Continuously Non-malleable Codes with Split-State Refresh

Faonio, Antonio; Nielsen, Jesper Buus; Simkin, Mark G.; Venturi, Daniele

doi:10.1007/978-3-319-93387-0_7

Cited by 14 publications

(8 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this paper, we focus only on the "default flavor" of continuous non-malleability. This in contrast to previous work on continuously nonmalleable codes (except [20,19,28]), which instead by default considered continuous super non-malleability. While the notion we consider is strictly weaker than continuous strong or super non-malleability, to the best of our knowledge, it is sufficient for all known applications of continuously non-malleable codes, in particular [30,31,20,19,28].…”

Section: Continuous Non-malleabilitymentioning

confidence: 88%

“…The only known constructions of a CNMC in the split-state model (therefore also achieving message uniqueness) are the codes of [30,28], but unfortunately these constructions rely on both trusted setup and strong computational assumptions. Indeed such codes require: (i) a "common reference string", i.e., the existence of a honestly generated string (with some given distribution) that is assumed to be untamperable, and that is available to the encoding and decoding functions, and to the adversary; (ii) the existence of non-interactive zeroknowledge proofs and either collision-resistant hash functions [30] or public-key encryption resilient to continual leakage [24,28] (which we only know how to obtain under concrete number-theoretic assumptions over bi-linear groups). 8 Since [30] by default considered continuous super non-malleability, they require an even stronger form of uniqueness called codeword uniqueness, which intuitively says that it should be hard to find (c0, c1,c1) such that both (c0, c1) and (c0,c1) are valid, and c1 =c1, even if the two codewords encode the same message.…”

Section: Continuous Non-malleabilitymentioning

confidence: 99%

“…Non-malleable codes. Only a few constructions of continuously non-malleable codes are known (besides the already mentioned constructions of [30,28]). In particular, continuous non-malleability is known to be achievable in the informationtheoretic setting, for the simpler cases of bit-wise independent tampering [20,19] (where each bit of the codeword is tampered independently), and constant-state tampering [5].…”

Section: Additional Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

Ostrovsky

Persiano

Venturi

et al. 2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

At ICS 2010, Dziembowski, Pietrzak and Wichs introduced the notion of non-malleable codes, a weaker form of error-correcting codes guaranteeing that the decoding of a tampered codeword either corresponds to the original message or to an unrelated value. The last few years established non-malleable codes as one of the recently invented cryptographic primitives with the highest impact and potential, with very challenging open problems and applications. In this work, we focus on so-called continuously non-malleable codes in the split-state model, as proposed by Faust et al. (TCC 2014), where a codeword is made of two shares and an adaptive adversary makes a polynomial number of attempts in order to tamper the target codeword, where each attempt is allowed to modify the two shares independently (yet arbitrarily). Achieving continuous non-malleability in the split-state model has been so far very hard. Indeed, the only known constructions require strong setup assumptions (i.e., the existence of a common reference string) and strong complexity-theoretic assumptions (i.e., the existence of non-interactive zero-knowledge proofs and collision-resistant hash functions). As our main result, we construct a continuously non-malleable code in the split-state model without setup assumptions, requiring only one-toone one-way functions (i.e., essentially optimal computational assumptions). Our result introduces several new ideas that make progress towards understanding continuous non-malleability, and shows interesting connections with protocol-design and proof-approach techniques used in other contexts (e.g., look-ahead simulation in zero-knowledge proofs, non-malleable commitments, and leakage resilience).

show abstract

Section: Continuous Non-malleabilitymentioning

confidence: 88%

Section: Continuous Non-malleabilitymentioning

confidence: 99%

Section: Additional Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

Ostrovsky

Persiano

Venturi

et al. 2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Similar limitations have been considered before in the literature to circumvent impossibility results, in particular in the so called split-state model [DPW18]. Several constructions have been proposed in this model including: non-malleable codes (Dziembowski, Pietrzak and Wichs [DPW18]), signature schemes (Faonio et al [FNSV18]), and more (Liu and Lysyanskaya [LL12]).…”

Section: Related Workmentioning

confidence: 91%

Security of Hedged Fiat–Shamir Signatures Under Fault Attacks

Aranha

Orlandi

Takahashi

et al. 2020

Advances in Cryptology – EUROCRYPT 2020

View full text Add to dashboard Cite

Deterministic generation of per-signature randomness has been a widely accepted solution to mitigate the catastrophic risk of randomness failure in Fiat-Shamir type signature schemes. However, recent studies have practically demonstrated that such de-randomized schemes, including EdDSA, are vulnerable to differential fault attacks, which enable adversaries to recover the entire secret signing key, by artificially provoking randomness reuse or corrupting computation in other ways. In order to balance concerns of both randomness failures and the threat of fault injection, some signature designs are advocating a "hedged" derivation of the per-signature randomness, by hashing the secret key, message, and a nonce. Despite the growing popularity of the hedged paradigm in practical signature schemes, to the best of our knowledge, there has been no attempt to formally analyze the fault resilience of hedged signatures. We perform a formal security analysis of the fault resilience of signature schemes constructed via the Fiat-Shamir transform. We propose a model to characterize bit-tampering fault attacks, and investigate their impact across different steps of the signing operation. We prove that, for some types of faults, attacks are mitigated by the hedged paradigm, while attacks remain possible for others. As concrete case studies, we then apply our results to XEdDSA, a hedged version of EdDSA used in the Signal messaging protocol, and to Picnic2, a hedged Fiat-Shamir signature scheme in Round 2 of the NIST Post-Quantum standardization process.

show abstract

“…The compiler from LRREs to CNMREs is very similar to the original construction of CNMC of [33], and its proof of security follows a proof technique similar to [14,29,32]. Our LRREs are inspired by the leakage-resilient storage of Davi, Dziembowski and Venturi [18] based on the inner-product extractor (see also Dziembowski and Faust [21]).…”

Section: Technical Overviewmentioning

confidence: 99%

Practical Continuously Non-malleable Randomness Encoders in the Random Oracle Model

Faonio

2021

Cryptology and Network Security

Self Cite

View full text Add to dashboard Cite

A randomness encoder is a generalization of encoding schemes with an efficient procedure for encoding uniformly random strings. In this paper we continue the study of randomness encoders that additionally have the property of being continuous non-malleable. The beautiful notion of non-malleability for encoding schemes, introduced by Dziembowski, Pietrzak and Wichs (ICS10), states that tampering with the codeword can either keep the encoded message identical or produce an uncorrelated message. Continuous non-malleability extends the security notion to a setting where the adversary can tamper the codeword polynomially many times and where we assume a self-destruction mechanism in place in case of decoding errors. Our contributions are: (1) two practical constructions of continuous non-malleable randomness encoders in the random oracle model, and (2) a new compiler from continuous nonmalleable randomness encoders to continuous non-malleable codes, and (3) a study of lower bounds for continuous non-malleability in the random oracle model.

show abstract

Continuously Non-malleable Codes with Split-State Refresh

Cited by 14 publications

References 41 publications

Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

Security of Hedged Fiat–Shamir Signatures Under Fault Attacks

Practical Continuously Non-malleable Randomness Encoders in the Random Oracle Model

Contact Info

Product

Resources

About