Non-Malleable Codes for Small-Depth Circuits

Abstract: We construct efficient, unconditional non-malleable codes that are secure against tampering functions computed by small-depth circuits. For constant-depth circuits of polynomial size (i.e. AC 0 tampering functions), our codes have codeword length n = k 1+o(1) for a k-bit message. This is an exponential improvement of the previous best construction due to Chattopadhyay and Li (STOC 2017), which had codeword length 2 O( √ k) . Our construction remains efficient for circuit depths as large as Θ(log(n)/ log log(n)… Show more

“…The main building block of the ZK-preserving alphabet reduction is an encoding scheme with equivocation properties called Reconstructable Probabilistic Encoding (RPE) [ 34 , 35 , 36 , 37 ]. In this section, we formally define these objects.…”

“…This gives an efficient reconstructor . We note that the final ZK-PCP construction will use an explicit RPE construction due to [ 37 , 39 ].…”

“…The RPE that [ 13 ] uses is obtained by applying a general observation of [ 37 , 39 ]—that the existence of linear codes implies the existence of RPEs—to the linear codes of Decatur [ 41 ]. Specifically, Ball et al ([ 37 ], Lemma 2) prove the following, where a code is linear if its encoding procedure simply multiplies the input with a public generator matrix, and the distance of the code is (i.e., the minimal weight of a non-zero codeword):…”

“…(RPEs from linear error-correcting codes [ 37 ]). If there exists a linear error-correcting code with messages in and distance d, then there exists a -RPE.…”

Shielding Probabilistically Checkable Proofs: Zero-Knowledge PCPs from Leakage Resilience

“…The main building block of the ZK-preserving alphabet reduction is an encoding scheme with equivocation properties called Reconstructable Probabilistic Encoding (RPE) [ 34 , 35 , 36 , 37 ]. In this section, we formally define these objects.…”

“…This gives an efficient reconstructor . We note that the final ZK-PCP construction will use an explicit RPE construction due to [ 37 , 39 ].…”

“…The RPE that [ 13 ] uses is obtained by applying a general observation of [ 37 , 39 ]—that the existence of linear codes implies the existence of RPEs—to the linear codes of Decatur [ 41 ]. Specifically, Ball et al ([ 37 ], Lemma 2) prove the following, where a code is linear if its encoding procedure simply multiplies the input with a public generator matrix, and the distance of the code is (i.e., the minimal weight of a non-zero codeword):…”

“…(RPEs from linear error-correcting codes [ 37 ]). If there exists a linear error-correcting code with messages in and distance d, then there exists a -RPE.…”

Shielding Probabilistically Checkable Proofs: Zero-Knowledge PCPs from Leakage Resilience

“…Additionally, non-malleable codes in the split-state model have found many applications in the construction of non-malleable codes against other important and natural tampering families, as mentioned below: Decision tree tampering ([ 46 ]): each tampered output symbol is a function of a small polynomial number of (adaptively chosen) queries to codeword symbols. Small-depth circuit tampering ([ 46 , 47 ]): the tampered codeword is produced by a boolean circuit of polynomial size and nearly logarithmic depth. (Bounded) Polynomial-size circuit tampering ([ 48 ]): the tampered codeword is produced by circuit of bounded polynomial size, for some constant d , where n is the codeword length.…”

Non-Malleable Code in the Split-State Model

Upper and Lower Bounds for Continuous Non-Malleable Codes