Abstract

A non-malleable code is an unkeyed randomized encoding scheme that offers the strong guarantee that decoding a tampered codeword either results in the original message, or in an unrelated message. We consider the simplest possible construction in the computational split-state model, which simply encodes a message m as k||E_k(m) for a uniformly random key k, where E is a block cipher. This construction is comparable to, but greatly simplifies over, the one of Kiayias et al. (ACM CCS 2016), who eschewed this simple scheme in fear of related-key attacks on E. In this work, we prove this construction to be a strong non-malleable code as long as E is (i) a pseudorandom permutation under leakage and (ii) related-key secure with respect to an arbitrary but fixed key relation. Both properties are believed to hold for “good” block ciphers, such as AES-128, making this non-malleable code very efficient with short codewords of length |m|+2τ (where τ is the security parameter, e.g., 128 bits), without significant security penalty.

Highlights

  • Non-malleable codes (NMCs) were introduced by Dziembowski, Pietrzak and Wichs in 2010 [DPW10]

  • We give a characterization of the security of this NMC in terms of basic sufficient security properties of E: we show that RKNMC[E] is secure if (i) E is related-key secure with respect to any single related-key function (Definition 4), appropriately defined to deal with output-predictable functions such as constant mappings, and (ii) E has graceful degradation in standard PRP security if limited information about its key is leaked (Definition 3)

  • Constructions benefiting from a related-key secure block cipher E are already known — one can for instance design a tweakable block cipher Ẽ from an XOR-related-key secure block cipher E as Ẽ(k, t, ·) = E(k ⊕ t, ·) [LRW11, BK03] — but often competitive PRP-based alternatives exist
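The split-state tampering experiment that the abstract and the highlights above describe, as an added example that is not code from the paper or its authors: the encoder draws a random key k and outputs k||E_k(m) with E = AES-128, the decoder inverts E, and a tampering function is a pair (f, g) where f may only read the key half and g only the ciphertext half. The example takes the construction literally with a single AES block as the message and no redundancy, so the decoder never rejects; the page gives the codeword length as |m|+2τ, which implies τ further bits of structure the abstract does not spell out, and the example does not model them. The three tampering functions it tries (XOR-related key, constant key, ciphertext bit flip) and the sample message are constructed for the illustration; the constant mapping is the "output-predictable" case the highlights mention.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
	"math/bits"
)

const tau = 16 // security parameter in bytes: with AES-128 both key and block are 16 bytes
type Codeword struct{ K, C []byte } // split state (k, c): left half k, right half c = E_k(m)

// Encode draws a fresh uniformly random key k and returns k||E_k(m) for a one-block m.
func Encode(m []byte) (Codeword, error) {
	if len(m) != aes.BlockSize {
		return Codeword{}, fmt.Errorf("message must be one %d-byte block", aes.BlockSize)
	}
	k := make([]byte, tau)
	if _, err := rand.Read(k); err != nil {
		return Codeword{}, err
	}
	blk, err := aes.NewCipher(k)
	if err != nil {
		return Codeword{}, err
	}
	c := make([]byte, aes.BlockSize)
	blk.Encrypt(c, m)
	return Codeword{K: k, C: c}, nil
}

// Decode returns E_k^{-1}(c). The scheme as stated on the page carries no redundancy, so
// every well-formed pair decodes to some message; the claim is that it is m or unrelated to m.
func Decode(cw Codeword) ([]byte, bool) {
	if len(cw.K) != tau || len(cw.C) != aes.BlockSize {
		return nil, false
	}
	blk, err := aes.NewCipher(cw.K)
	if err != nil {
		return nil, false
	}
	m := make([]byte, aes.BlockSize)
	blk.Decrypt(m, cw.C)
	return m, true
}

// Tamper is a split-state tampering function: F sees only the key half, G only the ciphertext half.
type Tamper struct{ F, G func([]byte) []byte }

// TamperExperiment encodes m, applies t to the two halves independently and decodes. same is true
// if the codeword was left untouched; otherwise it returns the decoded message and its Hamming
// distance (in bits) from m, which is around 64 whenever the result is unrelated to m.
func TamperExperiment(m []byte, t Tamper) (same bool, decoded []byte, dist int, err error) {
	cw, err := Encode(m)
	if err != nil {
		return false, nil, 0, err
	}
	tampered := Codeword{K: t.F(cw.K), C: t.G(cw.C)}
	if bytes.Equal(tampered.K, cw.K) && bytes.Equal(tampered.C, cw.C) {
		return true, m, 0, nil
	}
	d, ok := Decode(tampered)
	if !ok {
		return false, nil, 0, fmt.Errorf("tampered codeword is malformed")
	}
	for i := range m {
		dist += bits.OnesCount8(m[i] ^ d[i])
	}
	return false, d, dist, nil
}

// XorConst builds f(x) = x XOR delta (delta zero-padded to len(x)); applied to the key half
// this is exactly the XOR related-key function k -> k XOR delta.
func XorConst(delta []byte) func([]byte) []byte {
	return func(x []byte) []byte {
		out := append([]byte(nil), x...)
		for i := range delta {
			out[i] ^= delta[i]
		}
		return out
	}
}

// Identity leaves a half unchanged.
func Identity(x []byte) []byte { return x }

func main() {
	m := []byte("attack at dawn!!") // constructed 16-byte sample message
	for _, t := range []Tamper{
		{Identity, Identity},                                          // untouched: decodes to m
		{XorConst([]byte{0x80}), Identity},                            // XOR-related key
		{func([]byte) []byte { return make([]byte, tau) }, Identity}, // constant (output-predictable) key
		{Identity, XorConst([]byte{0x01})},                            // flip one ciphertext bit
	} {
		same, d, dist, err := TamperExperiment(m, t)
		if err != nil {
			panic(err)
		}
		fmt.Printf("same=%-5v dist=%3d bits decoded=%x\n", same, dist, d)
	}
}
```

Running it prints one line per tampering function: the untouched codeword reports same=true, and each of the other three decodes to a block that differs from m in roughly half of its 128 bits, which is what "unrelated" looks like for a PRP output. The type of Tamper is the whole point of the split-state model: because F never receives c and G never receives k, a tamperer cannot re-encrypt under a key of its choice, and the remaining attack surface on the key half is precisely the related-key security of E.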


Summary

Introduction

Non-malleable codes (NMCs) were introduced by Dziembowski, Pietrzak and Wichs in 2010 [DPW10]. They allow the encoding and decoding of messages in such a way that decoding a tampered (modified) codeword results in a message that is either the one that was originally encoded, or one uncorrelated with it. NMCs offer a very different perspective from classical error-correcting codes: when correction is not possible, decoding is required to fail catastrophically, outputting an unrelated message and not, e.g., one that is close to the original in terms of some metric.

Received: 2017-09-01, Revised: 2017-11-23, Accepted: 2018-01-23, Published: 2018-03-01
