Non-Malleable Codes Against Affine Errors

Ryota Iwamoto and Takeshi Koshiba
Graduate School of Science and Engineering, Saitama University

arXiv:1701.07914v1 [cs.CR] 27 Jan 2017

Abstract—Non-malleable code is a relaxed version of error-correction codes: the decoding of a modified codeword results in either the original message or a completely unrelated value. Thus, if an adversary corrupts a codeword, he cannot get any information from the codeword. This means that non-malleable codes are useful to provide a security guarantee in situations where the adversary can overwrite the encoded message. In 2010, Dziembowski et al. showed a construction for non-malleable codes against an adversary who can falsify codewords bitwise independently. In this paper, we consider an extended adversarial model (the affine error model) where the adversary can falsify codewords bitwise independently or replace some bit with the value obtained by applying an affine map over a limited number of bits. We prove that the non-malleable codes (for the bitwise error model) provided by Dziembowski et al. are still non-malleable against the adversary in the affine error model.

I. INTRODUCTION

As we know, error-correction codes can recover the original message from a corrupted codeword (within admissible errors), and error-detection codes can detect that the codeword is corrupted even when error correction is not possible. The notion of non-malleable codes, invented by Dziembowski, Pietrzak, and Wichs [11], is a relaxed notion of error-detection codes or error-correction codes. (The term "non-malleability" comes from non-malleable cryptography [9].) For non-malleable codes, we suppose that errors are caused by some adversary's malicious behavior. If the adversary tampers with a codeword of a non-malleable code, its decoding results in either the original message or a message independent of the original one. Thus, non-malleable codes are applicable to situations where error detection and error correction are impossible. For example, they provide a security guarantee against adversaries who can overwrite encoded messages.

We suppose that the adversary tampers with a codeword $C$ by applying a function $f$ to $C$. We consider the situation where a message $s \in \{0,1\}^k$ is randomly encoded and the encoded message is tampered by $f$. We denote the resulting corrupted codeword by a random variable $\mathsf{Tamper}^f_s$. For non-malleability, it is desirable that, for any $s, s' \in \{0,1\}^k$, the random variables $\mathsf{Tamper}^f_s$ and $\mathsf{Tamper}^f_{s'}$ are almost identical to each other. But it may happen that the decoding result $\tilde s$ of a tampered codeword coincides with the original message $s$. In this case, it is clear that $\mathsf{Tamper}^f_s$ depends on $s$. Thus, we consider a probability distribution $D$ whose support includes $\tilde s$ and a special symbol $\mathsf{same}^*$. With this probability distribution in hand, non-malleable codes can be defined. A code is non-malleable if there exists a probability distribution $D_f$ such that, for any $s \in \{0,1\}^k$, the following two probability distributions are statistically indistinguishable: (1) the probability distribution induced by $\mathsf{Tamper}^f_s$, and (2) the probability distribution which is identical to $D_f$ except that, whenever $\mathsf{same}^*$ appears, we replace it with $s$.

In general, there is no non-malleable code for arbitrary tampering functions. In [11], Dziembowski et al. consider the class of bitwise independent tampering functions and give a construction of non-malleable codes with respect to this class. Faust et al. [12] provide efficient non-malleable codes with respect to tampering functions which can be computed by poly-size circuits. Chandran et al. [3] consider block-wise tampering and show the impossibility of non-malleable codes with respect to block-wise tampering in the information-theoretic setting. They also give a construction of non-malleable codes with respect to block-wise tampering from the viewpoint of computational complexity theory. Aggarwal et al. [1] explore computational non-malleable codes further. In the literature (e.g., [7], [5], [10], [4]), several tampering models are proposed and connections to other research areas such as randomness extractors and locally decodable codes are discussed.

In this paper, we extend bitwise independent tampering to "affine" tampering, where the adversary can falsify codewords bitwise independently or replace some bit with the value obtained by applying an affine map over a limited number of bits. We prove that the non-malleable codes with respect to bitwise independent tampering, provided by Dziembowski et al. [11], are still non-malleable with respect to affine tampering in the information-theoretic setting.

II. NOTATIONS

Let $g$ be a randomized function and $g(x;r)$ be the functional value on input $x$ computed with supplementary randomness $r$. If we do not have to specify the randomness $r$, we denote it by $g(x)$. If $D$ is a probability distribution, $d \leftarrow D$ means that a value $d$ is chosen according to the probability distribution $D$. For a finite set $B$, $|B|$ denotes the number of elements in $B$. For an $n$-bit string $x \in \{0,1\}^n$, $w_H(x)$ denotes the Hamming weight of $x$. For two strings $x$ and $x'$ of equal length, $d_H(x,x') \stackrel{\mathrm{def}}{=} w_H(x \oplus x')$ denotes the Hamming distance between $x$ and $x'$.

$$\mathrm{SD}(X_0, X_1) \stackrel{\mathrm{def}}{=} \frac{1}{2}\sum_{x} |P_{X_0}(x) - P_{X_1}(x)|$$

denotes the statistical distance between two probability distributions $X_0$ and $X_1$ of the same support. If $\mathrm{SD}(X_0,X_1)$ is negligibly small for two probability distributions $X_0$ and $X_1$, we say that $X_0$ and $X_1$ are statistically indistinguishable and write $X_0 \approx X_1$. If $\mathrm{SD}(X_0,X_1) = 0$, we write $X_0 = X_1$.

III. PREVIOUS RESULTS

In this section, we review the previous results by Dziembowski et al. in [11].

Definition 1 (Coding Scheme): A coding scheme is a pair of two functions $(\mathsf{Enc},\mathsf{Dec})$, where $\mathsf{Enc}: \{0,1\}^k \to \{0,1\}^n$ is a (randomized) encoding function and $\mathsf{Dec}: \{0,1\}^n \to \{0,1\}^k \cup \{\bot\}$ is a deterministic decoding function satisfying $\Pr[\mathsf{Dec}(\mathsf{Enc}(s)) = s] = 1$ for every $s \in \{0,1\}^k$.

The desired property for non-malleable codes is discussed in Section I. We give a formal definition of non-malleable codes below.

Definition 2 (Non-malleability): Let $\mathcal{F}$ be a class of tampering functions and $(\mathsf{Enc},\mathsf{Dec})$ be a coding scheme. For each $f \in \mathcal{F}$ and $s \in \{0,1\}^k$, define a random variable as follows:

$$\mathsf{Tamper}^f_s \stackrel{\mathrm{def}}{=} \Big\{\ c \leftarrow \mathsf{Enc}(s);\ \tilde c \leftarrow f(c);\ \tilde s \leftarrow \mathsf{Dec}(\tilde c);\ \text{Output } \tilde s.\ \Big\}$$

The randomness of $\mathsf{Tamper}^f_s$ comes from the randomness used to compute the encoding function $\mathsf{Enc}$. If, for each $f \in \mathcal{F}$ and for each $s$, there exists a universal probability distribution $D_f$ over $\{0,1\}^k \cup \{\bot, \mathsf{same}^*\}$ such that

$$\mathsf{Tamper}^f_s \approx \Big\{\ \tilde s \leftarrow D_f;\ \text{If } \tilde s = \mathsf{same}^* \text{ then output } s;\ \text{Otherwise, output } \tilde s.\ \Big\}$$

then we say that $(\mathsf{Enc},\mathsf{Dec})$ is non-malleable with respect to $\mathcal{F}$. If the statistical distance in the above is bounded by $\varepsilon$, we say the non-malleable code $(\mathsf{Enc},\mathsf{Dec})$ is $\varepsilon$-secure.

Dziembowski et al. [11] showed a non-malleable code against the adversary who can tamper codewords bitwise independently. Their construction is simply a combination of algebraic manipulation detection (AMD) codes by Cramer et al. [8] and a linear error-correction secret-sharing scheme [11].

Definition 3 (AMD codes [8]): Let $(A,V)$ be a coding scheme, where $A: \{0,1\}^k \to \{0,1\}^n$ is an encoding function and $V$ is a decoding function. If, for some $\rho$, for every $s \in \{0,1\}^k$ and for every $\Delta \in \{0,1\}^n \setminus \{0^n\}$, $\Pr[V(A(s) + \Delta) \neq \bot] \le \rho$, then we say that $(A,V)$ is an algebraic manipulation detection (AMD) coding scheme of $\rho$-security.

Definition 4 (LECSS scheme [11]): Let $(E,D)$ be a coding scheme. Suppose that $(E,D)$ satisfies the following three properties:

Linearity: For every $c \in \{0,1\}^n$ such that $D(c) \neq \bot$ and for every $\Delta \in \{0,1\}^n$, we have

$$D(c + \Delta) = \begin{cases} \bot & \text{if } D(\Delta) = \bot, \\ D(c) + D(\Delta) & \text{otherwise.} \end{cases}$$

Distance $d$: For every $\tilde c \in \{0,1\}^n \setminus \{0^n\}$ whose Hamming weight is less than $d$, we have $D(\tilde c) = \bot$.

Secrecy $t$: For any $s$, let $C = (C_1,\dots,C_n) = E(s)$ be a random variable, where $C_i$ is the $i$-th bit of $C$. Then $\{C_i\}_{1 \le i \le n}$ are $t$-wise independent. Each (marginal) $C_i$ is the uniform distribution over $\{0,1\}$.

Then we say that $(E,D)$ is a $(t,d)$-linear error-correction secret-sharing (LECSS) scheme.

Bitwise independent tampering can be described as

$$f(c_1,\dots,c_n) = (f_1(c_1),\dots,f_n(c_n)),$$

where each $f_i$ is
• the bit-flipping function (i.e., $f_i(b) = 1 \oplus b$),
• the identity function (i.e., $f_i(b) = b$),
• the 0-constant function (i.e., $f_i(b) = 0$), or
• the 1-constant function (i.e., $f_i(b) = 1$).

We denote the class of bitwise independent tampering functions by $\mathcal{F}_{\mathrm{BIT}}$. That is,

$$\mathcal{F}_{\mathrm{BIT}} = \Big\{ f = (f_1,\dots,f_n) : f_i \in \{\text{bit-flipping}, \text{identity}, \text{0-constant}, \text{1-constant}\} \Big\}.$$

Theorem 5 ([11]): Suppose that $(E,D)$ is a $(d,t)$-LECSS scheme where $d > n/4$ and $(A,V)$ is a $\rho$-secure AMD coding scheme. Using these schemes, we define a coding scheme $(\mathsf{Enc},\mathsf{Dec})$ as follows:

$$\mathsf{Enc}(s) = E(A(s)); \qquad \mathsf{Dec}(c) = \begin{cases} \bot & \text{if } D(c) = \bot, \\ V(D(c)) & \text{otherwise.} \end{cases}$$

Then $(\mathsf{Enc},\mathsf{Dec})$ is $\varepsilon$-secure non-malleable with respect to $\mathcal{F}_{\mathrm{BIT}}$, where $\varepsilon \le \max(\rho, 2^{-\Omega(t)})$.

IV. MAIN RESULTS

In this paper, we show that Dziembowski's non-malleable code with respect to $\mathcal{F}_{\mathrm{BIT}}$ is also non-malleable with respect to a class of affine tampering functions, which is a generalization of $\mathcal{F}_{\mathrm{BIT}}$. Informally speaking, the class of affine tampering functions includes all the bitwise independent tampering functions and also includes functions $f$ such that $\tilde c_2 = f(c_1, c_2) = c_1 \oplus c_2 \oplus 1$, where bits at some positions are replaced by a sum of several bits and a constant. Here we define a new kind of tampering function: $f_i$ is said to be $\ell$-affine if

$$f_i(b_1,\dots,b_n) = \Big(\bigoplus_{j \in B} b_j\Big) \oplus b$$

for some bit $b \in \{0,1\}$ and some set $B \subseteq \{1,\dots,n\}$ such that $|B| \le \ell$. We define a class of affine tampering functions as follows:

$$\mathcal{F}_{\ell\text{-AFFINE}} = \Big\{ f = (f_1,\dots,f_n) : f_i \in \{\text{bit-flipping}, \text{identity}, \text{0-constant}, \text{1-constant}, \ell\text{-affine}\} \ \wedge\ \text{all } \ell\text{-affine functions are } \ell\text{-wise independent} \Big\},$$

where functions $g_1,\dots,g_k$ are said to be $\ell$-wise independent if their functional values on uniformly random inputs are $\ell$-wise independent.

Remark: For each $\ell$-affine function $f_i(b_1,\dots,b_n) = (\bigoplus_{j \in B} b_j) \oplus b$, there is a corresponding vector $\beta_i = (a_1,\dots,a_n)$, where $a_j = 1$ if $j \in B$ and $a_j = 0$ otherwise. Note that $w_H(\beta_i) \le \ell$. To choose $\ell$-wise independent functions, we first choose vectors $\beta_1,\dots,\beta_k$ such that $\mathrm{rank}[\beta_1\ \beta_2\ \cdots\ \beta_k] \ge \min\{k,\ell\}$. From such vectors $\beta_1,\dots,\beta_k$, we can construct $k$ $\ell$-affine functions which are $\ell$-wise independent.

Theorem 6: Suppose that $(E,D)$ is a $(d,t)$-LECSS scheme where $d > 3n/8$ and $(A,V)$ is a $\rho$-secure AMD coding scheme, and define a coding scheme $(\mathsf{Enc},\mathsf{Dec})$ as follows:

$$\mathsf{Enc}(s) = E(A(s)); \qquad \mathsf{Dec}(c) = \begin{cases} \bot & \text{if } D(c) = \bot, \\ V(D(c)) & \text{otherwise.} \end{cases}$$

Then $(\mathsf{Enc},\mathsf{Dec})$ is $\varepsilon$-secure non-malleable with respect to $\mathcal{F}_{t\text{-AFFINE}}$, where $\varepsilon \le \max(\rho, 2^{-\Omega(t)})$.

In the proof in [11] that $(\mathsf{Enc},\mathsf{Dec})$ stated in Theorem 5 is non-malleable with respect to $\mathcal{F}_{\mathrm{BIT}}$, $\{1,\dots,n\}$ is partitioned into two subsets $B_1$ and $B_2$, where $B_1 = \{i : f_i \text{ is either 0-constant or 1-constant}\}$ and $B_2 = \{i : f_i \text{ is either bit-flipping or identity}\}$. They considered several cases with respect to $|B_1|$ and $|B_2|$ and analyzed the security for each case. We partition $\{1,\dots,n\}$ into three subsets (say, $B_1$, $B_2$ and $B_3$) and consider several cases with respect to $|B_1|$, $|B_2|$ and $|B_3|$.

Proof: We show that $(\mathsf{Enc},\mathsf{Dec})$ is non-malleable with respect to $\mathcal{F}_{t\text{-AFFINE}}$ and that its security $\varepsilon$ satisfies

$$\varepsilon \le \max\left( \rho,\ \frac{1}{2^t} + \left(\frac{t}{n(d/n - 3/8)^2}\right)^{t/2} \right)$$

for any even $t > 6$. Let $f = (f_1,\dots,f_n)$ be a tampering function in $\mathcal{F}_{t\text{-AFFINE}}$; we define a universal distribution $D_f$ showing that $(\mathsf{Enc},\mathsf{Dec})$ is non-malleable with respect to $\mathcal{F}_{t\text{-AFFINE}}$.

For any message $s \in \{0,1\}^k$, we consider several probability distributions and use the following notation: $C^s := \mathsf{Enc}(s)$, $\tilde C^s := f(C^s)$, $\Delta^s := \tilde C^s - C^s$, $\tilde S^s := \mathsf{Dec}(\tilde C^s)$. $C^s_i$, $\tilde C^s_i$ and $\Delta^s_i$ for each $i \in \{1,\dots,n\}$ denote the $i$-th bit of $C^s$, $\tilde C^s$ and $\Delta^s$, respectively. We partition $i \in \{1,\dots,n\}$ into three subsets $B_1$, $B_2$ and $B_3$ as follows: $B_1 = \{i : f_i \text{ is 0-constant or 1-constant}\}$, $B_2 = \{i : f_i \text{ is bit-flipping or identity}\}$ and $B_3 = \{i : f_i \text{ is } t\text{-affine}\}$. We let $p = |B_1|$, $q = |B_2|$ and $r = |B_3|$, which satisfy $p + q + r = n$. We define a probability distribution $\mathsf{Patch}(D_f, s)$ as follows: first, sample $\tilde s \leftarrow D_f$; if $\tilde s = \mathsf{same}^*$ then output $s$ instead of $\mathsf{same}^*$; otherwise, output $\tilde s$ as it is. We will construct $D_f$ such that, for any $s$, $\mathrm{SD}(\tilde S^s, \mathsf{Patch}(D_f, s)) \le \varepsilon$. Before discussing each case, we need a useful property.

Fact: If $i \in B_3$ then $\tilde C^s_i$ is the uniform distribution over $\{0,1\}$, and the joint distribution $\{\tilde C^s_i\}_{i \in B_3}$ is $t$-wise independent because of the $t$-secrecy of the LECSS scheme and the $t$-wise independence of the affine functions in $\mathcal{F}_{t\text{-AFFINE}}$, for any $s$. So is $\{\Delta^s_i = \tilde C^s_i - C^s_i\}_{i \in B_3}$.

Case 1: $p \le t - r$.

We show that $\Delta^s$ for each $s$ is identical to $\Delta^{s'}$ for any other $s'$.
• If $f_i$ is the identity function, then we have $\Delta^s_i = 0$. If $f_i$ is bit-flipping, then we have $\Delta^s_i = 1$.
• If $i \in B_1 \cup B_3$ then $\Delta^s_i$ is the uniform distribution over $\{0,1\}$, since $|B_1 \cup B_3| = |B_1| + |B_3| = p + r \le t$ implies that $\{C^s_i\}_{i \in B_1 \cup B_3}$ is $t$-wise independent. Thus $\{\Delta^s_i = \tilde C^s_i - C^s_i\}_{i \in B_1 \cup B_3}$ is the uniform distribution regardless of $s$.

Therefore, there exists a universal probability distribution $\Delta$ such that $\Delta = \Delta^s$ for any $s$, and we have

$$\begin{aligned}
\tilde S^s &= \mathsf{Dec}(\tilde C^s) = V(D(C^s + \Delta^s)) \\
&= V(D(C^s) + D(\Delta^s)) & (1) \\
&= V(A(s) + D(\Delta^s)) = V(A(s) + D(\Delta)),
\end{aligned}$$

where (1) is by the linearity of the LECSS scheme.
1) If $D(\Delta) \neq 0$ then the security of AMD codes implies that $\Pr[\tilde S^s = \bot] \ge 1 - \rho$.
2) If $D(\Delta) = 0$ then we have $\Pr[\tilde S^s = s] = 1$.

From 1) and 2), we define $D_f$ as follows: first, sample $\delta \leftarrow \Delta$; if $D(\delta) = 0$ then output $\mathsf{same}^*$; otherwise, output $\bot$. Then we have $\mathrm{SD}(\tilde S^s, \mathsf{Patch}(D_f, s)) \le \rho$ for any $s$. This completes the proof in Case 1.

Case 2: $p \ge n - t$.

In this case, we show that $\tilde C^s$ for each $s$ is identical to $\tilde C^{s'}$ for any other $s'$.
• If $f_i$ is 0-constant, then $\tilde C^s_i = 0$. If $f_i$ is 1-constant, then $\tilde C^s_i = 1$.
• For any $i \in B_2 \cup B_3$, $\tilde C^s_i$ is the uniform distribution over $\{0,1\}$, since $p \ge n - t$ implies that $|B_2 \cup B_3| = |B_2| + |B_3| = q + r \le t$. Thus $\{C^s_i\}_{i \in B_2 \cup B_3}$ is the uniform distribution and $\{\tilde C^s_i = f_i(C^s_i)\}_{i \in B_2 \cup B_3}$ are independent uniform distributions for any $s$.

Furthermore, there exists a universal distribution $\tilde C$ such that $\tilde C = \tilde C^s$ for any $s$, and we have $\tilde S^s = \mathsf{Dec}(\tilde C^s) = \mathsf{Dec}(\tilde C)$. We define the distribution $D_f$ which samples $\tilde C$ as above and computes $\mathsf{Dec}(\tilde C)$. This implies that $\mathrm{SD}(\tilde S^s, \mathsf{Patch}(D_f, s)) = \mathrm{SD}(\tilde S^s, D_f) = 0$ for any $s$. This completes the proof in Case 2.

Case 3: $t - r < p \le (n - r)/2$.

In this case, we show that the probability distribution that always outputs $\bot$ is a universal distribution $D_f$. Since, for any $s$,

$$\Pr[\tilde S^s \neq \bot] = \Pr[\mathsf{Dec}(\tilde C^s) \neq \bot] = \Pr[D(\Delta^s) \neq \bot],$$

it suffices to show that $\Pr[D(\Delta^s) \neq \bot]$ is small. $\{\Delta^s_i\}_{i \in B_2}$ is fixed to a constant by $f$ (if $f_i$ is the identity function then $\Delta^s_i$ is fixed to 0, and if $f_i$ is bit-flipping then $\Delta^s_i$ is fixed to 1). Let $\delta^* \in \{0,1\}^n$ be any value which is consistent with the fixed bits of $\Delta$, so that $\{\Delta^s_i = \delta^*_i\}_{i \in B_2}$, and for which $D(\delta^*) \neq \bot$. If no such value exists then we are done, since $D(\Delta^s) = \bot$ with probability 1. So let us assume that some such value exists. Since $t < p + r \le (n + r)/2$, $\{\Delta^s_i\}_{i \in B_1 \cup B_3}$ are $t$-wise independent uniform distributions and we have $\Pr[\Delta^s = \delta^*] \le 1/2^t$. On the other hand, we show that $d_H(\Delta^s, \delta^*)$ is not so large. The expected value of the Hamming distance between $\Delta^s$ and $\delta^*$ satisfies the following.

$$\begin{aligned}
E[d_H(\Delta^s, \delta^*)] &= E\Big[\sum_{i=1}^{n} d_H(\Delta^s_i, \delta^*_i)\Big] \\
&= E\Big[\sum_{i \in B_1 \cup B_3} d_H(\Delta^s_i, \delta^*_i)\Big] & (2) \\
&= \sum_{i \in B_1 \cup B_3} E[d_H(\Delta^s_i, \delta^*_i)] & (3) \\
&= \frac{p + r}{2}. & (4)
\end{aligned}$$

In the above, (2) holds since $\Delta^s_i = \delta^*_i$ for $i \in B_2$ and thus $\{d_H(\Delta^s_i, \delta^*_i)\}_{i \in B_2} = 0$. (3) is by the linearity of expectation. (4) holds since the $\Delta^s_i$ are independent uniform bits for $i \in B_1 \cup B_3$. We now consider the probability that $d_H(\Delta^s, \delta^*) = \sum_{i \in B_1 \cup B_3} d_H(\Delta^s_i, \delta^*_i)$ is larger than $d$. Since $\{d_H(\Delta^s_i, \delta^*_i)\}_{i \in B_1 \cup B_3}$ are $t$-wise independent, we can apply a Chernoff-Hoeffding tail bound as in [2], [13]. Thus, we have

$$\begin{aligned}
\Pr[d_H(\Delta^s, \delta^*) \ge d]
&\le \Pr\left[\ \Big|\sum_{i \in B_1 \cup B_3} d_H(\Delta^s_i, \delta^*_i) - \frac{p+r}{2}\Big| \ge d - \frac{p+r}{2}\ \right] \\
&\le \left(\frac{nt}{\left(d - \frac{p+r}{2}\right)^2}\right)^{t/2} & (5) \\
&\le \left(\frac{nt}{\left(d - \frac{n+r}{4}\right)^2}\right)^{t/2} \\
&\le \left(\frac{t}{n\left(\frac{d}{n} - \frac{3}{8}\right)^2}\right)^{t/2}. & (6)
\end{aligned}$$

In the above, (5) follows from Lemma 2.2 in [2] by Bellare and Rompel. For (6), we use $r < n/2$, since $r \le t$. Hence, we have

$$\Pr[D(\Delta^s) \neq \bot] \le \Pr[\Delta^s = \delta^* \vee d_H(\Delta^s, \delta^*) \ge d] \le \frac{1}{2^t} + \left(\frac{t}{n\left(\frac{d}{n} - \frac{3}{8}\right)^2}\right)^{t/2},$$

and this completes the proof in Case 3.

Case 4: $(n - r)/2 < p \le n - t$.

In this case, we show that the probability distribution that always outputs $\bot$ suffices as a universal distribution $D_f$. To this end, we show that $\Pr[\tilde S^s \neq \bot] = \Pr[D(\tilde C^s) \neq \bot]$ is small for any $s$. Since $(n - r)/2 < p \le n - t$, we have $t < q + r < (n + r)/2$, and thus $\{\tilde C^s_i\}_{i \in B_1}$ are fixed by $f$. Let $\tilde c^* \in \{0,1\}^n$ be any value which is consistent with the fixed portion of $\tilde C^s$, so that $\{\tilde C^s_i = \tilde c^*_i\}_{i \in B_1}$. If no such value exists then we are done. Otherwise, we can use the same argument as in Case 3 and obtain

$$\Pr[d_H(\tilde C^s, \tilde c^*) \ge d] \le \Pr[\tilde C^s = \tilde c^* \vee d_H(\tilde C^s, \tilde c^*) \ge d] \le \frac{1}{2^t} + \left(\frac{t}{n\left(\frac{d}{n} - \frac{3}{8}\right)^2}\right)^{t/2}.$$

This completes the proof in Case 4.

For all cases of $p$, $q$, $r$, we have completed the proof. Thus, Theorem 6 holds.

Remark: In Theorem 6, we use a $(d,t)$-LECSS code where $d > 3n/8$. This requires that an LECSS code for non-malleability with respect to $\mathcal{F}_{t\text{-AFFINE}}$ must be better than one for $\mathcal{F}_{\mathrm{BIT}}$. Chen et al. [6] have shown the existence of such LECSS codes.

V. CONCLUDING REMARKS

We have extended bitwise independent tampering to affine tampering and shown that the non-malleable codes in [11] with respect to bitwise independent tampering are also non-malleable with respect to affine tampering. Our tampering model for affine tampering may be a bit artificial because of technical reasons. As mentioned, the property of being "affine" is useful to construct $\ell$-wise independent functions. But this does not rule out the possibility of constructing $\ell$-wise independent functions from non-affine tampering functions. Thus, in the future, we may find a wider class of tampering functions for which there exists a non-malleable coding scheme.

REFERENCES

[1] D. Aggarwal, S. Agrawal, D. Gupta, H. K. Maji, O. Pandey, and M. Prabhakaran: Optimal computational split-state non-malleable codes, in Proc. the 13th Theory of Cryptography Conference, Part II, LNCS 9563, pp. 393–417, Springer (2016).
[2] M. Bellare and J. Rompel: Randomness-efficient oblivious sampling, in Proc. the 35th Annual IEEE Symposium on Foundations of Computer Science, pp. 276–287, IEEE Computer Society (1994).
[3] N. Chandran, V. Goyal, P. Mukherjee, O. Pandey, and J. Upadhyay: Block-wise non-malleable codes, in Proc. the 43rd International Colloquium on Automata, Languages, and Programming, Article 31 (14 pages), LIPIcs 55, Schloss Dagstuhl – Leibniz-Zentrum fuer Informatik (2016).
[4] N. Chandran, B. Kanukurthi, and S. Raghuraman: Information-theoretic local non-malleable codes and their applications, in Proc. the 13th Theory of Cryptography Conference, Part II, LNCS 9563, pp. 367–392, Springer (2016).
[5] E. Chattopadhyay and D. Zuckerman: Non-malleable codes against constant split-state tampering, in Proc. the 55th Annual IEEE Symposium on Foundations of Computer Science, pp. 306–315, IEEE Computer Society (2014).
[6] H. Chen, R. Cramer, S. Goldwasser, R. de Haan, and V. Vaikuntanathan: Secure computation from random error correcting codes, in Proc. EUROCRYPT 2007, LNCS 4515, pp. 291–310, Springer (2007).
[7] M. Cheraghchi and V. Guruswami: Non-malleable coding against bit-wise and split-state tampering, J. Cryptology 30(1):191–241 (2017).
[8] R. Cramer, Y. Dodis, S. Fehr, C. Padró, and D. Wichs: Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors, in Proc. EUROCRYPT 2008, LNCS 4965, pp. 471–488, Springer (2008).
[9] D. Dolev, C. Dwork, and M. Naor: Nonmalleable cryptography, SIAM J. Comput. 30(2):391–437 (2000).
[10] S. Dziembowski, T. Kazana, and M. Obremski: Non-malleable codes from two-source extractors, in Proc. CRYPTO 2013, Part II, LNCS 8043, pp. 239–257, Springer (2013).
[11] S. Dziembowski, K. Pietrzak, and D. Wichs: Non-malleable codes, in Proc. the 1st Symposium on Innovations in Computer Science, pp. 434–452, Tsinghua University Press (2010).
[12] S. Faust, P. Mukherjee, D. Venturi, and D. Wichs: Efficient non-malleable codes and key-derivation for poly-size tampering circuits, in Proc. EUROCRYPT 2014, LNCS 8441, pp. 111–128, Springer (2014).
[13] J. P. Schmidt, A. Siegel, and A. Srinivasan: Chernoff-Hoeffding bounds for applications with limited independence, SIAM J. Discrete Math. 8(2):223–250 (1995).
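As an added, runnable illustration of the affine tampering model of Section IV and of the ℓ-wise independence condition in its Remark (example code written for this page, not from the paper): a tampering function is given as a list of per-bit specs with 0-based positions, gf2_rank computes the rank of the β vectors the Remark chooses, and is_lwise_independent checks the page's definition by exhaustive enumeration rather than relying on the rank condition.

```python
from collections import Counter
from itertools import combinations, product

# Per-bit specs of f = (f_1..f_n), 0-based positions: ("identity",), ("flip",),
# ("const", 0|1), ("affine", B, b) with f_i(c) = (XOR of c[j] for j in B) ^ b.

def eval_affine(spec, c):
    """l-affine bit (XOR_{j in B} c_j) XOR b for an ("affine", B, b) spec."""
    _, B, b = spec
    return b ^ sum(c[j] for j in B) % 2

def apply_tamper(f, c):
    """Tampered codeword f(c); each f_i reads the original c, as in F_{l-AFFINE}."""
    out = []
    for i, spec in enumerate(f):
        kind = spec[0]
        if kind == "identity":
            out.append(c[i])
        elif kind == "flip":
            out.append(c[i] ^ 1)
        elif kind == "const":
            out.append(spec[1])
        elif kind == "affine":
            out.append(eval_affine(spec, c))
        else:
            raise ValueError("unknown tampering kind %r" % kind)
    return tuple(out)

def beta_vector(spec, n):
    """The vector beta_i = (a_1..a_n) of the Remark: a_j = 1 iff j in B."""
    return tuple(1 if j in spec[1] else 0 for j in range(n))

def gf2_rank(vectors):
    """Rank over GF(2) of 0/1 row vectors, by elimination on bitmasks."""
    rows = [int("".join(map(str, v)), 2) for v in vectors]
    rank = 0
    while rows and max(rows):
        pivot = max(rows)  # remaining row with the highest leading bit
        rows.remove(pivot)
        high = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> high) & 1 else r for r in rows]
        rank += 1
    return rank

def is_lwise_independent(affine_specs, n, l):
    """Brute-force check of the definition: on a uniform n-bit input, every
    subset of at most l functions must have a uniform joint output (small n only)."""
    inputs = list(product((0, 1), repeat=n))
    for k in range(1, min(l, len(affine_specs)) + 1):
        for subset in combinations(affine_specs, k):
            counts = Counter(tuple(eval_affine(s, c) for s in subset)
                             for c in inputs)
            if len(counts) != 2 ** k or len(set(counts.values())) != 1:
                return False
    return True

# Constructed sample (n = 4): the page's bit c~_2 = c_1 ^ c_2 ^ 1 at position 1.
F_SAMPLE = [("identity",), ("affine", (0, 1), 1), ("flip",), ("const", 0)]
# Affine bits c_1, c_2, c_1 ^ c_2 ^ 1: rank 2, pairwise but not 3-wise independent.
THREE_AFFINE = [("affine", (0,), 0), ("affine", (1,), 0), ("affine", (0, 1), 1)]
```

THREE_AFFINE passes the check for ℓ = 2 and fails it for ℓ = 3, matching the Remark's rank condition for k = 3.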