Abstract

In a seminal paper, Dolev et al. [15] introduced the notion of non-malleable encryption (NM-CPA). This notion is very intriguing since it suffices for many applications of chosen-ciphertext secure encryption (IND-CCA), and, yet, can be generically built from semantically secure (IND-CPA) encryption, as was shown in the seminal works by Pass et al. [29] and by Choi et al. [9], the latter of which provided a black-box construction. In this paper we investigate three questions related to NM-CPA security:

1. Can the rate of the construction by Choi et al. of NM-CPA from IND-CPA be improved?
2. Is it possible to achieve multi-bit NM-CPA security more efficiently from a single-bit NM-CPA scheme than from IND-CPA?
3. Is there a notion stronger than NM-CPA that has natural applications and can be achieved from IND-CPA security?

We answer all three questions in the positive. First, we improve the rate in the scheme of Choi et al. by a factor $$\mathcal{O}(\lambda)$$, where $$\lambda$$ is the security parameter. Still, encrypting a message of size $$\mathcal{O}(\lambda)$$ would require ciphertext and keys of size $$\mathcal{O}(\lambda^2)$$ times that of the IND-CPA scheme, even in our improved scheme. Therefore, we show a more efficient domain extension technique for building a $$\lambda$$-bit NM-CPA scheme from a single-bit NM-CPA scheme with keys and ciphertext of size $$\mathcal{O}(\lambda)$$ times that of the NM-CPA one-bit scheme. To achieve our goal, we define and construct a novel type of continuous non-malleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural encode-then-encrypt-bit-by-bit approach to work. Finally, we introduce a new security notion for public-key encryption that we dub non-malleability under (chosen-ciphertext) self-destruct attacks (NM-SDA). After showing that NM-SDA is a strict strengthening of NM-CPA and allows for more applications, we nevertheless show that both of our results--faster construction from IND-CPA and domain extension from one-bit scheme--also hold for our stronger NM-SDA security. In particular, the notions of IND-CPA, NM-CPA, and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA security.
