TY - JOUR
T1 - Non-malleable codes from additive combinatorics
AU - Aggarwal, Divesh
AU - Dodis, Yevgeniy
AU - Lovett, Shachar
N1 - Funding Information:
∗Received by the editors September 3, 2014; accepted for publication (in revised form) January 2, 2018; published electronically April 17, 2018. A preliminary version of this paper appeared in Proceedings of STOC, 2014. http://www.siam.org/journals/sicomp/47-2/98525.html Funding: The first author was supported by the Singapore Ministry of Education and the National Research Foundation and through the Tier 3 grant “Random Numbers from Quantum Processes,” MOE2012-T3-1-009. The second author was partially supported by gifts from VMware Labs and Google and by NSF grants 1319051, 1314568, 1065288, 1017471, and 0845003. The third author was supported by NSF Career Award 1350481.
Funding Information:
The first author was supported by the Singapore Ministry of Education and the National Research Foundation and through the Tier 3 grant “Random Numbers from Quantum Processes,” MOE2012-T3-1-009. The second author was partially supported by gifts from VMware Labs and Google and by NSF grants 1319051, 1314568, 1065288, 1017471, and 0845003. The third author was supported by NSF Career Award 1350481. We thank Oded Regev, Tom Sanders, and Terence Tao for useful discussions, especially related to section 5.3 of the paper. We would also like to thank Stefan Dziembowski, Tomasz Kazana, and Maciej Obremski for sharing their recent work on non-malleable codes for 1-bit messages [DKO13].
Publisher Copyright:
© 2018 Society for Industrial and Applied Mathematics.
PY - 2018
Y1 - 2018
N2 - Non-malleable codes provide a useful and meaningful security guarantee in situations where traditional error-correction (and even error-detection) is impossible, for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message or a completely unrelated value. Although such codes do not exist if the family of “tampering functions” F is completely unrestricted, they are known to exist for many broad tampering families F. One such natural family is the family of tampering functions in the so-called split-state model. Here the message m is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with L and R individually. The split-state tampering arises in many realistic applications, such as the design of non-malleable secret sharing schemes, motivating the question of designing efficient non-malleable codes in this model. Prior to this work, non-malleable codes in the split-state model received considerable attention in the literature but either (1) were constructed in the random oracle model, or (2) relied on advanced cryptographic assumptions (such as noninteractive zero-knowledge proofs and leakage-resilient encryption), or (3) could only encode 1-bit messages. As our main result, we build the first efficient, multi-bit, information-theoretically-secure non-malleable code in the split-state model. The heart of our construction uses the following new property of the inner-product function L, R over the vector space Fpn (for a prime p and large enough dimension n): if L and R are uniformly random over Fpn, and f, g : Fpn → Fpn are two arbitrary functions on L and R, then the joint distribution (L, R, f(L), g(R)) is “close” to the convex combination of “affine distributions” ((U, aU + b) | a, b ∈ Fp), where U is uniformly random in Fp. In turn, the proof of this surprising property of the inner product function critically relies on some results from additive combinatorics, including the so-called quasi-polynomial Freiman–Ruzsa theorem, which was recently established by Sanders [Anal. PDE, 5 (2012), pp. 627–655] as a step toward resolving the polynomial Freiman–Ruzsa conjecture [B. Green, in Surveys in Combinatorics, London Mathematical Society, London, 2005, pp. 1–29].
AB - Non-malleable codes provide a useful and meaningful security guarantee in situations where traditional error-correction (and even error-detection) is impossible, for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message or a completely unrelated value. Although such codes do not exist if the family of “tampering functions” F is completely unrestricted, they are known to exist for many broad tampering families F. One such natural family is the family of tampering functions in the so-called split-state model. Here the message m is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with L and R individually. The split-state tampering arises in many realistic applications, such as the design of non-malleable secret sharing schemes, motivating the question of designing efficient non-malleable codes in this model. Prior to this work, non-malleable codes in the split-state model received considerable attention in the literature but either (1) were constructed in the random oracle model, or (2) relied on advanced cryptographic assumptions (such as noninteractive zero-knowledge proofs and leakage-resilient encryption), or (3) could only encode 1-bit messages. As our main result, we build the first efficient, multi-bit, information-theoretically-secure non-malleable code in the split-state model. The heart of our construction uses the following new property of the inner-product function L, R over the vector space Fpn (for a prime p and large enough dimension n): if L and R are uniformly random over Fpn, and f, g : Fpn → Fpn are two arbitrary functions on L and R, then the joint distribution (L, R, f(L), g(R)) is “close” to the convex combination of “affine distributions” ((U, aU + b) | a, b ∈ Fp), where U is uniformly random in Fp. In turn, the proof of this surprising property of the inner product function critically relies on some results from additive combinatorics, including the so-called quasi-polynomial Freiman–Ruzsa theorem, which was recently established by Sanders [Anal. PDE, 5 (2012), pp. 627–655] as a step toward resolving the polynomial Freiman–Ruzsa conjecture [B. Green, in Surveys in Combinatorics, London Mathematical Society, London, 2005, pp. 1–29].
KW - Additive combinatorics
KW - Coding theory
KW - Cryptography
KW - Non-malleable codes
UR - http://www.scopus.com/inward/record.url?scp=85046704772&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85046704772&partnerID=8YFLogxK
U2 - 10.1137/140985251
DO - 10.1137/140985251
M3 - Article
AN - SCOPUS:85046704772
SN - 0097-5397
VL - 47
SP - 524
EP - 546
JO - SIAM Journal on Computing
JF - SIAM Journal on Computing
IS - 2
ER -