Results 1-10 of 18
Efficient Non-Malleable Codes and Key-Derivation for Poly-Size Tampering Circuits
2013
Cited by 23 (7 self)
Non-malleable codes, defined by Dziembowski, Pietrzak and Wichs (ICS ’10), provide roughly the following guarantee: if a codeword c encoding some message x is tampered to c′ = f(c) such that c′ ≠ c, then the tampered message x′ contained in c′ reveals no information about x. Non-malleable codes have applications to immunizing cryptosystems against tampering attacks and related-key attacks. One cannot have an efficient non-malleable code that protects against all efficient tampering functions f. However, in this work we show “the next best thing”: for any polynomial bound s given a priori, there is an efficient non-malleable code that protects against all tampering functions f computable by a circuit of size s. More generally, for any family of tampering functions F of size |F| ≤ 2^s, there is an efficient non-malleable code that protects against all f ∈ F. The rate of our codes, defined as the ratio of message to codeword size, approaches 1. Our results are information-theoretic and our main proof technique relies on a careful probabilistic method argument using limited independence. As a result, we get an efficiently samplable family of efficient codes, such that a random member of the family is non-malleable with overwhelming
Continuous Non-malleable Codes
TCC 2014
Cited by 16 (7 self)
Non-malleable codes are a natural relaxation of error correcting/detecting codes that have useful applications in the context of tamper-resilient cryptography. Informally, a code is non-malleable if an adversary trying to tamper with an encoding of a given message can only leave it unchanged or modify it to the encoding of a completely unrelated value. This paper introduces an extension of the standard non-malleability security notion – so-called continuous non-malleability – where we allow the adversary to tamper continuously with an encoding. This is in contrast to the standard notion of non-malleable codes, where the adversary is only allowed to tamper a single time with an encoding. We show how to construct continuous non-malleable codes in the common split-state model, where an encoding consists of two parts and the tampering can be arbitrary but has to be applied independently to each part. Our main contributions are outlined below: 1. We propose a new uniqueness requirement of split-state codes which states that it is computationally hard to find two codewords C = (X0, X1) and C′ = (X0, X′1) such that both codewords are valid, but X0 is the same in both C and C′. A simple attack shows that uniqueness is necessary to achieve continuous non-malleability in the split-state model. Moreover,
Bounded Tamper Resilience: How to go beyond the Algebraic Barrier
2013
Cited by 12 (7 self)
Related-key attacks (RKAs) are powerful cryptanalytic attacks where an adversary can change the secret key and observe the effect of such changes at the output. The state of the art in RKA security protects against an a priori unbounded number of certain algebraically induced key relations, e.g., affine functions or polynomials of bounded degree. In this work, we show that it is possible to go beyond the algebraic barrier and achieve security against arbitrary key relations, by restricting the number of tampering queries the adversary is allowed to ask for. The latter restriction is necessary in the case of arbitrary key relations, as otherwise a generic attack of Gennaro et al. (TCC 2004) shows how to recover the key of almost any cryptographic primitive. We describe our contributions in more detail below. 1. We show that standard ID and signature schemes constructed from a large class of Σ-protocols (including the Okamoto scheme, for instance) are secure even if the adversary can arbitrarily tamper with the prover’s state a bounded number of times and obtain some bounded amount of leakage. Interestingly, for the Okamoto scheme we can also allow independent tampering with the public parameters.
From single-bit to multi-bit public-key encryption via non-malleable codes
IACR Cryptology ePrint Archive, 2014
Cited by 9 (5 self)
One approach towards basing public-key encryption schemes on weak and credible assumptions is to build “stronger” or more general schemes generically from “weaker” or more restricted schemes. One particular line of work in this context, which was initiated by Myers and Shelat (FOCS ’09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt ’12), is to build a multi-bit chosen-ciphertext (CCA) secure public-key encryption scheme from a single-bit CCA-secure one. While their approaches achieve the desired goal, it is fair to say that the employed techniques are complicated and that the resulting ciphertext lengths are impractical. We propose a completely different and surprisingly simple approach to solving this problem. While it is well-known that encrypting each bit of a plaintext string independently is insecure—the resulting scheme is malleable—we show that applying a suitable non-malleable code (Dziembowski et al., ICS ’10) to the plaintext and subsequently encrypting the resulting codeword bit-by-bit results in a secure scheme. Our result is one of the first applications of non-malleable codes in a context other than memory tampering. The original notion of non-malleability is, however, not sufficient. We therefore prove that
Tamper Detection and Continuous Non-Malleable Codes
2014
Cited by 3 (0 self)
We consider a public and keyless code (Enc, Dec) which is used to encode a message m and derive a codeword c = Enc(m). The codeword can be adversarially tampered via a function f ∈ F from some “tampering function family” F, resulting in a tampered value c′ = f(c). We study the different types of security guarantees that can be achieved in this scenario for different families F of tampering attacks. Firstly, we initiate the general study of tamper-detection codes, which must detect that tampering occurred and output Dec(c′) = ⊥. We show that such codes exist for any family of functions F over n-bit codewords, as long as |F| < 2^(2^n) is sufficiently smaller than the set of all possible functions, and the functions f ∈ F are further restricted in two ways: (1) they can only have a few fixed points x such that f(x) = x, (2) they must have high entropy of f(x) over a random x. Such codes can also be made efficient when |F| = 2^poly(n). For example, F can be the family of all low-degree polynomials excluding constant and identity polynomials. Such tamper-detection codes generalize the algebraic manipulation detection (AMD) codes of Cramer et al. (EUROCRYPT ’08). Next, we revisit non-malleable codes, which were introduced by Dziembowski, Pietrzak and Wichs (ICS ’10) and require that Dec(c′) either decodes to the original message m, or to some unrelated value (possibly ⊥) that doesn’t provide any information about m. We give a modular construction of non-malleable codes by
Locally Decodable and Updatable Non-Malleable Codes and Their Applications
2014
Cited by 3 (0 self)
Non-malleable codes, introduced as a relaxation of error-correcting codes by Dziembowski, Pietrzak and Wichs (ICS ’10), provide the security guarantee that the message contained in a tampered codeword is either the same as the original message or is set to an unrelated value. Various applications of non-malleable codes have been discovered, and one of the most significant applications among these is the connection with tamper-resilient cryptography. There is a large body of work considering security against various classes of tampering functions, as well as non-malleable codes with enhanced features such as leakage resilience. In this work, we propose combining the concepts of non-malleability, leakage resilience, and locality in a coding scheme. The contribution of this work is threefold: 1. As a conceptual contribution, we define a new notion of locally decodable and updatable non-malleable code that combines the above properties. 2. We present two simple and efficient constructions achieving our new notion with different levels of security.
Affine-evasive Sets Modulo a Prime
2014
Cited by 3 (3 self)
In this work, we describe a simple and efficient construction of a large subset S of F_p, where p is a prime, such that the set A(S) for any non-identity affine map A over F_p has small intersection with S. Such sets, called affine-evasive sets, were defined and constructed in [ADL14] as the central step in the construction of non-malleable codes against affine tampering over F_p, for a prime p. This was then used to obtain efficient non-malleable codes against split-state tampering. Our result resolves one of the two main open questions in [ADL14]. It improves the rate of non-malleable codes against affine tampering over F_p from log log p to a constant, and consequently the rate for non-malleable codes against split-state tampering for n-bit messages is improved from n^6 log^7 n to n^6.
Explicit Non-malleable Codes Against Bit-Wise Tampering and Permutations
Cited by 2 (1 self)
A non-malleable code protects messages against various classes of tampering. Informally, a code is non-malleable if the message contained in a tampered codeword is either the original message, or a completely unrelated one. Although the existence of such codes for various rich classes of tampering functions is known, explicit constructions exist only for “compartmentalized” tampering functions: i.e., the codeword is partitioned into a priori fixed blocks and each block can only be tampered independently. The prominent examples of this model are the family of bit-wise independent tampering functions and the split-state model. In this paper, for the first time we construct explicit non-malleable codes against a natural class of non-compartmentalized tampering functions. We allow the tampering functions to permute the bits of the codeword and (optionally) perturb them by flipping or setting them to 0 or 1. We construct an explicit, efficient non-malleable code for arbitrarily long messages in this model (unconditionally).
A Rate-Optimizing Compiler for Non-malleable Codes Against Bit-wise Tampering and Permutations
Cited by 1 (0 self)
A non-malleable code protects messages against a class of tampering functions. Informally, a code is non-malleable if the effect of applying any tampering function on an encoded message is to either retain the message or to replace it with an unrelated message. Two main challenges in this area – apart from establishing the feasibility against different families of tampering – are to obtain explicit constructions and to obtain high rates for such constructions. In this work, we present a compiler to transform low-rate (in fact, zero-rate) non-malleable codes against a certain class of tampering into optimal-rate – i.e., rate 1 – non-malleable codes against the same class. If the original code is explicit, so is the new one. When applied to the family of bit-wise tampering functions, this subsumes (and greatly simplifies) a recent result of Cheraghchi and Guruswami (TCC 2014). Further, our compiler can be applied to non-malleable codes against the class of bit-wise tampering and bit-level permutations. Combined with the rate-0 construction in a companion work, this yields the first explicit rate-1 non-malleable code for this family of tampering functions. Our compiler uses a new technique for bootstrapping non-malleability by introducing errors,
Optimal computational split-state non-malleable codes
In TCC, 2016
Cited by 1 (0 self)
Non-malleable codes are a generalization of classical error-correcting codes where the act of “corrupting” a codeword is replaced by a “tampering” adversary. Non-malleable codes guarantee that the message contained in the tampered codeword is either the original message m, or a completely unrelated one. In the common split-state model, the codeword consists of multiple blocks (or states) and each block is tampered with independently. The central goal in the split-state model is to construct high-rate non-malleable codes against all functions with only two states (which are necessary). Following a long and impressive line of work, constant-rate, two-state, non-malleable codes against all functions were recently achieved by Aggarwal et al. (STOC 2015). Though constant, the rate of all known constructions in the split-state model is very far from optimal (even with more than two states). In this work, we consider the question of improving the rate of split-state