# Top PDF Explicit Non-Malleable Codes Resistant to Permutations ### Explicit Non-Malleable Codes Resistant to Permutations

Our rate-0 construction is fairly natural, though its analysis turns out to be more complicated. At a high-level the construction combines an “outer code” which has a sufficiently large distance and dual distance (for example, a “packed secret-sharing scheme” based on the Reed-Solomon code) with an “inner code” which is transparent to bit-level permutations – namely, a unary code. Each character of the outer code-word is encoded into a block of bits using the inner code. To obtain some level of resistance to mixing bits from different blocks, we keep the bits in the codeword randomly permuted, and also, we ensure a good density of invalid codewords in the code (achieved, specifically, by requiring that the the weight of each codeword is, say, even), so that blindly mixing together bits from different codewords has some probability of creating an invalid codeword. A careful combinatorial argument can be used to show that, despite dependencies among the blocks caused by a permutation attack, the probability of having all attacked blocks remaining valid decreases multiplicatively. If the outer code has a large distance, this ensures that the probability of creating a different valid codeword is negligible. However, we need to ensure not only that the attack has negligible chance of modifying one codeword into a different valid codeword, but also that the probability of creating an invalid codeword is (almost) independent of the actual message. Roughly, this is based on the large dual distance of the outer code. ### Explicit Non-malleable Codes Resistant to Permutations and Perturbations

◦ The above code uses a large alphabet. It is concatenated with a binary inner code that is also resistant to permutations: each character in the outer code’s alphabet is mapped to a positive integer (in a certain range) and is encoded by a block of bits whose weight (number of positions with a 1) equals this integer. Note that a permutation may move bits across the different blocks. To resist such attacks, we keep the bits within each block randomly permuted, and also, ensure that a good fraction of the weights do not correspond to a valid block (achieved, for instance, by requiring that the the weight of each block is a multiple of 3 2 ), so that blindly mixing together bits from different blocks has some probability of creating an invalid block. A careful combinatorial argument can be used to show that, despite dependencies among the blocks caused by a permutation attack, the probability of having all attacked blocks remaining valid decreases multiplicatively with the number of blocks being attacked thus. This, combined with the fact that the outer code has a large distance, ensures that the probability of creating a different valid codeword by this attack is negligible. However, we need to ensure not only that the attack has negligible chance of modifying one codeword into a different valid codeword, but also that the probability of creating an invalid codeword is (almost) independent of the actual message. Roughly, this is based on the large independence of the outer code. ### Block-wise Non-Malleable Codes

in various models. Faust et al.  studied non-malleable code when the tampering function is allowed to tamper codeword as long as it does not decodes to a special symbol ⊥. They gave a necessary condition and a construction of such codes. This work was further improved by Jafargholi and Wichs . Agarwal et al.  studied a class of tampering function that can permute the bits of the encoding and (optionally) perturb them. They proposed an efficient and explicit construction of non-malleable codes in the information theoretic setting. In the follow-up work, the authors  demonstrated a rate-optimized compiler for NMC against bit-wise tampering and permutations. Dachman-Soled et al.  initiated the study of locally decodable and updatable non-malleable codes. They gave two constructions of such codes that are secure against continual tampering, where their concept of continuity is different from Faust et al.  in the sense that they allow an updater that updates the codeword. Chattopadhyay and Zuckerman  showed a construction of non-malleable code in an extension of the split-state model, where codewords is partitioned in to c = o(n) equal sized blocks. ### Upper and Lower Bounds for Continuous Non-Malleable Codes

Continuous Non-Malleable Codes Continuous Non-Malleable codes (CNMC) were introduced by Faust etal. . They gave a construction based on collision resistant hash functions and non-interactive zero knowledge proof systems in the CRS model. They also showed the impossibility of constructing 2-split state CNMC information theoretically. Subsequently, Jafargholi and Wichs  presented a general study of CN- MCs and its variants with some existential results. Aggarwal et al.  gave the first information theoretic construction in the 8-split-state model. Recently, Damg˚ ard et al.  gave the first construction of infor- mation theoretic CNMC against permutations. Faonio et al.  considered a variant of CNMC against split-state tampering where the codeword is refreshed (to avoid self-destruct) in the CRS model. For a discussion related to the recent work of Ostrovsky et al. , see Section 1.2 and Appendix A. ### Short Non-Malleable Codes from Related-Key Secure Block Ciphers

In this work, we considered the simplest construction of an NMC from a block cipher E , and we characterized its security by means of formulating and proving sufficient security conditions on E. Since these require some form of related-key security, it is then natural to wonder how reasonable such an assumption is and how it could be instantiated in practice. A first line of approach is to consider existing block ciphers. There is good empirical evidence that e.g. the NIST standard AES-128 [NIS01] and the NESSIE cipher SHACAL-2 [HN01] are both secure against related-key attacks; this yields immediate candidates for explicit instantiations targeting 64 and 256 bits of security respectively. ### Non-Malleable Codes, Extractors and Secret Sharing for Interleaved Tampering and Composition of Tampering

Relevant prior work on non-malleable codes in the information theoretic setting. There has been a lot of exciting research on non-malleable codes, and it is beyond the scope of this paper to provide a comprehensive survey of them. Instead we focus on relevant explicit (unconditional) constructions in the information theoretic setting, which is also the focus of this paper. One of the most studied classes of tampering functions is the so called split-state tampering, where the codeword is divided into (at least two) disjoint intervals and the adversary can tamper with each interval arbitrarily but independently. This model arises naturally in situations where the codeword may be stored in different parts of memory or different devices. Following a very successful line of work [DKO13, ADL18,Agg15, AB16, CG17,CZ14, ADKO15a, CGL16, Li17, Li18], we now have explicit constructions of non-malleable codes in the 2-split state model with constant rate and constant error, or rate Ω(log log n/ log n) with exponentially small error [Li18]. For larger number of states, a recent line of work [KOS17, KOS18, GMW18] gave explicit constructions of non-malleable codes in the 3-split-state model with constant rate and negligible error. ### Non-Malleable Codes for Small-Depth Circuits

Remark 2 (On the limits of extending our result). Because any function in NC 1 can be computed by a polynomial-size unbounded fan-in circuit of depth O(log(n)/ log log(n)) (see e.g. [KPPY84, Val83]), any non-trivial non-malleable code for larger depth circuits would yield a separation of NC 1 from P. Here, we take non-trivial to mean that error is bounded away from 1 and encoding/decoding run in time polynomial in the codeword length (namely, even an inefficient code, as per the discussion above, can be non-trivial). This follows from the fact (noted in many previous works) that any explicit, non-trivial code is vulnerable to the simple P-tampering attack: decode, flip a bit, re- encode. Hence, in this respect Theorem 1 is the limit of what we can hope to establish given the current state of the art in circuit and complexity theory. ### Expander Graphs are Non-Malleable Codes

Comparison with Previous Work. Until our work, all known proofs of security for explicit split-state non-malleable codes have required complex mathematical proofs, and all known such proofs either directly or indirectly used the mathematics behind constructions of two-source extractors [DKO13, ADL14, CZ14, CGL16, Li17]. In fact, after constructing the first non-malleable code in the split-state model Dziembowski, Kazana, and Obremski wrote: “This brings a natural question if we could show some relationship between the extractors and the non-malleable codes in the split-state model. Unfortunately, there is no obvious way of formalizing the conjecture that non-malleable codes need to be based on extractors” [DKO13]. ### Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

The only known constructions of a CNMC in the split-state model (therefore also achieving message uniqueness) are the codes of [30,28], but unfortunately these constructions rely on both trusted setup and strong computational as- sumptions. Indeed such codes require: (i) a “common reference string”, i.e., the existence of a honestly generated string (with some given distribution) that is assumed to be untamperable, and that is available to the encoding and decod- ing functions, and to the adversary; (ii) the existence of non-interactive zero- knowledge proofs and either collision-resistant hash functions  or public-key encryption resilient to continual leakage [24,28] (which we only know how to obtain under concrete number-theoretic assumptions over bi-linear groups). ### Privacy Amplification from Non-malleable Codes

The second line of constructions began with the privacy amplification proto- col given by Dodis and Wichs [DW09]. They give an efficient two-round construc- tion (i.e., with optimal round complexity) which has an entropy loss of Θ(κ 2 ). This work also introduces “seeded Non-malleable extractors (NME)”, which has the property that the output of the extractor looks uniform, even given its value on a related seed. Their approach for building two-round privacy amplification protocols roughly works as follows: first, they send a seed to a NME which is used to extract the key (k) to a non-interactive one-time message authentication code. k is then used to authenticate a seed s to an extractor. The final shared key K is evaluated by both parties, unless any tampering is detected, to be Ext(w; s). In short, the approach of Dodis and Wichs leads to a Privacy amplification pro- tocol with optimal round complexity of 2. Further, [DW09] give an existential result that if one can efficiently construct non-malleable extractors with optimal parameters, we get a two-round privacy amplification protocol with entropy loss Θ(κ) and min-entropy requirement O(κ + log n). Subsequent to the existential construction of Privacy Amplification given in [DW09], there was focus on im- proving the parameters by giving explicit constructions of seeded non-malleable extractors [DLWZ11,CRS12,Li12a,Li12b,Li15,CGL16,CL16,Coh16,Li17]. While all these constructions give a 2-round privacy amplification protocol with opti- mal entropy loss, the min-entropy requirement is not optimal (the best known being O(κ log κ + log n) by [Li17]). ### Non-Malleable Extractors and Non-Malleable Codes: Partially Optimal Constructions

The recent line of study on randomness extractors has been a great success, resulting in ex- citing new techniques, new connections, and breakthroughs to long standing open problems in several seemingly different topics. These include seeded non-malleable extractors, privacy ampli- fication protocols with an active adversary, independent source extractors (and explicit Ramsey graphs), and non-malleable codes in the split state model. Previously, the best constructions are given in [Li17]: seeded non-malleable extractors with seed length and entropy requirement O(log n + log(1/) log log(1/)) for error ; two-round privacy amplification protocols with opti- mal entropy loss for security parameter up to Ω(k/ log k), where k is the entropy of the shared weak source; two-source extractors for entropy O(log n log log n); and non-malleable codes in the 2-split state model with rate Ω(1/ log n). However, in all cases there is still a gap to optimum and the motivation to close this gap remains strong. ### Optimal Computational Split-state Non-malleable Codes

coding scheme was proposed in . For the case of only two states, an explicit non-malleable code for encoding a single bit was proposed by . Recently, in a break-through result, an explicit scheme (of rate 0) was proposed for arbitrary length messages by . A constant rate construction for 10 states was provided in  (and later in ). Very recently, Aggarwal et al.  show that constant rate for such codes can in fact be achieved with only k = 2 states. We note that in this setting it is not possible to go beyond rate 1/2 if one insists upon information theoretic non-malleability. Our present work shows that by relying on compu- tational definition of non-malleability, we can achieve rate 1 with only 2 states (which are necessary). Asymptotically, these are the best possible parameters. ### Tamper Detection and Continuous Non-Malleable Codes

Necessity of Few Fixed Points. Secondly, we argue that the restriction on few fixed points is necessary. It is clear that the single identity function has all fixed-points (ϕ = 1) and full entropy (µ = n) but cannot be detected by any code. This shows that we must require ϕ < 1 even when µ = n and the function family is of size 1. We can further show that for any ϕ, there is a small family F of size |F | = 2 n which has ϕ-few fixed points and fully entropy (µ = n) such that no code (Enc, Dec) is even an (F, ϕ)-weak tamper-detection code. At first it may seem that a single permutation with ϕ-few fixed points could do the trick, but perhaps the code is chosen in such a way that the valid codewords c are never fixed points f (c) 6= c even though a ϕ-fraction of random values x are fixed points f (x) = x. To defeat this, we consider a family F of permutations with ϕ-few fixed points where the set of fixed points is 1-wise independent: for each x ∈ {0, 1} n we have Pr ### Non-Malleable Codes Against Bounded Polynomial Time Tampering

Cheraghchi and Guruswami [CG14] gave probabilistic constructions of efficient codes for circuits of size O(n c ) (where an efficient randomized procedure outputs a “good” code with high probability). Faust et.al [FMVW14] gave an improved (in terms of the dependence on the error bound) construction against the same class, which is explicit, but relies on a model including an untamparable CRS (common reference string). The presence of CRS is undesirable, as not only must the CRS be generated by a trusted party, the CRS is also a non-tamperable component of the scheme. Moreover, both of these works can be viewed as using limited (t-wise) independence to partially derandomize probabilistic constructions. This approach inherently leads to a CRS whose length is at least as long as the bound on the size of the tampering circuits — meaning the tampering circuits cannot even read the entire CRS. We additionally note that if we allowed other size parameters, in particular the codeword size, to be as large as the runtime of the tampering function, then achieving non-malleability would become trivial. This motivates the following questions: ### A Rate-Optimizing Compiler for Non-malleable Codes Against Bit-wise Tampering and Permutations

Intuitively, the short tag τ should encode some information about the much longer c in a way that makes it hard to change c without changing τ as well, and since the latter is encoded using a non- malleable code, one could hope that the over all code is non-malleable. One such choice of the tag, used in a preliminary version of this result [AGM + 14a], is τ = (h, h(c)), where h is a randomly chosen hash function with a short description from a (statistical) collision-resistant hash function family. As shown in [AGM + 14a], this suffices for the class of attacks involving permutations (but not allowing the adversary to set/reset the bits). However, when the class of attacks allowed for ### Non-Malleable Codes for Partial Functions with Manipulation Detection

Due to their important applications, constructing non-malleable codes has received a lot of attention over recent years. As non-malleability against gen- eral functions is impossible , various subclasses of tampering functions have been considered, such as split-state functions [1–3, 26, 27, 36, 37], bit-wise tam- pering and permutations [4, 5, 27], bounded-size function classes , bounded depth/fan-in circuits , space-bounded tampering , and others (cf. Section 1.4). One characteristic shared by those function classes is that they allow full access to the codeword, while imposing structural or computational restrictions to the way the function computes over the input. In this work we initiate a com- prehensive study on non-malleability for functions that receive partial access over the codeword, which is an important yet overlooked class, as we elaborate below. The class of partial functions. The class of partial functions contains all functions that read/write on an arbitrary subset of codeword bits with specific cardinality. Concretely, let c be a codeword with length ν. For α ∈ [0, 1), the function class F αν (or F α for brevity) consists of all functions that operate over ### Non-Malleable Codes from Average-Case Hardness: AC0, Decision Trees, and Streaming Space-Bounded Tampering

We now introduce an intermediate variant of non-malleability, called Medium Non-malleability, which informally gives security guarantees “in-between” strong and regular non-malleability. Specifically, the difference is that the experiment is allowed to output same ∗ only when some predicate g evaluated on (c, ˜ c) is set to true. Thus, strong non-malleability can be viewed as a special case of medium non-malleability, by setting g to be the identity function. On the other hand, regular non-malleability does not impose restrictions on when the experiment is allowed to output same ∗ . Note that g cannot be just any predicate in order for the definition to make sense. g must be a predicate such that if g evaluated on (c, c) is set to true, then (with ˜ overwhelming probability over the random coins of D) D(˜ c) = D(c). ### Reducing the Key Size of McEliece Cryptosystem from Automorphism-induced Goppa Codes via Permutations

As such, it is an interesting problem to consider sub-classes of Goppa codes to better balance the security and public key size requirements. One common approach adopted is to employ quasi-cyclic or quasi-dyadic Goppa codes [29, 7] or more generally, codes with a nontrivial automorphism group . Indeed, in , the authors showed that existing quasi-cyclic and quasi-dyadic constructions are induced from nontrivial automorphism subgroups of the rational function field. The main advantage to use a code with a nontrivial automorphism group G is that there exists a subset of basis codewords such that this subset together with their permutations induced by G form the whole basis of the code. As such, this allows one to use the subset of codewords as the public key instead of the entire basis, thereby reducing the size of the public key. Nonetheless, the size reduction leads to a trade-off with respect to its resistance to structural attacks. In particular, it was shown in [15, 14, 4] that the public/private key pair of such codes is equivalent to a public/private key pair of another code with smaller parameters. Algebraic cryptanalysis can then be performed on the corresponding codes with smaller parameters and successful attacks following this approach were carried out in [16, 17]. As such, one must select the parameters carefully in order to balance the trade-off and to achieve the desired security level . ### Non-Malleable Extractors, Two-Source Extractors and Privacy Amplification

The motivation to study a non-malleable extractor, the privacy amplification problem, is a fun- damental problem in symmetric cryptography that has been studied by many researchers. Bennett, Brassard, and Robert introduced this problem in [BBR88]. The basic setting is that, two parties (Alice and Bob) share an n-bit secret key X, which is weakly random. This could happen because the secret comes from a password or biometric data, which are themselves weakly random, or be- cause an adversary Eve managed to learn some partial information about an originally uniform secret, for example via side channel attacks. We measure the entropy of X by the min-entropy defined above. The goal is to have Alice and Bob communicate over a public channel so that they can convert X into a nearly uniform secret key. Generally, we also assume that Alice and Bob have local private uniform random bits. The problem is the presence of the adversary Eve, who can see every message transmitted in the channel and may or may not change the messages. We assume that Eve has unlimited computational power. 