Optimal Computational Split-state Non-malleable Codes
Lecture Notes in Computer Science
Non-malleable codes are a generalization of classical error-correcting codes where the act of "corrupting" a codeword is replaced by a "tampering" adversary. Non-malleable codes guarantee that the message contained in the tampered codeword is either the original message m, or a completely unrelated one. In the common split-state model, the codeword consists of multiple blocks (or states) and each block is tampered with independently. The central goal in the split-state model is to construct high-rate non-malleable codes against all functions with only two states (which are necessary). Following a long and impressive line of work, constant-rate, two-state, non-malleable codes against all functions were recently achieved by Aggarwal et al. (STOC 2015). Though constant, the rate of all known constructions in the split-state model is very far from optimal (even with more than two states).

In this work, we consider the question of improving the rate of split-state non-malleable codes. In the "information-theoretic" setting, it is not possible to go beyond rate 1/2. We therefore focus on the standard computational setting. In this setting, each tampering function is required to be efficiently computable, and the message in the tampered codeword is required to be either the original message m or a "computationally" independent one. In this setting, assuming only the existence of one-way functions, we present a compiler which converts any poor-rate, two-state, (sufficiently strong) non-malleable code into a rate-1, two-state, computational non-malleable code. These parameters are asymptotically optimal. Furthermore, for the qualitative optimality of our result, we generalize the result of Cheraghchi and Guruswami (ITCS 2014) to show that the existence of one-way functions is necessary to achieve rate > 1/2 for such codes.

Our compiler requires a stronger form of non-malleability, called augmented non-malleability. This notion requires a stronger simulation guarantee for non-malleable codes and simplifies their modular usage in cryptographic settings where composition occurs. Unfortunately, this form of non-malleability is neither straightforward nor generally guaranteed by known results. Nevertheless, we prove this stronger form of non-malleability for the two-state construction of Aggarwal, Dodis, and Lovett (STOC 14). This result is of independent interest.

The most common model for tolerating arbitrary tampering functions is the split-state model.
In this model, the codeword is "split" into two or more states $c = (c_1, \ldots, c_k)$; a tampering function $f$ is viewed as a list of $k$ functions $(f_1, \ldots, f_k)$ fixed before $c$ is sampled, where each function $f_i$ tampers with the corresponding component $c_i$ of the codeword independently, i.e., the tampered codeword is $c' = (f_1(c_1), \ldots, f_k(c_k))$. Ideally, we would like to achieve codewords with the minimum number of states $k = 2$ while tolerating all possible tampering functions and achieving high rate.⁸ In a breakthrough result, Aggarwal, Dodis, and Lovett presented an explicit non-malleable code for $k = 2$ states for messages of arbitrary length (significantly improving upon earlier work, which only encodes a single bit). However, their work only achieves rate $\Omega(n^{-6/7})$ (or rate 0, asymptotically), where $n$ is the block length of the codeword. Chattopadhyay and Zuckerman present an encoding which has constant rate by increasing the number of states to $k = 10$. Very recently, Aggarwal et al. show that constant rate for such codes can in fact be achieved with only $k = 2$ states.⁹ Though constant, the rate of the codes in [9,2] is very far from optimal. A natural question is whether we can achieve the best parameters, i.e.:

Can we construct explicit, 2-state, non-malleable codes of rate 1 tolerating all tampering functions in P/poly?

⁸ We note that in this model, one can even tolerate tampering functions beyond P/poly. This is the so-called "information-theoretic" setting.
⁹ The setting where k = 2 is commonly referred to simply as the split-state setting; when k > 2 it is explicitly mentioned and often called the multiple split-state setting.
¹⁰ This is precisely defined by requiring a simulator whose output, in the case where the tampered message is not m, is computationally indistinguishable from the message in the (real) tampered codeword.
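The split-state tampering experiment described above, made concrete as an added example (this is illustration code, not a construction from the paper or from any of the cited works). The toy two-state "code" is XOR secret sharing, c_1 = r, c_2 = m XOR r, chosen here only because it is the simplest 2-state encoding in which neither state alone reveals m. The experiment encodes m, applies f_1 and f_2 independently, and decodes. A constant tamper on c_2 yields a message unrelated to m (allowed by the definition), whereas flipping one bit of c_2 flips the same bit of the decoded message with probability 1, which is exactly the kind of related outcome a non-malleable code must rule out. The function names and the sample message are assumptions for the illustration.

```python
import os
from typing import Callable, Set, Tuple

# Added illustration, not code from the paper. The encoding below is a toy:
# additive (XOR) secret sharing over bytes. It is a legitimate 2-state
# encoding and each state alone hides m, but it is NOT non-malleable.

State = bytes
Codeword = Tuple[State, State]
TamperFn = Callable[[State], State]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(m: bytes) -> Codeword:
    r = os.urandom(len(m))          # fresh randomness for every encoding
    return (r, xor(m, r))           # c = (c_1, c_2) = (r, m XOR r)


def decode(c: Codeword) -> bytes:
    c1, c2 = c
    return xor(c1, c2)


def tamper(m: bytes, f: Tuple[TamperFn, TamperFn]) -> bytes:
    """The split-state tampering experiment for k = 2.

    f = (f_1, f_2) is fixed before the codeword is sampled; f_1 is applied
    to c_1 and f_2 to c_2 independently (f_1 never sees c_2 and vice versa).
    The result is the decoding of the tampered codeword c' = (f_1(c_1), f_2(c_2)).
    """
    f1, f2 = f
    c1, c2 = encode(m)
    return decode((f1(c1), f2(c2)))


def identity(s: State) -> State:
    return s


def flip_low_bit_of_last_byte(s: State) -> State:
    # Oblivious to the randomness in the state: it just toggles one bit.
    return s[:-1] + bytes([s[-1] ^ 0x01])


def zero_out(s: State) -> State:
    # Constant tampering function: overwrites the state with zeros.
    return bytes(len(s))


def malleability_rate(m: bytes, trials: int = 100) -> float:
    """Fraction of runs in which the tampered message is m with one bit flipped.

    For a non-malleable code this must be negligible: the decoded message has
    to be m itself or independent of m. For XOR sharing it is 1.0, because
    flipping a bit of c_2 flips the same bit of c_1 XOR c_2 whatever r was.
    """
    f = (identity, flip_low_bit_of_last_byte)
    related = flip_low_bit_of_last_byte(m)
    hits = sum(tamper(m, f) == related for _ in range(trials))
    return hits / trials


def decoded_under_constant_tamper(m: bytes, trials: int = 50) -> Set[bytes]:
    """Distinct outputs when c_2 is overwritten with zeros.

    decode((r, 0)) = r, so the outcome is a uniformly random string that is
    independent of m: the 'unrelated message' branch of the definition.
    Returning the set of observed outputs makes that randomness visible.
    """
    f = (identity, zero_out)
    return {tamper(m, f) for _ in range(trials)}


if __name__ == "__main__":
    msg = b"attack at dawn"                    # constructed sample message
    print("untampered round trip ok:", tamper(msg, (identity, identity)) == msg)
    print("bit-flip tamper yields related message with rate",
          malleability_rate(msg))
    print("constant tamper yields", len(decoded_under_constant_tamper(msg)),
          "distinct (random) messages over 50 trials")
```

The point of the harness is the interface, not the toy code: any candidate split-state scheme can be dropped in for `encode`/`decode`, and the adversary is restricted to supplying per-state functions that are chosen before `encode` draws its randomness. The rate here is 1/2, matching the information-theoretic barrier mentioned in the abstract, yet the scheme still fails non-malleability, which is why high-rate non-malleable constructions are non-trivial.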