Our rate-0 construction is fairly natural, though its analysis turns out to be more complicated. At a high-level the construction combines an “outer code” which has a sufficiently large distance and dual distance (for example, a “packed secret-sharing scheme” based on the Reed-Solomon code) with an “inner code” which is transparent to bit-level **permutations** – namely, a unary code. Each character of the outer code-word is encoded into a block of bits using the inner code. To obtain some level of resistance to mixing bits from different blocks, we keep the bits in the codeword randomly permuted, and also, we ensure a good density of invalid codewords in the code (achieved, specifically, by requiring that the the weight of each codeword is, say, even), so that blindly mixing together bits from different codewords has some probability of creating an invalid codeword. A careful combinatorial argument can be used to show that, despite dependencies among the blocks caused by a permutation attack, the probability of having all attacked blocks remaining valid decreases multiplicatively. If the outer code has a large distance, this ensures that the probability of creating a different valid codeword is negligible. However, we need to ensure not only that the attack has negligible chance of modifying one codeword into a different valid codeword, but also that the probability of creating an invalid codeword is (almost) independent of the actual message. Roughly, this is based on the large dual distance of the outer code.

Show more
48 Read more

◦ The above code uses a large alphabet. It is concatenated with a binary inner code that is also **resistant** to **permutations**: each character in the outer code’s alphabet is mapped to a positive integer (in a certain range) and is encoded by a block of bits whose weight (number of positions with a 1) equals this integer. Note that a permutation may move bits across the different blocks. To resist such attacks, we keep the bits within each block randomly permuted, and also, ensure that a good fraction of the weights do not correspond to a valid block (achieved, for instance, by requiring that the the weight of each block is a multiple of 3 2 ), so that blindly mixing together bits from different blocks has some probability of creating an invalid block. A careful combinatorial argument can be used to show that, despite dependencies among the blocks caused by a permutation attack, the probability of having all attacked blocks remaining valid decreases multiplicatively with the number of blocks being attacked thus. This, combined with the fact that the outer code has a large distance, ensures that the probability of creating a different valid codeword by this attack is negligible. However, we need to ensure not only that the attack has negligible chance of modifying one codeword into a different valid codeword, but also that the probability of creating an invalid codeword is (almost) independent of the actual message. Roughly, this is based on the large independence of the outer code.

Show more
53 Read more

in various models. Faust et al. [18] studied **non**-**malleable** code when the tampering function is allowed to tamper codeword as long as it does not decodes to a special symbol ⊥. They gave a necessary condition and a construction of such **codes**. This work was further improved by Jafargholi and Wichs [25]. Agarwal et al. [5] studied a class of tampering function that can permute the bits of the encoding and (optionally) perturb them. They proposed an efficient and **explicit** construction of **non**-**malleable** **codes** in the information theoretic setting. In the follow-up work, the authors [4] demonstrated a rate-optimized compiler for NMC against bit-wise tampering and **permutations**. Dachman-Soled et al. [12] initiated the study of locally decodable and updatable **non**-**malleable** **codes**. They gave two constructions of such **codes** that are secure against continual tampering, where their concept of continuity is different from Faust et al. [18] in the sense that they allow an updater that updates the codeword. Chattopadhyay and Zuckerman [8] showed a construction of **non**-**malleable** code in an extension of the split-state model, where codewords is partitioned in to c = o(n) equal sized blocks.

Show more
51 Read more

Continuous **Non**-**Malleable** **Codes** Continuous **Non**-**Malleable** **codes** (CNMC) were introduced by Faust etal. [39]. They gave a construction based on collision **resistant** hash functions and **non**-interactive zero knowledge proof systems in the CRS model. They also showed the impossibility of constructing 2-split state CNMC information theoretically. Subsequently, Jafargholi and Wichs [51] presented a general study of CN- MCs and its variants with some existential results. Aggarwal et al. [5] gave the first information theoretic construction in the 8-split-state model. Recently, Damg˚ ard et al. [30] gave the first construction of infor- mation theoretic CNMC against **permutations**. Faonio et al. [37] considered a variant of CNMC against split-state tampering where the codeword is refreshed (to avoid self-destruct) in the CRS model. For a discussion related to the recent work of Ostrovsky et al. [62], see Section 1.2 and Appendix A.

Show more
31 Read more

In this work, we considered the simplest construction of an NMC from a block cipher E , and we characterized its security by means of formulating and proving sufficient security conditions on E. Since these require some form of related-key security, it is then natural to wonder how reasonable such an assumption is and how it could be instantiated in practice. A first line of approach is to consider existing block ciphers. There is good empirical evidence that e.g. the NIST standard AES-128 [NIS01] and the NESSIE cipher SHACAL-2 [HN01] are both secure against related-key attacks; this yields immediate candidates for **explicit** instantiations targeting 64 and 256 bits of security respectively.

Show more
17 Read more

Relevant prior work on **non**-**malleable** **codes** in the information theoretic setting. There has been a lot of exciting research on **non**-**malleable** **codes**, and it is beyond the scope of this paper to provide a comprehensive survey of them. Instead we focus on relevant **explicit** (unconditional) constructions in the information theoretic setting, which is also the focus of this paper. One of the most studied classes of tampering functions is the so called split-state tampering, where the codeword is divided into (at least two) disjoint intervals and the adversary can tamper with each interval arbitrarily but independently. This model arises naturally in situations where the codeword may be stored in different parts of memory or different devices. Following a very successful line of work [DKO13, ADL18,Agg15, AB16, CG17,CZ14, ADKO15a, CGL16, Li17, Li18], we now have **explicit** constructions of **non**-**malleable** **codes** in the 2-split state model with constant rate and constant error, or rate Ω(log log n/ log n) with exponentially small error [Li18]. For larger number of states, a recent line of work [KOS17, KOS18, GMW18] gave **explicit** constructions of **non**-**malleable** **codes** in the 3-split-state model with constant rate and negligible error.

Show more
37 Read more

Remark 2 (On the limits of extending our result). Because any function in NC 1 can be computed by a polynomial-size unbounded fan-in circuit of depth O(log(n)/ log log(n)) (see e.g. [KPPY84, Val83]), any **non**-trivial **non**-**malleable** code for larger depth circuits would yield a separation of NC 1 from P. Here, we take **non**-trivial to mean that error is bounded away from 1 and encoding/decoding run in time polynomial in the codeword length (namely, even an inefficient code, as per the discussion above, can be **non**-trivial). This follows from the fact (noted in many previous works) that any **explicit**, **non**-trivial code is vulnerable to the simple P-tampering attack: decode, flip a bit, re- encode. Hence, in this respect Theorem 1 is the limit of what we can hope to establish given the current state of the art in circuit and complexity theory.

Show more
26 Read more

Comparison with Previous Work. Until our work, all known proofs of security for **explicit** split-state **non**-**malleable** **codes** have required complex mathematical proofs, and all known such proofs either directly or indirectly used the mathematics behind constructions of two-source extractors [DKO13, ADL14, CZ14, CGL16, Li17]. In fact, after constructing the first **non**-**malleable** code in the split-state model Dziembowski, Kazana, and Obremski wrote: “This brings a natural question if we could show some relationship between the extractors and the **non**-**malleable** **codes** in the split-state model. Unfortunately, there is no obvious way of formalizing the conjecture that **non**-**malleable** **codes** need to be based on extractors” [DKO13].

Show more
10 Read more

The only known constructions of a CNMC in the split-state model (therefore also achieving message uniqueness) are the **codes** of [30,28], but unfortunately these constructions rely on both trusted setup and strong computational as- sumptions. Indeed such **codes** require: (i) a “common reference string”, i.e., the existence of a honestly generated string (with some given distribution) that is assumed to be untamperable, and that is available to the encoding and decod- ing functions, and to the adversary; (ii) the existence of **non**-interactive zero- knowledge proofs and either collision-**resistant** hash functions [30] or public-key encryption resilient to continual leakage [24,28] (which we only know how to obtain under concrete number-theoretic assumptions over bi-linear groups).

Show more
30 Read more

The second line of constructions began with the privacy amplification proto- col given by Dodis and Wichs [DW09]. They give an efficient two-round construc- tion (i.e., with optimal round complexity) which has an entropy loss of Θ(κ 2 ). This work also introduces “seeded **Non**-**malleable** extractors (NME)”, which has the property that the output of the extractor looks uniform, even given its value on a related seed. Their approach for building two-round privacy amplification protocols roughly works as follows: first, they send a seed to a NME which is used to extract the key (k) to a **non**-interactive one-time message authentication code. k is then used to authenticate a seed s to an extractor. The final shared key K is evaluated by both parties, unless any tampering is detected, to be Ext(w; s). In short, the approach of Dodis and Wichs leads to a Privacy amplification pro- tocol with optimal round complexity of 2. Further, [DW09] give an existential result that if one can efficiently construct **non**-**malleable** extractors with optimal parameters, we get a two-round privacy amplification protocol with entropy loss Θ(κ) and min-entropy requirement O(κ + log n). Subsequent to the existential construction of Privacy Amplification given in [DW09], there was focus on im- proving the parameters by giving **explicit** constructions of seeded **non**-**malleable** extractors [DLWZ11,CRS12,Li12a,Li12b,Li15,CGL16,CL16,Coh16,Li17]. While all these constructions give a 2-round privacy amplification protocol with opti- mal entropy loss, the min-entropy requirement is not optimal (the best known being O(κ log κ + log n) by [Li17]).

Show more
37 Read more

The recent line of study on randomness extractors has been a great success, resulting in ex- citing new techniques, new connections, and breakthroughs to long standing open problems in several seemingly different topics. These include seeded **non**-**malleable** extractors, privacy ampli- fication protocols with an active adversary, independent source extractors (and **explicit** Ramsey graphs), and **non**-**malleable** **codes** in the split state model. Previously, the best constructions are given in [Li17]: seeded **non**-**malleable** extractors with seed length and entropy requirement O(log n + log(1/) log log(1/)) for error ; two-round privacy amplification protocols with opti- mal entropy loss for security parameter up to Ω(k/ log k), where k is the entropy of the shared weak source; two-source extractors for entropy O(log n log log n); and **non**-**malleable** **codes** in the 2-split state model with rate Ω(1/ log n). However, in all cases there is still a gap to optimum and the motivation to close this gap remains strong.

Show more
53 Read more

coding scheme was proposed in [12]. For the case of only two states, an **explicit** **non**-**malleable** code for encoding a single bit was proposed by [17]. Recently, in a break-through result, an **explicit** scheme (of rate 0) was proposed for arbitrary length messages by [3]. A constant rate construction for 10 states was provided in [9] (and later in [3]). Very recently, Aggarwal et al. [2] show that constant rate for such **codes** can in fact be achieved with only k = 2 states. We note that in this setting it is not possible to go beyond rate 1/2 if one insists upon information theoretic **non**-malleability. Our present work shows that by relying on compu- tational definition of **non**-malleability, we can achieve rate 1 with only 2 states (which are necessary). Asymptotically, these are the best possible parameters.

Show more
25 Read more

Necessity of Few Fixed Points. Secondly, we argue that the restriction on few fixed points is necessary. It is clear that the single identity function has all fixed-points (ϕ = 1) and full entropy (µ = n) but cannot be detected by any code. This shows that we must require ϕ < 1 even when µ = n and the function family is of size 1. We can further show that for any ϕ, there is a small family F of size |F | = 2 n which has ϕ-few fixed points and fully entropy (µ = n) such that no code (Enc, Dec) is even an (F, ϕ)-weak tamper-detection code. At first it may seem that a single permutation with ϕ-few fixed points could do the trick, but perhaps the code is chosen in such a way that the valid codewords c are never fixed points f (c) 6= c even though a ϕ-fraction of random values x are fixed points f (x) = x. To defeat this, we consider a family F of **permutations** with ϕ-few fixed points where the set of fixed points is 1-wise independent: for each x ∈ {0, 1} n we have Pr

Show more
24 Read more

Cheraghchi and Guruswami [CG14] gave probabilistic constructions of efficient **codes** for circuits of size O(n c ) (where an efficient randomized procedure outputs a “good” code with high probability). Faust et.al [FMVW14] gave an improved (in terms of the dependence on the error bound) construction against the same class, which is **explicit**, but relies on a model including an untamparable CRS (common reference string). The presence of CRS is undesirable, as not only must the CRS be generated by a trusted party, the CRS is also a **non**-tamperable component of the scheme. Moreover, both of these works can be viewed as using limited (t-wise) independence to partially derandomize probabilistic constructions. This approach inherently leads to a CRS whose length is at least as long as the bound on the size of the tampering circuits — meaning the tampering circuits cannot even read the entire CRS. We additionally note that if we allowed other size parameters, in particular the codeword size, to be as large as the runtime of the tampering function, then achieving **non**-malleability would become trivial. This motivates the following questions:

Show more
30 Read more

Intuitively, the short tag τ should encode some information about the much longer c in a way that makes it hard to change c without changing τ as well, and since the latter is encoded using a **non**- **malleable** code, one could hope that the over all code is **non**-**malleable**. One such choice of the tag, used in a preliminary version of this result [AGM + 14a], is τ = (h, h(c)), where h is a randomly chosen hash function with a short description from a (statistical) collision-**resistant** hash function family. As shown in [AGM + 14a], this suffices for the class of attacks involving **permutations** (but not allowing the adversary to set/reset the bits). However, when the class of attacks allowed for

Show more
23 Read more

Due to their important applications, constructing **non**-**malleable** **codes** has received a lot of attention over recent years. As **non**-malleability against gen- eral functions is impossible [27], various subclasses of tampering functions have been considered, such as split-state functions [1–3, 26, 27, 36, 37], bit-wise tam- pering and **permutations** [4, 5, 27], bounded-size function classes [32], bounded depth/fan-in circuits [6], space-bounded tampering [29], and others (cf. Section 1.4). One characteristic shared by those function classes is that they allow full access to the codeword, while imposing structural or computational restrictions to the way the function computes over the input. In this work we initiate a com- prehensive study on **non**-malleability for functions that receive partial access over the codeword, which is an important yet overlooked class, as we elaborate below. The class of partial functions. The class of partial functions contains all functions that read/write on an arbitrary subset of codeword bits with specific cardinality. Concretely, let c be a codeword with length ν. For α ∈ [0, 1), the function class F αν (or F α for brevity) consists of all functions that operate over

Show more
30 Read more

We now introduce an intermediate variant of **non**-malleability, called Medium **Non**-malleability, which informally gives security guarantees “in-between” strong and regular **non**-malleability. Specifically, the difference is that the experiment is allowed to output same ∗ only when some predicate g evaluated on (c, ˜ c) is set to true. Thus, strong **non**-malleability can be viewed as a special case of medium **non**-malleability, by setting g to be the identity function. On the other hand, regular **non**-malleability does not impose restrictions on when the experiment is allowed to output same ∗ . Note that g cannot be just any predicate in order for the definition to make sense. g must be a predicate such that if g evaluated on (c, c) is set to true, then (with ˜ overwhelming probability over the random coins of D) D(˜ c) = D(c).

Show more
48 Read more

As such, it is an interesting problem to consider sub-classes of Goppa **codes** to better balance the security and public key size requirements. One common approach adopted is to employ quasi-cyclic or quasi-dyadic Goppa **codes** [29, 7] or more generally, **codes** with a nontrivial automorphism group [6]. Indeed, in [14], the authors showed that existing quasi-cyclic and quasi-dyadic constructions are induced from nontrivial automorphism subgroups of the rational function field. The main advantage to use a code with a nontrivial automorphism group G is that there exists a subset of basis codewords such that this subset together with their **permutations** induced by G form the whole basis of the code. As such, this allows one to use the subset of codewords as the public key instead of the entire basis, thereby reducing the size of the public key. Nonetheless, the size reduction leads to a trade-off with respect to its resistance to structural attacks. In particular, it was shown in [15, 14, 4] that the public/private key pair of such **codes** is equivalent to a public/private key pair of another code with smaller parameters. Algebraic cryptanalysis can then be performed on the corresponding **codes** with smaller parameters and successful attacks following this approach were carried out in [16, 17]. As such, one must select the parameters carefully in order to balance the trade-off and to achieve the desired security level [3].

Show more
16 Read more

The motivation to study a **non**-**malleable** extractor, the privacy amplification problem, is a fun- damental problem in symmetric cryptography that has been studied by many researchers. Bennett, Brassard, and Robert introduced this problem in [BBR88]. The basic setting is that, two parties (Alice and Bob) share an n-bit secret key X, which is weakly random. This could happen because the secret comes from a password or biometric data, which are themselves weakly random, or be- cause an adversary Eve managed to learn some partial information about an originally uniform secret, for example via side channel attacks. We measure the entropy of X by the min-entropy defined above. The goal is to have Alice and Bob communicate over a public channel so that they can convert X into a nearly uniform secret key. Generally, we also assume that Alice and Bob have local private uniform random bits. The problem is the presence of the adversary Eve, who can see every message transmitted in the channel and may or may not change the messages. We assume that Eve has unlimited computational power.

Show more
54 Read more

Global Tampering. The work of [20] gives an existential (inefficient) construction of **non**- **malleable** **codes** for doubly-exponential sized function families. More precisely, for any constant 0 < α < 1 and any family F of functions of size |F | ≤ 2 2 αn in the codeword size n, there exists an inefficient **non**-**malleable** code w.r.t. F ; indeed a completely random function gives such a code with high probability. The code is clearly not efficient, and this should be expected for such a broad result: the families F can include all circuits of size (e.g.,) s(n) = 2 n/2 , which means that the efficiency of the code must exceed O(2 n/2 ). Unfortunately, there is no direct way to “scale down” the result in [20] so as to get an efficient construction for singly-exponential-size families. (One can view our work as providing such “scaled down” result.) Moreover, the analysis only yielded a rate of at most (1− α)/3 < 1/3, and it was previously not known if such **codes** can achieve a rate close to 1, even for “small” function families. We note that [20] also showed that the probabilistic method construction can yield efficient **non**-**malleable** **codes** for large function families in the random oracle model. However, this only considers function families that don’t have access to the random oracle. For example, one cannot interpret this as giving any meaningful result for tampering functions with bounded complexity.

Show more
26 Read more