Efficient Non-Malleable Codes and Key-Derivation for Poly-Size Tampering Circuits (2013)
Cited by 23 (7 self)
Non-malleable codes, defined by Dziembowski, Pietrzak and Wichs (ICS ’10), provide roughly the following guarantee: if a codeword c encoding some message x is tampered to c′ = f(c) such that c′ ≠ c, then the tampered message x′ contained in c′ reveals no information about x. Non-malleable codes have applications to immunizing cryptosystems against tampering attacks and related-key attacks. One cannot have an efficient non-malleable code that protects against all efficient tampering functions f. However, in this work we show “the next best thing”: for any polynomial bound s given a priori, there is an efficient non-malleable code that protects against all tampering functions f computable by a circuit of size s. More generally, for any family of tampering functions F of size |F| ≤ 2^s, there is an efficient non-malleable code that protects against all f ∈ F. The rate of our codes, defined as the ratio of message to codeword size, approaches 1. Our results are information-theoretic and our main proof technique relies on a careful probabilistic method argument using limited independence. As a result, we get an efficiently samplable family of efficient codes, such that a random member of the family is non-malleable with overwhelming
Non-malleable Codes from Additive Combinatorics (2013)
Cited by 18 (5 self)
Non-malleable codes provide a useful and meaningful security guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value. Although such codes do not exist if the family of “tampering functions” F is completely unrestricted, they are known to exist for many broad tampering families F. One such natural family is the family of tampering functions in the so-called split-state model. Here the message m is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with L and R individually. The split-state tampering arises in many realistic applications, such as the design of non-malleable secret sharing schemes, motivating the question of designing efficient non-malleable codes in this model. Prior to this work, non-malleable codes in the split-state model received considerable attention in the literature, but were constructed either (1) in the random oracle model [14], or (2) relied on advanced cryptographic assumptions (such as non-interactive zero-knowledge proofs and leakage-resilient
Continuous Non-malleable Codes (TCC 2014)
Cited by 16 (7 self)
Non-malleable codes are a natural relaxation of error correcting/detecting codes that have useful applications in the context of tamper resilient cryptography. Informally, a code is non-malleable if an adversary trying to tamper with an encoding of a given message can only leave it unchanged or modify it to the encoding of a completely unrelated value. This paper introduces an extension of the standard non-malleability security notion – so-called continuous non-malleability – where we allow the adversary to tamper continuously with an encoding. This is in contrast to the standard notion of non-malleable codes where the adversary only is allowed to tamper a single time with an encoding. We show how to construct continuous non-malleable codes in the common split-state model where an encoding consists of two parts and the tampering can be arbitrary but has to be independent with both parts. Our main contributions are outlined below: 1. We propose a new uniqueness requirement of split-state codes which states that it is computationally hard to find two codewords C = (X_0, X_1) and C′ = (X_0, X′_1) such that both codewords are valid, but X_0 is the same in both C and C′. A simple attack shows that uniqueness is necessary to achieve continuous non-malleability in the split-state model. Moreover,
From single-bit to multi-bit public-key encryption via non-malleable codes (IACR Cryptology ePrint Archive, 2014)
Cited by 9 (5 self)
One approach towards basing public-key encryption schemes on weak and credible assumptions is to build “stronger” or more general schemes generically from “weaker” or more restricted schemes. One particular line of work in this context, which has been initiated by Myers and Shelat (FOCS ’09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt ’12), is to build a multi-bit chosen-ciphertext (CCA) secure public-key encryption scheme from a single-bit CCA-secure one. While their approaches achieve the desired goal, it is fair to say that the employed techniques are complicated and that the resulting ciphertext lengths are impractical. We propose a completely different and surprisingly simple approach to solving this problem. While it is well-known that encrypting each bit of a plaintext string independently is insecure—the resulting scheme is malleable—we show that applying a suitable non-malleable code (Dziembowski et al., ICS ’10) to the plaintext and subsequently encrypting the resulting codeword bit-by-bit results in a secure scheme. Our result is one of the first applications of non-malleable codes in a context other than memory tampering. The original notion of non-malleability is, however, not sufficient. We therefore prove that
Non-Malleable Coding Against Bitwise and Split-State Tampering
Cited by 8 (0 self)
Non-malleable coding, introduced by Dziembowski, Pietrzak and Wichs (ICS 2010), aims for protecting the integrity of information against tampering attacks in situations where error-detection is impossible. Intuitively, information encoded by a non-malleable code either decodes to the original message or, in presence of any tampering, to an unrelated message. Non-malleable coding is possible against any class of adversaries of bounded size. In particular, Dziembowski et al. show that such codes exist and may achieve positive rates for any class of tampering functions of size at most 2^{2^{αn}}, for any constant α ∈ [0, 1). However, this result is existential and has thus attracted a great deal of subsequent research on explicit constructions of non-malleable codes against natural classes of adversaries. In this work, we consider constructions of coding schemes against two well-studied classes of tampering functions; namely, bitwise tampering functions (where the adversary tampers each bit of the encoding independently) and the much more general class of split-state adversaries (where two independent adversaries arbitrarily tamper each half of the encoded sequence). We obtain the following results for these models. 1. For bit-tampering adversaries, we obtain explicit and efficiently encodable and decodable non-malleable
Non-malleable reductions and applications (2014)
Cited by 6 (2 self)
Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs [DPW10], provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely “unrelated value”. Although such codes do not exist if the family of “tampering functions” F allowed to modify the original codeword is completely unrestricted, they are known to exist for many broad tampering families F. The family which received the most attention [DPW10, LL12, DKO13, ADL14, CG14a, CG14b] is the family of tampering functions in the so-called (2-part) split-state model: here the message x is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with each L and R individually. Despite this attention, the following problem remained open: Build efficient, information-theoretically secure non-malleable codes in the split-state model with constant encoding rate: |L| = |R| = O(|x|). In this work, we resolve this open problem. Our technique for getting our main result is of
Tamper Detection and Continuous Non-Malleable Codes (2014)
Cited by 3 (0 self)
We consider a public and keyless code (Enc, Dec) which is used to encode a message m and derive a codeword c = Enc(m). The codeword can be adversarially tampered via a function f ∈ F from some “tampering function family” F, resulting in a tampered value c′ = f(c). We study the different types of security guarantees that can be achieved in this scenario for different families F of tampering attacks. Firstly, we initiate the general study of tamper-detection codes, which must detect that tampering occurred and output Dec(c′) = ⊥. We show that such codes exist for any family of functions F over n-bit codewords, as long as |F| < 2^{2^n} is sufficiently smaller than the set of all possible functions, and the functions f ∈ F are further restricted in two ways: (1) they can only have a few fixed points x such that f(x) = x, (2) they must have high entropy of f(x) over a random x. Such codes can also be made efficient when |F| = 2^{poly(n)}. For example, F can be the family of all low-degree polynomials excluding constant and identity polynomials. Such tamper-detection codes generalize the algebraic manipulation detection (AMD) codes of Cramer et al. (EUROCRYPT ’08). Next, we revisit non-malleable codes, which were introduced by Dziembowski, Pietrzak and Wichs (ICS ’10) and require that Dec(c′) either decodes to the original message m, or to some unrelated value (possibly ⊥) that doesn’t provide any information about m. We give a modular construction of non-malleable codes by
Leakage-resilient non-malleable codes (2014)
Cited by 3 (1 self)
A recent trend in cryptography is to construct cryptosystems that are secure against physical attacks. Such attacks are usually divided into two classes: the leakage attacks in which the adversary obtains some information about the internal state of the machine, and the tampering attacks where the adversary can modify this state. One of the popular tools used to provide tamper-resistance is the non-malleable codes introduced by Dziembowski, Pietrzak and Wichs (ICS 2010). These codes can be defined in several variants, but arguably the most natural of them are the information-theoretically secure codes in the k-split-state model (the most desired case being k = 2). Such codes were constructed recently by Aggarwal et al. (STOC 2014). Unfortunately, unlike the earlier, computationally-secure constructions (Liu and Lysyanskaya, CRYPTO 2012) these codes are not known to be resilient to leakage. This is unsatisfactory, since in practice one always aims at providing resilience against both leakage and tampering (especially considering tampering without leakage is problematic, since the leakage attacks are usually much easier to perform than the tampering attacks).
Locally Decodable and Updatable Non-Malleable Codes and Their Applications (2014)
Cited by 3 (0 self)
Non-malleable codes, introduced as a relaxation of error-correcting codes by Dziembowski, Pietrzak and Wichs (ICS ’10), provide the security guarantee that the message contained in a tampered codeword is either the same as the original message or is set to an unrelated value. Various applications of non-malleable codes have been discovered, and one of the most significant applications among these is the connection with tamper-resilient cryptography. There is a large body of work considering security against various classes of tampering functions, as well as non-malleable codes with enhanced features such as leakage resilience. In this work, we propose combining the concepts of non-malleability, leakage resilience, and locality in a coding scheme. The contribution of this work is threefold: 1. As a conceptual contribution, we define a new notion of locally decodable and updatable non-malleable code that combines the above properties. 2. We present two simple and efficient constructions achieving our new notion with different levels of security.
Affine-evasive Sets Modulo a Prime (2014)
Cited by 3 (3 self)
In this work, we describe a simple and efficient construction of a large subset S of F_p, where p is a prime, such that the set A(S) for any non-identity affine map A over F_p has small intersection with S. Such sets, called affine-evasive sets, were defined and constructed in [ADL14] as the central step in the construction of non-malleable codes against affine tampering over F_p, for a prime p. This was then used to obtain efficient non-malleable codes against split-state tampering. Our result resolves one of the two main open questions in [ADL14]. It improves the rate of non-malleable codes against affine tampering over F_p from log log p to a constant, and consequently the rate for non-malleable codes against split-state tampering for n-bit messages is improved from n^6 log^7 n to n^6.