Results 1-10 of 18
Efficient Non-Malleable Codes and Key-Derivation for Poly-Size Tampering Circuits
, 2013
Cited by 23 (7 self)
Abstract
Non-malleable codes, defined by Dziembowski, Pietrzak and Wichs (ICS ’10), provide roughly the following guarantee: if a codeword c encoding some message x is tampered to c′ = f(c) such that c′ ≠ c, then the tampered message x′ contained in c′ reveals no information about x. Non-malleable codes have applications to immunizing cryptosystems against tampering attacks and related-key attacks. One cannot have an efficient non-malleable code that protects against all efficient tampering functions f. However, in this work we show “the next best thing”: for any polynomial bound s given a priori, there is an efficient non-malleable code that protects against all tampering functions f computable by a circuit of size s. More generally, for any family of tampering functions F of size |F| ≤ 2^s, there is an efficient non-malleable code that protects against all f ∈ F. The rate of our codes, defined as the ratio of message to codeword size, approaches 1. Our results are information-theoretic and our main proof technique relies on a careful probabilistic method argument using limited independence. As a result, we get an efficiently samplable family of efficient codes, such that a random member of the family is non-malleable with overwhelming
Non-malleable codes from two-source extractors. Unpublished manuscript
, 2013
Cited by 19 (3 self)
Abstract
We construct an efficient information-theoretically non-malleable code in the split-state model for one-bit messages. Non-malleable codes were introduced recently by Dziembowski, Pietrzak and Wichs (ICS 2010), as a general tool for storing messages securely on hardware that can be subject to tampering attacks. Informally, a code (Enc: M → L×R, Dec: L × R → M) is non-malleable in the split-state model if any adversary, by manipulating independently L and R (where (L, R) is an encoding of some message M), cannot obtain an encoding of a message M′ that is not equal to M but is “related” to M in some way. Until now it was unknown how to construct an information-theoretically secure code with such a property, even for M = {0, 1}. Our construction solves this problem. Additionally, it is leakage-resilient, and the amount of leakage that we can tolerate can be an arbitrary fraction ξ < 1/4 of the length of the codeword. Our code is based on the inner-product two-source extractor, but in general it can be instantiated by any two-source extractor that has large output and has the property of being flexible, which is a new notion that we define. We also show that the non-malleable codes for one-bit messages have an equivalent, perhaps simpler characterization, namely such codes can be defined as follows: if M is chosen uniformly from {0, 1} then the probability (in the experiment described above) that the output message M′ is not equal to M can be at most 1/2 + ε.
Non-malleable Codes from Additive Combinatorics
, 2013
Cited by 18 (5 self)
Abstract
Non-malleable codes provide a useful and meaningful security guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value. Although such codes do not exist if the family of “tampering functions” F is completely unrestricted, they are known to exist for many broad tampering families F. One such natural family is the family of tampering functions in the so-called split-state model. Here the message m is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with L and R individually. The split-state tampering arises in many realistic applications, such as the design of non-malleable secret sharing schemes, motivating the question of designing efficient non-malleable codes in this model. Prior to this work, non-malleable codes in the split-state model received considerable attention in the literature, but were constructed either (1) in the random oracle model [14], or (2) relied on advanced cryptographic assumptions (such as non-interactive zero-knowledge proofs and leakage-resilient
Continuous Non-malleable Codes
 TCC 2014
, 2014
Cited by 16 (7 self)
Abstract
Non-malleable codes are a natural relaxation of error correcting/detecting codes that have useful applications in the context of tamper resilient cryptography. Informally, a code is non-malleable if an adversary trying to tamper with an encoding of a given message can only leave it unchanged or modify it to the encoding of a completely unrelated value. This paper introduces an extension of the standard non-malleability security notion – so-called continuous non-malleability – where we allow the adversary to tamper continuously with an encoding. This is in contrast to the standard notion of non-malleable codes where the adversary is only allowed to tamper a single time with an encoding. We show how to construct continuous non-malleable codes in the common split-state model where an encoding consists of two parts and the tampering can be arbitrary but has to be independent for both parts. Our main contributions are outlined below: 1. We propose a new uniqueness requirement of split-state codes which states that it is computationally hard to find two codewords C = (X0, X1) and C′ = (X0, X′1) such that both codewords are valid, but X0 is the same in both C and C′. A simple attack shows that uniqueness is necessary to achieve continuous non-malleability in the split-state model. Moreover,
Bounded Tamper Resilience: How to go beyond the Algebraic Barrier
, 2013
Cited by 12 (7 self)
Abstract
Related key attacks (RKAs) are powerful cryptanalytic attacks where an adversary can change the secret key and observe the effect of such changes at the output. The state of the art in RKA security protects against an a priori unbounded number of certain algebraically induced key relations, e.g., affine functions or polynomials of bounded degree. In this work, we show that it is possible to go beyond the algebraic barrier and achieve security against arbitrary key relations, by restricting the number of tampering queries the adversary is allowed to ask for. The latter restriction is necessary in case of arbitrary key relations, as otherwise a generic attack of Gennaro et al. (TCC 2004) shows how to recover the key of almost any cryptographic primitive. We describe our contributions in more detail below. 1. We show that standard ID and signature schemes constructed from a large class of Σ-protocols (including the Okamoto scheme, for instance) are secure even if the adversary can arbitrarily tamper with the prover’s state a bounded number of times and obtain some bounded amount of leakage. Interestingly, for the Okamoto scheme we can also allow independent tampering with the public parameters.
From single-bit to multi-bit public-key encryption via non-malleable codes
 IACR CRYPTOLOGY EPRINT ARCHIVE
, 2014
Cited by 9 (5 self)
Abstract
One approach towards basing public-key encryption schemes on weak and credible assumptions is to build “stronger” or more general schemes generically from “weaker” or more restricted schemes. One particular line of work in this context, which has been initiated by Myers and Shelat (FOCS ’09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt ’12), is to build a multi-bit chosen-ciphertext (CCA) secure public-key encryption scheme from a single-bit CCA-secure one. While their approaches achieve the desired goal, it is fair to say that the employed techniques are complicated and that the resulting ciphertext lengths are impractical. We propose a completely different and surprisingly simple approach to solving this problem. While it is well-known that encrypting each bit of a plaintext string independently is insecure—the resulting scheme is malleable—we show that applying a suitable non-malleable code (Dziembowski et al., ICS ’10) to the plaintext and subsequently encrypting the resulting codeword bit-by-bit results in a secure scheme. Our result is one of the first applications of non-malleable codes in a context other than memory tampering. The original notion of non-malleability is, however, not sufficient. We therefore prove that
Non-malleable reductions and applications
, 2014
Cited by 6 (2 self)
Abstract
Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs [DPW10], provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely “unrelated value”. Although such codes do not exist if the family of “tampering functions” F allowed to modify the original codeword is completely unrestricted, they are known to exist for many broad tampering families F. The family which received the most attention [DPW10, LL12, DKO13, ADL14, CG14a, CG14b] is the family of tampering functions in the so-called (2-part) split-state model: here the message x is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with each of L and R individually. Despite this attention, the following problem remained open: Build efficient, information-theoretically secure non-malleable codes in the split-state model with constant encoding rate: |L| = |R| = O(|x|). In this work, we resolve this open problem. Our technique for getting our main result is of
Tamper Detection and Continuous Non-Malleable Codes
, 2014
Cited by 3 (0 self)
Abstract
We consider a public and keyless code (Enc, Dec) which is used to encode a message m and derive a codeword c = Enc(m). The codeword can be adversarially tampered via a function f ∈ F from some “tampering function family” F, resulting in a tampered value c′ = f(c). We study the different types of security guarantees that can be achieved in this scenario for different families F of tampering attacks. Firstly, we initiate the general study of tamper-detection codes, which must detect that tampering occurred and output Dec(c′) = ⊥. We show that such codes exist for any family of functions F over n-bit codewords, as long as |F| < 2^(2^n) is sufficiently smaller than the set of all possible functions, and the functions f ∈ F are further restricted in two ways: (1) they can only have a few fixed points x such that f(x) = x, (2) they must have high entropy of f(x) over a random x. Such codes can also be made efficient when |F| = 2^poly(n). For example, F can be the family of all low-degree polynomials excluding constant and identity polynomials. Such tamper-detection codes generalize the algebraic manipulation detection (AMD) codes of Cramer et al. (EUROCRYPT ’08). Next, we revisit non-malleable codes, which were introduced by Dziembowski, Pietrzak and Wichs (ICS ’10) and require that Dec(c′) either decodes to the original message m, or to some unrelated value (possibly ⊥) that doesn’t provide any information about m. We give a modular construction of non-malleable codes by
Locally Decodable and Updatable Non-Malleable Codes and Their Applications
, 2014
Cited by 3 (0 self)
Abstract
Non-malleable codes, introduced as a relaxation of error-correcting codes by Dziembowski, Pietrzak and Wichs (ICS ’10), provide the security guarantee that the message contained in a tampered codeword is either the same as the original message or is set to an unrelated value. Various applications of non-malleable codes have been discovered, and one of the most significant applications among these is the connection with tamper-resilient cryptography. There is a large body of work considering security against various classes of tampering functions, as well as non-malleable codes with enhanced features such as leakage resilience. In this work, we propose combining the concepts of non-malleability, leakage resilience, and locality in a coding scheme. The contribution of this work is threefold: 1. As a conceptual contribution, we define a new notion of locally decodable and updatable non-malleable code that combines the above properties. 2. We present two simple and efficient constructions achieving our new notion with different levels of security.
A leakage-resilient pairing-based variant of the Schnorr signature scheme
 IMA Int. Conf., volume 8308 of LNCS
, 2013
Cited by 1 (1 self)
Abstract
Leakage-resilient cryptography aims at capturing side-channel attacks within the provable security framework. Currently there exists a plethora of schemes with provably secure guarantees against a variety of side-channel attacks. However, meeting the strongest security levels (resilience against continual leakage attacks) under the weakest assumptions currently leads to costly schemes. Additionally, recent results show the impossibility of achieving the strongest leakage-resilient security levels for cryptosystems whose secret key is uniquely determined by its public key. The above justifies the use of stronger assumptions to achieve simpler, more efficient schemes, since most deployed and practical cryptosystems satisfy the above-mentioned uniqueness of the secret key property. In particular, the Schnorr-based leakage-resilient digital signature schemes proposed up to now are built by gluing together ℓ copies of the basic signature scheme, resulting in a public key that admits exponentially many secret keys. Furthermore, the space needed to store the secret key material is proportional to the leakage tolerated by these schemes. We aim at designing a leakage-resilient variant of the Schnorr signature scheme whose secret key's storage space is constant, independently of the amount of leakage that it can tolerate. We assume that at any given time only the parts of the memory in use leak (split-state/only computation leaks information model); we ease the problem of exhibiting a security reduction by relying on generic groups (generic bilinear group model). We proceed by first proposing a pairing analogue of the Schnorr signature scheme, that we next transform to include split signing key updates. We give a leakage-resilience lower bound in generic bilinear groups against continual leakage attacks for the new scheme.