Inception Makes Non-malleable Codes Stronger

Non-malleable codes (NMCs), introduced by Dziembowski, Pietrzak and Wichs~\cite{DPW10}, provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. NMCs have emerged as a fundamental object at the intersection of coding theory and cryptography. A large body of the recent work has focused on various constructions of non-malleable codes in the split-state model. Many variants of NMCs have been introduced in the literature i.e. strong NMCs, super strong NMCs and continuous NMCs. Perhaps the most useful notion among these is that of continuous non-malleable codes, that allows for continuous tampering by the adversary. In this paper we give the first efficient, information-theoretic secure construction of continuous non-malleable codes in $2$-split-state model. Enroute to our main result, we obtain constructions for almost all possible notion of non-malleable codes that have been considered in the split-state model, and for which such a construction is possible. Our result is obtained by a series of black-box reductions starting from the non-malleable codes from~\cite{ADL14}. One of the main technical ingredient of our result is a new concept that we call \emph{inception coding}. We believe it may be of independent interest

Rate-Optimizing Compilers for Continuously Non-Malleable Codes

We study the *rate* of so-called *continuously* non-malleable codes, which allow to encode a message in such a way that (possibly adaptive) continuous tampering attacks on the codeword yield a decoded value that is unrelated to the original message. Our results are as follows: -) For the case of bit-wise independent tampering, we establish the existence of rate-one continuously non-malleable codes with information-theoretic security, in the plain model. -) For the case of split-state tampering, we establish the existence of rate-one continuously non-malleable codes with computational security, in the (non-programmable) random oracle model. We further exhibit a rate-1/2 code and a rate-one code in the common reference string model, but the latter only withstands *non-adaptive* tampering. It is well known that computational security is inherent for achieving continuous non-malleability in the split-state model (even in the presence of non-adaptive tampering). Continuously non-malleable codes are useful for protecting *arbitrary* cryptographic primitives against related-key attacks, as well as for constructing non-malleable public-key encryption schemes. Our results directly improve the efficiency of these applications

Continuous NMC Secure Against Permutations and Overwrites, with Applications to CCA Secure Commitments

Non-Malleable Codes (NMC) were introduced by Dziembowski, Pietrzak and Wichs in ICS 2010 as a relaxation of error correcting codes and error detecting codes. Faust, Mukherjee, Nielsen, and Venturi in TCC 2014 introduced an even stronger notion of non-malleable codes called continuous non-malleable codes where security is achieved against continuous tampering of a single codeword without re-encoding. We construct information theoretically secure CNMC resilient to bit permutations and overwrites, this is the first Continuous NMC constructed outside of the split-state model. In this work we also study relations between the CNMC and parallel CCA commitments. We show that the CNMC can be used to bootstrap a self-destruct parallel CCA bit commitment to a self-destruct parallel CCA string commitment, where self-destruct parallel CCA is a weak form of parallel CCA security. Then we can get rid of the self-destruct limitation obtaining a parallel CCA commitment, requiring only one-way functions

Tamper Detection and Continuous Non-Malleable Codes

We consider a public and keyless code (\Enc,\Dec) which is used to encode a message $m$ and derive a codeword c = \Enc(m). The codeword can be adversarially tampered via a function f \in \F from some tampering function family \F, resulting in a tampered value $c\u27 = f(c)$. We study the different types of security guarantees that can be achieved in this scenario for different families \F of tampering attacks. Firstly, we initiate the general study of tamper-detection codes, which must detect that tampering occurred and output \Dec(c\u27) = \bot. We show that such codes exist for any family of functions \F over $n$ bit codewords, as long as |\F| < 2^{2^n} is sufficiently smaller than the set of all possible functions, and the functions f \in \F are further restricted in two ways: (1) they can only have a few fixed points $x$ such that $f(x)=x$, (2) they must have high entropy of $f(x)$ over a random $x$. Such codes can also be made efficient when |\F| = 2^{\poly(n)}. For example, \F can be the family of all low-degree polynomials excluding constant and identity polynomials. Such tamper-detection codes generalize the algebraic manipulation detection (AMD) codes of Cramer et al. (EUROCRYPT \u2708). Next, we revisit non-malleable codes, which were introduced by Dziembowski, Pietrzak and Wichs (ICS \u2710) and require that \Dec(c\u27) either decodes to the original message $m$, or to some unrelated value (possibly $\bot$) that doesn\u27t provide any information about $m$. We give a modular construction of non-malleable codes by combining tamper-detection codes and leakage-resilient codes. This gives an alternate proof of the existence of non-malleable codes with optimal rate for any family \F of size |\F| < 2^{2^n}, as well as efficient constructions for families of size |\F| = 2^{\poly(n)}. Finally, we initiate the general study of continuous non-malleable codes, which provide a non-malleability guarantee against an attacker that can tamper a codeword multiple times. We define several variants of the problem depending on: (I) whether tampering is persistent and each successive attack modifies the codeword that has been modified by previous attacks, or whether tampering is non-persistent and is always applied to the original codeword, (II) whether we can self-destruct and stop the experiment if a tampered codeword is ever detected to be invalid or whether the attacker can always tamper more. In the case of persistent tampering and self-destruct (weakest case), we get a broad existence results, essentially matching what\u27s known for standard non-malleable codes. In the case of non-persistent tampering and no self-destruct (strongest case), we must further restrict the tampering functions to have few fixed points and high entropy. The two intermediate cases correspond to requiring only one of the above two restrictions. These results have applications in cryptography to related-key attack (RKA) security and to protecting devices against tampering attacks without requiring state or randomness

Extending The Applicability of Non-Malleable Codes

Modern cryptographic systems provide provable security guarantees as long as secret keys of the system remain confidential. However, if adversary learns some bits of information about the secret keys the security of the system can be breached. Side-channel attacks (like power analysis, timing analysis etc.) are one of the most effective tools employed by the adversaries to learn information pertaining to cryptographic secret keys. An adversary can also tamper with secret keys (say flip some bits) and observe the modified behavior of the cryptosystem, thereby leaking information about the secret keys. Dziembowski et al. (JACM 2018) defined the notion of non-malleable codes, a tool to protect memory against tampering. Non-malleable codes ensure that, when a codeword (generated by encoding an underlying message) is modified by some tampering function in a given tampering class, if the decoding of tampered codeword is incorrect then the decoded message is independent of the original message. In this dissertation, we focus on improving different aspects of non-malleable codes. Specifically, (1) we extend the class of tampering functions and present explicit constructions as well as general frameworks for constructing non-malleable codes. While most prior work considered ``compartmentalized" tampering functions, which modify parts of the codeword independently, we consider classes of tampering functions which can tamper with the entire codeword but are restricted in computational complexity. The tampering classes studied in this work include complexity classes $\mathsf{NC}^0$, and $\mathsf{AC}^0$. Also, earlier works focused on constructing non-malleable codes from scratch for different tampering classes, in this work we present a general framework for constructing non-malleable codes based on average-case hard problems for specific tampering families, and we instantiate our framework for various tampering classes including $\mathsf{AC}^0$. (2) The locality of code is the number of codeword blocks required to be accessed in order to decode/update a single block in the underlying message. We improve efficiency and usability by studying the optimal locality of non-malleable codes. We show that locally decodable and updatable non-malleable codes cannot have constant locality. We also give a matching upper bound that improves the locality of previous constructions. (3) We investigate a stronger variant of non-malleable codes called continuous non-malleable codes, which are known to be impossible to construct without computational assumptions. We show that setup assumptions such as common reference string (CRS) are also necessary to construct this stronger primitive. We present construction of continuous non-malleable codes in CRS model from weaker computational assumptions than assumptions used in prior work

FMNV Continuous Non-malleable Encoding Scheme is More Efficient Than Believed

Non-malleable codes are kind of encoding schemes which are resilient to tampering attacks. The main idea behind the non-malleable coding is that the adversary can\u27t be able to obtain any valuable information about the message. Non-malleable codes are used in tamper resilient cryptography and protecting memory against tampering attacks. Several kinds of definitions for the non-malleability exist in the literature. The Continuous non-malleability is aiming to protect messages against the adversary who issues polynomially many tampering queries. The first continuous non-malleable encoding scheme has been proposed by Faust et el. (FMNV) in 2014. In this paper, we propose a new method for proving continuous non-malleability of FMNV scheme. This new proof leads to an improved and more efficient scheme than previous one. The new proof shows we can have the continuous non-malleability with the same security by using a leakage resilient storage scheme with about (k+1)(log(q)-2) bits fewer leakage bound (where k is the output size of the collision resistant hash function and q is the maximum number of tampering queries)

Upper and Lower Bounds for Continuous Non-Malleable Codes

Recently, Faust et al. (TCC\u2714) introduced the notion of continuous non-malleable codes (CNMC), which provides stronger security guarantees than standard non-malleable codes, by allowing an adversary to tamper with the codeword in continuous way instead of one-time tampering. They also showed that CNMC with information theoretic security cannot be constructed in 2-split-state tampering model, and presented a construction of the same in CRS (common reference string) model using collision-resistant hash functions and non-interactive zero-knowledge proofs. In this work, we ask if it is possible to construct CNMC from weaker assumptions. We answer this question by presenting lower as well as upper bounds. Specifically, we show that it is impossible to construct 2-split-state CNMC, with no CRS, for one-bit messages from any falsifiable assumption, thus establishing the lower bound. We additionally provide an upper bound by constructing 2-split-state CNMC for one-bit messages, assuming only the existence of a family of injective one way functions. We also present a construction of 4-split-state CNMC for multi-bit messages in CRS model from the same assumptions. Additionally, we present definitions of the following new primitives: (1) One-to-one commitments, and (2) Continuous Non-Malleable Randomness Encoders, which may be of independent interest

Strong Continuous Non-malleable Encoding Schemes with Tamper-Detection

A non-malleable encoding scheme is a keyless encoding scheme which is resilient to tampering attacks. Such a scheme is said to be continuously secure if the scheme is resilient to attacks containing more than one tampering procedure. Also, such a scheme is said to have tamper-detection property if any kind of tampering attack is detected. In [S. Faust, et al., Continuous nonmalleable codes, TCC Proc., LNCS Vol. 8349, 2014.] a general continuous non-malleable encoding scheme based on NIZK is introduced which is secure in a strong model for which the adversary receives a no-tamper as a response to its tampering query if the decoding of the tampered codeword is identical to the original message. In this article we introduce a new strongly secure continuous non-malleable encoding scheme with tamper-detection property whose security is based on the existence of secure MAC’s. Moreover, we introduce and justify the importance of an intermediate security model called semi-strong continuous non-malleability, while we provide a secure semi-strong continuous non-malleable encoding scheme whose security is based on the existence of CCA-secure public-key encryption. Considering the area of applications of encoding schemes in tamper-proof devices, it is instructive to note that our proposed schemes can be used to implement an algorithmic tamperdetection level as well as maintaining the security conditions

Continuous Space-Bounded Non-Malleable Codes from Stronger Proofs-of-Space

Non-malleable codes are encoding schemes that provide protections against various classes of tampering attacks. Recently Faust et al. (CRYPTO 2017) initiated the study of space- bounded non-malleable codes that provide such protections against tampering within small- space devices. They put forward a construction based on any non-interactive proof-of-space (NIPoS). However, the scheme only protects against an a priori bounded number of tampering attacks. We construct non-malleable codes that are resilient to an unbounded polynomial number of space-bounded tamperings. Towards that we introduce a stronger variant of NIPoS called proof-extractable NIPoS (PExt-NIPoS), and propose two approaches of constructing such a primitive. Using a new proof strategy we show that the generic encoding scheme of Faust et al. achieves unbounded tamper-resilience when instantiated with a PExt-NIPoS. We show two methods to construct PExt-NIPoS: 1. The first method uses a special family of “memory-hard” graphs, called challenge-hard graphs (CHG), a notion we introduce here. We instantiate such family of graphs based on an extension of stack of localized expanders (first used by Ren and Devadas in the context of proof-of-space). In addition, we show that the graph construction used as a building block for the proof-of-space by Dziembowski et al. (CRYPTO 2015) satisfies challenge-hardness as well. These two CHG-instantiations lead to continuous space-bounded NMC with different features in the random oracle model. 2. Our second instantiation relies on a new measurable property, called uniqueness of NIPoS. We show that standard extractability can be upgraded to proof-extractability if the NIPoS also has uniqueness. We propose a simple heuristic construction of NIPoS, that achieves (partial) uniqueness, based on a candidate memory-hard function in the standard model and a publicly verifiable computation with small-space verification. Instantiating the encoding scheme of Faust et al. with this NIPoS, we obtain a continuous space-bounded NMC that supports the “most practical” parameters, complementing the provably secure but “relatively impractical” CHG-based constructions. Additionally, we revisit the construction of Faust et al. and observe that due to the lack of uniqueness of their NIPoS, the resulting encoding schemes yield “highly impractical” parameters in the continuous setting. We conclude the paper with a comparative study of all our non-malleable code constructions with an estimation of concrete parameters

Continuously non-malleable codes with split-state refresh

Non-malleable codes for the split-state model allow to encode a message into two parts, such that arbitrary independent tampering on each part, and subsequent decoding of the corresponding modified codeword, yields either the same as the original message, or a completely unrelated value. Continuously non-malleable codes further allow to tolerate an unbounded (polynomial) number of tampering attempts, until a decoding error happens. The drawback is that, after an error happens, the system must self-destruct and stop working, otherwise generic attacks become possible. In this paper we propose a solution to this limitation, by leveraging a split-state refreshing procedure. Namely, whenever a decoding error happens, the two parts of an encoding can be locally refreshed (i.e., without any interaction), which allows to avoid the self-destruct mechanism. An additional feature of our security model is that it captures directly security against continual leakage attacks. We give an abstract framework for building such codes in the common reference string model, and provide a concrete instantiation based on the external Diffie-Hellman assumption. Finally, we explore applications in which our notion turns out to be essential. The first application is a signature scheme tolerating an arbitrary polynomial number of split-state tampering attempts, without requiring a self-destruct capability, and in a model where refreshing of the memory happens only after an invalid output is produced. This circumvents an impossibility result from a recent work by Fuijisaki and Xagawa (Asiacrypt 2016). The second application is a compiler for tamper-resilient RAM programs. In comparison to other tamper-resilient compilers, ours has several advantages, among which the fact that, for the first time, it does not rely on the self-destruct feature