Self-Destruct Non-Malleability
Authors
Abstract
We introduce a new security notion for public-key encryption (PKE) that we dub non-malleability under (chosen-ciphertext) self-destruct attacks (NM-SDA), which appears to be the strongest natural PKE security notion below full-blown chosen-ciphertext (IND-CCA) security. In this notion, the adversary is allowed to ask many adaptive “parallel” decryption queries (i.e., a query consists of many ciphertexts) up to the point when the first invalid ciphertext is submitted. As such, NM-SDA security generalizes non-malleability against chosen plaintext attacks (NM-CPA, where only one parallel decryption query is allowed) and recently introduced indistinguishability against (chosen-ciphertext) self-destruct attacks (IND-SDA, where each adaptive query consists of a single ciphertext). After showing that NM-SDA is a strict strengthening of NM-CPA and IND-SDA and allows for more applications, we establish the following two results:
• Domain Extension. For any K > 1, there is a black-box construction of a K-bit NM-SDA PKE scheme from a single-bit NM-SDA PKE scheme. Moreover, this can be done using only O(K + λ) calls to the underlying single-bit NM-SDA scheme, where λ is the security parameter. To achieve our goal, we define and construct a novel type of continuous non-malleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural “expand-then-encrypt-bit-by-bit” approach to work.
• Black-Box Construction from IND-CPA. Prior work showed that NM-CPA secure PKE can be constructed from any IND-CPA secure PKE in a black-box way. Here we show that the same construction actually achieves our strictly stronger notion of NM-SDA security. (This requires a non-trivial extension of the original security proof to handle multiple parallel decryption queries.) Hence, the notions of IND-CPA, NM-CPA, IND-SDA and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA security.
We also show how to improve the rate of the resulting NM-SDA scheme from quadratic to linear.
Similar resources
From Single-Bit to Multi-bit Public-Key Encryption via Non-malleable Codes
One approach towards basing public-key encryption (PKE) schemes on weak and credible assumptions is to build “stronger” or more general schemes generically from “weaker” or more restricted ones. One particular line of work in this context was initiated by Myers and shelat (FOCS ’09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt ’12), who provide constructions of multi-bit CCA-secur...
Tamper Detection and Continuous Non-malleable Codes
We consider a public and keyless code (Enc, Dec) which is used to encode a message m and derive a codeword c = Enc(m). The codeword can be adversarially tampered via a function f ∈ F from some “tampering function family” F, resulting in a tampered value c′ = f(c). We study the different types of security guarantees that can be achieved in this scenario for different families F of tampering atta...
A new security proof for FMNV continuous non-malleable encoding scheme
A non-malleable code is a variant of an encoding scheme which is resilient to tampering attacks. The main idea behind non-malleable coding is that the adversary should not be able to obtain any valuable information about the message. Non-malleable codes are used in tamper-resilient cryptography and protecting memories against tampering attacks. Many different types of non-malleability have alre...
Information Theoretic Continuously Non-Malleable Codes in the Constant Split-State Model
We present an information-theoretically secure continuously non-malleable code in the constant split-state model, where there is a self-destruct mechanism which ensures that the adversary loses access to tampering after the first failed decoding. Prior to our result only codes with computational security were known for this model, and it has been an open problem to construct such a code with in...
Alternatives to Non-Malleability: Definitions, Constructions and Applications
We explore whether non-malleability is necessary for the applications typically used to motivate it, and propose two alternatives. The first we call weak non-malleability (wnm) and show that it suffices to achieve secure contract bidding (the application for which non-malleability was initially introduced), despite being strictly weaker than non-malleability. The second we call ta...