Non-malleable Reductions and Applications Divesh Aggarwal * Yevgeniy Dodis * Tomasz Kazana ** Maciej Obremski ** Non-Malleable Codes from Two-Source Extractors 1 * New York University ** University of Warsaw
Plan Introduction to Non-Malleable Codes Split-state Model and Recent Results Non-malleable Reductions Non-Malleable Codes from Two-Source Extractors 2
Definition of Non-Malleable Codes Non-Malleable Codes from Two-Source Extractors 3 Scheme is non-malleable with respect to family H if h can be represented as a probabilistic combination constant functions identity function
We have to limit class H Non-Malleable Codes from Two-Source Extractors 4 can not be represented as combination of constant functions and identity
Existential Result Non-Malleable Codes (ICS 2010) S.Dziembowski, K.Pietrzak and D.Wichs Existence of codes for small enough manipulation families via probabilistic argument Non-Malleable Codes from Two-Source Extractors 5 Where n is a size of codeword
Formal Definition for 1-bit Message Non-Malleable Codes from Two-Source Extractors 6 Scheme (Enc, Dec) is ε-non-malleable with respect to family H If for every h in H: Where B is uniformly distributed over {0,1} and This definition is equivalent to the general definition in 1-bit message case
Plan Introduction to Non-Malleable Codes Split-state Model and Recent Results Non-malleable Reductions Non-Malleable Codes from Two-Source Extractors 7 DONE
2-Split State Model Enc(m)= L, R Manipulation functions (f,g) are any arbitrary functions, f,g are applied separately to L and R : Non-Malleable Codes from Two-Source Extractors 8 L R L’ R’ f g Dec(L’,R’)=m’ Enc(m)
t-Split State Model Non-Malleable Codes from Two-Source Extractors 9
Recent Results Non-malleable Codes from Two-source Extractors (Crypto’13) S.Dziembowski (UW), T.Kazana (UW), M.Obremski (UW) Non-malleable coding against bit-wise and split-state tampering (TCC’14) M.Cheraghchi (MIT), V.Guruswami (CMU) Non-malleable Codes from Additive Combinatorics (STOC’14) D.Aggarwal (NYU), Y.Dodis (NYU), S.Lovett (UCSD) Non-malleable Codes in the Constant Split-state Model (FOCS’14) E.Chattopadhyay (U.Texas), D. Zuckerman (U.Texas) Non-Malleable Codes from Two-Source Extractors 10
Recent Results Non-Malleable Codes from Two-Source Extractors 11 [ADL’14] [u.m.] [CZ’14] Number of statesCodeword length n- length of message
The more parts the easier it gets.. Non-Malleable Codes from Two-Source Extractors 12
Plan Introduction to Non-Malleable Codes Split-state Model and Recent Results Non-malleable Reductions Non-Malleable Codes from Two-Source Extractors 13 DONE
Non-malleable Reductions Non-Malleable Codes from Two-Source Extractors 14
Non-malleable Reductions Non-Malleable Codes from Two-Source Extractors 15
Non-malleable Code as Reduction Non-Malleable Codes from Two-Source Extractors 16
Composition Non-Malleable Codes from Two-Source Extractors 17
Remark Non-Malleable Codes from Two-Source Extractors 18
Codeword length Non-Malleable Codes from Two-Source Extractors 19
Composition v.2 Non-Malleable Codes from Two-Source Extractors 20
Recent Results Non-Malleable Codes from Two-Source Extractors 21 [ADL’14] [u.m.] [CZ’14] Number of states Codeword length n- length of message
Captain Obvious strikes again Non-Malleable Codes from Two-Source Extractors 22 That does not give us much..
Our result Non-malleable Reductions and Applications D.Aggarwal, Y.Dodis, T.Kazana, M.Obremski Non-Malleable Codes from Two-Source Extractors 23 Which combined with [CZ’14] Gives first constant rate (linear length codeword) Non-malleable Code construction in 2-split-state model
Thank You! Non-Malleable Codes from Two-Source Extractors 24
Related Work Non-Malleable Codes (ICS 2010) S.Dziembowski, K.Pietrzak and D.Wichs Existence of codes for small enough manipulation families via probabilistic argument Explicit construction of non-malleable codes with respect to Independent Bit Tampering Tamper and leakage resilience in the split-state model(Crypto 2012) F. Liu and A. Lysyanskaya Explicit construction, computational-security, assuming common reference string Bonus feature- resilient to leakage. Non-Malleable Codes from Two-Source Extractors 25
Our Contribution We give explicit, Non-Malleable Code for 1-bit messages in Split State Model Additionally our constructions is resilient against the adversary who can leak adaptively some information before choosing manipulation functions. Non-Malleable Codes from Two-Source Extractors 26
Plan Introduction to Non-Malleable Codes Our construction of a Non-Malleable Code Leakage feature Non-Malleable Codes from Two-Source Extractors 27 DONE
Secret Sharing It is easy to see that non-malleable scheme needs to be 2-out-of-2 secret sharing Non-Malleable Codes from Two-Source Extractors 28 If it is not secret sharing (example for 1-bit secret): S=1 S=0
Secret Sharing is not enough- counterexample Non-Malleable Codes from Two-Source Extractors 29 Attack example function h can not be represented as combination of identity and constant functions
Secret Sharing with enhanced security - two-source extractors Non-Malleable Codes from Two-Source Extractors 30 Attack example
Will extractors work on smaller field? Non-Malleable Codes from Two-Source Extractors 31 That is still not enough. Attack example:
Problem with Inner Product Main issue with Inner Product approach is that for large field the adversary can exploit its linear structure For small field the adversary can exploit non-uniform distributions of bits multiplication results Non-Malleable Codes from Two-Source Extractors 32 We want to combine advantages of a large field and a small one
Our Construction Non-Malleable Codes from Two-Source Extractors How to encode a bit? Unfortunately we require additional features from chosen extractor namely flexibility
Remarks Security parameter depends only on the size of field If then parameter plays role in the leakage feature Non-Malleable Codes from Two-Source Extractors 34
Plan Introduction to Non-Malleable Codes Our construction of a Non-Malleable Code Leakage feature Non-Malleable Codes from Two-Source Extractors 35 DONE
Bonus Feature - Leakage Adversary before choosing manipulation functions can adaptively leak Non-Malleable Codes from Two-Source Extractors 36 L R A A L’ R’ f g Total leakage <
Recent Paper Non-malleable Codes from Additive Combinatorics Divesh Aggarwal, Yevgeniy Dodis, Shachar Lovett Non-Malleable Codes from Two-Source Extractors 37
A little bit of history Non-Malleable Codes (ICS 2010) Stefan Dziembowski, Krzysztof Pietrzak and Daniel Wichs Existence of codes via probabilistic argument Explicit construction of non-malleable codes with respect to Independent Bit Tampering Non-Malleable Codes from Two-Source Extractors 38
Definition of Non-Malleable Codes Non-Malleable Codes from Two-Source Extractors 39 M=M’ M’ is independent of M or
Basic remarks Non-Malleable Codes from Two-Source Extractors 40 We have to limit manipulations family take f(x)=Enc(Dec(x)+1) It is not Manipulation Detection Adversary can overwrite secret
Formal Definition Scheme (Enc, Dec) is Non-Malleable with respect to functions family if for every exists distribution such that for every message following experiments are indistinguishable Non-Malleable Codes from Two-Source Extractors 41
Two-Source Extractors Ext is (k,ε)-Two-Source Extractor if for every X,Y such that H ∞ (X)≥k and H ∞ (Y)≥k Non-Malleable Codes from Two-Source Extractors 42 Ext is Strong (k,ε)-Two-Source Extractor if
Flexible Two-Source Extractors Ext is Flexible (2k,ε)-Two-Source Extractor if for every X,Y random variables such that H ∞ (X)+H ∞ (Y) ≥ 2k Non-Malleable Codes from Two-Source Extractors 43 Strong Flexible Extractor fulfills
Why Flexibility? Non-Malleable Codes from Two-Source Extractors 44 High H ∞ Standard notion Extractor Uniform distribution Very High H ∞ Low H ∞ Extractor Uniform distribution Flexibility (Leftover Hash Lemma)
Some Remarks and Examples Obviously if X,Y random variables on, then k≥n Non-Malleable Codes from Two-Source Extractors 45 First is Strong Flexible with log (1/ε) = (k − (n + 4) log |F|)/3 − 1 Second is Flexible with log (1/ε) = (k-n)/2-λ+1 Two examples of Flexible Extractors:
Why one bit only? - Example Chose c 1,c 2,c 3,…,c k elements of field F. To encode i=1,2,…k : To encode k+1 : Non-Malleable Codes from Two-Source Extractors 46 Possible attack:
Intuition If the adversary wants to maintain correlation with message m he has to be “close” to one-to-one function Non-Malleable Codes from Two-Source Extractors 47 Ext( LR )=x fg L’R’ Do not reveal information about x Think of it as a loss of information Output does not necessarly need to be small
The Trick! If the adversary uses almost “one-to-one” functions he can not change 1 to 0 Non-Malleable Codes from Two-Source Extractors huge small This set is
Unfortunately the adversary is a very mean person There is significant technical problem when Adversary choses to mix two strategies “Almost” one-to-one function “Almost” constant function Non-Malleable Codes from Two-Source Extractors 49 Function which on a part of domain keeps all information and on the rest of domain choses to ignore it
Far From Constant Non-Malleable Codes from Two-Source Extractors 50
Drive-Through Proof - Part I Non-Malleable Codes from Two-Source Extractors 51 For this theorem we require flexibility notion
Drive-Through Proof – Part II Non-Malleable Codes from Two-Source Extractors 52 For this theorem we require standard extractor notion