Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs [DPW10], provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely "unrelated value". Although such codes do not exist if the family of "tampering functions" F allowed to modify the original codeword is completely unrestricted, they are known to exist for many broad tampering families F. The family which received the most attention [DPW10, LL12, DKO13, ADL14, CG14a, CG14b] is the family of tampering functions in the so called (2-part) split-state model: here the message x is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with each L and R individually. Despite this attention, the following problem remained open:Build efficient, information-theoretically secure non-malleable codes in the split-state model with constant encoding rate: |L| = |R| = O(|x|).In this work, we resolve this open problem. Our technique for getting our main result is of independent interest. We Most importantly, we show several "independence amplification" reductions, showing how to reduce split-state tampering of very few parts to an easier question of split-state tampering with a much larger number of parts. In particular, our final, constant-rate, non-malleable code composes one of these reductions with the very recent, "9-split-state" code of Chattopadhyay
We construct an efficient information-theoretically non-malleable code in the split-state model for one-bit messages. Non-malleable codes were introduced recently by Dziembowski, Pietrzak and Wichs (ICS 2010), as a general tool for storing messages securely on hardware that can be subject to tampering attacks. Informally, a code (Enc : M → L × R, Dec : L × R → M) is non-malleable in the split-state model if any adversary, by manipulating independently L and R (where (L, R) is an encoding of some message M), cannot obtain an encoding of a message M that is not equal to M but is "related" M in some way. Until now it was unknown how to construct an information-theoretically secure code with such a property, even for M = {0, 1}. Our construction solves this problem. Additionally, it is leakage-resilient, and the amount of leakage that we can tolerate can be an arbitrary fraction ξ < 1/4 of the length of the codeword. Our code is based on the inner-product twosource extractor, but in general it can be instantiated by any two-source extractor that has large output and has the property of being flexible, which is a new notion that we define. We also show that the non-malleable codes for one-bit messages have an equivalent, perhaps simpler characterization, namely such codes can be defined as follows: if M is chosen uniformly from {0, 1} then the probability (in the experiment described above) that the output message M is not equal to M can be at most 1/2 + .
This paper studies the design of cryptographic schemes that are secure even if implemented on untrusted machines that fall under adversarial control. For example, this includes machines that are infected by a software virus.\ud We introduce a new cryptographic notion that we call a one-time computable pseudorandom function (PRF), which is a PRF F K (·) that can be evaluated on at most one input, even by an adversary who controls the device storing the key K, as long as: (1) the adversary cannot “leak” the key K out of the device completely (this is similar to the assumptions made in the Bounded-Retrieval Model), and (2) the local read/write memory of the machine is restricted, and not too much larger than the size of K. In particular, the only way to evaluate F K (x) on such device, is to overwrite part of the key K during the computation, thus preventing all future evaluations of F K (·) at any other point x′ ≠ x. We show that this primitive can be used to construct schemes for password protected storage that are secure against dictionary attacks, even by a virus that infects the machine. Our constructions rely on the random-oracle model, and lower-bounds for graphs pebbling problems.\ud We show that our techniques can also be used to construct another primitive, called uncomputable hash functions, which are hash functions that have a short description but require a large amount of space to compute on any input. We show that this tool can be used to improve the communication complexity of proofs-of-erasure schemes, introduced recently by Perito and Tsudik (ESORICS 2010)
A recent trend in cryptography is to construct cryptosystems that are secure against physical attacks. Such attacks are usually divided into two classes: the leakage attacks in which the adversary obtains some information about the internal state of the machine, and the tampering attacks where the adversary can modify this state. One of the popular tools used to provide tamper-resistance are the non-malleable codes introduced by Dziembowski, Pietrzak and Wichs (ICS 2010). These codes can be defined in several variants, but arguably the most natural of them are the information-theoretically secure codes in the k-split-state model (the most desired case being k = 2).Such codes were constucted recently by Aggarwal et al. (STOC 2014). Unfortunately, unlike the earlier, computationally-secure constructions (Liu and Lysyanskaya, CRYPTO 2012) these codes are not known to be resilient to leakage. This is unsatisfactory, since in practice one always aims at providing resilience against both leakage and tampering (especially considering tampering without leakage is problematic, since the leakage attacks are usually much easier to perform than the tampering attacks).In this paper we close this gap by showing a non-malleable code in the 2-split state model that is secure against leaking almost a 1/12-th fraction of the bits from the codeword (in the bounded-leakage model). This is achieved via a generic transformation that takes as input any non-malleable code (Enc, Dec) in the 2-split state model, and constructs out of it another nonmalleable code (Enc , Dec ) in the 2-split state model that is additionally leakage-resilient. The rate of (Enc , Dec ) is linear in the rate of (Enc, Dec). Our construction requires that Dec is symmetric, i.e., for all x, y, it is the case that Dec(x, y) = Dec(y, x), but this property holds for all currently known information-theoretically secure codes in the 2-split state model. In particular, we can apply our transformation to the code of Aggarwal et al., obtaining the first leakage-resilient code secure in the split-state model. Our transformation can be applied to other codes (in particular it can also be applied to a recent code of Aggarwal, Dodis, Kazana and Obremski constructed in the work subsequent to this one).
Much recent work in cryptography attempts to build secure schemes in the presence of side-channel leakage or leakage caused by malicious software, like computer viruses. In this setting, the adversary may obtain some additional information (beyond the control of the scheme designer) about the internal secret state of a cryptographic scheme. Here, we consider key-evolution schemes that allow a user to evolve a secret-key K 1 via a deterministic function f , to get updated keys. .. Such a scheme is leakage-resilient if an adversary that can leak on the first i steps of the evolution process does not get any useful information about any future keys. For such schemes, one must assume some restriction on the complexity of the leakage to prevent pre-computation attacks, where the leakage on a key K i simply pre-computes a future key K i+t and leaks even a single bit on it.We notice that much of the prior work on this problem, and the restrictions made therein, can be divided into two types. Theoretical work offers rigor and provable security, but at the cost of having to make strong restrictions on the type of leakage and designing complicated schemes to make standard reduction-based proof techniques go through (an example of such an assumption is that only the data actually used in computation can leak to the adversary). On the other hand, practical work focuses on simple and efficient schemes, often at the cost of only achieving an intuitive notion of security without formal well-specified guarantees.In this paper, we complement the two tracks via a middle-of-the-road approach. On one hand, we rely on the random-oracle model, acknowledging the usefulness of this methodology in practice despite its theoretical shortcomings. On the other hand, we show that even in the random-oracle model, designing secure leakageresilient schemes with clear and meaningful guarantees requires great care and is susceptible to pitfalls. For example, just assuming that leakage "cannot evaluate the random oracle" can be misleading. Instead, we define a new model in which we assume that the "leakage" can be any arbitrary space bounded computation that can make random oracle calls itself. We connect the space-complexity of a computation in the random-oracle modeling to the pebbling complexity on graphs. Using this connection, we derive meaningful guarantees for relatively simple key-evolution constructions. Our security proofs do not rely on the assumption that only data used in the computation can leak.Our scheme is secure also against a large and natural class of active attacks. This is especially important if the key evolution is performed on a PC that can be attacked by a virus. So far, all results that provided solutions against such attacks were secure under the assumption that the virus can download the data from the machine, but he cannot modify any information stored on it (that was called the bounded retrieval model (BRM)). This paper provides the first scheme were the adversary in the BRM can also modify the data stored on...
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
Contact Info
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Product
Resources
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.
