see this assume for simplicity that the encoding has the property that if a single bit is flipped in an encodingX, thenDecode(X0_{) =}_⊥. Consider then the tampering functionOiwhich overwrites thei’th bit inXby0. Each

Oiis allowed in the split-state model. Now,Decode(Oi(X)) = ⊥if and only if the

i’th bit ofXis1. Hence by applyingO1, . . . , O|X|an adversary can learnXand then compute m = Decode(X). This means that if the code is secure then by definition the simulator can also computem, which it cannot. Let us call the above attack the fail-or-not attack.

Two different ways to circumvent the fail-or-not attack has been proposed in the literature. In [33] Liu and Lysyanskaya propose that the strengthened device whenever it reconstructed the keyK=Decode(X)resamples a new encodingX0←Encode(K) and overridesXbyX0on the storage medium. This way the adversary gets to tamper with each fresh encoding only once and the NMC assumption is sufficient. In [24] Faustet al.propose a model where the encodingXremains the same in all tamperings. Instead the authors assume that the strengthened device self destructs when it detects that Decode(X) =⊥. In the fail-or-not attack the adversary is using failure or not to leak information on the encodingX. If the device self destructs on failure this can however only be exploited to leak logarithmic many bits, namely in which round of tampering the self destruction happened. The authors in [24] then use a code which can tolerate limited leakage on the two halves of the encoding and constructs the code such that computing in which round the device would have self-destructed can be done using only limited independent leakage from the two halves, reducing tampering to leakage, an idea we use in our new code too.

(4)

Our Contributions We propose a new model in line with [33]. In particular we do not assume the device can self destruct and we use refreshing to protect against the fail-or-not attack. We propose two extra requirements on the refreshing which we motivate below. First, we want the refreshing to be split-state, i.e., the refreshing algorithm should be of the formRefresh(X) = (Refresh0(X0),Refresh1(X1)). Second, the code should tolerate multiple tampering attacks in between refreshes.

To motivate the model, imagine the following application for strengthening a device. The partsX0_and_X1_{are placed in separate storages. When the key is needed the device} computesK=Decode(X)and outputsSign_K(m). In addition to this, occasionally the device will read up a partXiand write backX0i=Refresh(Xi). The refreshing of the parts might also be done by separate processes sitting in the storage device of the part, as opposed to the circuitry doing the decoding. The practical motivation is as follows. In all existing codes the encoding process is considerably more complex than the decoding process. For instance encoding necessarily needs cryptographic strength randomness, whereas decoding can be deterministic. It could therefore be much harder to create a leakage and tamper free implementation ofEncode. Also, refreshing by decoding and re-encoding is unnecessarily risky as (real-world) leakage from this process could be leakage on the decoded keyK.

Notice on the other hand that if a partial refreshingX0i=Refresh(Xi)is tampered with, then it can simply be considered just another tampering attack onXiin the split state model. In the same way, if a partial refreshingX_i0 =Refresh(Xi)is leaky, then it

can simply be considered just another leakage attack onXiin the split state model. For

this to be true it is important that the refreshing is split state, motivating our first extra requirement. As a consequence, if only occasionally the refreshing succeeds in being tamper and leakage free, all the failed attempts can be recast as tamper and leakage attacks. This means the code remains secure if it can tolerate several tamper and leakage attacks in between refreshes, motivating our second extra requirement. Notice that for this to be true, the security of the code should not depend on the two parts being refreshed at the same time. We can only assume that each part occasionally gets refreshed.

Our model works as follows. The adversary submits to the game a messagem and the game samples(X0_{, X}1₎ _← _Encode_{(m). The adversary can then repeatedly} submit leakage or tamper queries. In a leakage query the adversary submits(i, L)and is givenR=L(Xi_{). In a tampering query the adversary submits}_(T0_{, T}1₎_{and is given} m0 = Decode(T0_(X0_{), T}1_(X1_)).1 _{The adversary can also make a refresh query by}

submitting an indexjto the game. Then the game refreshes the corresponding part: Ej_←_Refresh

j(Ej). We give a simulation-based security definition. The simulator is

not givenm. To simulate a leakage query the simulator is given(j, L)and must return some valueRto the adversary. To simulate a tampering query the simulator is given (T0_{, T}1₎_{and must return some value}_m0_{, where}_m0₌_∗_{is replaced with}_m0₌_m_before m0is returned to the adversary. To simulate a refresh query the simulator is givenjand has to return nothing. The adversary must not be able to tell whether it is interacting

(5)

with the real world or the simulator. The only restriction on the adversary is that the length of the leakage and the number of tampering attacks in between refreshes must be limited. For any polynomialsp(κ), q(κ)we construct a code that can toleratep(κ)bits of leakage andq(κ)many tampering attacks in between successful refreshes.

Our definition isnot strongaccording to the notions of Non-Malleable Codes given in the original paper [20]. In the security experiment of the strong NMCs the adversary receives either the entire tampered codeword (as opposed to receive the decoded message of the tampered codeword) or∗in case that the tampering function keeps the codeword unaltered. The goal of the adversary is to distinguish the codewords of two different message given the result of the tampering function. However, such definition cannot be met in presence of a split-state refresh algorithm. In fact the adversary could forward, as tampering function, the refreshing function itself and receives a valid codeword (since it won’t be the same codeword). Given the codeword, it can easily distinguish by decoding.

Our techniques borrow ideas from both [33] and [24]. InX1_{we will keep a secret} keysk for a public-key encryption scheme. InX0 _{we will keep the corresponding} public keypk=PK(sk), an encryptionc=Enc(pk, m)of the encoded message and a simulation-sound NIZK proof of knowledgeπof somesksuch thatpk =PK(sk)using cas a label. Decoding will check the proof and if it is correct andsk matchespk. If so, it outputsDec(sk0, c). To tolerate leakage and to allow refreshing we use a leakage resilient encryption scheme which allows to refreshsk andcindependently. The public keypkinX1will never be refreshed, which is secure aspkmight in fact be public. To allow the proof of knowledge to be refreshed we use a non-malleable proof with some controlled malleability. We give a concrete instantiation of this framework based on the Continual Leakage-Resilient scheme of Dodiset al.[18] and the Controlled-Malleable NIZK system of Chaseet al.[10] instantiated with Groth-Sahai proofs [29].

The structure of the encoding scheme is very similar to the one proposed by [33], however there are few substantial differences: 1. We substitute the PKE and the NIZK scheme with cryptographic primitives that allow efficient refresh mechanisms; 2. The NP relationship of the NIZK is different. (In fact, it is inspired by the scheme of [24].)

(6)

enough for the leakage needed to simulate tampering to not grow about the leakage tolerance of the encryption scheme.

In [18], it was shown that Continually Leakage-Resilient Codes with Split-State Refresh are impossible to construct without computational assumptions. The result holds even when the leakage between each updates is 1 bit. It is easy to see that the same result holds for Non-Malleable Codes with Split-State Refresh. (This is because a tampering attack corresponds at least to 1 bit of leakage.)

More Related Work. Non-Malleable Codes were introduced to achieve tamper-proof security of arbitrary cryptographic primitives. Since their introduction many works have constructed NMCs in different models both under cryptographic assumptions or information theoretically (see [19,1,2,12,25,15,31,3,37]).

A related line of work on tamper resilience (see [30,26,32,14]) aims at constructing secure compilers protecting against tampering attacks targeting the computation carried out by a cryptographic device (typically in the form of boolean and arithmetic circuits). A third line of work on tamper resilience instead aims at constructing ad hoc solutions for different contexts like for example symmetric encryption [6,35,27], public-key encryption [5,38,7,34,23,16,17], hash functions [28] and more [8,37,13].

Roadmap. In the following we will first introduce some known notation and abstract definitions of the properties we need from the primitives in the abstract framework. Then we describe and prove the abstract framework, followed by an instantiation based on External Diffie-Hellman assumption [4,9]. At the end we will present the application to continual-tamper-and-leakage resilient cryptography in more details.

2 Preliminaries

2.1 Notation and Probability Preliminaries

We let_Ndenote the naturals and_Rdenote the reals. Fora, b∈_R, we let[a, b] ={x∈ R : a≤x≤b}; fora∈Nwe let[a] ={0,1, . . . , a}. Ifxis a bit-string, we denote its length by|x|and for anyi≤ |x|we denote withx(i)thei-th bit ofx; IfXis a set, |X |represents the number of elements inX. Whenxis chosen randomly inX, we write x←$X. WhenAis an algorithm, we writey ←A(x)to denote a run ofAon input xand outputy; ifAis randomized, thenyis a random variable andA(x;r)denotes a run ofAon inputxand randomnessr. An algorithmAisprobabilistic polynomial-time (PPT) ifAis allowed to use random choices and the computation ofA(x;r)terminates in at mostpoly(|x|)steps for any inputx∈ {0,1}∗_{and randomness}_r_{∈ {0,}_1}∗_.

Letκbe a security parameter. A functionnegl is callednegligibleinκ(or simply negligible) if it vanishes faster than the inverse of any polynomial inκ. For a relation R ⊆ {0,1}∗× {0,1}∗, the language associated withRisLR={x:∃ws.t.(x, w)∈ R}.

For two ensemblesX ={Xκ}κ∈N,Y ={Yκ}κ∈N, we writeX c

≈Y, meaning that

every probabilistic polynomial-time distinguisherDhas(κ)advantage in distinguishing XandY, i.e.,1

(7)

We simply writeX ≈ Yc when there exists a negligible functionsuch thatX ≈c

Y. Similarly, we writeX ≈ Y (statistical indistinguishability), meaning that every

unbounded distinguisher has(κ)advantage in distinguishingXandY. Given a stringX = (X1_{, X}2₎_∈_({0,_1}∗₎2 _{and a value}_`_∈

NletO`(X)bethe

split-state leakage oracle.O`(X)accepts as input tuple of the form(i, f)where the first

elementiis an index in{0,1}and the the second elementf is a function defined as a circuit. If the total amount of leakage is below`,O`(X)outputsf1(Xi1)otherwise it

outputs the special symbol⊥. More formally, the oracleO`(X)is a state machine that

maintains state variablesO`(X).l0andO`(X).l1and upon input(i, f)wherefis an

efficiently computable function with co-domain{0,1}o_{for a value}_o_∈

Noutputsf(Xi) if(li₊_o)_≤_`_{and then updates the value}_li_to_li₊_{o, otherwise it outputs the value}_⊥.

Given two PPT interactive algorithmsAandBwe write(y, k)←A(x)B(z)to denote the joint execution of the algorithmAwith inputxand the algorithmBwith input z. The stringy(resp.z) is the output ofA(resp.B) after the interaction. In particular we writeAO`(X)to denoteAhaving oracle access to the leakage oracle with input

X. Moreover, we writeAB,Cto denoteAinteracting in an interleaved fashion both withBand withC.

2.2 Cryptographic Primitives

NIZK Proof of Knowledge. We first introduce the necessary notation forlabel-malleable NIZK (lM-NIZK for short) argument system. A label-malleable NIZK is intuitively a non-malleable NIZK except that from a proof under a given label one can generate a new proof for the same statement under a different label without using the witness. A lM-NIZKN IZK:= (I,P,V,RandProof,LEval)with label spaceLis a tuple of PPT algorithms where: (1) The algorithmIupon input the security parameter1κ_{, creates a}

common reference string (CRS)ω; (2) The prover algorithmPupon inputω, a label L∈ Land a valid instancextogether with a witnesswproduces a proofπ. We write PL(ω, x, w); (3) The verifier algorithmVupon inputω, a labelLan instancextogether with a proofπoutputs a verdict in{0,1}. We writeVL(ω, x, π); (4) The label-derivation algorithmLEvalupon inputω, a transformationφ, a labelLan instancexand a proofπ outputs a new proofπ0_.

Definition 1 (Adaptive multi-theorem zero-knowledge).LetN IZKbe a non-interactive argument system for a relationR. We say thatN IZKsatisfies adaptive multi-theorem zero-knowledge if the following holds:

(i) There exists a PPT algorithmS0that outputs a CRSωand a trapdoorτsim.

(ii) There exist a PPT simulatorS1and a negligible functionν such that, for all PPT adversariesA, we have that

P[A(ω)P(ω,·) = 1|ω←I(1

κ_)]₋

P[A(ω)SIM(τsim,·) = 1|(ω, τsim)←S0(1κ)]

≤ν(κ).

The simulation oracleSIM(τsim,·)takes as input a tuple(L, x, w)and checks if

(x, w)∈ R, and, if true, ignoreswand outputs a simulated argumentS1(τsim, L, x),

(8)

ExperimentExpT −_Ext_,_SlmSE_,_A (κ):

(ω, τsim, τext)←S0(1κ);Q ← ∅; (x∗, L∗, π∗)←A(ω)SIM∗(τsim); (w, φ, L)←Ext1(τext, L∗, x∗, π);

Return(w, φ, L),Q. OracleSIM∗

(τsim,Q):

Upon message(L, x)∈ L ×LR; Q ← Q ∪ {(L, x)};

ReturnS1(τsim, L, x).

ExperimentExpT −N IZKlDP(κ):

ω←I(1κ₎_;_b_←_$_{₀_,₁_}_; (φ, L, x, w, π), st←A(ω); if(x, w)∈ R ∨/ VL₍_{ω, x, π}_{) = 0}

then Return0;

if(b= 0)thenπ0←P(ω, φ(L), x, w); elseπ0←LEval(ω, φ,(x, L, π));

b0←A(st, π0); Return(b=b0).

Fig. 1: Experiments definingT-ml-SE and label derivation privacy ofN IZK.

GivenN IZKthat supports the set of labelsL, we say that a setT is a set of label transformations forN IZKiff for anyφ∈ T the co-domain ofφis a subset ofL.

Definition 2 (T-Malleable Label Simulation Extractability).LetT be a set of label transformations forN IZK. LetN IZKbe a non-interactive argument system for a relationR. We say thatN IZKisT-malleable label simulation extractable(T-ml-SE) if the following holds:

(i) There exists an algorithmS0that outputs a CRSω, a simulation trapdoorτsim, and

an extraction trapdoorτext.

(ii) There exists a PPT algorithmExtsuch that, for all PPT adversariesA, the probabil-ity, taken over the experimentExpT −_Ext,S,AlmSE(as defined in Fig. 1), of the conjunction of the following events is negligible in the security parameterκ:

(a) (L∗, x∗)6∈ QandV(ω, L∗, x∗, π∗) = 1; (b) (x∗, w)6∈ R;

(c) Eitherφ6∈ T or for any(L, x)either(L, x)6∈ Qorφ(L)6=L∗.

Moreover, we say thatAwins theT-lm SE Experiment when all the above events happen.

Definition 3 (Label Derivation Privacy).LetN IZKa lM-NIZK, and letT be a set of label transformations. We say thatN IZKhaslabel derivation privacyif for all PPTA, there exists a negligible functionneglsuch that(PhExpT −_{N IZK}lDP(κ) = 1i−1

2)≤negl(κ) (where the experiment is defined in Fig. 1).

(9)

randomnessr∈ R, and outputs a ciphertextc=Enc(pk, m;r); the set of all ciphertexts is denoted byC. (4) The deterministic algorithmDectakes as input the secret keysk and a ciphertextc, and outputsm=Dec(sk, c)which is either equal to some message m∈ Mor to an error symbol⊥. Additionally, we also consider two PPT algorithms: 1. AlgorithmUpdateCtakes as input a public keypka ciphertextcand outputs a new ciphertextc. 2. AlgorithmUpdateStakes as input a secret keysk and outputs a new secret keysk0.

Correctness (with Updates). We say thatE satisfies correctnessif for all pub ← Setup(1κ₎_and₍_pk_,_sk₎_←_Gen₍_pub₎_{we have that:}

P[Dec(UpdateS(sk),UpdateC(pk,Enc(pk, m))) =m] = 1,

where the randomness is taken over the internal coin tosses of algorithmsEnc,UpdateS andUpdateC. Additionally, we require that for anypk,sk ←Gen(pub): (A) anysk0 such thatPK(sk0) =pkand anyc∈ Cwe have thatDec(sk, c) =Dec(sk0, c); (B) any sk0←UpdateS(sk)we have thatPK(sk) =PK(sk0).

CLRS Friendly PKE Security. We now turn to define Continual-Leakage Resilient Storage Friendly public key encryption.

ExperimentExpclrsE,A(κ, `):

pub←Setup(1κ₎

(pk,sk)←Gen(pub)

b←${0,1};j←1

l0:= 0;l1:= 0

(m0, m1)←A(pub,pk)

if|m0| 6=|m1|setm0←m1

c←Enc(pk, mb)

state0_:=_sk_,_state1_:=_c_;

st←A(pk)Update,O`(state)

b0←A(pk, c)

Return(b0=b)

OracleUpdate(i): O`(state).li:= 0

r0←${0,1}p(κ) if (i= 0)

c=state0

c0←UpdateC(pk, c)

state0:=c0

if (i= 1)

sk=state1

sk0←UpdateS(sk)

state1:=sk0

Fig. 2: Experiment defining CLRS security ofE.

Definition 4. Forκ ∈ _N, let ` = `(κ)be the leakage parameter. We say thatE = (Setup,Gen,Enc,Dec,UpdateC,UpdateS) is `-CLRS Friendly if for all PPT

adver-sariesAthere exists a negligible functionν:N→[0,1]such that

P

h

Expclrs_E,A(κ, `) = 1i−1 2

≤ν(κ),

(10)

We observe that Definition 4 is weaker than the definition of Dodiset al.[18], in fact we do not consider leakage from the update process. We introduce an extra property on the UpdateCalgorithm of a CLRS Friendly PKE.

Definition 5. We say that E is perfectly ciphertext-update private if for any κ ∈ N, pub ← Setup(1κ), (pk,sk) ← Gen(pub) and any m ∈ Mthe distributions {Encode(pk, m)}and{UpdateC(pk,Enc(pk, m))}are equivalent.

IfEis a CLRS Friendly PKE then the weaker version of the property above where the two distributions are computationally indistinguishable already holds. The construction in Section 4 can be proved secure using the computational ciphertext-update privacy property. However, we prefer to include the perfectly ciphertext-update privacy property because it simplifies the exposition.

3 Definition

In this section we consider three definitions of Non-Malleable Codes with Refresh (NMC-R). The syntax given allows the scheme to depends on a common reference string following [33].

A coding scheme in the CRS model is a tupleΣ = (Init,Encode,Decode)of PPT algorithms with the following syntax: (1) Init on input 1κ outputs a common reference stringcrs. (2)Encodeon inputscrsand a messagem∈ MκoutputsX∈ Cκ;

(3)Decode is a deterministic algorithm that on inputscrs and a codewordX ∈ Cκ

decodes tom0 ∈ Mκ. A coding scheme is correct if for anyκand anym∈ Mκwe

havePcrs,re[Decode(crs,Encode(crs, m;re)) =m] = 1.

We consider coding schemes with an efficient refreshing algorithm. Specifically, for a coding scheme Σ there exists an algorithm Rfrshthat upon inputs crs and a codeword X ∈ Cκ outputs a codeword X ∈ Cκ. For correctness we require that

P[Decode(crs,Rfrsh(crs, X)) =Decode(crs, X)] = 1, where the probability is over the randomness used by the algorithms and the generation of the CRS.

We are interested in coding schemes in the split-state model where the two parts can be refreshed independently and without the need of any interactions. Given a codeword X := (X0_{, X}1_{), we consider the procedure} _Rfrsh₍_crs_, _{(i, X}i₎₎_for_i _{∈ {0,}_1} _that

takes thei-th piece of the codeword and outputs a new pieceX0i_{. Abusing of notation,}

given a codewordX := (X0_{, X}1₎_{when we write}_Rfrsh₍_crs_{, X)}_{we implicitly mean} the execution of both Rfrsh(crs,(i, X0))andRfrsh(crs,(i, X1)). Similarly, given a split-state functionT = (T0, T1)we equivalently writeT(X)meaning the application of bothT0(X0)andT1(X1).

We require that for any codewordX := (X0, X1) and for anyi ∈ {0,1}, let ¯

X such thatX¯i _← _Rfrsh₍_crs_,_{(i, X}i₎₎_and _X_¯i−1 ₌ _Xi _then

P[Decode(crs,X) =¯ Decode(crs, X)] = 1.

NMC with Refresh in the STM. We now give the security definition for Non-Malleable Codes with Refresh. Although the definition would be meaningful for a more general setting, for the sake of concreteness, we specialize it for the split-state model. LetIm

(11)

messagemand acts as the identity function otherwise. LetTamperandSimTamper

be the experiments described in Figure 3.

ExperimentTamperA,Σ(κ, `, ρ, τ):

Variablesi, t0_{, t}1

set to0;

crs←Init(1κ);

(m, z)←A0(crs);(m0, st0) := (m, z);

X0:= (X00, X01)←Encode(crs, m0);

foralli < ρ(κ):

(Ti+1, sti+1, j)←A1(mi, sti)O`(Xi),

whereTi+1is a split-state function; ˜

Xi+1:=Ti+1(Xi);

mi+1:=Decode(crs,X˜i+1);

Xi+1:=Xi;

Forj0∈ {0,1}if(tj0 _{> τ}₎_or₍_j0

=j)

X_ij₊₁0 ←Rfrsh(crs,(j0, X_ij0))

SetO`(Xi).lj

0

andtj0to0; Incrementt0_{, t}1

andi; ReturnA2(stp).

ExperimentSimTamperA,S(κ, `, ρ, τ):

Variableiset to0;

(crs,aux)←S0(1κ);

(m, z)←A(crs);(m0, st0) := (m, z);

foralli < ρ(κ):

(Ti+1,sti+1, j)←A1(mi,sti)S2(z); ¯

mi+1←S1(Ti+1, z);

mi+1:=Im0( ¯mi+1);

S3(j, z)

i:=i+ 1; ReturnA2(stp).

Fig. 3: Experiments defining the security of NMC with RefreshΣ. Notice thattj_for

j∈ {0,1}counts the number of rounds since the last refresh ofXj_{. If}_tj_{> τ} _{or if the}

adversary triggers it then a refresh ofXj_{is executed.}

Definition 6 (Non-Malleable Codes with Refresh).For κ ∈ N, let ` = `(κ), ρ = ρ(κ), τ = τ(κ)be parameters. We say that the coding schemeΣis a(`, ρ, τ) -Non-Malleable Code with Refresh (NMC-R) in the split state model if for any adversary A = (A0,A1,A2)where A0 and A2 are a PPT algorithm and A1 is deterministic polynomial time, there exists a PPT simulatorS = (S0,S1,S2,S3)and a negligible functionνsuch that

P

Tamper_A,Σ(κ, `, ρ, τ) = 1

−PSimTamperA,S(κ, `, ρ, τ) = 1

≤ν(κ).

We give some remarks regarding the definition above. The simulatorSis composed of four different partsS0,S1,S2,S3. The algorithmS0upon input1κproduces a CRS toghether with some trapdoor informationaux, the CRS produced and the output ofInit are computational indistinguishable.

For simplicity, we assume that the state informationauxis stored in a common read-and-write memory that the simulatorsS0,S1,S2,S3have access to. We will sometime referee toS1as thetampering simulator, toS2as theleakage simulatorand toS3as the refresh simulator.

(12)

informationzabout the messagemand other information thatA0wants to pass toA1. Notice that we can assume without loss of any generalityA1to be deterministic, in fact, zmay also contain random coins. The tampering simulator, the leakage simulator and the refresh simulator take as input the state informationz. In addition, in each round, the tampering simulatorS1receives a split-state tampering functionTi+1and it outputs a messagem¯i+1. First, we notice that, in general, the tamperingTi+1can be produced as a function of the initial messagem, therefore the simulator (which does not knowm) cannot compute the tampering function by its own, even givenz. Secondly, the adversary can efficiently produce a tampering function that keeps the same encoded message but modifies the codeword (for example, by submitting the refreshing algorithmRfrshas tampering function). The task of the tampering simulator is to detect this (outputting the special symbol∗), in this case the functionImforwards toAthe initial messagem. (We

stress that the simulator does not know the messagem, so it cannot forwardmdirectly toAbut it needs to pass byIm.)

The tamper experiment takes four parameters: the security parameterκ, the leakage parameter`, the round parameterρand the tampering parameter τ. The tampering parameterτcounts how many times the adversary can tamper with the codeword before a refresh of the codeword is needed.

4 Construction

Let E = (Setup,Gen,Enc,Dec,UpdateC,UpdateS)be a CLRS friendly PKE with ciphertext spaceCE. LetRbe theNPrelation defined below:

R:={(pk,sk) : pk =PK(sk),sk ∈ SK}.

LetT be a set of label transformations defined below:

T :={φ : ∃pk,sk:∀m, r:Dec(sk, φ(Enc(pk, m;r)) =m,pk =PK(sk)}.

Notice that bothRandT are implicitly parametrized by the public parameterspubof the PKE scheme. LetU be the following set of label transformations:

U :={UpdateC(pk,·;ru) : ru∈ {0,1}κ,pk∈ PK}.

It is easy to check thatU ⊆ T. In fact, by the correctness of PKE, there existssksuch thatP[Dec(sk,UpdateC(pk,Enc(pk, m)) =m] = 1andpk=PK(sk).

LetN IZK:= (I,P,V,LEval)be a lM-NIZK argument system for the relationR with label spaceCEand set of transformationT. LetΣbe the following coding scheme

with refresh in the CRS model:

– Init(1κ_{): Sample}_ω_←_I₍₁κ₎_and_pub_←_Setup₍₁κ_{). Return}_crs _{= (ω,}_pub_). – Encode(crs, m): Parsecrs = (ω,pub), sample(sk,pk) ← Gen(pub), compute

(13)

– Decode(crs, X): Parsecrs = (ω,pub)andX = (X0_{, X}1₎_where_X1 ₌_sk _and X0_{= (}_pk_{, c, π). Check: (A)}_pk ₌_PK₍_sk₎_{and (B)}_Vc_(ω,_pk_{, π) = 1.}

If both checks (A) and (B) hold then returnDec(sk, c), otherwise return⊥.

– Rfrsh(crs,(j, Xj_)):

– j = 0, parseX0 _{= (c,}_pk_{, π),}_r_←_$_{0,_1}κ_{, compute}_c0 _:=_UpdateC₍_pk_{, c;}_r) andπ0←LEval(ω, UpdateC(pk,·;r), (pk, c, π)), returnX0_{:= (}_pk_{, c}0_{, π}0_). – j= 1, parseX1₌_sk_{and compute}_sk0_←_UpdateS₍_sk_{), return}_X1_{:= (}_sk0_).

Theorem 1. For any polynomialτ(κ), ifEis an`0-CLRS-Friendly PKE scheme (Def. 4) with public key spacePKand message spaceMand where`0(κ) :=`(κ) +τ(κ)· (max(κ+ 1,log(|M|+ 2) + 1,log|PK|))and ifN IZKis an adaptive multi-theorem zero-knowledge (Def. 1) label-malleable non-interactive argument of knowledge system with malleable label simulation extractability (Def. 2) and label derivation privacy (Def. 3) then the scheme above is a(`, ρ, τ)-Non-Malleable Code with Refresh for any polynomialρ(κ).

The leakage rate of the encoding scheme depends on the relation between the size of the proofs of the NIZK system and the parameters of the CLRS Friendly PKE. Roughly, settingτbe a constant, assuming the size of the secret key and the size of the ciphertext of the PKE be approximately the same and letr=|sk|/`be the leakage ratio of the CLRS-Friendly PKE then the leakage ratio of the coding scheme is strictly less than r/(2 + 1/poly(κ)). This comes from the extractability property2_{of the NIZK system}

and theO(κ)-bits of leakage needed to support tampering attacks.

Proof. The correctness follows immediately from the correctness of theEandN IZK andU ⊆ T. The proof of security is divided in two parts. We first define a simulator, then we define a sequence of mental experiments starting with the initialTamper

experiment and proceeding toward theSimTamperexperiment and we prove that the experiments are computationally indistinguishable.

The Simulator. LeteSbe the simulator of theN IZKas postulated by Def. 1. Given an

adversaryA= (A0,A1,A2)consider the following simulatorS= (S0,S1,S2,S3)for theSimTamperexperiment:

SimulatorS0(1κ_):

– Set the variablest0, t1, l0, l1to0.

– Run theN IZKsimulator(ω, τsim, τext)←eS0(1κ).

– Sample(pk,sk)←Gen(pub),c←Enc(pk,0κ)andπ←S˜1(ω, c,pk).

– Set the joint stateauxto(τsim, τext, X0, X1, t0, t1)where(X0, X1) = ((pk, c, π),(sk)).

SimulatorS1(T, z):

– ParseT = (T0_{, T}1₎_and _aux _as_(τ

sim, τext, X0, X1, t0, t1)where (X0, X1) =

((pk, c, π),(sk)). 2

(14)

– ComputeX˜i₌_Ti_(Xi₎_for_i_{∈ {0,}_1}.

– Checkpk˜ =PK( ˜sk)andV˜c_(ω,_pk˜_,_{π) = 1}_˜ _{(check (A) and (B) of}_Decode_), if at least one of the checks fails then return⊥.

– Compute(sk0, φ, c0)←Ext(τext,˜c, pk˜,˜π):

(I) Ifpk˜ =PK(sk0)then outputm˜ =Dec(sk0,˜c); (II) Ifφ(c0) = ˜c,c0 =candT ∈ T return∗; (III) Else abort.

SimulatorS2(z):

– Parseauxas(τsim, τext, X0, X1, t0, t1, l0, l1)where(X0, X1) = ((pk, c, π),(sk)). – Upon message(i, L)wherei∈ {0,1}, computey←L(Xi). Ifli+|y| ≤λthen

updateli:=li+|y|and outputyelse output⊥. SimulatorS3(j, z):

– Parseauxas(τsim, τext, X0, X1, t0, t1, l0, l1)where(X0, X1) = ((pk, c, π),(sk));

Ifj6∈ {0,1}andt0_{, t}1_≤_τ_set_X

i+1:=Xi; Else:

– Ifj= 0or(t0> τ)then computec0←UpdateC(pk, c)andπ0←eS1(τsim, c0,pk)

and resetl0, t0to0;

– Ifj= 1or(t1> τ)then computesk0←UpdateS(sk)and resetl1, t1to0.

– Setauxas(τsim, τext, X00, X01, t0, t1, l0, l1)where(X00, X01) = ((pk, c0, π0),(sk0)).

The Hybrids. We consider a sequence of mental experiments, starting with the initial

Tamperexperiment which for simplicity we denote byG0. We summarize the sequence of mental experiments in Fig 3.

GameG0. This is exactly the game defined by the experimentTamper, whereΣis the coding scheme described above. In particular, theInitalgorithm of Σ sam-ples a CRS ω ← I(1κ₎ _for _{N IZK, a pair} ₍_pk_,_sk

0) ← Gen(pub), encrypts c0 ← Enc(pk, m)and computes π0 ← Pc(ω,pk,sk). The Rfrsh∗ algorithm if Σupon inputj = 0samples randomnessru←${0,1}κ, defines the transforma-tionφu(·) := UpdateC(pk,· ;ru)and computes ci+i := φu(ci) and πi+1 := LEval(ω, φu, (pk, ci, πi)).

GameG1. We change the way the proofsπi+1 are refreshed. For each iterationi ∈ [ρ(κ)], the refresh procedureRfrsh∗upon inputj= 0parsesX0

i as(pk, ci, πi),

sam-ples randomnessru←${0,1}κ, defines the transformationφ_u(·) :=UpdateC(pk,·;r_u), computesci+1←φu(ci)and afreshproof:

πi+1←Pci+1(ω,pk,ski).

Finally, it setsX_i0₊₁:= (pk, ci+1, πi+1).

GameG2. We change the way the CRS for theN IZKand the proofsπiare computed.

Letω, τsim, τext←eS0(1κ)and fori∈[ρ(κ)]ifRfrsh∗is called at thei-th iteration

(15)

G0, G1 , G2 , G3 , G4, G5 , G6 , G7 , G8 , Variablesi, l0_{, l}1_{, t}0_{, t}1_{set to}₀_;

ω←I(1κ); ω, τsim, τext ←eS0(1κ);

pub←E.Setup(1κ₎_;

crs:= (ω,pub);

(m, z)←A0(crs);(m0, st0) := (m, z); pk,sk←KGen(pub);

c0←Encode(pk, m); c0←Encode(pk,0κ);

π0←Pc(ω,pk,sk); π0←eS1(τsim, c0,pk);

X0

0 := (pk, c0, π0);

X01 :=sk0;X0:= (X00, X01);

foralli < ρ(κ):

(Ti+1,sti+1, j)←A1(mi, sti)O`(Xi); ˜

Xi+1:=Ti+1(Xi); ( ˜pk,˜c,π˜),( ˜sk) = ˜Xi+1;

if (V˜c₍_ω,_pk_˜_,_π_˜_{) = 1}_and_PK_{( ˜}_sk_{) = ˜}_pk_{) then}

mi+1:=Dec( ˜sk,˜c);

C:={c0, . . . , ci}; C:={ci}; sk0, φ, c0←Ext(τext,π˜);

if( ˜pk6=PK(sk0))and

(φ(c)6=c0orc06∈Corφ6∈ T); thenAbort

ifpk˜ =PK(sk0)thenmi+1:=Im(Dec(sk0,c˜));

if (φ(c0) = ˜c, c0∈C, φ∈ T)thenmi+1:=Im(∗);

elsemi+1:=⊥;

Xi+1:=Xi;

Forj0∈ {0,1}if(tj0> τ)or(j0=j)

X_ij₊₁0 ←Rfrsh(crs,(j0, X_ij0))

SetO`(Xi).lj

0

, tj0to0; Incrementt0, t1andi; ReturnA2(stρ).

ProcedureRfrsh(crs,(j, X_ij)): ifj= 0then:

(pk, ci, πi) =Xi0;

ru←${0,1}κ;

φu(·) :=UpdateC(pk,·;ru);

ci+1:=φu(ci);

πi+1←LEval(ω, φu, Xi0);

πi+1←Pci+1(ω,pk,sk);

πi+1←eS1(τsim, ci+1,pk);

Xi0+1:= (pk, ci+1, πi+1);

ifj= 1then;

ski=Xi1;

ski+1←UpdateS(ski);

X1

i+1:= (ski+1);

(16)

GameG3. We extract the witness from the proofπ˜and abort if the extraction procedure fails. The game is the same asG2but, for each iterationi, letX˜i+1be the tampered codeword whereX˜i+1= ( ˜pk,c,˜π),˜ ( ˜sk). The game first checks ifV˜c(ω,pk˜,π) = 1˜ and if so then it runs:

sk0, φ, c0←Ext(τext,π).˜

LetCbe the set of ciphertexts produced by the game until thei-th iteration. Namely C := {c0, . . . , ci}. If both the conditions: (i)pk˜ = PK(sk0)and (ii)φ(c0) = ˜c,

c0_∈_C_and_φ_{∈ T} _{do not hold then the game outputs a special symbol}_Abort_.

GameG4. We change the output ofDecodeto match point (I) of the simulatorS1. The game is the same asG3but, for each iterationi∈[ρ(κ)], after the extraction, if the conditionpk˜ =PK(sk0)holds, it sets the messagemi+1:=Im(Dec(sk0,˜c)). GameG5. We change the output ofDecode. The game is the same asG4but, for each

iterationi∈[ρ(κ)], after thei-th extraction, if the conditionsφ(c0) = ˜c,c0 ∈C, whereC={c0, . . . , ci}andφ∈ T hold, it sets the messagemi+1:=Im(∗)(the

original message).

GameG6. We do not decode explicitly anymore. The game is the same asG5but, for each iterationi∈[ρ(κ)], in the execution of the decoding algorithmDecode, we do not execute the instructionmi+1:=Dec( ˜sk,c).˜

GameG7. We change the output ofDecodeto match point (II) of the simulatorS1. The game is the same asG6but, for each iterationi∈[ρ(κ)], after thei-th extraction, let the setCbe redefined as the singleton containing the ciphertext produced after the last refresh, namelyC:={ci}, the game checks that the conditionsφ(c0) = ˜c,

c0 ∈ C (instead ofc0 ∈ {c0, . . . , ci}) andφ ∈ T hold then it sets the message

mi+1:=Im(∗)(the original message).

GameG8. We replace the ciphertextcwith a dummy ciphertext. The game is the same asG7but it setsc←Enc(pk,0κ)(instead ofc←Enc(pk, m)).

It is easy to check thatG8is equivalent to theSimTamperA,S.

Lemma 1. For all PPT adversariesAthere exists a negligible functionν0,1:N→[0,1] such that|P[G0(κ) = 1]−P[G1(κ) = 1]| ≤ν0,1(κ).

Proof. We reduce to label derivation privacy ofN IZKvia an hybrid argument. For any l∈[ρ(κ) + 1], letHyb_lbe the hybrid experiment that executes the same code ofG1 until thel-th iteration (the proofs arenew) and then executes the same code ofG1(the proofs arere-labeled). In particular, for anyl, in the hybridHyb_l, for any0≤i < l the proofπiis computed asPci+1(σ,pk,sk)while fori≥lthe proofπiis computed

asLEval(ω, φu, (pk, ci, πi)). Moreover,Hybρ+1is equivalent toG1whileHyb1is equivalent toG0.

Suppose there exist a PPT adversaryA, an indexl∈[ρ(κ)]and a polynomialp(·) such that, for infinitely many values ofκ∈N, the adversaryAdistinghuishes between

Hyb_landHyb_l₊₁with probability at least1/p(κ).

We can construct an adversaryBthat breaks label derivation privacy. The adversary Bwith inputω ← I(1κ)runs the code of hybridHybl onAuntil thel-th iteration.

(17)

φu(·) :=UpdateC(pk,·;ru)withru←${0,1}κ, and receives back the proofπ0. Notice thatcl:=φu(cl−1).

If the challenge bit isb= 0thenπ0←Pcl_(ω,_pk_,_sk_{), and therefore}_B_perfectly

sim-ulatesHybl+1otherwise ifb= 1thenπ0 ←LEval(ω, φu,(pk, cl−1, πl−1)), therefore

Bperfectly simulatesHybl. ThereforeBcan break label derivation privacy ofN IZK

with advantage1/p(κ).

Proof. We reduce to adaptive multi-theorem zero-knowledge ofN IZK.

Suppose there exist a PPT adversaryAand a polynomialpsuch that, for infinitely many values ofκ∈ N,|P[G1(κ) = 1]−P[G2(κ) = 1]| ≥ 1/p(κ). LetBbe a PPT adversary for the multi-theorem zero-knowledge game that runs the same code ofG2but for anyi, instead of computing the proofπi, forwards to its oracle the query(ci,pk,sk).

The view provided byBtoAis equivalent toG2ifB’s oracle isPand equivalent to

G3ifB’s oracle isSIM(τsim,·). ThereforeBcan break multi-theorem zero-knowledge

ofN IZKwith advantage1/p(κ).

Proof. We reduce to theT-Malleable label simulation extractability ofN IZK. Let Abortbe the event that the gameG3aborts with messageAbort. Notice that the two games proceed exactly the same until the eventAborthappens. Therefore, we have

|P[G2(κ) = 1]−P[G3(κ) = 1]| ≤P[Abort].

Suppose there exist a PPT adversaryAand a polynomialpsuch that, for infinitely many values ofκ∈N,P[Abort]≥1/p(κ), where the probability is over the gameG3with adversaryA.

LetBbe a PPT adversary for the malleable label simulation extractability that runs the same code ofG3but for anyi, instead of computing the proofπi, forwards to its

oracle the query(ci,pk)and, if the event during thei-th iteration the messageAbortis

raised, outputs the valueX˜0

i+1= ( ˜pk,˜c,π). Notice, that the message˜ Abortis raised only if the winning condition of the malleable label simulation extractability experiment are met. Therefore the winning probability ofBis the probability of the eventAbortin

G3.

Lemma 4. _P[G3(κ) = 1] =P[G4(κ) = 1].

Proof. Notice that the two games proceed the same until PK( ˜sk) = PK(sk0) but Dec( ˜sk,c)˜ 6=Dec(sk0,˜c). LetWrongDecbe such event. Then we have

|P[G3(κ) = 1]−P[G4(κ) = 1]| ≤P[WrongDec].

By the correctness ofEwe have that the eventWrongDechas probability0.

(18)

Proof. Notice that two games proceed the same untilφ(ci) = ˜c and φ ∈ T but

Dec(sk0,c)˜ 6= m(the original message). LetNotSamebe such event. Therefore, we have

|P[G3(κ) = 1]−P[G4(κ) = 1]| ≤P[NotSame].

The definition of the setT andφ∈ T together with the fact thatciis an encryption

ofmunderpkandφ(ci) = ˜cimply thatDec(sk0,˜c) =m. In factφ∈ T implies that

Dec(sk, φ(c))decrypts correctly ifcis a valid ciphertext underpkandpk =PK(sk). Therefore, we have that the eventNotSamehas probability0.

Lemma 6. _P[G5(κ) = 1] =_P[G6(κ) = 1].

Proof. G6does not execute the instructionmi+1 :=Dec( ˜sk,c), however notice that˜ already in gameG5either the valuemi+1is overwritten or the game outputsAbort. So the two game are semantically the same.

Proof. We reduce to the CLRS security ofEvia an hybrid argument. Forl ∈ [ρ(κ)] letHyb_l be an hybrid experiment that executes the code ofG6 until the(l−1)-th iteration and, after that, executes the code ofG7. Specifically, for everyi < lthe hybrid

Hyb_l, at thei-th iteration, runs the extractor and checks if the conditionsT0(c) = ˜c, c0 ∈ {c0, . . . , ci} andT ∈ T hold, and, if yes, it setsmi+1 := m. For everyi ≥ l the hybridHyb_l, at thei-th iteration, runs the extractor and checks if the conditions T0(c) = ˜c,c0=ciandT ∈ T hold, and, if yes, it setsmi+1:=m. In particular,Hyb0 is equivalent toG7whileHybρis equivalent toG8.

Given an adversaryAand an indexk ∈[l−1]define the eventOldCTkover the

random experimentHyb_lto hold ifAat thel-th iteration outputs a tampering function Tlsuch thatTl(Xl0) = ( ˜pk,c,˜π)˜ and, let(⊥, T0, c0)←Ext(τext,c,˜ ˜π), thenc0=ck.

LetOldCTbe the event{∃k∈[l−1] :OldCTk}. It is easy to check that

P[Hybl= 1]−P

Hybl+1= 1

≤P[OldCT].

In fact, if the eventOldCTdoes not happen inHyb_lthen the conditionc0 =clholds,

therefore the two hybrids behave exactly the same.

Suppose there exist an adversaryAand a polynomialp(·)such that, for infinitely many values ofκ∈_N, the adversaryAdistinguishes between gameG6andG7with probability at least1/p(κ). Then_P[OldCT]≥1/p(κ).

We build a PPT adversaryBthat breaks CLRS Friendly PKE Security ofE. LetHa family of 2-wise independent hash functions with domainCEand co-domain{0,1}κ.

We introduce some useful notation in Fig. 5. A formal description ofBfollows: AdversaryB:

1. Receivepub,pkfrom the challenger of the CLRS security experiment and get oracle access toO`(state).

2. Set variablesi, t0_{, t}1_to₀_{(as in the}_Tamper_experiment).

(19)

4. Letm, zbe the output fromA0, letm0be a valid plaintext forEsuch that the first bit ofm0differs from the first bit ofmand|m0_|₌_{|m|. Send the} tuplem, m0to the challenger. Setst0:=z.

5. Fori= 0to(l−1)execute the following loop:

(a) Sampleri←${0,1}κand run the adversaryA₁(m_i, st_i), upon query (j, L)fromA1, ifj= 1forward the same query to the leakage oracle, ifj= 0forward the query(0,LL,ri,pk)to the leakage oracle.

(b) Eventually, the adversaryA1outputs(Ti+1,sti+1, j). (c) Forward the query(1,PK(T1

i+1(·)))to the leakage oracle and letpk 0_be the answer. Forward the query(0,VT0

i+1,ri,pk,pk0)to the leakage oracle

and letabe the answer, ifa= 0then setmi+1:=⊥and continue to the next cycle.

(d) Otherwise, forward the query(0,MT_i₊₁,ri,pk)and letm

0_{be the answer,} ifm0 isAbort∗then abort, otherwise setmi+1 := m0. Execute the refresh algorithmRfrsh∗(j)as defined byG6. (In particular, use the trapdoorτsim to sampleπi+1←eS1(τsim, ci+1,pk).)

6. Sample H←$H and r_l←${0,1}κ and run the adversary A₁ on input (ml−1,stl−1) and reply to the leakage oracle queries as in step (5a).

Even-tually, the adversary A1 outputs (Tl,stl, j) forward the leakage query

(0,HT_l,rl,pk,H), lethbe the answer of the leakage oracle.

7. Setxto be the empty string. Fori:= 1toη, whereη:= 2p2_{(κ) + 2p(κ)|c|,} execute the following:

(a) Samplerl+i←${0,1}κand run the adversaryA₁on input(m_l−1,st_l−1) and reply to the leakage oracle queries as in step (5a).

(b) Eventually the adversary A1 outputs (Tl,stl, j), forward the query

(0,HTl,r,pk,x)to the leakage oracle, letathe answer, ifa 6= ⊥set

x:=xka.

(c) Call the oracleUpdate(0)and increase the counteri.

8. If|x|<|c|then sampleb0←${0,1}and outputb0. Otherwise, query the leakage oracle with(1,(Dec(·, x))₍₀₎)and letabe the answer. Ifa=m(0) output0else output1.

We compute the amount of leakage performed byB. For any executions of the loop in step (5) the adversaryBforwards all the leakage queries made byAand, additionally:

– In step (5c) leakslog|PK|bits from the secret key and 1 bit from the ciphertext;

– In step (5d) leakslog(|M|+ 2)bits from the ciphertext (the output is either a message or∗orAbort);

Notice that τ many of the leakage queries described above are allowed before an invocation ofUpdateis forced. Moreover, in step (6) the adversaryBleaksκbit from the ciphertext and for any executions of the loop in step (7) leaks 1 bit from the ciphertext and then it calls theUpdatealgorithm.

Let`A the maximum amount of leakage between each invocation of theRfrsh∗

algorithm done byA, then the amount of leakage done byBis:

(20)

– LL,r,pk(c):

ReturnL(pk, c,S1(τsim, c,pk;r)).

– VT ,r,pk,pk0(c):

( ˜pk,˜c,π˜) :=T(pk, c,S1(τsim, c,pk;r));

Output(V˜c(ω,pk˜,π˜) = 1 ∧ pk˜ =pk0).

– MT ,r,pk(c):

( ˜pk,˜c,π˜) :=T(pk, c,S1(τsim, c,pk;r)); sk0, T0, c0←Ext(τext,π˜);

ifpk˜ =PK(sk0)outputDec(sk0,c˜); if(T0(c) =c0, c0∈C, T0∈ T)output∗; OutputAbort∗.

– HT ,r,pk,H(c):

( ˜pk,c,˜π˜) :=T(pk, c,S1(τsim, c,pk;r)); sk0, T0, c0←Ext(τext,π˜);

If(c0∈ {/ c,⊥})outputH(c). else output⊥.

– CT ,r,pk,H,x,h(c):

( ˜pk,c,˜π˜) :=T(pk, c,S1(τsim, c,pk;r)); sk0, T0, c0←Ext(τext,π˜);

if(T0(c)6=c0orT06∈ T)then output⊥; ifh=H(c)then

if|x|<|c|then output(c(|x|+1)), else output the empty string.

Fig. 5: Leakage functions on the ciphertext ofE.

We compute the winning probability ofB. Letc0, . . . , cl+ηbe the set of ciphertexts

produced (either byEnc, in the case ofc0, or by theUpdateCprocedure otherwise) during the CLRS Security Experiment withB. Consider the following events and random variables:

– LetCollisionbe the event{∃i, j≤[l+η] :i6=j∧H(ci) =H(cj)};

– LetHitbe the event that{∃k < l:h=H(ck)}, wherehis the output of the leakage

query(0,HT_l,rl,pk,H)(see step 6).

– LetHitibe the random variable equal to 1 if the condition(h=H(c))in thei-th

execution of the leakage query(0,HTl,rl+i,pk,x)(see step 7) holds, 0 otherwise.

– LetCompletebe the event|x|=|c|.

It is easy to check that if(¬Collision∧Hit∧Complete)holds then, at step (8), there exist a positive indexk < lsuch that(x=ck)holds. Therefore conditioned on the

conjunction of the events the adversaryBwins3_{with probability 1.}

Claim. P[Collision]≤(η+l)2·2−κ.

Proof. Recall thatHis 2-wise independent, therefore for any fixedx, y∈ CEsuch that

x6=y,P[H(x) =H(y)] = 2−κ, where the probability is taken over the sampling of H. Moreover, the ciphertextscifori∈[l+η]are sampled independently of the choice

ofH, therefore given two indicesi, jwherei6=j, by averaging over all the possible assignment ofci, cj we have thatP[H(ci) =H(cj)] = 2−κ. By union bound we get

the claim.

Claim. P[Hit|b= 0] =P[OldCT]. 3

(21)

Proof. In fact, the adversaryB(on challenge the ciphertextEnc(pk, m)) follows the code ofHyb_luntil step 6. In particular,Bhas only oracle access to the ciphertext and the secret key (as prescribed by the CLRS Security experiment), while the hybridHybl

has full access to them. However, the adversaryBcan perform the same operations via its own leakage oracle access. Therefore, in the execution of the leakage query (0,HT_l,rl,pk,H)at step (6), the eventc

0 ₌_c

k wheresk0, T0, c0 ←Ext(τext,pk˜)holds

with the same probability of the eventOldCTin the hybridHyb_l.

Claim. P[Complete]≤2−2κ+1.

Proof. Letϕbe the variable that denotes all the randomness used (including the chal-lenger randomness) in the CLRS experiment between the chalchal-lenger and the adversary Bjust before the execution of the step 7. LetGoodthe event that{P[Hit]≥1/2p(κ)}. By a Markov argument the probabilityP[ϕ∈Good]is at least1/2. We can condition on the eventGood.

We analyze the random variables{Hiti}i∈[η]. Fixing the choice of the randomnessϕ, for anyi, the random variableHitidepends only onrl+iand on the output ofUpdateC

at the (l+i)-th invocation. Notice that the adversary Bat each iteration of step 7 samples a freshrl+i, moreover by the perfectly ciphertext-update privacy (see Def. 5)

ofE, for anyj 6= ithe ciphertextci andcj are independent (in fact, for anykthe

distribution ofck+1does not depend on the value ofck). Therefore, the random variables

{Hiti}i∈[η]for any assignment ofϕare independent. LetZ :=

P

j∈[η]Hitj, we have

thatE[Z|Good]≥η/2p(κ).

P[¬Complete|Good] =

P[Z <|c| |Good] =P[Z <E[Z|Good]−(E[Z|Good]− |c|)|Good] =

P[Z <E[Z|Good]−p(κ)·κ|Good]≤2−2κ

Where, in the last step of the above disequations, we used the Chernoff bound.

Let Guess := (¬Hit∨ ¬Complete), namely the event that triggers B to guess the challenge bit at random. Obviously, for anya∈ {0,1},_P[b0=b|Guess, b=a] = 1₂. For anya∈ {0,1}and infinitely manyκ:

P[b0=b]≥ ≥1

2P[Guess] +P[b

0₌_b_∧_Hit_∧_Complete_] ≥1

2P[Guess] +P[¬Collision∧Hit∧Complete] (1) ≥1

2P[Guess] + (P[Hit]−P[¬Complete]−P[Collision]) ≥1

2P[Guess] +P[Hit]−2

−2κ+1₋_(η₊_l)2_·₂−κ

≥ 1 2−

1 2P[Hit]

+P[Hit]−2−2κ+1−(η+l)2·2−κ (2) ≥1

2+ 1

4·(P[OldCT] +P[Hit|b= 1])−((η+l)

2_{+ 1)}_·₂−κ_.

(22)

Proof. We reduce to the CLRS Friendly PKE Security ofE.

By contradiction, assume that there exists a PPT an adversary and a polynomialp(·) such that for infinitely many values ofκ∈ N, we have thatAdistinguishes between gameG7and gameG8with probability at least1/p(κ). We build a PPT adversaryB that breaks CLRS Friendly PKE Security ofE. The adversaryBfollows the points (1) to (5) of the adversary defined in Lemma 7 with the following modifications: (i) The adversaryBruns internallyD; (ii) The messages for the challenge aremand0κ_{; (iii) The}

cycle in step (5) runs fori= 0toρ(κ); (iv) The adversaryBeventually outputs the same output bit asA. Let`Athe maximum amount of leakage between each invocation of the

Rfrsh∗algorithm done byA, then the amount of leakage done byBis: `0=`A+τ·(max(log(|M|+ 2) + 1,log|PK|))

A formal description ofBfollows. AdversaryB:

1. Receivepub,pkfrom the challenger of the CLRS security experiment and get oracle access toO`(state).

2. Set variablesi,flg, l0_{, l}1_{, t}0_{, t}1_to₀_{(as in the}_Tamper_experiment). 3. Runω, τsim, τext ←eS0(1κ), setcrs:= (pub, ω)and sendcrstoA0. 4. Letm, zbe the output fromA0. Send(m,0κ₎_{to the challenger and set}

st0:=z.

5. Fori= 0toρ(κ)execute the following loop:

(a) Sampleri←${0,1}κand run the adversaryA1(m_i, st_i), upon query (j, L)fromA1, ifj= 1forward the same query to the leakage oracle, ifj= 0forward the query(0,LL,ri,pk)to the leakage oracle.

(b) Eventually, the adversaryA1outputs(Ti+1,sti+1, j). (c) Forward the query(1,PK(T1

i+1(·)))to the leakage oracle and letpk 0

be the answer. Forward the query(0,V_T0

i+1,ri,pk,pk0)to the leakage oracle and letabe the answer, ifa= 0then setmi+1:=⊥and continue to the next cycle.

(d) Otherwise, forward the query(0,MT_i,ri,pk)and letm

0_{be the answer,} ifm0isAbort∗then abort, otherwise setmi+1:=m0.

(e) Execute the refresh algorithmRfrsh∗(j)as defined byG6. (In particu-lar, use the trapdoorτsimto sampleπi+1←eS1(τsim, ci+1,pk).)

6. OutputA2(stρ).

The view provided byBtoAis equivalent toG7if the challenge bitb of the PKE Friendly Security experiment is 0. (This because the encrypted message ism.) Otherwise the view is equivalent toG8.

Wrapping up all together we have that:

_P[G0= 1]−P[G8= 1]

≤X

i∈[7]

|P[Gi = 1]−P[Gi+1= 1]| ≤

X

i∈[7]

(23)

5 Concrete Instantiations

For a groupGof prime orderqand a generatorg ofG, we denote by [a]g :=ga ∈

G theimplicit representation of an elementa ∈ Zq. Let G be a PPT pairing

gen-eration algorithm that upon input the security parameter 1κ outputs a tuple gd = (_G1,G2,GT, q, g, h, e) where the first three elements are the description of groups

of prime orderq >2κ_,_g_(resp._{h) is a generator for the group}

G1(resp.G2) andeis an efficiently computable non-degenerate pairing function fromG1×G2 →GT. In

what follow, we indicate vectors with bold chars and matrices with capital bold chars, all vectors are row vectors, given a group_G, two matricesX ∈_Gn×m_,_Y _∈

Gm×tfor n, m, t≥1and an elementa∈_Gwe denote withX·Y the matrix product ofXand Y and witha·Xthe scalar multiplication ofXbya. Given two elements[a]g∈G1and [b]h∈G2we denote with[a]g•[b]h= [a·b]e(g,h)the valuee([a]g,[b]h), the notation is

extended to vectors and matrices in the natural way. Given a fieldFand natural numbers n, m, j ∈Nwherej ≤min(n, m)we defineRkj(Fn×mto be the set of matrices in Fn×mwith rows rankj; given a matrixBwe letRank(B)be the rank ofB.

Definition 7. Thek-rank hidingassumption for a pairing generation algorithmpub:= (_G1,_G2,_GT, q, g1, g2, e)←$G(1κ)states that for any i ∈ {1,2} and for anyk ≤

j, j0≤min(n, m)the tuple(gi,[B]gi)and the tuple(gi,[B

0_]

gi)for randomB←$Rkj

andB0←$Rk_j0 are computational indistinghuishable.

Thek-rank hiding assumption was introduced by Naor and Segev in [36] where the authors showed to be implied by the more commonk-linear (DLIN) assumption. The assumption gets weaker askincreases. In fact fork= 1this assumption is equivalent to DDH assumption. Unfortunately, it is known that DDH cannot hold in symmetric pairings where G1 = G2. However, it is reasonable to assume that DDH holds in asymmetric pairings. This assumption is often calledexternal Diffie-Hellmanassumption (SXDH) (see [4,9]).

5.1 The Encryption Scheme.

We consider a a slight variation of the the CLRS Friendly PKE scheme of [18]. Con-sider the following PKE schemeE= (Setup,Gen,Enc,Dec,UpdateC,UpdateS)with message spaceM:={0,1}and parametersn, m, d∈N.

– Setup(1κ_{): Sample}_gd _{← G}₍₁κ₎_{and vectors}_p_,_w_←_$

Zmq such thatp·wT = 0

modq. Returnpub:= (gd,[p]g,[w]h). (Recall that all algorithms implicitly take

pubas input.)

– Gen(pub): Samplet←$_Zm_q ,r←$_Z_qnand computesk := [rT ·w+1T_n ·t]_h, set α := p·tT _{and compute} _pk _{:= [α]}

g. The latter can be computed given only

[p]g∈Gm1 andt∈Zmq . Return(pk,sk).

(24)

– Dec(sk, C): Letf = e(g, h), parsesk = [S]h ∈ Gn2×m, letS1be the first row ofSand parseC = ([C]g,[c]g)∈ Gn1×m×Gn1

. Computeb:= [c−C·ST

1]f

and output1if and only ifb= [1n]f. In particular,[b]fcan be computed by first

computing[c]f :=e([c]g, h)and then[C·ST1]f :=Qie(C[i],S[i]). – UpdateC(pk, C): ParseC = ([C]g,[c]g)∈ Gn1×m×G

n

1

. SampleB←$_Zn_q×n such thatB·1T

n =1nand the rank ofBisd. Return([B·C],[B·cT]).

– UpdateS(sk): Parsesk = [S]h∈Gn2×m. SampleA←$Znq×nsuch thatA·1Tn = 1nand the rank ofAisd. Return[A·S]h.

Some remarks are in order. First, the main difference between the scheme above and the PKE of [18] is in the public-keys and in the ciphertexts spaces. LetEDLWWbe the

scheme proposed by [18]. A public key forEDLWWis the target group element[p·tT]f,

while in the scheme above, a public key belongs to the groupG1. Similarly, a ciphertext forEDLWWis a tuple(c1, c2)wherec2 ∈ GnT. The message space ofEDLWWisGT,

while the message space of the scheme above is{0,1}. This is a big disadvantage, however, thanks to this modification, the public keys, secret keys and ciphertexts belong either to_G1orG2. As we will see, this modification is necessary to use lM-NIZK based on Groth-Sahai proof systems [29].

Second, we cannot directly derive from the secret key the public key. However, we can define the functionPK0that upon inputsk = [S]hproducespk0 = [p]g•[S1]h,

whereS1is the first row ofS. Notice that the NMCΣand the simulatorS1of Theorem 1 need to check if the public key stored in one side isvalidfor the secret key stored in the other side. We can fix4_{this issue by checking the condition}_e(_pk_{, h) =}_PK0₍_sk₎_instead.

Theorem 2. For anym ≥ 6,n ≥ 3m−6,d:= n−m+ 3the above scheme is an `-CLRS-friendly encryption scheme under the External Diffie-Hellman Assumption onG for`= min{m/6−1, n−3m+ 6} ·log(q)−ω(logκ).

The proof of security follows the same line of [18]. We give the details in Appendix A. The PKE schemeEis perfectly ciphertext-update private. We defer the formal proof to Appendix A .

Unfortunately, the message space of the PKE is{0,1}which limits the number of applications of NMC-R. We propose two different way to overcome this weakness.

Direct Product Encryption. For anyk∈_NletE×k _{= (}_Setup_,_Gen_,_Enc×k_,_Dec×k₎

whereEnc×k(pk, m1, . . . , mk) := (Enc(pk, m1),Enc(pk, m2), . . . ,Enc(pk, mk))and

Dec×kperforms the obvious decryption.

Lemma 9. For any polynomialk(κ), ifEis a`-CLRS-Friendly secure PKE thenE×k

is a`-CLRS-Friendly secure PKE.

The proof of the Lemma follows by a simply hybrid arguments . We defer the proof in Appendix A. The main disadvantage is that while the size of the ciphertexts ofE×k_gets

bigger the amount of leakage (on the ciphertext) allowed does not grow proportionally. 4

In particular, the reduction in Lemma 7 in steps 5c can leak(1,PK0(Ti+1(·)))and then, in step

5d, we need to modify the functionV_T0

i+1,ri,pk,pk0to check ife( ˜pk, h) =pk

0

and the function

MTi+1,ri,pkto check ife( ˜pk, h) =PK

0

(25)

CLRS-Friendly Key Encapsulation Mechanisms. Letpub←Setup(1κ₎_and_pk_,_sk_←

Gen(pub)as defined in Sec. 5.1 and letHbe an efficiently computable mapping from GT to{0,1}κsuch that the random variableH(U)forU←$_G_T is statistically close to the uniform distribution over{0,1}κ_{. Consider the following procedures:}

– Enc0(pk): Sampleu←$_Zn_q andz←$_Z_qand computec1:= [uT ·p]_gandc2:= [αu+z1n]g. ReturnC:= (c1, c2)andK:=H([z]e(g,h)).

– Dec0(sk, C): Letf =e(g, h), parsesk = [S]h∈Gn2×m, letS1be the first row of Sand parseC= ([C]g,[c]g)∈ Gn1×m×G

n

1

. Compute[z]f := [c−C·ST1]f

and outputH([z]f)if only ifv= [z·1n]f. In particular,[z]f can be computed by

first computing[c]f :=e([c]g, h)and then[C·ST1]f :=Qie(C[i],S[i]).

In Appendix C we define CLRS-Friendly Key Encapsulation Mechanism (KEM) schemes and Non-Malleable Key-Encoding schemes with Refresh (NMKE-R), we show that the construction in Sec. 4 yields a Non-Malleable Key-Encoding scheme with Refresh when instantiated with a CLRS-Friendly KEM, we show that the scheme(Setup,Gen,Enc0, Dec0,UpdateC,UpdateS)is a CLRS-Friendly KEM and we provide a Continual-Tamper-and-Leakage Resilient Compiler for the class of keyed-but-stateless cryptographic func-tionalities.

5.2 The Label-Malleable NIZK.

We can cast a lM-NIZK as a special case of the Controlled-Malleable NIZK (cM-NIZK) argument of knowledge systems [10]. Roughly speaking, cM-NIZK systems allow malleability (from a specific set of allowable transformation) both on the instance and on the NIZK proof. Similarly to lM-NIZK AoK systems, cM-NIZK systems have a form of simulation sound extractability called Controlled-Malleable Simulation Sound Extractability (cM-SSE). Informally, the extractor will either extract a valid witness or willtrack backto a tuple formed by an instance queried to the simulation oracle and the associated simulated proof. We provides the formal definitions of cM-NIZK along with a generic transformation to lM-NIZK in Appendix B.

The elegant framework of [10] (full version [11]) builds on the malleability of Groth-Sahai proof systems [29] and provides a set of sufficient conditions to have efficient cM-NIZK systems. Here we translate the conditions to the setting of lM-NIZK systems.

Definition 8. For a relationRand a set of transformationsT on the set of labelsL, we say(R,T)isLM-friendlyif the following five properties hold:

1. Representable statements and labels:any instance and witness ofRcan be rep-resented as a set of group elements; i.e., there are efficiently computable bijections Fs:LR →Gdsis for somedsandis,Fw:WR→Gdwid for somedwandiwwhere

LR:={x|∃w: (x, w)∈ R}andLR:={w|∃x: (x, w)∈ R}andFl:L →Gdill

for somedlandil=is.

2. Representable transformations:any transformation inT can be represented as a set of group elements; i.e., there is an efficiently computable bijectionFt:T →Gditt

(26)

3. Provable statements:we can prove the statement(x, w) ∈ R(using the above representation forxandw) using pairing product equations; i.e., there is a pairing product statement that is satisfied byFs(x)andFw(w)iff(x, w)∈ R.

4. Provable transformations:we can prove the statement “φ(L0) = L∧φ ∈ T” (using the above representations for labelsL, L0 and transformationφ) using a pairing product equation, i.e. there is a pairing product statement that is satisfied by Ft(φ), Fl(L), Fl(L0)iffT ∈ T ∧ φ(L0) =L.

5. Transformable transformations:for anyφ, φ0∈ T there is a valid transformation t(φ)that takes the statement “φ(L0) = L∧ φ ∈ T” (phrased using pairing products as above) for the statement “(φ0◦φ)(L0) =φ(L)∧ (φ0◦φ)∈ T” and that preserves5the labelL0_.

The definition above is almost verbatim from [11], the only differences are that the point (1) is extended to support labels and that the original definition has a condition on the malleability of the tuple statement/witness (which trivially holds for lM-NIZK). We adapt a theorem of [11] to the case of Label Malleability:

Theorem 3. If the DLIN assumption holds then we can construct a lM-NIZK that satisfies derivation privacy for any LM-friendly relation and transformation set(R,T).

With this powerful tool in our hand, we are now ready to show that there exists a lM-NIZK for the relation and transformation set(Rpub,Tpub)defined above:

Rpub={([α]g,[S]h) : [α]g= [p·ST1]g},

Tpub=

φB(C,c) := [B·CT]g,[B·cT]g

: 1=B·1T .

wherepub = (gd,[p]g,[w]h) ← Setup(1κ). Notice that the set of all the possible

updates of a ciphertext,

φ :φ(·) =UpdateC(pub,pk,·;B),B∈Zqn×n,1n =B·1Tn,rank(B) =d ,

is a subset ofTpub. Therefore, we can apply the generic transformation of Sec. 4 given

a lM-NIZK for the relationRpuband the set of transformationsTpub and the

CLRS-Friendly PKE defined above. We show that the tuple(Rpub,Tpub)is LM-Friendly. Representable statements and labels: Notice thatLRpub ⊆G1, while the set of valid

label is the setGn1×m×Gn1.

Representable transformations: We can describe a transformationφB ∈ Tpub as a

matrix of elements[B]h∈Gn2×n.

Provable statements: The relationRpub can be represented by the pairing product

statement[α]g•[1]h= [p]•[ST1]h.

Provable transformations: Given a transformationφB∈ Tpuband labelsc= ([C]g,[c]g), c0=

([C0]g,[c0]g), the statement “φB(c0) =c∧φB∈ T” is transformed as the system

of pairing product statements:

 



[B]h•[C0T]g= [C]g•[1]h

[B]h•[c0T]g= [c]g•[1]h

[B]h•[1T]g= [1]f

(3)

(27)

Transformable transformations: LetφB, c, c0be as before and letφB0 ∈ T_pub. We show that we can transform the system in Eq. (3) to be a valid system of pairing product statement for the statement(φB0◦φ_B)(c0) =φ_B0(c)∧(φ_B0◦φ_B)∈ T. Given the system of pairing product equations in Eq. (3) andB0 ∈Znq×nwe can

perform operations at the exponent and derive:

 



[B0·B]h•[C0T]g= [B0·CT]g•[1]h

[B0·B]h•[c0T]g= [B0·cT]g•[1]h

[B0·B]h•[1T]g= [1]f

The SetT_pub×kof Transformations forE×k_. _{For any}_k_∈

N, let the PKE schemeE×k be defined as in Sec. 5.1, letCE×k = (CE)k be the ciphertexts space ofE×k and let

T_pub×k = (Tpub)k. Explicitly, the set of transformations is defined as:

T×k pub =

 



φ_B¯ :

φ_B¯(¯c) = [Bi·CiT]g,[Bi·ciT]g:i∈[k],

¯

c= (C1_,_c1_{), . . . ,}₍_Ck_,_ck_),

¯

B=B1_{, . . . ,}_Bk_, _∀i_∈_{[k] :}₁₌_Bi_·₁T

 



For any positive polynomialk(κ), the tuple(Rpub,Tpub×k)is LM-Friendly. The result

follows straight forward from the framework presented in Sec. B.3 of [11] where it is shown that the for any pair of transformations on statements over pairing product equations we can derive a new transformation for the conjunction of the statements.

6 Applications

Following the same approach of [22,33] we show a compiler that maps any functionality G(s,·)to a Continually-Leakage-and-Tamper Resilient functionalityG0(s0,·)equipped with refresh procedureRfrsh. Consider the experiments in Fig. 6.

Definition 9. A compiler Φ = (Setup,FCompile,MCompile,Rfrsh) is a Split-State (`, ρ, τ)-Continually-Leakage-and-Tamper (for short(`, ρ, τ)-CLT) Compiler in the CRS model if for every PPT adversaryAthere exists a simulatorSsuch that for every efficient functionality G : {0,1}κ_{× {0,}_1}i _{→ {0,}_1}o _for_{κ, i, o} _∈

N and any secret state s∈ {0,1}κ_{, the output of the real experiment}_TamperFunc(G,s)

A,Φ (κ, `, ρ, τ)and the

output of the simulated experimentIdealFunc(κ)are indistinghuishable.

Given a NMC-RΣ, consider the following compilerΠ = (Setup,MCompile,Enc,FCompile,Rfrsh):

– Setup(1κ_{): Output}_crs_←_$_Σ._Init₍₁κ_);

– MCompile(crs, s): Outputs0_←_$_Σ._Enc₍_crs_{, s);}

– FCompile(crs, G): OutputG0(s0, x) :=G(Σ.Dec(crs, s0));

– Rfrsh(crs, s0): OutputΣ.Rfrsh(crs, s0).