From Single-Bit to Multi-Bit Public-Key Encryption via Non-Malleable Codes


An extended abstract of this paper is published in the proceedings of the twelfth IACR Theory of Cryptography Conference (TCC). This is the full version.

From Single-Bit to Multi-Bit Public-Key Encryption via Non-Malleable Codes

Sandro Coretti (ETH Zurich), Ueli Maurer (ETH Zurich), Daniele Venturi (Sapienza University of Rome), Björn Tackmann (UC San Diego)

August 3, 2015

Abstract

One approach towards basing public-key encryption (PKE) schemes on weak and credible assumptions is to build stronger or more general schemes generically from weaker or more restricted ones. One particular line of work in this context was initiated by Myers and shelat (FOCS '09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt '12), who provide constructions of multi-bit CCA-secure PKE from single-bit CCA-secure PKE. It is well-known that encrypting each bit of a plaintext string independently is not CCA-secure: the resulting scheme is malleable. We therefore investigate whether this malleability can be dealt with using the conceptually simple approach of applying a suitable non-malleable code (Dziembowski et al., ICS '10) to the plaintext and subsequently encrypting the resulting codeword bit-by-bit. We find that an attacker's ability to ask multiple decryption queries requires that the underlying code be continuously non-malleable (Faust et al., TCC '14). Since, as we show, this flavor of non-malleability can only be achieved if the code is allowed to self-destruct, the resulting scheme inherits this property and therefore only achieves a weaker variant of CCA security. We formalize this new notion of so-called self-destruct CCA security (SD-CCA) as CCA security with the restriction that the decryption oracle stops working once the attacker submits an invalid ciphertext. We first show that the above approach based on non-malleable codes yields a solution to the problem of domain extension for SD-CCA-secure PKE, provided that the underlying code is continuously non-malleable against a reduced form of bit-wise tampering. Then, we prove that the code of Dziembowski et al. is actually already continuously non-malleable against (even full) bit-wise tampering; this constitutes the first information-theoretically secure continuously non-malleable code, a technical contribution that we believe is of independent interest. Compared to the previous approaches to PKE domain extension, our scheme is more efficient and intuitive, at the cost of not achieving full CCA security. Our result is also one of the first applications of non-malleable codes in a context other than memory tampering.

Work done while author was at ETH Zurich.

Contents

1 Introduction
  1.1 Overview
  1.2 Techniques and Contributions
  1.3 More Details on Related Work
2 Preliminaries
  2.1 Systems: Resources and Converters, Distinguishers, and Reductions
  2.2 Discrete Systems
  2.3 The Notion of Construction
  2.4 Public-Key Encryption Schemes
  2.5 Continuously Non-Malleable Codes
3 From Single-Bit to Multi-Bit Channels
  3.1 Single-Bit PKE Viewed Constructively
  3.2 Tying the Channels Together
  3.3 Plugging It Together
4 Continuous Non-Malleability against Bit-Wise Tampering
A The Composition Theorem of Constructive Cryptography
B Channel Resources
C Non-Malleable Codes and the One-Time Pad
  C.1 The Malleability of the One-Time Pad
  C.2 Getting Rid of the Malleability
D SD-CCA Security and Deferred Material from Section 3
  D.1 Formal Definition of SD-CCA
  D.2 Single-Bit Channels from Single-Bit PKE
  D.3 Tying the Channels Together
  D.4 From Protocols to PKE Schemes
  D.5 Game-Based Proof
E Achieving Adaptive Continuous Non-Malleability
F On the Necessity of Self-Destruct
  F.1 Proof of Theorem
G Continuous Non-Malleability against Full Bit-Wise Tampering

1 Introduction

1.1 Overview

A public-key encryption (PKE) scheme enables a sender A to send messages to a receiver B confidentially if B can send a single message, the public key, to A authentically. A encrypts a message with the public key and sends the ciphertext to B via a channel that could be authenticated or insecure, and B decrypts the received ciphertext using the private key. Following the seminal work of Diffie and Hellman [21], the first formal definition of public-key encryption was provided by Goldwasser and Micali [31], and to date numerous instantiations of this concept have been proposed, e.g., [49, 24, 16, 28, 32, 35, 50, 48], for different security properties and based on various different computational assumptions.

One natural approach towards developing public-key encryption schemes based on weak and credible assumptions is to build stronger or more general schemes generically from weaker or less general ones. While the holy grail, generically building a chosen-ciphertext secure scheme based on any chosen-plaintext secure one, has so far remained out of reach, and despite negative results [30], various interesting positive results have been shown. For instance, Cramer et al. [15] build bounded-query chosen-ciphertext secure schemes from chosen-plaintext secure ones, Choi et al. [10] non-malleable schemes from chosen-plaintext secure ones, and Lin and Tessaro [37] show how the security of weakly chosen-ciphertext secure schemes can be amplified. A line of work started by Myers, Sergi, and shelat [46] and continued by Dachman-Soled [17] shows how to obtain chosen-ciphertext secure schemes from plaintext-aware ones. Most relevant for our work, however, are the results of Myers and shelat [47] and Hohenberger, Lewko, and Waters [33], which generically build a multi-bit chosen-ciphertext secure scheme from a single-bit chosen-ciphertext secure one.
A naive attempt at solving this problem would be to encrypt each bit m_i of a plaintext m = m_1 ⋯ m_k under an independent public key pk_i of the single-bit scheme. Unfortunately, this simple approach does not yield chosen-ciphertext security. The reason is that the above scheme is malleable: given a ciphertext e = (e_1, ..., e_k), where e_i is an encryption of m_i, an attacker can generate a new ciphertext e' ≠ e that decrypts to a related message, for instance by copying the first ciphertext component e_1 and replacing the other components by fresh encryptions of, say, 0.

The above malleability issue suggests the following natural encode-then-encrypt-bit-by-bit approach: first encode the message using a non-malleable code(1) (a concept introduced by Dziembowski et al. [23]) to protect its integrity, obtaining an n-bit codeword c = c_1 ⋯ c_n; then encrypt each bit c_i of the codeword using public key pk_i as in the naive protocol from above. It turns out that non-malleable codes as introduced by [23] are not sufficient: since they are only secure against a single tampering, the security of the resulting scheme would only hold with respect to a single decryption. Continuously non-malleable codes (Faust et al. [25]) allow us to extend this guarantee to multiple decryptions. However, such codes self-destruct once an attack has been detected, and, therefore, so must any PKE scheme built on top of them. This is a restriction that we prove to be unavoidable for this approach based on non-malleable codes. The resulting scheme achieves a notion weaker than full CCA, which we term self-destruct chosen-ciphertext security (SD-CCA). Roughly, SD-CCA security is CCA security with the twist that the decryption oracle stops working once the adversary submits an invalid ciphertext.

Footnote 1. Roughly, a code is non-malleable w.r.t. a function class F if the message obtained by decoding a codeword modified via a function in F is either the original message or a completely unrelated value.

Our paper consists of two main parts: First, we prove that the above approach allows one to build multi-bit SD-CCA-secure PKE from single-bit SD-CCA-secure PKE, provided that the underlying code is continuously non-malleable against a reduced form of bit-wise tampering. This proof is greatly facilitated by rephrasing the problem using the paradigm of constructive cryptography [39], since it follows almost immediately from the composition theorem. For comparison we also provide a purely game-based proof. Second, we show that a simplified variant of the code by Dziembowski et al. [23] is already continuously non-malleable against the aforementioned reduced bit-wise tampering and that

the full variant of said code achieves continuous non-malleability against full bit-wise tampering. This constitutes the first information-theoretically secure continuously non-malleable code, a contribution that we believe is of independent interest, and forms the technical core of this paper.

1.2 Techniques and Contributions

Constructive cryptography [39]. Security statements for cryptographic schemes can be stated as constructions of a stronger or more useful desired resource from a weaker or more restricted assumed one. Two such construction steps can be composed, i.e., if a protocol π constructs a resource S from an assumed resource R, denoted by R ==π==> S, and, additionally, a protocol ψ assumes resource S and constructs a resource T, then the composition theorem of constructive cryptography (see Appendix A) states that the composed protocol, denoted ψ ∘ π, constructs resource T from R.

The resources considered in this work are different types of communication channels between two parties A and B; a channel is a resource that involves three entities: the sender, the receiver, and a (potential) attacker E. We use and extend the notation by [43], denoting different types of channels by different arrow symbols. A confidential channel hides the messages sent by A from the attacker E but potentially allows her to inject independent messages; an authenticated channel is dual to the confidential channel in that it potentially leaks the message to the attacker but prevents modifications and injections; an insecure channel protects neither the confidentiality nor the authenticity. In all cases, a double arrow head indicates that the channel can be used to transmit multiple messages. A single arrow head, instead, means that the channel is single-use. All channels used within this work are described formally in Appendix B.

Warm-up: dealing with the malleability of the one-time pad.
To illustrate the intuition behind our approach, consider the following simple example: The one-time pad allows one to encrypt an n-bit message m using an n-bit shared key κ by computing the ciphertext e = m ⊕ κ. If e is sent via an insecure channel, an attacker can replace it by a different ciphertext e', in which case the receiver will compute m' = e' ⊕ κ = m ⊕ (e ⊕ e'). This can be seen, as described in [42], as constructing from an insecure channel and a shared secret n-bit key an XOR-malleable channel, which is confidential but allows the attacker to specify a mask δ ∈ {0, 1}^n (= e ⊕ e') to be XORed to the transmitted message.

Non-malleable codes can be used to deal with the XOR-malleability. To transmit a k-bit message m, we encode m with a (k, n)-bit non-malleable code, obtaining an n-bit codeword c, which we transmit via the XOR-malleable channel. Since by XORing a mask δ to a codeword transmitted via the XOR-malleable channel the attacker can influence the value of each bit of the codeword only independently, a code that is non-malleable w.r.t. the function class F_bit, which (in particular) allows one to either keep or flip each bit of a codeword only individually, is sufficient. Indeed, the non-malleability of the code implies that the decoded message will be either the original message or a completely unrelated value, which is the same guarantee as formulated by the single-message confidential channel, and hence, using the code, one achieves the construction of the single-message confidential channel from the XOR-malleable channel. A more detailed treatment and a formalization of this example appears in Appendix C; suitable non-malleable codes are described in [14, 23, 9].

Dealing with the malleability of multiple single-bit encryptions. Intuitively, CCA encryption guarantees that an attacker, by modifying a particular ciphertext, can either leave the message contained therein intact or replace it by an independently created one.
This intuition is formally captured by the confidential channel: at the attacker interface E, it allows either to forward messages sent by A or to inject independent messages. In [12], it is shown how CCA-secure encryption

can be used to construct a confidential channel from A to B from an authenticated channel from B to A and an insecure channel from A to B. As shown in Section 3, this and the composition theorem imply that using n independent single-bit PKE schemes, one can construct n (independent) instances of the single-bit confidential channel, written [1-bit confidential channel]^n. The remaining step is showing how to achieve the construction

[1-bit confidential channel]^n ==> k-bit confidential channel   (1)

for some k > 1. Then, by the composition theorem, plugging these two steps together yields a protocol m-pke that constructs a k-bit confidential channel from an authenticated channel and an insecure channel.

To achieve construction (1), we use non-malleable codes. The fact that the channels are multiple-use leads to two important differences to the one-time-pad example above: First, the attacker can fabricate multiple codewords, which are then decoded. Second, each bit of such a codeword can be created by combining any of the bits sent by A over the corresponding channel. These capabilities can be formally captured by a particular class F_copy of tampering functions. We prove in Section 3 that any code that is continuously non-malleable w.r.t. F_copy can be used to achieve (1). Unfortunately, we show in Appendix F that any code, in order to satisfy the above type of non-malleability, has to self-destruct in the event of a decoding error. For the application in the setting of public-key encryption, this means that the decryption algorithm of the receiver B also has to deny processing any further ciphertext once the code self-destructs.

Self-destruct CCA security. In Section 3 we show how the protocol m-pke can be seen as a PKE scheme that achieves self-destruct CCA security (SD-CCA) and show that the single-bit confidential channel can also be constructed using a single-bit SD-CCA scheme (instead of a CCA-secure one). Thus, overall we obtain a way to transform 1-bit SD-CCA-secure PKE into multi-bit SD-CCA-secure PKE.
For comparison we also provide a direct, entirely game-based proof that combining a single-bit SD-CCA PKE scheme with a non-malleable code as above yields a multi-bit SD-CCA scheme (see Appendix D).

SD-CCA is a (weaker) CCA variant that allows the scheme to self-destruct in case it detects an invalid ciphertext. The standard CCA game can easily be extended to include the self-destruct mode of the decryption: the decryption oracle keeps answering decryption queries as long as no invalid ciphertext (i.e., a ciphertext upon which the decryption algorithm outputs an error symbol) is received; after such an event occurs, no further decryption query is answered. The guarantees of SD-CCA are perhaps best understood if compared to the q-bounded CCA notion by [10]. While q-CCA allows an a priori determined number q of decryption queries, SD-CCA allows an arbitrary number of valid decryption queries and one invalid query. From a practical viewpoint, an attacker can efficiently violate the availability with a scheme of either notion. However, as long as no invalid ciphertexts are received, an SD-CCA scheme can run indefinitely, whereas a q-CCA scheme necessarily has to stop after q decryptions. Subsequent work [13] shows that SD-CCA security can in fact be achieved from CPA security only, by generalizing a technique by Choi et al. [10]. The resulting scheme, however, is considerably less efficient than the one we provide in this paper. In [13], the authors also study the relation between SD-CCA and other standard security notions and discuss possible applications.

Continuous non-malleability w.r.t. F_copy. The class F_copy can be seen as a multi-encoding version of the function class F_set, which consists of functions that tamper with every bit of an encoding individually and may either leave it unchanged or replace it by a fixed value. In Section 4 we build a continuously non-malleable code w.r.t.
F_copy; the code consists of a linear error-correcting secret sharing (LECSS) scheme and can be seen as a simplified version of the code in [23]. The security proof of the code proceeds in two steps: First, we prove that it is continuously non-malleable w.r.t. F_set against tampering with a single encoding; the main challenge in this proof is showing that by repeatedly

tampering with an encoding, an attacker cannot infer (too much) useful information about it. Then, we show that if a code is continuously non-malleable w.r.t. F_copy against tampering with a single encoding, then it is also adaptively continuously non-malleable w.r.t. F_copy, i.e., against tampering with many encodings simultaneously. In addition, in Appendix G, we also show that the full version of the code by [23] is non-malleable against full bit-wise tampering (i.e., when additionally the tamper function is allowed to flip bits of an encoding). These are the main technical contributions of this work.

1.3 More Details on Related Work

The work of Hohenberger et al. [33], building on the work of Myers and shelat [47], describes a multi-bit CCA-secure encryption scheme from a single-bit CCA-secure one, a CPA-secure one, and a 1-query-bounded CCA-secure one. Their scheme is rather sophisticated and has a somewhat circular structure, requiring a complex security proof. The public key is of the form pk = (pk_in, pk_A, pk_B), where the inner public key pk_in is the public key of a DCCA-secure PKE scheme, and the outer public keys pk_A and pk_B are, respectively, the public key of a 1-bounded CCA and a CPA-secure PKE scheme. To encrypt a k-bit message m one first encrypts a tuple (r_A, r_B, m), using the inner public key, obtaining a ciphertext e_in, where r_A and r_B are thought of as being the randomness for the outer encryption scheme. Next, one has to encrypt e_in under the outer public key pk_A (resp. pk_B) using randomness r_A (resp. r_B), thus obtaining a ciphertext e_A (resp. e_B). The output ciphertext is e = (e_A, e_B). To use the above scheme, we have to instantiate the DCCA, 1-bounded CCA and CPA components. As argued in [33], all schemes can be instantiated using a single-bit CCA-secure PKE scheme, yielding a fully black-box construction of a multi-bit CCA-secure PKE from a single-bit CCA-secure PKE.
Let us denote with l_p (resp., l_e) the bit-length of the public key (resp., the ciphertext) for the single-bit CCA-secure PKE scheme. When we refer to the construction of [15] for the 1-bounded CCA component, we get a public key of size roughly (3 + 16s) · l_p and a ciphertext of size roughly (k + 2s) · 4s · l_e², for security parameter s.(2) In contrast, our scheme instantiated with the information-theoretic LECSS scheme of [23] has a ciphertext of length 5k · l_e and a public key of length k · l_p. Note that the length of the public key depends on the length of the message, as we need independent public keys for each encrypted bit (whereas the DCCA scheme can always use the same public key). However, we observe that when k is not too large, e.g., in case the PKE scheme is used as a key encapsulation mechanism, we would have k ≈ s, yielding public keys of comparable size. On the negative side, recall that our construction needs to self-destruct in case an invalid ciphertext is processed, which is not required in [33], and thus our construction only achieves SD-CCA security and not full-blown CCA security.

Footnote 2. For simplicity, we assumed that the random strings r_A, r_B are computed by stretching the seed (of length s) of a pseudo-random generator.

As shown in [12], the constructive security statement for public-key encryption corresponds to replayable CCA security (RCCA), a notion proposed by Canetti et al. [6]. Hence, our scheme actually achieves self-destruct replayable CCA security (SD-RCCA); see Appendix D. We remark, however, that if one is interested in SD-CCA security, this can be achieved generically from SD-RCCA security using the transformation in [6].

Non-malleable codes. Beyond the constructions of [23, 9, 25], non-malleable codes exist against block-wise tampering [11], against bit-wise tampering and permutations [5, 4], against split-state tampering, both information-theoretic [22, 2, 7, 3, 1] and computational [38, 18], and in a setting where the computational complexity of the tampering functions is limited [8, 27, 34]. We stress that the typical application of non-malleable codes is to protect cryptographic schemes against memory tampering (see, e.g., [29, 23, 19, 20]). A further application of non-malleable codes has been shown by Agrawal et al. [4] (in concurrent and independent work). They show that one can obtain a non-malleable multi-bit commitment scheme from a non-malleable single-bit commitment scheme by

encoding the value with a (specific) non-malleable code and then committing to the codeword bits. Despite the similarity of the approaches, the techniques applied in their paper differ heavily from ours. The class of tampering functions the code has to protect against is different, and we additionally need continuous non-malleability to handle multiple decryption queries (this is not required for the commitment case).

2 Preliminaries

2.1 Systems: Resources and Converters, Distinguishers, and Reductions

Resources and converters. We use the concepts and terminology of abstract [41] and constructive cryptography [39]. The resources we consider are different types of communication channels, which are systems with three interfaces labeled by A, B, and E. A converter is a two-interface system which is directed in that it has an inside and an outside interface. Converters model protocol engines that are used by the parties, and using a protocol is modeled by connecting the party's interface of the resource to the inside interface of the converter (which hides those two interfaces) and using the outside interface of the converter instead. We generally use upper-case, bold-face letters (e.g., R, S) or channel symbols to denote resources or single-interface systems and lower-case Greek letters (e.g., α, β) or sans-serif fonts (e.g., enc, dec) for converters. We denote by Φ the set of all resources and by Σ the set of all converters. For I ∈ {A, B, E}, a resource R ∈ Φ, and a converter α ∈ Σ, the expression α^I R denotes the composite system obtained by connecting the inside interface of α to interface I of R; the outside interface of α becomes the I-interface of the composite system. The system α^I R is again a resource (cf. Figure 2). For two resources R and S, [R, S] denotes the parallel composition of R and S. For each I ∈ {A, B, E}, the I-interfaces of R and S are merged and become the sub-interfaces of the I-interface of [R, S].
Two converters α and β can be composed serially by connecting the inside interface of β to the outside interface of α, written β ∘ α, with the effect that (β ∘ α)^I R = β^I α^I R. Moreover, converters can also be taken in parallel, denoted by [α, β], with the effect that [α, β]^I [R, S] = [α^I R, β^I S]. We assume the existence of an identity converter id ∈ Σ with id^I R = R for all resources R ∈ Φ and interfaces I ∈ {A, B, E}, and of a special converter ⊥ ∈ Σ with an inactive outside interface.

Distinguishers. A distinguisher D connects to all interfaces of a resource U and outputs a single bit at the end of its interaction with U. The expression DU defines a binary random variable corresponding to the output of D when interacting with U, and the distinguishing advantage of a distinguisher D on two systems U and V is defined as

$$\Delta^D(U, V) := \bigl|\,\mathrm{P}[DU = 1] - \mathrm{P}[DV = 1]\,\bigr|.$$

The distinguishing advantage measures how much the output distribution of D differs when it is connected to either U or V. Note that the distinguishing advantage is a pseudo-metric.(3)

Footnote 3. That is, for any D, it is symmetric, satisfies the triangle inequality, and Δ^D(R, R) = 0 for all R.

Reductions. When relating two distinguishing problems, it is convenient to use a special type of system C that translates one setting into the other. Formally, C is a converter that has an inside and an outside interface. When it is connected to a system S, which is denoted by CS, the inside interface of C connects to the (merged) interface(s) of S and the outside interface of C is the interface of the composed system. C is called a reduction system (or simply reduction). To reduce distinguishing two systems S, T to distinguishing two systems U, V, one exhibits a reduction C such that CS ≡ U and CT ≡ V. Then, for all distinguishers D, we have

$$\Delta^D(U, V) = \Delta^D(CS, CT) = \Delta^{DC}(S, T).$$

The last equality follows from the fact that C can also be thought of as being part of the distinguisher (which follows from the composition-order independence [41]).

2.2 Discrete Systems

The behavior of systems can be formalized by random systems as in [45, 40]: A random system S is a sequence $(p^{S}_{Y^i|X^i})_{i \ge 1}$ of conditional probability distributions, where $p^{S}_{Y^i|X^i}(y^i, x^i)$ is the probability of observing the outputs $y^i = (y_1, \ldots, y_i)$ given the inputs $x^i = (x_1, \ldots, x_i)$. If for two systems R and S, $p^{R}_{Y^i|X^i} = p^{S}_{Y^i|X^i}$ for all i and for all parameters where both are defined, they are called equivalent, denoted by R ≡ S. In that case, Δ^D(R, S) = 0 for all distinguishers D.

A system S can be extended by a so-called monotone binary output (or MBO) B, which is an additional one-bit output B_1, B_2, ... with the property that B_i = 1 implies B_{i+1} = 1 for all i.(4) The enhanced system is denoted by Ŝ, and its behavior is described by the sequence $(p^{\hat S}_{Y^i, B^i | X^i})_{i \ge 1}$. If for two systems R̂ and Ŝ with MBOs, $p^{\hat R}_{Y^i, B^i = 0 | X^i} = p^{\hat S}_{Y^i, B^i = 0 | X^i}$ for all i, they are called game equivalent, which is denoted by $\hat R \equiv^{g} \hat S$. In such a case, $\Delta^D(R, S) \le \Gamma^D(\hat R) = \Gamma^D(\hat S)$,(5) where $\Gamma^D(\hat R)$ denotes the probability that D provokes the MBO. For more details and a proof of this fact, consult [40].

Footnote 4. In other words, once the MBO is 1, it cannot return to 0.

Footnote 5. Intuitively, this means that in order to distinguish the two systems, D has to provoke the MBO.

2.3 The Notion of Construction

We formalize the security of protocols via the notion of construction, introduced in [39]:

Definition 1. Let Φ and Σ be as above, and let ε_1 and ε_2 be two functions mapping each distinguisher D to a real number in [0, 1]. A protocol π = (π_1, π_2) ∈ Σ² constructs resource S ∈ Φ from resource R ∈ Φ with distance (ε_1, ε_2) and with respect to the simulator σ ∈ Σ, denoted(6) R ==π,σ,(ε_1,ε_2)==> S, if for all distinguishers D,

$$\Delta^D(\pi_1^A \pi_2^B \bot^E R,\; \bot^E S) \le \varepsilon_1(D) \quad \text{(availability)},$$
$$\Delta^D(\pi_1^A \pi_2^B R,\; \sigma^E S) \le \varepsilon_2(D) \quad \text{(security)}.$$

The availability condition captures that a protocol must correctly implement the functionality of the constructed resource in the absence of the attacker. The security condition models the requirement that everything the attacker can achieve in the setting with the assumed resource and the protocol, she can also accomplish in the setting with the constructed resource (using the simulator to translate the behavior). The notion of construction composes; details can be found in Appendix A.

Footnote 6. In less formal contexts, we sometimes drop the superscripts on ==>.

2.4 Public-Key Encryption Schemes

A public-key encryption (PKE) scheme with message space M ⊆ {0, 1}^* and ciphertext space E is defined as three algorithms Π = (K, E, D), where the key-generation algorithm K outputs a key pair (pk, sk), the (probabilistic) encryption algorithm E takes a message m ∈ M and a public key pk and outputs a ciphertext e ← E_pk(m), and the decryption algorithm D takes a ciphertext e ∈ E and a secret key sk and outputs a plaintext m ← D_sk(e). The output of the decryption algorithm can be the special symbol ⊥, indicating an invalid ciphertext. A PKE scheme is correct if m = D_sk(E_pk(m)) (with probability 1 over the randomness in the encryption algorithm) for all messages m and all key pairs (pk, sk) generated by K. We introduce security notions for PKE schemes as we need them.

9 init i 0 on (encode, x) i i + 1 c (i) $ Enc(x) System S real on (tamper, f) with f (i) c f(c (1),..., c (i) ) x Dec(c ) if x = out x init i 0 on (encode, x) i i + 1 x (i) $ x System S simu,τ on (tamper, f) with f (i) x $ τ(i, f) if x = if x = (same, j) x x (j) out x igure 1: Systems S real and Ssimu,τ defining adaptive continuous non-malleaility of (Enc, Dec). The command has the effect that is output and all future queries are answered y. 2.5 Continuously Non-Malleale Codes Non-malleale codes, introduced in [23], are coding schemes that protect the encoded messages against certain classes of adversarially chosen modifications, in the sense that the decoding will result either in the original message or in an unrelated value. Definition 2 (Coding scheme). A (k, n)-coding scheme (Enc, Dec) consists of a randomized encoding function Enc : {0, 1} k {0, 1} n and a deterministic decoding function Dec : {0, 1} n {0, 1} k { } such that Dec(Enc(x)) = x (with proaility 1 over the randomness of the encoding function) for each x {0, 1} k. The special symol indicates an invalid codeword. Basic non-malleale codes [23] provide the aove guarantee in a context where the adversary is allowed to modify a (random) codeword c (of a message of his choice) y specifying a function f : {0, 1} n {0, 1} n from a particular function class and oserve the output of the decoding algorithm applied to the tampered codeword f(c). Continuous non-malleaility, introduced in [25], extends this guarantee to the case where the adversary is allowed to perform multiple such modifications of a target codeword c. That is, he can repeatedly and adaptively specify functions f and see the decoding of the tampered codeword f(c). The functions f specified y the adversary are always applied to the same c. The notion of adaptive continuous non-malleaility considered here is an extension of continuous non-malleaility in that the adversary is allowed to (adaptively) specify multiple messages x (1), x (2),... 
and the functions may depend on all of the corresponding codewords c (1), c (2),.... That is, the class is actually a sequence ( (i) ) i 1 of function families with (i) {f f : ({0, 1} n ) i {0, 1} n }, and after encoding i messages, the adversary chooses functions from (i). A similar adaptive notion has een already considered for continuous strong non-malleaility in the split-state model [26]. ormally, adaptive continuous non-malleaility w.r.t. is defined y comparing the two random systems S real and Ssimu,τ defined in igure 1. Both systems process encode and tamper queries from a distinguisher D, whose ojective is to tell the two systems apart. System S real produces a random encoding c(i) of each message x (i) specified y D and allows D to repeatedly issue tampering functions f (i). or each such query, S real computes the modified codeword c = f(c (1),..., c (i) ) and outputs Dec(c ). Whenever Dec(c ) =, the system enters a mode, in which all further queries are replied to y. The second random system, S simu,τ, features a simulator τ, which is allowed to keep state. The simulator repeatedly takes a tampering function and outputs either a message x, (same, v) for v {1,..., i}, or, where (same, v) is used y τ to indicate that (it elieves that) the tampering results in an n-it string that decodes to the v th message encoded. System S simu,τ outputs whatever τ outputs, except that (same, v) is replaced y the v th message x (v) specified y D. Moreover, in case of, S simu,τ s. or l, q N, S real,l,q is the system that ehaves as Sreal except that only the first l encode-queries and Ssimu,τ ). Note that y setting and the first q tamper-queries are handled (and similarly for S simu,τ,l,q l = 1, one recovers continuous non-malleaility as defined in [25], 7 and y additionally setting q = 1 7 Being ased on strong non-malleaility [23], the notion of [25] is actually stronger than ours. 7

10 the original definition of non-malleaility. Definition 3 (Continuous non-malleaility). Consider a sequence = ( (i) ) i 1 of function families (i) {f f : ({0, 1} n ) i {0, 1} n } and let l, q N. A coding scheme (Enc, Dec) is adaptively continuously (, ε, l, q)-non-malleale (or simply (, ε, l, q)-non-malleale) if there exists a simulator τ such that D (S real,l,q, Ssimu,τ,l,q ) ε for all distinguishers D. 3 rom Single-Bit to Multi-Bit Channels In this section we examine the question of domain extension for CCA-secure pulic-key encryption (PKE) via the following intuitive non-malleale code ased approach: first encode a k-it message using a non-malleale (k, n)-code to protect its integrity, otaining an n-it codeword c; then encrypt c it-wise using n independent pulic keys for a single-it CCA-secure PKE. We oserve that the adversary s aility of asking multiple decryption queries requires to opt for continuously non-malleale codes. The property of these codes, however, translates to the resulting PKE scheme, and thus we achieve domain extension only for schemes with so-called CCA security, a variant of CCA security where the decryption oracle stops working after the attacker sumits an invalid ciphertext; this variant is defined more precisely in Section D.1. We stress that the need for is not a limitation of the security proof of our code (cf. Section 4), as continuous non-malleaility for the class of tampering functions required for the aove transformation to work is impossile without the property (cf. Appendix for details). As shown elow, phrasing PKE domain extension using the paradigm of constructive cryptography allows to decompose the prolem into two independent parts: The first part includes a (canonical) reduction to the SD-CCA security of the single-it PKE scheme, whereas the second part, which involves non-malleale codes, is purely information-theoretic. 
The two parts can then be combined to obtain a single protocol, whose security follows from the composition theorem. We also show how the resulting protocol can be understood as a PKE scheme and that it achieves SD-CCA security. All channel resources that appear in this section are formally defined in Section B of the appendix; to understand the statements and explanations below, the informal descriptions given in Section 1.2 are sufficient, however.

3.1 Single-Bit PKE Viewed Constructively

Following the proof of [12, Theorem 2], one can show that a 1-bit SD-CCA-secure PKE scheme can be used to design a protocol that achieves the construction

$$[\text{authenticated channel}, \text{insecure channel}] \Longrightarrow \text{1-bit confidential channel}, \qquad (2)$$

where, in a nutshell, the receiver's protocol converter is responsible for key generation, decryption, as well as self-destructing, the sender's protocol converter for encryption, and where the authenticated channel is used for the transmission of the public key and the insecure channel for sending 1-bit ciphertexts. The constructed single-bit confidential channel hides all messages sent by the sender from the attacker and allows the attacker to either deliver already sent messages or to inject independent messages. This captures the intuitive (SD-)CCA guarantee that an attacker, by modifying a particular ciphertext, can either leave the message contained therein intact or replace it by an independently created one. Using $n$ independent copies of the single-bit scheme in parallel yields a protocol $\mathsf{1\text{-}pke}$ that achieves

$$[\text{authenticated channel}, \text{insecure channel}] \overset{\mathsf{1\text{-}pke}}{\Longrightarrow} [\text{1-bit confidential channel}]^n, \qquad (3)$$

which follows almost directly from the composition theorem. More details can be found in Appendix D.2.

Figure 2: Left: The assumed resource $[\text{1-bit confidential channel}]^n$ with protocol converters $\mathsf{encode}$ and $\mathsf{decode}$ attached to interfaces A and B, denoted $\mathsf{encode}^A\,\mathsf{decode}^B\,[\text{1-bit confidential channel}]^n$. Right: The constructed resource ($k$-bit confidential channel) with simulator $\sigma$ attached to the E-interface, denoted $\sigma^E$ ($k$-bit confidential channel). In particular, $\sigma$ must simulate the E-interfaces of $[\text{1-bit confidential channel}]^n$. The protocol is secure if the two systems are indistinguishable.

3.2 Tying the Channels Together

We now show how to construct, using an adaptive continuously non-malleable $(k, n)$-code (cf. Section 2.5), a (single) $k$-bit confidential channel from the $n$ independent single-bit confidential channels constructed in the previous section. This is achieved by having the sender encode the message with the non-malleable code and send the resulting codeword over the 1-bit channels (bit-by-bit), while the receiver decodes all $n$-bit strings received via these channels. Additionally, due to the self-destruct property of continuously non-malleable codes, the receiver must stop decoding once an invalid codeword has been received.

More precisely, let $(\mathrm{Enc}, \mathrm{Dec})$ be a $(k, n)$-coding scheme and consider the following protocol $\mathsf{nmc} = (\mathsf{encode}, \mathsf{decode})$:

Converter $\mathsf{encode}$ encodes every message $m \in \{0,1\}^k$ input at its outside interface with fresh randomness, resulting in an $n$-bit encoding $c = c_1 \cdots c_n \leftarrow \mathrm{Enc}(m)$. Then, for $i = 1, \ldots, n$, it outputs bit $c_i$ to the $i$-th channel at the inside interface.

Converter $\mathsf{decode}$, whenever it receives an $n$-bit string $c' = c'_1 \cdots c'_n$ (where the $i$-th bit $c'_i$ was received on the $i$-th channel), computes $m' \leftarrow \mathrm{Dec}(c')$ and outputs $m'$ at the outside interface. If $m' = \bot$, it implements the self-destruct mode, i.e., it answers all future encodings received at the inside interface by outputting $\bot$ at the outside interface.

The goal is now to show that protocol $\mathsf{nmc}$ achieves the construction

$$[\text{1-bit confidential channel}]^n \overset{\mathsf{nmc}}{\Longrightarrow} \text{$k$-bit confidential channel}. \qquad (4)$$

The required non-malleability.
By inspecting both sides of Figure 2, it becomes immediately apparent why adaptive continuously non-malleable codes are the proper choice to achieve construction (4): On the left-hand side, the distinguisher can repeatedly input messages $m^{(i)}$ at interface A, which results in encodings $c^{(i)}$ being input (bit-by-bit) into the single-bit channels. Using the E-interfaces of these channels, the distinguisher can repeatedly see the decoding of an $n$-bit string $c' = c'_1 \cdots c'_n$ at interface B, where each bit $c'_j$ results from either forwarding one of the bits already in the $j$-th channel or from injecting a fresh bit that is either 0 or 1. Put differently, the distinguisher can effectively launch tampering attacks using functions from $\mathcal{F}_{\mathsf{copy}} := (\mathcal{F}^{(i)}_{\mathsf{copy}})_{i \ge 1}$, where $\mathcal{F}^{(i)}_{\mathsf{copy}} \subseteq \{f \mid f : (\{0,1\}^n)^i \to \{0,1\}^n\}$ and each function $f \in \mathcal{F}^{(i)}_{\mathsf{copy}}$ is characterized by a vector $\chi(f) = (f_1, \ldots, f_n)$ where $f_j \in \{\mathsf{zero}, \mathsf{one}, \mathsf{copy}_1, \ldots, \mathsf{copy}_i\}$, with the meaning that $f$ takes as input $i$ codewords $(c^{(1)}, \ldots, c^{(i)})$ and outputs an $n$-bit string $c' = c'_1 \cdots c'_n$ in which each bit $c'_j$ is either set to 0 ($\mathsf{zero}$), set to 1 ($\mathsf{one}$), or copied from the $j$-th bit in a codeword $c^{(v)}$ ($\mathsf{copy}_v$) for $v \in \{1, \ldots, i\}$.

On the right-hand side, the distinguisher may again input messages $m^{(i)}$ at interface A to the $k$-bit confidential channel. At interface E, this channel only allows to either deliver entire $k$-bit messages

already sent by A or to inject independent messages. The simulator $\sigma$ required to prove (4) needs to simulate the E-interfaces of the single-bit confidential channels at its outside interface and, based solely on what is input at these interfaces, decide whether to forward or inject a message, which corresponds exactly to the task of the simulator $\tau$ in the non-malleability experiment (cf. Section 2.5). Theorem 1 below formalizes this correspondence; its proof is essentially a technicality: one merely needs to translate between the channel settings and the non-malleability experiment. For completeness it is provided in full detail in Appendix D.3.

Theorem 1. For any $l, q \in \mathbb{N}$, if $(\mathrm{Enc}, \mathrm{Dec})$ is $(\mathcal{F}_{\mathsf{copy}}, \varepsilon, l, q)$-continuously non-malleable, there exists a simulator $\sigma$ such that

$$[\text{1-bit confidential channel}^{\,l,q}]^n \overset{(\mathsf{nmc}, \sigma, (0, \varepsilon))}{\Longrightarrow} \text{$k$-bit confidential channel}^{\,l,q},$$

where the additional superscripts $l, q$ on a channel mean that it only processes the first $l$ queries at the A-interface and only the first $q$ queries at the E-interface.

3.3 Plugging It Together

The composition theorem of constructive cryptography (cf. Appendix A) implies that the protocol $\mathsf{m\text{-}pke} = \mathsf{nmc} \circ \mathsf{1\text{-}pke}$ resulting from composing the protocols $\mathsf{1\text{-}pke}$ and $\mathsf{nmc}$ for transformations (3) and (4), respectively, achieves

$$[\text{authenticated channel}, \text{insecure channel}] \overset{\mathsf{m\text{-}pke}}{\Longrightarrow} \text{$k$-bit confidential channel}. \qquad (5)$$

Protocol $\mathsf{m\text{-}pke}$ corresponds (in a straightforward manner) to a PKE scheme $\Pi$ that achieves SD-CCA security, as shown in Section D.4 of the appendix.^8 Hence, overall, we obtain a domain extension technique for SD-CCA-secure PKE schemes. Furthermore, in Section D.5, we also provide a direct game-based proof of the fact that combining single-bit SD-CCA-secure PKE with a non-malleable code as shown above yields a multi-bit SD-CCA-secure PKE scheme. That proof is a hybrid argument and is obtained by unwrapping the concatenation of the statements in this section. The modular nature and the intuitive simplicity of the proofs are lost, however.
4 Continuous Non-Malleability against Bit-Wise Tampering

In this section, we describe a code that is adaptively continuously non-malleable w.r.t. $\mathcal{F}_{\mathsf{copy}}$. For completeness, in Appendix G, we also provide a code secure w.r.t. an extension $\mathcal{F}'_{\mathsf{copy}}$ of $\mathcal{F}_{\mathsf{copy}}$ that allows bit-flips as well. The transition from continuous to adaptive continuous non-malleability w.r.t. $\mathcal{F}_{\mathsf{copy}}$ is achieved generically:

Theorem 2. If a $(k, n)$-coding scheme $(\mathrm{Enc}, \mathrm{Dec})$ is continuously $(\mathcal{F}_{\mathsf{copy}}, \varepsilon, 1, q)$-non-malleable, it is also continuously $(\mathcal{F}_{\mathsf{copy}}, 2l\varepsilon + ql\,2^{-k}, l, q)$-non-malleable, for all $l, q \in \mathbb{N}$.

The proof of Theorem 2 appears in Appendix E. It remains to construct a continuously non-malleable code that is secure against tampering with a single encoding, which we do below.

Continuous non-malleability for single encoding. The code is based on a linear error-correcting secret-sharing (LECSS). The use of a LECSS is inspired by the work of [23], who proposed a (non-continuous) non-malleable code against bit-wise tampering based on a LECSS and, additionally, an AMD-code (cf. Appendix G), where the AMD-code essentially handles bit-flips. As we do not need to provide non-malleability against bit-flips, using only the LECSS is sufficient for our purposes. The following definition is taken from [23]:^9

Footnote 8: Actually, our protocol only achieves replayable SD-CCA security, which, however, is not a major issue as explained in Section D.4.

Footnote 9: The operator $\oplus$ denotes the bit-wise XOR.

Definition 4 (LECSS code). A $(k, n)$-coding scheme $(\mathrm{Enc}, \mathrm{Dec})$ is a $(d, t)$-linear error-correcting secret-sharing (LECSS) code if the following properties hold:

Linearity: For all $c \in \{0,1\}^n$ such that $\mathrm{Dec}(c) \ne \bot$ and all $\delta \in \{0,1\}^n$, we have
$$\mathrm{Dec}(c \oplus \delta) = \begin{cases} \bot & \text{if } \mathrm{Dec}(\delta) = \bot, \\ \mathrm{Dec}(c) \oplus \mathrm{Dec}(\delta) & \text{otherwise.} \end{cases}$$

Distance $d$: For all $c' \in \{0,1\}^n$ with Hamming weight $0 < w_H(c') < d$, we have $\mathrm{Dec}(c') = \bot$.

Secrecy $t$: For any fixed $x \in \{0,1\}^k$, the bits of $\mathrm{Enc}(x)$ are individually uniform and $t$-wise independent (over the randomness in the encoding).

It turns out that a LECSS code is already continuously non-malleable with respect to $\mathcal{F}_{\mathsf{copy}}$:

Theorem 3. Assume that $(\mathrm{Enc}, \mathrm{Dec})$ is a $(d, t)$-LECSS $(k, n)$-code for $d > n/4$ and $d > t$. Then $(\mathrm{Enc}, \mathrm{Dec})$ is $(\mathcal{F}_{\mathsf{copy}}, \varepsilon, 1, q)$-continuously non-malleable for all $q \in \mathbb{N}$ and
$$\varepsilon = 2^{-(t-1)} + \frac{\binom{t}{t/2}}{n\,(d/n - 1/4)^2}.$$

For brevity, we write $\mathcal{F}_{\mathsf{set}}$ for $\mathcal{F}^{(1)}_{\mathsf{copy}}$ below, with the idea that the tampering functions in $\mathcal{F}^{(1)}_{\mathsf{copy}}$ only allow to keep a bit or to set it to 0 or to 1. More formally, a function $f \in \mathcal{F}_{\mathsf{set}}$ can be characterized by a vector $\chi(f) = (f_1, \ldots, f_n)$ where $f_i \in \{\mathsf{zero}, \mathsf{one}, \mathsf{keep}\}$, with the meaning that $f$ takes as input a codeword $c$ and outputs a codeword $c' = c'_1 \cdots c'_n$ in which each bit is either set to 0 ($\mathsf{zero}$), set to 1 ($\mathsf{one}$), or left unchanged ($\mathsf{keep}$).

For the proof of Theorem 3, fix $q \in \mathbb{N}$ and some distinguisher $D$. For the remainder of this section, let $\mathcal{F} := \mathcal{F}_{\mathsf{set}}$, $S_{\mathrm{real}} := S^{\mathcal{F}}_{\mathrm{real},1,q}$ and $S_{\mathrm{simu},\tau} := S^{\mathcal{F}}_{\mathrm{simu},\tau,1,q}$ (for a simulator $\tau$ to be determined). For a tamper query $f$ with $\chi(f) = (f_1, \ldots, f_n)$ issued by $D$, let $A(f) := \{i \mid f_i \in \{\mathsf{zero}, \mathsf{one}\}\}$, $B(f) := \{i \mid f_i \in \{\mathsf{keep}\}\}$, and $a(f) := |A(f)|$. Moreover, let $\mathrm{val}(\mathsf{zero}) := 0$ and $\mathrm{val}(\mathsf{one}) := 1$. Queries $f$ with $0 \le a(f) \le t$, $t < a(f) < n - t$, and $n - t \le a(f) \le n$ are called low queries, middle queries, and high queries, respectively.

Handling Middle Queries. Consider the hybrid system $H$ that proceeds as $S_{\mathrm{real}}$, except that as soon as $D$ specifies a middle query $f$, $H$ self-destructs, i.e., answers $f$ and all subsequent queries by $\bot$.

Lemma 4. $\Delta^D(S_{\mathrm{real}}, H) \le \dfrac{1}{2^t} + \dfrac{\binom{t}{t/2}}{n\,(d/n - 1/4)^2}$.

Proof.
Define a successful middle query to be a middle query that does not decode to $\bot$. On both systems $S_{\mathrm{real}}$ and $H$, one can define an MBO $B$ (cf. Section 2.2) that is provoked if and only if the first middle query is successful and the self-destruct has not been provoked up to that point. Clearly, $S_{\mathrm{real}}$ and $H$ behave identically until MBO $B$ is provoked, thus $\hat{S}_{\mathrm{real}} \overset{g}{\equiv} \hat{H}$, and $\Delta^D(S_{\mathrm{real}}, H) \le \Gamma^D(\hat{S}_{\mathrm{real}})$.

Towards bounding $\Gamma^D(\hat{S}_{\mathrm{real}})$, note first that adaptivity does not help in provoking $B$: For any distinguisher $D$, there exists a non-adaptive distinguisher $D'$ with
$$\Gamma^{D'}(\hat{S}_{\mathrm{real}}) \ge \Gamma^{D}(\hat{S}_{\mathrm{real}}). \qquad (6)$$
$D'$ proceeds as follows: First, it (internally) interacts with $D$ only. Initially, it stores the message $x$ output by $D$ internally. Whenever $D$ outputs a low query, $D'$ answers with $x$. Whenever $D$ outputs a high query $f = (f_1, \ldots, f_n)$, $D'$ checks whether there exists a codeword $c'$ that agrees with $f$ in positions $i$ where $f_i \in \{\mathsf{zero}, \mathsf{one}\}$. If it exists, it answers with $\mathrm{Dec}(c')$, otherwise with $\bot$. As soon as $D$ specifies a middle query, $D'$ stops its interaction with $D$ and sends $x$ and all the queries to $\hat{S}_{\mathrm{real}}$.

To prove (6), fix all randomness in experiment $D'\hat{S}_{\mathrm{real}}$, i.e., the coins of $D$ (inside $D'$) and the randomness of the encoding (inside $\hat{S}_{\mathrm{real}}$). Suppose $D$ would provoke $B$ in the direct interaction with $\hat{S}_{\mathrm{real}}$. In that case all the answers by $D'$ are equal to the answers by $\hat{S}_{\mathrm{real}}$. This is due to the fact that the distance of the LECSS is $d > t$; a successful low query must therefore result in the original message $x$ and a successful high query in $\mathrm{Dec}(c')$. Thus, whenever $D$ provokes $B$, $D'$ provokes it as well.

It remains to analyze the success probability of non-adaptive distinguishers $D'$. Fix the coins of $D'$; this determines the tamper queries. Suppose there is at least one middle case, as otherwise $B$ is trivially not provoked. The middle case's success probability can be analyzed as in [23, Theorem 4.1], which leads to
$$\Gamma^{D'}(\hat{S}_{\mathrm{real}}) \le \frac{1}{2^t} + \frac{\binom{t}{t/2}}{n\,(d/n - 1/4)^2}$$
(recall that the MBO cannot be provoked after an unsuccessful first middle query).

Simulator. The final step of the proof consists of exhibiting a simulator $\tau$ such that $\Delta^D(H, S_{\mathrm{simu},\tau})$ is small. The indistinguishability proof is facilitated by defining two hardly distinguishable systems $\mathsf{B}$ and $\mathsf{B}'$ and a wrapper system $\mathsf{W}$ such that $\mathsf{W}\mathsf{B} \equiv H$ and $\mathsf{W}\mathsf{B}' \equiv S_{\mathrm{simu},\tau}$.

System $\mathsf{B}$ works as follows: Initially, it takes a value $x \in \{0,1\}^k$, computes an encoding $c_1 \cdots c_n \overset{\$}{\leftarrow} \mathrm{Enc}(x)$ of it, and outputs $\lambda$ (where the symbol $\lambda$ indicates an empty output). Then, it repeatedly accepts guesses $g_i = (j, b)$, where $(j, b)$ is a guess for $c_j$. If a guess $g_i$ is correct, $\mathsf{B}$ returns $a_i = 1$. Otherwise, it outputs $a_i = \bot$ and self-destructs (i.e., all future answers are $\bot$). The system $\mathsf{B}'$ behaves as $\mathsf{B}$ except that the initial input $x$ is ignored and the $c_1, \ldots, c_n$ are chosen uniformly at random and independently.

The behavior of $\mathsf{B}$ (and similarly that of $\mathsf{B}'$) is described by a sequence $(p^{\mathsf{B}}_{A^i \mid G^i})_{i \ge 0}$ of conditional probability distributions (cf. Section 2.2), where $p^{\mathsf{B}}_{A^i \mid G^i}(a^i, g^i)$ is the probability of observing the outputs $a^i = (\lambda, a_1, \ldots, a_i)$ given the inputs $g^i = (x, g_1, \ldots, g_i)$.
For simplicity, assume below that $g^i$ is such that no position is guessed twice (a generalization is straightforward) and that $a^i$ is of the form $\{\lambda\}\{1\}^*\{\bot\}^*$ (as otherwise it has probability 0 anyway). For system $\mathsf{B}$, all $i$, and any $g^i$, $p^{\mathsf{B}}_{A^i \mid G^i}(a^i, g^i) = 2^{-(s+1)}$ if $a^i$ has $s < \min(i, t)$ leading 1's; this follows from the $t$-wise independence of the bits of $\mathrm{Enc}(x)$. All remaining output vectors $a^i$, i.e., those with at least $\min(i, t)$ leading 1's, share a probability mass of $2^{-\min(i,t)}$, in a way that depends on the code in use and on $x$. (It is easily verified that this yields a valid probability distribution.) The behavior of $\mathsf{B}'$ is obvious given the above (simply replace $t$ by $n$ in the above description).

Lemma 5. $\Delta^D(\mathsf{B}, \mathsf{B}') \le 2^{-t}$.

Proof. On both systems $\mathsf{B}$ and $\mathsf{B}'$, one can define an MBO $B$ that is zero as long as less than $t$ positions have been guessed correctly. In the following, $\hat{\mathsf{B}}$ and $\hat{\mathsf{B}}'$ denote $\mathsf{B}$ and $\mathsf{B}'$ with the MBO, respectively. Analogously to the above, the behavior of $\hat{\mathsf{B}}$ (and similarly that of $\hat{\mathsf{B}}'$) is described by a sequence $(p^{\hat{\mathsf{B}}}_{A^i, B^i = 0 \mid G^i})_{i \ge 0}$ of conditional probability distributions, where $p^{\hat{\mathsf{B}}}_{A^i, B^i = 0 \mid G^i}(a^i, g^i)$ is the probability of observing the outputs $a^i = (\lambda, a_1, \ldots, a_i)$ and $b_0 = b_1 = \cdots = b_i = 0$ given the inputs $g^i = (x, g_1, \ldots, g_i)$. One observes that due to the $t$-wise independence of $\mathrm{Enc}(x)$'s bits, for $i < t$,
$$p^{\hat{\mathsf{B}}}_{A^i, B^i = 0 \mid G^i}(a^i, g^i) = p^{\hat{\mathsf{B}}'}_{A^i, B^i = 0 \mid G^i}(a^i, g^i) = \begin{cases} 2^{-(s+1)} & \text{if } a^i \text{ has } s < i \text{ leading 1's,} \\ 2^{-i} & \text{if } a^i \text{ has } i \text{ leading 1's, and} \\ 0 & \text{otherwise,} \end{cases}$$
and for $i \ge t$,
$$p^{\hat{\mathsf{B}}}_{A^i, B^i = 0 \mid G^i}(a^i, g^i) = p^{\hat{\mathsf{B}}'}_{A^i, B^i = 0 \mid G^i}(a^i, g^i) = \begin{cases} 2^{-(s+1)} & \text{if } a^i \text{ has } s < t \text{ leading 1's,} \\ 0 & \text{otherwise.} \end{cases}$$

Figure 3: The wrapper system $\mathsf{W}$. The command self-destruct causes $\mathsf{W}$ to output $\bot$ at $\mathsf{o}$ and to answer all future queries by $\bot$. The word undefined marks a position $c_i$ whose value $\mathsf{W}$ has not learned yet.

    System W
      init: for all i ∈ [n]: c_i ← undefined
      on first (encode, x) at o: out x at i
      on (tamper, f) with 0 ≤ a(f) ≤ t at o:            (low query)
        for i ∈ A(f):
          g ← val(f_i)
          if c_i = undefined:
            out (i, g) at i; get a ∈ {⊥, 1} at i
            if a = ⊥: self-destruct
            else: c_i ← g
          else if c_i ≠ g: self-destruct
        out x at o
      on (tamper, f) with t < a(f) < n − t at o:         (middle query)
        self-destruct
      on (tamper, f) with n − t ≤ a(f) ≤ n at o:          (high query)
        for i ∈ A(f): c'_i ← val(f_i)
        if there exists a codeword c' with c'_i = val(f_i) for all i ∈ A(f):
          for i ∈ B(f):
            g ← c'_i
            if c_i = undefined:
              out (i, g) at i; get a ∈ {⊥, 1} at i
              if a = ⊥: self-destruct
              else: c_i ← g
            else if c_i ≠ g: self-destruct
          out Dec(c') at o
        else: self-destruct

Therefore, $\hat{\mathsf{B}} \overset{g}{\equiv} \hat{\mathsf{B}}'$ and $\Delta^D(\mathsf{B}, \mathsf{B}') \le \Gamma^D(\hat{\mathsf{B}})$. Observe that by an argument similar to the one above, adaptivity does not help in provoking the MBO of $\hat{\mathsf{B}}$. Thus, $\Gamma^D(\hat{\mathsf{B}}) \le 2^{-t}$, since an optimal non-adaptive strategy simply tries to guess distinct positions.

Recall that the purpose of the wrapper system $\mathsf{W}$ is to emulate $H$ and $S_{\mathrm{simu},\tau}$ using $\mathsf{B}$ and $\mathsf{B}'$, respectively. The key point is to note that low queries $f$ can be answered knowing only the positions $A(f)$ of $\mathrm{Enc}(x)$, high queries knowing only the positions in $B(f)$, and middle queries can always be rejected. A full description of $\mathsf{W}$ can be found in Figure 3. It has an outside interface $\mathsf{o}$ and an inside interface $\mathsf{i}$; at the latter interface, $\mathsf{W}$ expects to be connected to either $\mathsf{B}$ or $\mathsf{B}'$.

Lemma 6. $\mathsf{W}\mathsf{B} \equiv H$.

Proof. Since the distance of the LECSS is $d > t$, the following holds: A low query results in $\mathsf{same}$ if all injected positions match the corresponding bits of the encoding, and in $\bot$ otherwise. Similarly, for a high query, there can be at most one codeword that matches the injected positions. If such a codeword $c'$ exists, the outcome is $\mathrm{Dec}(c')$ if the bits in the keep-positions match $c'$, and $\bot$ otherwise. By inspection, it can be seen that $\mathsf{W}$ acts accordingly.

Consider now the system $\mathsf{W}\mathsf{B}'$. Due to the nature of $\mathsf{B}'$, the behavior of $\mathsf{W}\mathsf{B}'$ is independent of the value $x$ that is initially encoded.
This allows one to easily design a simulator $\tau$ as required by Definition 3. A full description of $\tau$ can be found in Figure 4.

Lemma 7. The simulator $\tau$ of Figure 4 satisfies $\mathsf{W}\mathsf{B}' \equiv S_{\mathrm{simu},\tau}$.
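As an added example (not code from the paper), the following Python builds one small instance of the objects this section and Section 3.2 reason about: a (d, t)-LECSS whose three properties from Definition 4 are checked exhaustively, and the real tampering experiment $S_{\mathrm{real}}$ for $\mathcal{F}_{\mathsf{copy}}$ with the self-destruct rule of the $\mathsf{decode}$ converter. The concrete [7, 4] code, the string names used for the entries of $\chi(f)$, and the low/middle/high helper are this example's own choices.

```python
import itertools
import random
from collections import Counter

# Toy (d, t)-LECSS with n = 7, k = 1, constructed for this example (not the paper's code).
# Enc(x) = x * 1111111  XOR  r * G_R  with r uniform in {0,1}^3, where the rows of G_R
# generate the [7,3] simplex code (its columns are the 7 distinct non-zero vectors of
# GF(2)^3).  The span of ALL_ONES and G_R has weights 0, 3, 4, 7, so d = 3 > n/4, and any
# two columns of G_R are independent, so t = 2 < d: exactly the hypotheses of Theorem 3.
N, K = 7, 1
BOT = None                       # plays the role of the symbol "bottom"
ALL_ONES = (1,) * N
G_R = [(1, 0, 1, 0, 1, 0, 1),
       (0, 1, 1, 0, 0, 1, 1),
       (0, 0, 0, 1, 1, 1, 1)]

def _xor(a, b):
    return tuple(u ^ v for u, v in zip(a, b))

def _encode_with(x, r):
    """Enc with the randomness r in {0,1}^3 fixed; x = (x0,) is the 1-bit message."""
    c = ALL_ONES if x[0] else (0,) * N
    for bit, row in zip(r, G_R):
        if bit:
            c = _xor(c, row)
    return c

def enc(x, rng=random):
    """Enc(x) with fresh randomness, as the encode converter of Section 3.2 uses it."""
    return _encode_with(x, tuple(rng.getrandbits(1) for _ in range(3)))

def all_encodings(x):
    return [_encode_with(x, r) for r in itertools.product((0, 1), repeat=3)]

CODE = set(all_encodings((0,))) | set(all_encodings((1,)))   # all 16 codewords

def dec(c):
    """Dec: bottom unless c is a codeword; the message bit is the parity of w_H(c)."""
    c = tuple(c)
    return (sum(c) % 2,) if c in CODE else BOT

# Exhaustive checks of the three properties of Definition 4.
def linearity_holds():
    """Dec(c xor delta) = bottom if Dec(delta) = bottom, else Dec(c) xor Dec(delta)."""
    for c in CODE:
        for delta in itertools.product((0, 1), repeat=N):
            d = dec(delta)
            want = BOT if d is BOT else (dec(c)[0] ^ d[0],)
            if dec(_xor(c, delta)) != want:
                return False
    return True

def min_distance():
    """Largest d such that every non-zero string of weight < d decodes to bottom."""
    return min(sum(c) for c in CODE if any(c))

def secrecy_t():
    """Largest t such that the bits of Enc(x) are t-wise independent for every x."""
    t = 0
    while t < N:
        for x in ((0,), (1,)):
            for pos in itertools.combinations(range(N), t + 1):
                seen = Counter(tuple(c[j] for j in pos) for c in all_encodings(x))
                if len(seen) != 2 ** (t + 1) or len(set(seen.values())) != 1:
                    return t     # some (t+1)-subset of bits is not uniform
        t += 1
    return t

# The real tampering experiment S_real for F_copy (Sections 2.5 and 3.2).
class RealTamperingSystem:
    """After i encode queries a tamper query is a vector (f_1, ..., f_n) with each f_j in
    {'zero', 'one', ('copy', v)}, v in 1..i; after the first bottom it self-destructs."""

    def __init__(self, rng=random):
        self.codewords, self.destroyed, self.rng = [], False, rng

    def encode(self, x):
        self.codewords.append(enc(x, self.rng))

    def tamper(self, f):
        if self.destroyed:
            return BOT
        tampered = []
        for j, fj in enumerate(f):
            if fj == 'zero':
                tampered.append(0)
            elif fj == 'one':
                tampered.append(1)
            else:                     # ('copy', v): bit j of the v-th codeword
                tampered.append(self.codewords[fj[1] - 1][j])
        m = dec(tampered)
        if m is BOT:
            self.destroyed = True     # every later answer is bottom
        return m

def query_class(f, t=2):
    """The low / middle / high classification of Section 4 via a(f) = #set positions."""
    a = sum(1 for fj in f if fj in ('zero', 'one'))
    return 'low' if a <= t else 'high' if a >= N - t else 'middle'
```

Running `linearity_holds()`, `min_distance()` and `secrecy_t()` confirms the instance is a (3, 2)-LECSS; a tamper query that produces a weight-1 string drives `RealTamperingSystem` into self-destruct, after which even an all-copy query is answered with bottom.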


Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Secure and Practical Identity-Based Encryption

Secure and Practical Identity-Based Encryption Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.

More information

Cryptography and Security Final Exam

Cryptography and Security Final Exam Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not

More information

Lecture 3,4: Multiparty Computation

Lecture 3,4: Multiparty Computation CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,

More information

Four-state Non-malleable Codes with Explicit Constant Rate

Four-state Non-malleable Codes with Explicit Constant Rate Four-state Non-malleable Codes with Explicit Constant Rate Bhavana Kanukurthi Sai Lakshmi Bhavana Obbattu Sruthi Sekar Indian Institute Of Science, Bangalore Abstract. Non-malleable codes (NMCs), introduced

More information

Adaptively Indistinguishable Garbled Circuits

Adaptively Indistinguishable Garbled Circuits Adaptively Indistinguishale Garled Circuits Zahra Jafargholi Alessandra Scafuro Daniel Wichs Astract A garling scheme is used to garle a circuit C and an input x in a way that reveals the output C(x ut

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

CSA E0 235: Cryptography March 16, (Extra) Lecture 3 CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which

More information

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

Towards a Unified Theory of Cryptographic Agents

Towards a Unified Theory of Cryptographic Agents Towards a Unified Theory of Cryptographic Agents Shashank Agrawal Shweta Agrawal Manoj Prabhakaran Abstract In recent years there has been a fantastic boom of increasingly sophisticated cryptographic objects

More information

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Jiqiang Lu 1, Wun-She Yap 1,2, and Yongzhuang Wei 3,4 1 Institute for Infocomm Research, Agency for Science, Technology and Research

More information

Smooth Projective Hashing and Two-Message Oblivious Transfer

Smooth Projective Hashing and Two-Message Oblivious Transfer Smooth Projective Hashing and Two-Message Olivious Transfer Shai Halevi IBM Research Yael Tauman Kalai Microsoft Research Octoer 31, 2010 Astract We present a general framework for constructing two-message

More information

Chapter 2. A Look Back. 2.1 Substitution ciphers

Chapter 2. A Look Back. 2.1 Substitution ciphers Chapter 2 A Look Back In this chapter we take a quick look at some classical encryption techniques, illustrating their weakness and using these examples to initiate questions about how to define privacy.

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

15 Public-Key Encryption

15 Public-Key Encryption 15 Public-Key Encryption So far, the encryption schemes that we ve seen are symmetric-key schemes. The same key is used to encrypt and decrypt. In this chapter we introduce public-key (sometimes called

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation

More information

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of

More information

Non-Malleable Codes for Partial Functions with Manipulation Detection

Non-Malleable Codes for Partial Functions with Manipulation Detection Non-Malleable Codes for Partial Functions with Manipulation Detection Aggelos Kiayias 1, Feng-Hao Liu 2, and Yiannis Tselekounis 3 1 Univ. of Edinburgh, akiayias@inf.ed.ac.uk 2 Florida Atlantic University,

More information

Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE

Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE Yang Cui 1,2, Kirill Morozov 1, Kazukuni Kobara 1,2, and Hideki Imai 1,2 1 Research Center for Information

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

Query-Complexity Amplification for Random Oracles

Query-Complexity Amplification for Random Oracles Query-Complexity Amplification for Random Oracles Grégory Demay 1, Peter Gaži, 2, Ueli Maurer 1, and Björn Tackmann, 3 1 Department of Computer cience, ETH Zürich, witzerland {gregory.demay,maurer}@inf.ethz.ch

More information

Joint State Composition Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation

Joint State Composition Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation Joint State Composition Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation Ralf Küsters Max Tuengerthal University of Trier, Germany {kuesters,tuengerthal}@uni-trier.de

More information

Smooth Projective Hash Function and Its Applications

Smooth Projective Hash Function and Its Applications Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive

More information

Block ciphers And modes of operation. Table of contents

Block ciphers And modes of operation. Table of contents Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor

More information

Solution of Exercise Sheet 6

Solution of Exercise Sheet 6 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following

More information

Standard versus Selective Opening Security: Separation and Equivalence Results

Standard versus Selective Opening Security: Separation and Equivalence Results Standard versus Selective Opening Security: Separation and Equivalence Results Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu Supported by

More information

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004 CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed

More information

Scribe for Lecture #5

Scribe for Lecture #5 CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations

More information

Continuously Non-Malleable Codes with Split-State Refresh

Continuously Non-Malleable Codes with Split-State Refresh A preliminary version of this paper is published in the proceedings of the 16th International Conference on Applied Cryptography and Network Security ACNS 2018. This is the full version. Continuously Non-Malleable

More information

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6 U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom

More information

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004 CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce

More information

Rate-Limited Secure Function Evaluation: Definitions and Constructions

Rate-Limited Secure Function Evaluation: Definitions and Constructions An extended abstract of this paper is published in the proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography PKC 2013. This is the full version. Rate-Limited

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

Pairing-Based Cryptography An Introduction

Pairing-Based Cryptography An Introduction ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key

More information

Boneh-Franklin Identity Based Encryption Revisited

Boneh-Franklin Identity Based Encryption Revisited Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl

More information

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers 1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

Chapter 2 : Perfectly-Secret Encryption

Chapter 2 : Perfectly-Secret Encryption COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability

More information

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti 6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic

More information

10 Concrete candidates for public key crypto

10 Concrete candidates for public key crypto 10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see

More information

Standard Security Does Not Imply Indistinguishability Under Selective Opening

Standard Security Does Not Imply Indistinguishability Under Selective Opening Standard Security Does Not Imply Indistinguishability Under Selective Opening Dennis Hofheinz 1, Vanishree Rao 2, and Daniel Wichs 3 1 Karlsruhe Institute of Technology, Germany, dennis.hofheinz@kit.edu

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space

More information

Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization

Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization A preliminary version of this paper appears in Advances in Cryptology CRYPTO 99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999. This revised version corrects some mistakes

More information

Applied cryptography

Applied cryptography Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:

More information

A survey on quantum-secure cryptographic systems

A survey on quantum-secure cryptographic systems A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum

More information

Domain Extension of Public Random Functions: Beyond the Birthday Barrier

Domain Extension of Public Random Functions: Beyond the Birthday Barrier Domain Extension of Public Random Functions: Beyond the Birthday Barrier Ueli Maurer Stefano Tessaro Department of Computer Science ETH Zurich 8092 Zurich, Switzerland {maurer,tessaros}@inf.ethz.ch Abstract

More information