Non-malleable Codes against Lookahead Tampering

There are natural cryptographic applications where an adversary only gets to tamper a high- speed data stream on the fly based on her view so far, namely, the lookahead tampering model. Since the adversary can easily substitute transmitted messages with her messages, it is farfetched to insist on strong guarantees like error-correction or, even, manipulation detection. Dziembowski, Pietrzak, and Wichs (ICS–2010) introduced the notion of non-malleable codes that provide a useful message integrity for such scenarios. Intuitively, a non-malleable code ensures that the tampered codeword encodes the original message or a message that is entirely independent of the original message. Our work studies the following tampering model. We encode a message into k>=1 secret shares, and we transmit each share as a separate stream of data. Adversaries can perform lookahead tampering on each share, albeit, independently. We call this k-lookahead model. First, we show a hardness result for the k-lookahead model. To transmit an l-bit message, the cumulative length of the secret shares must be at least kl/(k-1). This result immediately rules out the possibility of a solution with k = 1. Next, we construct a solution for 2-lookahead model such that the total length of the shares is 3l, which is only 1.5x of the optimal encoding as indicated by our hardness result. Prior work considers stronger model of split-state encoding that creates k>=2 secret shares, but protects against adversaries who perform arbitrary (but independent) tampering on each se- cret share. The size of the secret shares of the most efficient 2-split-state encoding is l*log(l)/loglog(l) (Li, ECCC–2018). Even though k-lookahead is a weaker tampering class, our hardness result matches that of k-split-state tampering by Cheraghchi and Guruswami (TCC–2014). However, our explicit constructions above achieve much higher efficiency in encoding

A constant-rate non-malleable code in the split-state model.

Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs in ICS 2010, have emerged in the last few years as a fundamental object at the intersection of cryptography and coding theory. Non-malleable codes provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value\u27\u27. The family which received the most attention is the family of tampering functions in the so called (2-part) split-state model: here the message x is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with each L and R individually. In this work, we give a constant rate non-malleable code from the tampering family containing so called 2-lookahead functions and forgetful functions, and combined with the work of Dodis, Kazana and the authors from STOC 2015, this gives the first constant rate non-malleable code in the split-state model with negligible error

Non-malleable Reductions and Applications

Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs~\cite{DPW10}, provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely ``unrelated value\u27\u27. Although such codes do not exist if the family of ``tampering functions\u27\u27 \cF allowed to modify the original codeword is completely unrestricted, they are known to exist for many broad tampering families \cF. The family which received the most attention is the family of tampering functions in the so called (2-part) {\em split-state} model: here the message x is encoded into two shares L and R, and the attacker is allowed to {\em arbitrarily} tamper with each L and R individually. Despite this attention, the following problem remained open: Build efficient, information-theoretically secure non-malleable codes in the split-state model with constant encoding rate}: |L|=|R|=O(|x|). In this work, we make progress towards obtaining this result. Specifically, we (a) develop a generalization of non-malleable codes, called {\em non-malleable reductions}; (b) show simple composition theorem for non-malleable reductions; (c) build a variety of such reductions connecting various (independently interesting) tampering families \cF to each other; (d) construct several new non-malleable codes in the split-state model by applying the composition theorem to a series of easy to understand reductions. In particular, we design an unconditionally secure non-malleable code with 5 parts where the size of each part is quadratic in the length of the message, and state a conjecture under which we obtain a constant rate 2 part non-malleable code in the split-state model. Of independent interest, we show several ``independence amplification\u27\u27 reductions, showing how to reduce split-state tampering of very few parts to an easier question of split-state tampering with a much larger number of parts. \paragraph{Note.} Some time after publishing the paper (it was presented at STOC 2015), Xin Li pointed out that one of the proofs in the paper had a mistake. In particular, we had incorrectly claimed a proof of Conjecture 26. We would like to emphasize that we still believe that Conjecture 26 is true but we do not have a proof

Inception makes non-malleable codes shorter as well!

Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs in ICS 2010, have emerged in the last few years as a fundamental object at the intersection of cryptography and coding theory. Non-malleable codes provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely ``unrelated value\u27\u27. Although such codes do not exist if the family of ``tampering functions\u27\u27 {\mathcal F} allowed to modify the original codeword is completely unrestricted, they are known to exist for many broad tampering families {\mathcal F}. The family which received the most attention is the family of tampering functions in the so called (2-part) {\em split-state} model: here the message x is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with each L and R individually. Dodis, Kazana, and the authors in STOC 2015 developed a generalization of non-malleable codes called the concept of non-malleable reduction, where a non-malleable code for a tampering family {\mathcal F} can be seen as a non-malleable reduction from {\mathcal F} to a family NM of functions comprising the identity function and constant functions. They also gave a constant-rate reduction from a split-state tampering family to a tampering family {\mathcal G} containing so called $2$-lookahead functions, and forgetful functions. In this work, we give a constant rate non-malleable reduction from the family {\mathcal G} to NM, thereby giving the first {\em constant rate non-malleable code in the split-state model.} Central to our work is a technique called inception coding which was introduced by Aggarwal, Kazana and Obremski in TCC 2017, where a string that detects tampering on a part of the codeword is concatenated to the message that is being encoded

Non-malleable Reductions and Applications

Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs [DPW10], provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely "unrelated value". Although such codes do not exist if the family of "tampering functions" F allowed to modify the original codeword is completely unrestricted, they are known to exist for many broad tampering families F. The family which received the most attention [DPW10, LL12, DKO13, ADL14, CG14a, CG14b] is the family of tampering functions in the so called (2-part) split-state model: here the message x is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with each L and R individually. Despite this attention, the following problem remained open: Build efficient, information-theoretically secure non-malleable codes in the split-state model with constant encoding rate: |L| = |R| = O(|x|). In this work, we resolve this open problem

FMNV Continuous Non-malleable Encoding Scheme is More Efficient Than Believed

Non-malleable codes are kind of encoding schemes which are resilient to tampering attacks. The main idea behind the non-malleable coding is that the adversary can\u27t be able to obtain any valuable information about the message. Non-malleable codes are used in tamper resilient cryptography and protecting memory against tampering attacks. Several kinds of definitions for the non-malleability exist in the literature. The Continuous non-malleability is aiming to protect messages against the adversary who issues polynomially many tampering queries. The first continuous non-malleable encoding scheme has been proposed by Faust et el. (FMNV) in 2014. In this paper, we propose a new method for proving continuous non-malleability of FMNV scheme. This new proof leads to an improved and more efficient scheme than previous one. The new proof shows we can have the continuous non-malleability with the same security by using a leakage resilient storage scheme with about (k+1)(log(q)-2) bits fewer leakage bound (where k is the output size of the collision resistant hash function and q is the maximum number of tampering queries)

Inception Makes Non-malleable Codes Stronger

Non-malleable codes (NMCs), introduced by Dziembowski, Pietrzak and Wichs~\cite{DPW10}, provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. NMCs have emerged as a fundamental object at the intersection of coding theory and cryptography. A large body of the recent work has focused on various constructions of non-malleable codes in the split-state model. Many variants of NMCs have been introduced in the literature i.e. strong NMCs, super strong NMCs and continuous NMCs. Perhaps the most useful notion among these is that of continuous non-malleable codes, that allows for continuous tampering by the adversary. In this paper we give the first efficient, information-theoretic secure construction of continuous non-malleable codes in $2$-split-state model. Enroute to our main result, we obtain constructions for almost all possible notion of non-malleable codes that have been considered in the split-state model, and for which such a construction is possible. Our result is obtained by a series of black-box reductions starting from the non-malleable codes from~\cite{ADL14}. One of the main technical ingredient of our result is a new concept that we call \emph{inception coding}. We believe it may be of independent interest

Leakage-resilient non-malleable codes

A recent trend in cryptography is to construct cryptosystems that are secure against physical attacks. Such attacks are usually divided into two classes: the \emph{leakage} attacks in which the adversary obtains some information about the internal state of the machine, and the \emph{tampering} attacks where the adversary can modify this state. One of the popular tools used to provide tamper-resistance are the \emph{non-malleable codes} introduced by Dziembowski, Pietrzak and Wichs (ICS 2010). These codes can be defined in several variants, but arguably the most natural of them are the information-theoretically secure codes in the k-split-state model (the most desired case being k=2). Such codes were constucted recently by Aggarwal et al.~(STOC 2014). Unfortunately, unlike the earlier, computationally-secure constructions (Liu and Lysyanskaya, CRYPTO 2012) these codes are not known to be resilient to leakage. This is unsatisfactory, since in practice one always aims at providing resilience against both leakage and tampering (especially considering tampering without leakage is problematic, since the leakage attacks are usually much easier to perform than the tampering attacks). In this paper we close this gap by showing a non-malleable code in the $2$-split state model that is secure against leaking almost a $1/12$-th fraction of the bits from the codeword (in the bounded-leakage model). This is achieved via a generic transformation that takes as input any non-malleable code (\Enc,\Dec) in the $2$-split state model, and constructs out of it another non-malleable code (\Enc',\Dec') in the $2$-split state model that is additionally leakage-resilient. The rate of (\Enc',\Dec') is linear in the rate of (\Enc,\Dec). Our construction requires that \Dec is \emph{symmetric}, i.e., for all $x, y$, it is the case that \Dec(x,y) = \Dec(y,x), but this property holds for all currently known information-theoretically secure codes in the $2$-split state model. In particular, we can apply our transformation to the code of Aggarwal et al., obtaining the first leakage-resilient code secure in the split-state model. Our transformation can be applied to other codes (in particular it can also be applied to a recent code of Aggarwal, Dodis, Kazana and Obremski constructed in the work subsequent to this one)

Length-preserving authenticated encryption of storage blocks

Digital storage is often protected by individually authenticating and encrypting each storage unit, usually a disk block or a memory page. This results in one ciphertext and authentication tag per unit. Where used, these tags are written to external memory locations or to different blocks within the same device, but this has two main drawbacks. First, it is not always possible to use external memory, or to allocate extra blocks to store the tags. Second, storing the tag in a different location than the ciphertext requires two IO requests for each read or write: one request for the ciphertext, another for the tag. In this thesis, I ask and resolve the question: is it possible to use data compression to provide length-preserving storage protection, providing integrity and confidentiality, removing the need for external storage or extra blocks. The thesis contributes to the research of block-level data protection, and analyses existing protection methods for data protection of block devices, such as dm-crypt and dm-verity in Linux, as well as RAM protections such as AMD SEV-SNP. Previous compression-based solutions are analysed and found not to be fully length-preserving. The thesis presents LP-SP, a length-preserving storage protection method that does not need external storage or extra blocks for tags. Additionally, a prototype implementation in the device-mapper in Linux provides compression and performance measurements. These measurements result in LP-SP being especially useful in RAM and other environments with high compression rates