Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits
![Page 1: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/1.jpg)
Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits
PRATYAY MUKHERJEE, Aarhus University (now @NYU)
Joint work with Sebastian Faust (EPFL), Daniele Venturi (La Sapienza, Rome) and Daniel Wichs (NEU)
New York Crypto Day, CUNY
June 27, 2014
Appeared in Eurocrypt 2014
![Page 2: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/2.jpg)
Outline
• Introduction to Non-Malleable Codes.
• Efficient Non-malleable codes against poly-size tampering circuit. (Our result-1)
• Applications of NMC in Crypto.
• A new and related notion: Non-malleable Key-derivation and its application. (Our result-2)
![Page 3: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/3.jpg)
Introduction to Non-malleable Codes
![Page 4: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/4.jpg)
What are Non-Malleable Codes (NMC)? (Only one sentence!)
A modified codeword contains either the original or an unrelated message.
E.g., one cannot flip one bit of the encoded message by modifying the codeword.
![Page 5: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/5.jpg)
The “Tampering Experiment”
Consider the following experiment for some encoding scheme (ENC, DEC):
s → ENC → C → Tamper (f ∈ F) → C* = f(C) → DEC → s*
Goal: Design an encoding scheme (ENC, DEC) with a meaningful “guarantee” on s* for an “interesting” class F.
Note: ENC can be randomized. There is no secret key.
![Page 6: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/6.jpg)
The “Tampering Experiment”
s → ENC → C → Tamper (f ∈ F) → C* = f(C) → DEC → s*
Error-Correcting Codes: Guarantee s* = s. F is very limited!
(E.g., for Hamming codes with distance d, f must be such that Ham-Dist(C, C*) < d/2.)
![Page 7: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/7.jpg)
The “Tampering Experiment”
s → ENC → C → Tamper (f ∈ F) → C* = f(C) → DEC → s*
Error-Correcting Codes: Guarantee s* = s. F is very limited!
Error-Detecting Codes: Guarantee s* = s or
F excludes simple functions! E.g., consider f to be a constant function that always maps to a “valid” codeword.
![Page 8: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/8.jpg)
The “Tampering Experiment”
s → ENC → C → Tamper (f ∈ F) → C* = f(C) → DEC → s*
Error-Correcting Codes: Guarantee s* = s. F is very limited!
Error-Detecting Codes: Guarantee s* = s or
F excludes simple functions!
Non-malleable Codes [DPW ’10]: Guarantee s* = s or “something unrelated”.
Hope: Achievable for “rich” F.
![Page 9: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/9.jpg)
Let’s be formal…..
![Page 10: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/10.jpg)
s → ENC → C → Tamper (f ∈ F) → C* = f(C) → DEC → s*
Tamper_f(s): If C* = C return same, Else return s*
Definition [DPW 10]:
A code (ENC, DEC) is non-malleable w.r.t. F if ∀ f and ∀ s0, s1 we have:
Tamper_f(s0) Tamper_f(s1)
![Page 11: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/11.jpg)
Limitation…
Main Question: How to restrict F?
Limitation: For any (ENC, DEC), there exists f_bad:
• s = DEC(C)
• s* = s 1
• C* = ENC(s*)
No hope to achieve non-malleability for such f_bad!
Corollary-1: It is impossible to construct an encoding scheme which is non-malleable w.r.t. all functions F_all.
Corollary-2: It is impossible to construct an efficient encoding scheme which is non-malleable w.r.t. all efficient functions F_eff.
Other Questions: Rate (= |C|/|s|), Efficiency, Assumption(s)
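The tampering experiment and the f_bad limitation above, as an added example that is not part of the talk. It runs Tamper_f against a toy keyless code (message followed by its SHA-256 digest, constructed here); because the operator in "s* = s 1" did not survive on the page, XOR with 1 on the first byte is an assumed choice. The toy ENC is deterministic, so each Tamper_f(s) is a single value rather than a distribution.

```python
import hashlib

def enc(s: bytes) -> bytes:
    """Toy code (constructed): message followed by its SHA-256 digest. No secret key."""
    return s + hashlib.sha256(s).digest()

def dec(c: bytes):
    """Return the message, or None when the checksum does not verify."""
    s, tag = c[:-32], c[-32:]
    return s if hashlib.sha256(s).digest() == tag else None

def tamper(f, s: bytes):
    """Tamper_f(s): encode s, apply f, return 'same' if C* = C, else DEC(C*)."""
    c = enc(s)
    c_star = f(c)
    return "same" if c_star == c else dec(c_star)

def f_identity(c):
    return c

def f_bitflip(c):
    """Blind tampering: flip one codeword bit without recomputing the checksum."""
    return bytes([c[0] ^ 1]) + c[1:]

def f_const(c):
    """Constant function that always maps to one valid codeword."""
    return enc(b"unrelated")

def f_bad(c):
    """Decode, change the message in a way that depends on it, re-encode."""
    s = dec(c)
    return enc(bytes([s[0] ^ 1]) + s[1:])   # XOR with 1 is an assumed choice

def outcomes(f, s0=b"pay 10", s1=b"pay 99"):
    """Tamper_f on two messages; unequal results mean the output depends on s."""
    return tamper(f, s0), tamper(f, s1)
```

Only f_bad produces outputs that differ between s0 and s1, which is exactly what the definition forbids; f_const defeats error detection but its output is unrelated to s.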
![Page 12: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/12.jpg)
…..and Possibilities
Main Question: How to restrict F?
Way-1: Granular Tampering
• Codeword consists of components which are independently tamperable.
• Decoding requires multiple components.
• Example: Split-state tampering model where there are only two independently tamperable components. [DPW10, LL12, DKO13, ADL13, CG14a, FMNV14, ADK14]
![Page 13: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/13.jpg)
…..and Possibilities
Main Question: How to restrict F?
Way-2: Low complexity tampering (This talk)
• The whole codeword is tamperable.
• The tampering functions are “less complicated” than encoding/decoding. [CG14b, FMVW 14]
![Page 14: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/14.jpg)
Efficient NMC for poly-size tampering circuits
![Page 15: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/15.jpg)
Our Result
Recall Corollary-2: It is impossible to construct efficient encoding scheme which is non-malleable w.r.t. all efficient functions F_eff.
Main Result (“The next best thing”): For any fixed polynomial P, there exists an efficient non-malleable code for all circuits of size P.
Even more: For any fixed polynomial P, there exists an efficient non-malleable code for any family of functions |F| 2^P.
Caveat: Our results hold in CRS model.
![Page 16: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/16.jpg)
NMC in CRS model
Fix some polynomial P.
We construct a family of efficient codes parameterized by CRS: (ENC_CRS, DEC_CRS).
We show that, w.h.p. over the random choice of CRS, (ENC_CRS, DEC_CRS) is an NMC w.r.t. all tampering circuits of size P.
Although P is chosen a priori, the tampering circuit can be chosen from the family of all circuits of size P adaptively.
![Page 17: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/17.jpg)
The Construction Overview
Input: s → Inner Encoding → C1 → Outer Encoding → C
Ingredient: a t-wise independent hash function h (described by CRS)
C = C1 || h(C1)
C is Valid: C is of the form R || h(R)
Intuitions (outer encoding)
We choose CRS such that |Circuit computing h| > P. No circuit of size P can compute h on “too many” points. (Proof: Probabilistic Method)
For every tampering function f there is a “small set” S_f such that if a tampered codeword is valid, then it is in S_f w.h.p.
![Page 18: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/18.jpg)
The Construction Overview
Input: s → Inner Encoding → C1 → Outer Encoding → C
Intuitions (outer encoding)
For every tampering function f there is a “small set” S_f such that if a tampered codeword is valid, then it is in S_f w.h.p.
We call this property Bounded Malleability, which ensures that the tampered codeword does not contain “too much information” about the input codeword.
![Page 19: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/19.jpg)
The Construction Overview
Input: s → Inner Encoding → C1 → Outer Encoding → C
Intuitions (Inner encoding)
Recall: w.h.p. the leakage range is “small”: {same, , S_f}
Output of Tamper_f(s) can be thought of as some sort of leakage on C1.
Example: f can guess some bit(s) of C1 and, if the guess is correct, leave C the same; otherwise it overwrites C with some invalid code.
A leakage-resilient code
![Page 20: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/20.jpg)
Leakage-Resilient Code
Def [DDV 10]: A code (LRENC, LRDEC) is leakage-resilient w.r.t. G if ∀ g ∈ G and ∀ s: g(LRENC(s)) g(U)
Construction [DDV 10]: Let h’ be a t-wise hash function. Then to encode s choose a random r and output c = r || h’(r)
Our Inner Encoding
We use the same construction but improved analysis to achieve optimal rate 1.
Analysis by [DDV 10] uses bound for extractor and therefore, r s (rate 1/2) even if the leakage is small.
We show: The construction is an LRC as long as: r > even if r << s
![Page 21: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/21.jpg)
Putting it together
Input: s → Inner Encoding → C1 → Outer Encoding → C
Inner Encoding: Leakage Resilient Code
Outer Encoding: Bounded Malleable Code
Together: Non-Malleable Code
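The two-layer construction from the overview slides, as an added example that is not the authors' code. Assumptions: random polynomials over prime fields serve as the t-wise independent families, the fields 2^61-1 and 2^127-1 and the names f_small and f_computes_h are chosen here, and the inner code masks s additively with h'(r) (the page shows only r || h'(r)). Messages are integers below 2^61-1, and t is a toy parameter rather than one set relative to P.

```python
import secrets

P1 = 2**61 - 1     # prime field for s, r and the masked value z
P2 = 2**127 - 1    # prime field for the outer tag; P2 > P1**2

def poly_hash(coeffs, x, p):
    """t-wise independent hash: random polynomial with t coefficients (Horner)."""
    acc = 0
    for a in coeffs:
        acc = (acc * x + a) % p
    return acc

def gen_crs(t):
    """CRS = coefficients describing h' (inner) and h (outer)."""
    return ([secrets.randbelow(P1) for _ in range(t)],
            [secrets.randbelow(P2) for _ in range(t)])

def enc(crs, s):
    h_in, h_out = crs
    r = secrets.randbelow(P1)
    z = (s + poly_hash(h_in, r, P1)) % P1            # inner: C1 = r || (h'(r) + s), assumed mask
    return (r, z, poly_hash(h_out, r * P1 + z, P2))  # outer: C = C1 || h(C1)

def dec(crs, c):
    h_in, h_out = crs
    r, z, tag = c
    if not (0 <= r < P1 and 0 <= z < P1):
        return None
    if poly_hash(h_out, r * P1 + z, P2) != tag:      # valid only if C = R || h(R)
        return None
    return (z - poly_hash(h_in, r, P1)) % P1

def f_small(c):
    """Tampering that cannot evaluate h: change C1 and keep the old tag."""
    r, z, tag = c
    return (r, (z + 1) % P1, tag)

def f_computes_h(crs):
    """Tampering big enough to evaluate h' and h (outside the size-P class): f_bad."""
    return lambda c: enc(crs, (dec(crs, c) + 1) % P1)

def tamper(crs, f, s):
    c = enc(crs, s)
    c_star = f(c)
    return "same" if c_star == c else dec(crs, c_star)
```

The contrast between the two tampering functions is the point of choosing the CRS so that no circuit of size P computes h: once f can evaluate h, it is f_bad again.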
![Page 22: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/22.jpg)
Few additional remarks
• Our Construction is Information Theoretic.
• It achieves optimal rate 1.
• Efficient as runs in poly(log(1/)) ; is the error term.
An independent and concurrent work [CG’14]: Constructed NMC for same F but the encoding/decoding runs in poly(1 ): “Inefficient” when is “negligible”!
![Page 23: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/23.jpg)
……but I thought this is a CRYPTO talk !
![Page 24: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/24.jpg)
Applications in Crypto
Main Application: Tamper-resilient Cryptography [DPW 10, LL 12, FMNV 14, FMNV 14a]
![Page 25: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/25.jpg)
Theoretical models of tampering
Tamper with memory and computation (IPSW ’06)
• Most General Model: Complicated
• Limited existing results!
Tamper only with memory (GLMMR ’04) (Main Focus)
• A Natural First Step: Simpler to handle
• Might be reasonable in practice!
![Page 26: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/26.jpg)
Tamper-resilient compiler using NMC [DPW 10]
Compile: F with key K → F’ with key K’ (using NMC)
1. Initialization: K' := C = ENC(K)
Execution of F’[C](x):
2. K = DEC(K’)
3. If K Output F[K](x) & Go to: 1 Else STOP.
Guarantee (∀ Adv ∃ Sim, ≈):
If (ENC, DEC) is non-malleable for F then the compiled F’(k’) is tamper-resilient against any memory-tampering f ∈ F.
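The control flow of the compiled device above, as an added example that is not from the talk. Assumptions: the condition in step 3, lost in extraction, is taken to be "decoding succeeded"; erasing memory on STOP and the names CompiledDevice and mac are choices made here; the enc/dec pair is a keyless checksum stand-in, and a real deployment would plug in a code that is non-malleable for the tampering class.

```python
import hashlib
import hmac

def enc(k: bytes) -> bytes:
    """Stand-in code (constructed): key followed by its SHA-256 digest."""
    return k + hashlib.sha256(k).digest()

def dec(c: bytes):
    """Return the key, or None when the stored codeword is invalid."""
    k, tag = c[:-32], c[-32:]
    return k if hmac.compare_digest(hashlib.sha256(k).digest(), tag) else None

class CompiledDevice:
    """F'[K'] from the slide: memory holds K' = ENC(K), never K itself."""

    def __init__(self, key: bytes, func):
        self.func = func
        self.memory = enc(key)        # step 1: K' := ENC(K)
        self.stopped = False

    def run(self, x: bytes):
        if self.stopped:              # STOP is permanent
            return None
        k = dec(self.memory)          # step 2: K = DEC(K')
        if k is None:                 # step 3, else-branch: STOP
            self.memory = b""         # assumed: erase state on self-destruct
            self.stopped = True
            return None
        out = self.func(k, x)         # output F[K](x)
        self.memory = enc(k)          # "Go to 1": re-encode before the next run
        return out

def mac(k: bytes, x: bytes) -> str:
    """Example keyed functionality F[K](x): HMAC-SHA256."""
    return hmac.new(k, x, hashlib.sha256).hexdigest()
```

Restoring the original memory contents after a detected tampering does not revive the device, so one invalid codeword ends all further use of the key.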
![Page 27: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/27.jpg)
Other Recent Applications
• FMNV 14a: Tamper-resilient RAM; considers tampering also with computation.
• AGMPP 14: Bit-commitment to String-commitment using NMC secure against bit-permutation.
• CMTV 14: One-bit CCA encryption => Multi-bit CCA encryption using NMC secure against continuous bit-wise tampering.
• More applications? Open!
![Page 28: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/28.jpg)
Non-malleable Key-derivation (NMKD)
![Page 29: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/29.jpg)
Intuition
Source: X → NMKD → Output: Y
Tampered Source: f(X) → NMKD → Output: Y’
NMKD guarantees that if f(X) X then (Y, Y’) (U, Y’)
A dual of Non-Malleable Extractor
![Page 30: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/30.jpg)
NMKD: Definition
Definition: A function is NMKD w.r.t. F if ∀ f following holds: Real_f ≈ Ideal_f
Real_f: Sample x ← U. If f(x) = x return ((x), same), Else return ((x), (f(x)))
Ideal_f: Sample x ← U; y ← U’. If f(x) = x return (y, same), Else return (y, (f(x)))
![Page 31: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/31.jpg)
Results
• Similar to our NMC result: We construct a family of efficient NMKD against Poly-size circuits. (CRS model)
• Our construction is optimal ½)
Theorem (informal): For any of size 2^P, a randomly chosen 2t-wise independent hash function is an NMKD w.h.p. as long as t > P
![Page 32: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/32.jpg)
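Application of NMKD: Tamper-Resilient Stream Cipher
Model
[Diagram. Normal Chain: states s0, s1, s2 linked by SC(.), with outputs x0, x1. Tampered Chain: tampering functions f0, f1, states s'0, s'1 linked by SC(.), with outputs x’0, x’1. Final output: x2/u.]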
![Page 33: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/33.jpg)
Application of NMKD: Tamper-Resilient Stream Cipher
Construction: TRSC = PRG NMKD
[Diagram. Normal Chain: states s0, s1, s2 linked by prg((.)), with outputs x0, x1. Tampered Chain: tampering functions f0, f1, states s'0, s'1 linked by prg((.)), with outputs x’0, x’1. Final output: x2/u.]
![Page 34: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/34.jpg)
Conclusion
• The first construction of non-granular and efficient Non-malleable code.
  – Our construction is information theoretic and achieves optimal rate.
• A new primitive Non-Malleable Key-derivation.
  – Application to construct Tamper-resilient Stream Cipher.
• Open:
  – New Application of NMKD.
  – Extend our result in plain model. (partial results by AGMPP 14)
  – More applications of NMC
![Page 35: Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits](https://reader035.vdocuments.net/reader035/viewer/2022070407/568143a5550346895db0284e/html5/thumbnails/35.jpg)
Thank You !