Non-Malleable Functions and Their Applications

We formally study “non-malleable functions” (NMFs), a general cryptographic primitive which simplifies and relaxes “non-malleable one-way/hash functions” (NMOWHFs) introduced by Boldyreva et al. (Asiacrypt 2009) and refined by Baecher et al. (CT-RSA 2010). NMFs focus on basic functions, rather than one-way/hash functions considered in the literature of NMOWHFs. We mainly follow Baecher et al. to formalize a game-based definition for NMFs. Roughly, a function f is non-malleable if given an image y∗ ← f(x∗) for a randomly chosen x∗, it is hard to output a mauled image y with a transformation φ from some prefixed transformation class s.t. y = f(φ(x∗)). A distinctive strengthening of our non-malleable notion is that φ such that φ(x∗) = x∗ is allowed. We also consider adaptive non-malleability, which stipulates that non-malleability holds even when an inversion oracle is available. We investigate the relations between non-malleability and one-wayness in depth. In non-adaptive setting, we show that for any achievable transformation class, non-malleability implies one-wayness for poly-to-one functions but not vise versa. In adaptive setting, we show that for most algebra-induced transformation class, adaptive non-malleability (ANM) is equivalent to adaptive one-wayness (AOW) for injective functions. These results establish theoretical connections between non-malleability and one-wayness for functions, which extend to trapdoor functions as well, and thus resolve the open problems left by Kiltz et al. (Eurocrypt 2010). We also study the relations between standard OW/NM and hinted OW/NM, where the latter notions are typically more useful in practice. Towards efficient realizations of NMFs, we give a deterministic construction from adaptive trapdoor functions and a randomized construction from all-but-one lossy functions and one-time signature. This partially solves an open problem posed by Boldyreva et al. (Asiacrypt 2009). Finally, we explore applications of NMFs in security against related-key attacks (RKA). We first show that the implication AOW ⇒ ANM provides key conceptual insight into addressing non-trivial copy attacks in RKA security. We then show that NMFs give rise to a generic construction of continuous non-malleable key derivation functions, which have proven to be very useful in achieving RKA security for numerous cryptographic primitives. Particularly, our construction simplifies and clarifies the construction by Qin et al. (PKC 2015). ∗State Key Laboratory of Information Security (SKLOIS), Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China. & Department of Information Engineering, The Chinese University of Hong Kong, Shatin, N.T., Hong Kong. Email: [email protected] †School of Computer Science and Technology, Southwest University of Science and Technology, Mianyang, China. Email: [email protected] ‡State Key Laboratory of Cryptology, Beijing, China. Email: [email protected] §State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; & State Key Laboratory of Cryptology, Beijing, China. Email: [email protected] ¶Department of Information Engineering, The Chinese University of Hong Kong, Shatin, N.T., Hong Kong. Email: [email protected]