Non-malleable codes from additive combinatorics

Divesh Aggarwal, Y. Dodis, Shachar Lovett
Proceedings of the forty-sixth annual ACM symposium on Theory of computing. Published 2014-05-31. DOI: 10.1145/2591796.2591804 (https://doi.org/10.1145/2591796.2591804). Citations: 144.

Abstract

Non-malleable codes provide a useful and meaningful security guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message or a completely unrelated value. Although such codes do not exist if the family of "tampering functions" F is completely unrestricted, they are known to exist for many broad tampering families F. One such natural family is the family of tampering functions in the so-called split-state model. Here the message m is encoded into two shares L and R, and the attacker is allowed to tamper arbitrarily with L and R individually. Split-state tampering arises in many realistic applications, such as the design of non-malleable secret sharing schemes, motivating the question of designing efficient non-malleable codes in this model. Prior to this work, non-malleable codes in the split-state model received considerable attention in the literature, but were constructed either (1) in the random oracle model [16], or (2) from advanced cryptographic assumptions (such as non-interactive zero-knowledge proofs and leakage-resilient encryption) [26], or (3) could only encode 1-bit messages [14]. As our main result, we build the first efficient, multi-bit, information-theoretically-secure non-malleable code in the split-state model.

The heart of our construction uses the following new property of the inner-product function $\langle L, R \rangle$ over the vector space $\mathbb{F}_p^n$ (for a prime p and large enough dimension n): if L and R are uniformly random over $\mathbb{F}_p^n$, and $f, g : \mathbb{F}_p^n \to \mathbb{F}_p^n$ are two arbitrary functions applied to L and to R respectively, then the joint distribution $(\langle L, R \rangle, \langle f(L), g(R) \rangle)$ is "close" to a convex combination of the "affine distributions" $\{(U, aU + b) : a, b \in \mathbb{F}_p\}$, where U is uniformly random in $\mathbb{F}_p$. In turn, the proof of this surprising property of the inner-product function critically relies on results from additive combinatorics, including the so-called Quasi-polynomial Freiman-Ruzsa Theorem, which was recently established by Sanders [29] as a step towards resolving the Polynomial Freiman-Ruzsa conjecture [21].