Explicit Non-malleable Codes Against Bit-Wise Tampering and Permutations

One approach towards basing public-key encryption (PKE) schemes on weak and credible assumptions is to build "stronger" or more general schemes generically from "weaker" or more restricted ones. One particular line of work in this context was initiated by Myers and shelat (FOCS '09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt '12), who provide constructions of multi-bit CCA-secure PKE from single-bit CCA-secure PKE.It is well-known that encrypting each bit of a plaintext string independently is not CCA-securethe resulting scheme is malleable. We therefore investigate whether this malleability can be dealt with using the conceptually simple approach of applying a suitable non-malleable code (Dziembowski et al., ICS '10) to the plaintext and subsequently encrypting the resulting codeword bitby-bit. We find that an attacker's ability to ask multiple decryption queries requires that the underlying code be continuously non-malleable (Faust et al., TCC '14). Since, as we show, this flavor of non-malleability can only be achieved if the code is allowed to "self-destruct," the resulting scheme inherits this property and therefore only achieves a weaker variant of CCA security.We formalize this new notion of so-called self-destruct CCA security (SD-CCA) as CCA security with the restriction that the decryption oracle stops working once the attacker submits an invalid ciphertext. We first show that the above approach based on non-malleable codes yields a solution to the problem of domain extension for SD-CCA-secure PKE, provided that the underlying code is continuously non-malleable against a reduced form of bit-wise tampering. Then, we prove that the code of Dziembowski et al. is actually already continuously non-malleable against (even full ) bit-wise tampering; this constitutes the first information-theoretically secure continuously nonmalleable code, a technical contribution that we believe is of independent interest. Compared to the previous approaches to PKE domain extension, our scheme is more efficient and intuitive, at the cost of not achieving full CCA security. Our result is also one of the first applications of non-malleable codes in a context other than memory tampering.

Section: More Details On Related Workmentioning

confidence: 99%

“…4 In other words, once the MBO is 1, it cannot return to 0. 5 Intuitively, this means that in order to distinguish the two systems, D has to provoke the MBO. 6 In less formal contexts, we sometimes drop the superscripts on ==⇒ .…”

Section: Public-key Encryption Schemesmentioning

confidence: 99%

From Single-Bit to Multi-bit Public-Key Encryption via Non-malleable Codes

Coretti

Maurer

Tackmann

et al. 2015

“…Very recently, an explicit rate-0 code against a more powerful class of tampering functions, which in addition to tampering with each bit of the codeword independently can also permute the bits of the resulting codeword after tampering, was achieved in [4]. This was further improved to rate 1 by [5].…”

Section: Prior Workmentioning

confidence: 99%

“…Non-malleable codes have found interesting cryptographic applications like domain extension of self-destruct CCA-secure public-key encryption [13] and non-malleable commitments [4].…”

Section: Prior Workmentioning

confidence: 99%

Optimal Computational Split-state Non-malleable Codes

Aggarwal

Agrawal

Gupta

et al. 2015

Self Cite

Abstract. Non-malleable codes are a generalization of classical errorcorrecting codes where the act of "corrupting" a codeword is replaced by a "tampering" adversary. Non-malleable codes guarantee that the message contained in the tampered codeword is either the original message m, or a completely unrelated one. In the common split-state model, the codeword consists of multiple blocks (or states) and each block is tampered with independently. The central goal in the split-state model is to construct high rate nonmalleable codes against all functions with only two states (which are necessary). Following a series of long and impressive line of work, constant rate, two-state, non-malleable codes against all functions were recently achieved by Aggarwal et al. (STOC 2015). Though constant, the rate of all known constructions in the split state model is very far from optimal (even with more than two states). In this work, we consider the question of improving the rate of split-state non-malleable codes. In the "information theoretic" setting, it is not possible to go beyond rate 1/2. We therefore focus on the standard computational setting. In this setting, each tampering function is required to be efficiently computable, and the message in the tampered codeword is required to be either the original message m or a "computationally" independent one. In this setting, assuming only the existence of one-way functions, we present a compiler which converts any poor rate, two-state, (sufficiently strong) non-malleable code into a rate-1, two-state, computational nonmalleable code. These parameters are asymptotically optimal. Furthermore, for the qualitative optimality of our result, we generalize the result of Cheraghchi and Guruswami (ITCS 2014) to show that the existence of one-way functions is necessary to achieve rate > 1/2 for such codes. Our compiler requires a stronger form of non-malleability, called augmented non-malleability. This notion requires a stronger simulation guarantee for non-malleable codes and simplifies their modular usage in cryptographic settings where composition occurs. Unfortunately, this form of non-malleability is neither straightforward nor generally guaranteed by known results. Nevertheless, we prove this stronger form of nonmalleability for the two-state construction of Aggarwal, Dodis, and Lovett (STOC 14). This result is of independent interest.

“…However, a general impossibility result by Gennaro et al [27] shows that the above flavour of tamper resistance is unachievable without further assumptions. To overcome this impossibility one usually relies on self-destruct (e.g., [22,15,1,14,13,23,24,25,17,2,3,4,16,30]), or limits the power of the tampering function (e.g., [9,33,7,6,28,35,37,10,11,30,36]). …”

Section: Introductionmentioning

confidence: 99%

The Chaining Lemma and Its Application

Damgård

Faust

Mukherjee

et al. 2015

We present a new information-theoretic result which we call the Chaining Lemma. It considers a so-called "chain" of random variables, defined by a source distribution X (0) with high min-entropy and a number (say, t in total) of arbitrary functions (T 1 , . . . , T t ) which are applied in succession to that source to generate the chain. Intuitively, the Chaining Lemma guarantees that, if the chain is not too long, then either (i) the entire chain is "highly random", in that every variable has high min-entropy; or (ii) it is possible to find a point j (1 ≤ j ≤ t) in the chain such that, conditioned on the end of the chain i.e. X (j) Tj+1remains highly random. We think this is an interesting information-theoretic result which is intuitive but nevertheless requires rigorous case-analysis to prove.We believe that the above lemma will find applications in cryptography. We give an example of this, namely we show an application of the lemma to protect essentially any cryptographic scheme against memory-tampering attacks. We allow several tampering requests, the tampering functions can be arbitrary, however, they must be chosen from a bounded size set of functions that is fixed a priori.