Non-malleable codes for space-bounded tampering

Non-malleable codes—introduced by Dziembowski, Pietrzak and Wichs at ICS 2010—are key-less coding schemes in which mauling attempts to an encoding of a given message, w.r.t. some class of tampering adversaries, result in a decoded value that is either identical or unrelated to the original message. Such codes are very useful for protecting arbitrary cryptographic primitives against tampering attacks against the memory. Clearly, non-malleability is hopeless if the class of tampering adversaries includes the decoding and encoding algorithm. To circumvent this obstacle, the majority of past research focused on designing non-malleable codes for various tampering classes, albeit assuming that the adversary is unable to decode. Nonetheless, in many concrete settings, this assumption is not realistic

Quantum correlations in Newtonian space and time: arbitrarily fast communication or nonlocality

We investigate possible explanations of quantum correlations that satisfy the principle of continuity, which states that everything propagates gradually and continuously through space and time. In particular, following [J.D. Bancal et al, Nature Physics 2012], we show that any combination of local common causes and direct causes satisfying this principle, i.e. propagating at any finite speed, leads to signalling. This is true even if the common and direct causes are allowed to propagate at a supraluminal-but-finite speed defined in a Newtonian-like privileged universal reference frame. Consequently, either there is supraluminal communication or the conclusion that Nature is nonlocal (i.e. discontinuous) is unavoidable.Comment: It is an honor to dedicate this article to Yakir Aharonov, the master of quantum paradoxes. Version 2 contains some more references and a clarified conclusio

ESPRESSO: The next European exoplanet hunter

The acronym ESPRESSO stems for Echelle SPectrograph for Rocky Exoplanets and Stable Spectroscopic Observations; this instrument will be the next VLT high resolution spectrograph. The spectrograph will be installed at the Combined-Coud\'e Laboratory of the VLT and linked to the four 8.2 m Unit Telescopes (UT) through four optical Coud\'e trains. ESPRESSO will combine efficiency and extreme spectroscopic precision. ESPRESSO is foreseen to achieve a gain of two magnitudes with respect to its predecessor HARPS, and to improve the instrumental radial-velocity precision to reach the 10 cm/s level. It can be operated either with a single UT or with up to four UTs, enabling an additional gain in the latter mode. The incoherent combination of four telescopes and the extreme precision requirements called for many innovative design solutions while ensuring the technical heritage of the successful HARPS experience. ESPRESSO will allow to explore new frontiers in most domains of astrophysics that require precision and sensitivity. The main scientific drivers are the search and characterization of rocky exoplanets in the habitable zone of quiet, nearby G to M-dwarfs and the analysis of the variability of fundamental physical constants. The project passed the final design review in May 2013 and entered the manufacturing phase. ESPRESSO will be installed at the Paranal Observatory in 2016 and its operation is planned to start by the end of the same year.Comment: 12 pages, figures included, accepted for publication in Astron. Nach

Non-Malleable Secret Sharing for General Access Structures

Goyal and Kumar (STOC\u2718) recently introduced the notion of non-malleable secret sharing. Very roughly, the guarantee they seek is the following: the adversary may potentially tamper with all of the shares, and still, either the reconstruction procedure outputs the original secret, or, the original secret is ``destroyed and the reconstruction outputs a string which is completely ``unrelated to the original secret. Prior works on non-malleable codes in the 2 split-state model imply constructions which can be seen as 2-out-of-2 non-malleable secret sharing (NMSS) schemes. Goyal and Kumar proposed constructions of t-out-of-n NMSS schemes. These constructions have already been shown to have a number of applications in cryptography. We continue this line of research and construct NMSS for more general access structures. We give a generic compiler that converts any statistical (resp. computational) secret sharing scheme realizing any access structure into another statistical (resp. computational) secret sharing scheme that not only realizes the same access structure but also ensures statistical non-malleability against a computationally unbounded adversary who tampers each of the shares arbitrarily and independently. Instantiating with known schemes we get unconditional NMMS schemes that realize any access structures generated by polynomial size monotone span programs. Similarly, we also obtain conditional NMMS schemes realizing access structure in monotoneP (resp. monotoneNP) assuming one-way functions (resp. witness encryption). Towards considering more general tampering models, we also propose a construction of n-out-of-n NMSS. Our construction is secure even if the adversary could divide the shares into any two (possibly overlapping) subsets and then arbitrarily tamper the shares in each subset. Our construction is based on a property of inner product and an observation that the inner-product based construction of Aggarwal, Dodis and Lovett (STOC\u2714) is in fact secure against a tampering class that is stronger than 2 split-states. We also show applications of our construction to the problem of non-malleable message transmission

Super-Linear Time-Memory Trade-Offs for Symmetric Encryption

We build symmetric encryption schemes from a pseudorandom function/permutation with domain size $N$ which have very high security -- in terms of the amount of messages $q$ they can securely encrypt -- assuming the adversary has $S < N$ bits of memory. We aim to minimize the number of calls $k$ we make to the underlying primitive to achieve a certain $q$, or equivalently, to maximize the achievable $q$ for a given $k$. We target in particular $q \gg N$, in contrast to recent works (Jaeger and Tessaro, EUROCRYPT \u2719; Dinur, EUROCRYPT \u2720) which aim to beat the birthday barrier with one call when $S < \sqrt{N}$. Our first result gives new and explicit bounds for the Sample-then-Extract paradigm by Tessaro and Thiruvengadam (TCC \u2718). We show instantiations for which $q =\Omega((N/S)^{k})$. If $S < N^{1- \alpha}$, Thiruvengadam and Tessaro\u27s weaker bounds only guarantee $q > N$ when $k = \Omega(\log N)$. In contrast, here, we show this is true already for $k = O(1/\alpha)$. We also consider a scheme by Bellare, Goldreich and Krawczyk (CRYPTO \u2799) which evaluates the primitive on $k$ independent random strings, and masks the message with the XOR of the outputs. Here, we show $q= \Omega((N/S)^{k/2})$, using new combinatorial bounds on the list-decodability of XOR codes which are of independent interest. We also study best-possible attacks against this construction

Ciphertext Expansion in Limited-Leakage Order-Preserving Encryption: A Tight Computational Lower Bound

Order-preserving encryption emerged as a key ingredient underlying the security of practical database management systems. Boldyreva et al. (EUROCRYPT \u2709) initiated the study of its security by introducing two natural notions of security. They proved that their first notion, a ``best-possible\u27\u27 relaxation of semantic security allowing ciphertexts to reveal the ordering of their corresponding plaintexts, is not realizable. Later on Boldyreva et al. (CRYPTO \u2711) proved that any scheme satisfying their second notion, indistinguishability from a random order-preserving function, leaks about half of the bits of a random plaintext. This unsettling state of affairs was recently changed by Chenette et al. (FSE \u2716), who relaxed the above ``best-possible\u27\u27 notion and constructed a scheme satisfying it based on any pseudorandom function. In addition to revealing the ordering of any two encrypted plaintexts, ciphertexts in their scheme reveal only the position of the most significant bit on which the plaintexts differ. A significant drawback of their scheme, however, is its substantial ciphertext expansion: Encrypting plaintexts of length $m$ bits results in ciphertexts of length $m \cdot \ell$ bits, where $\ell$ determines the level of security (e.g., $\ell = 80$ in practice). In this work we prove a lower bound on the ciphertext expansion of any order-preserving encryption scheme satisfying the ``limited-leakage\u27\u27 notion of Chenette et al. with respect to non-uniform polynomial-time adversaries, matching the ciphertext expansion of their scheme up to lower-order terms. This improves a recent result of Cash and Zhang (ePrint \u2717), who proved such a lower bound for schemes satisfying this notion with respect to computationally-unbounded adversaries (capturing, for example, schemes whose security can be proved in the random-oracle model without relying on cryptographic assumptions). Our lower bound applies, in particular, to schemes whose security is proved in the standard model

The Distinction Between Fixed and Random Generators in Group-Based Assumptions

There is surprisingly little consensus on the precise role of the generator g in group-based assumptions such as DDH. Some works consider g to be a fixed part of the group description, while others take it to be random. We study this subtle distinction from a number of angles. - In the generic group model, we demonstrate the plausibility of groups in which random-generator DDH (resp. CDH) is hard but fixed-generator DDH (resp. CDH) is easy. We observe that such groups have interesting cryptographic applications. - We find that seemingly tight generic lower bounds for the Discrete-Log and CDH problems with preprocessing (Corrigan-Gibbs and Kogan, Eurocrypt 2018) are not tight in the sub-constant success probability regime if the generator is random. We resolve this by proving tight lower bounds for the random generator variants; our results formalize the intuition that using a random generator will reduce the effectiveness of preprocessing attacks. - We observe that DDH-like assumptions in which exponents are drawn from low-entropy distributions are particularly sensitive to the fixed- vs. random-generator distinction. Most notably, we discover that the Strong Power DDH assumption of Komargodski and Yogev (Komargodski and Yogev, Eurocrypt 2018) used for non-malleable point obfuscation is in fact false precisely because it requires a fixed generator. In response, we formulate an alternative fixed-generator assumption that suffices for a new construction of non-malleable point obfuscation, and we prove the assumption holds in the generic group model. We also give a generic group proof for the security of fixed-generator, low-entropy DDH (Canetti, Crypto 1997)