# Expander Graphs are Non-Malleable Codes

Any d-regular graph on n nodes with spectral expansion λ satisfying $n = \Omega(d^3 \log(d)/\lambda)$ yields an $O(\lambda^{3/2}/d)$-non-malleable code in the split-state model.

## 1 Introduction

A split-state non-malleable code [DPW10] consists of randomized encoding and decoding algorithms . A message is encoded as a pair of strings , such that . An adversary then specifies an arbitrary pair of functions . The code is said to be non-malleable if, intuitively, the message obtained as is “unrelated” to the original message . In particular, to be -non-malleable, it is enough [DKO13] to guarantee that when the message is chosen uniformly at random and encoded into , the probability that is at most . Since their introduction in 2010 [DPW10], split-state non-malleable codes have been the subject of intense study within theoretical computer science [DPW10, DKO13, ADL14, CZ14, CGL16, Li17].

Until our work, all known proofs of security for explicit split-state non-malleable codes have required complex mathematical proofs, and all known such proofs either directly or indirectly used the mathematics behind constructions of two-source extractors [DKO13, ADL14, CZ14, CGL16, Li17].

In this work, we show that expander graphs immediately give rise to split-state non-malleable codes. Specifically, we show that any -regular graph on nodes with spectral expansion satisfying yields a -non-malleable code in the split-state model. Our proof is elementary, requiring a little more than two pages to prove, having at its heart two nested applications of the Expander Mixing Lemma. Furthermore, we only need expanders of high degree (e.g., ), which can be constructed and analyzed easily, yielding -non-malleable codes (see, e.g., [Tre] or the appendix).

## 2 Preliminaries

We shall assume familiarity with the basics of codes and non-malleable codes. A cursory introduction to the most relevant definitions and intuition can be found in the appendix.

###### Notation 1 (Graphs).

A graph consists of vertices and edges . In this exposition every graph is undirected and always denotes the number of vertices of the graph in question.

• For any we denote by the set of neighbors of in .

• For any two subsets we denote by the set of (directed) edges from to in . I.e. .

###### Definition 2 (Spectral Expander).

Let be a -regular graph, be its adjacency matrix, and be the eigenvalues of . We say that is a spectral expander if .

###### Theorem 3 (Expander Mixing Lemma).

Suppose that is a spectral expander. Then for every pair of subsets we have

$$\left|\, |E(S,T)| - \frac{d \cdot |S| \cdot |T|}{n} \,\right| \le \lambda \sqrt{|S| \cdot |T|}.$$

Our results will rely on the following characterization of 1-bit non-malleable codes by Dziembowski, Kazana, and Obremski found in [DKO13].

###### Theorem 4.

Let be a coding scheme with and . Further, let be a set of functions . Then is -non-malleable with respect to if and only if for every ,

$$\Pr_{b \xleftarrow{u} \{0,1\}}\bigl(\mathrm{dec}(f(\mathrm{enc}(b))) = 1 - b\bigr) \le \frac{1}{2} + \varepsilon,$$

where the probability is over the uniform choice of and the randomness of .

## 3 Results

We first formally introduce our candidate code and then prove that it is a non-malleable code.

### 3.1 Candidate Code

From a graph we can very naturally construct a coding scheme as follows.

###### Definition 5 (Graph Code).

Let be a graph. The associated graph code, , consists of the functions

$$\mathrm{enc}_G : \{0,1\} \to V \times V, \qquad \mathrm{dec}_G : V \times V \to \{0,1\}$$

which are randomized and deterministic, respectively, and given by

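$$\mathrm{enc}_G(b) = \begin{cases} (u,v) \xleftarrow{u} (V \times V) \setminus E, & b = 0, \\ (u,v) \xleftarrow{u} E, & b = 1, \end{cases} \qquad \mathrm{dec}_G(v_1, v_2) = \begin{cases} 0, & (v_1, v_2) \notin E, \\ 1, & (v_1, v_2) \in E. \end{cases}$$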

### 3.2 Non-Malleability of Expander Graph Codes

Finally, arriving at the core of the matter, we first establish the following lemma casting the expression of Theorem 4 in terms of graph properties.

###### Proposition 6.

Let be a graph, functions be given, and satisfy . For the probability that flips a random bit encoded by , write

$$T = \Pr_{b \xleftarrow{u} \{0,1\}}\bigl(\mathrm{dec}_G(f(\mathrm{enc}_G(b))) = 1 - b\bigr)$$

where the probability is taken over the randomness of and the sampling of . Then

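$$T = \frac{1}{2} + \frac{1}{2d(n-d)} \cdot \sum_{(v,u) \in E} \left( \frac{d \left|g^{-1}(v)\right| \cdot \left|h^{-1}(u)\right|}{n} - \left|E\bigl(g^{-1}(v), h^{-1}(u)\bigr)\right| \right).$$

###### Proof.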

For denote by the probability taken over the randomness of . It is clear that and that by definition

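$$Q_0 = \Pr_{(v,u) \xleftarrow{u} V \times V \setminus E}\bigl[(g(v), h(u)) \in E\bigr], \qquad Q_1 = \Pr_{(v,u) \xleftarrow{u} E}\bigl[(g(v), h(u)) \notin E\bigr].$$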

First, for we see that the number of non-edges that are mapped by to any given is given by . There are non-edges in so it follows that

$$Q_0 = \sum_{(v,u) \in E} \frac{\left|g^{-1}(v)\right| \cdot \left|h^{-1}(u)\right| - \left|E\bigl(g^{-1}(v), h^{-1}(u)\bigr)\right|}{n(n-d)}.$$

Second, for the number of edges of that are mapped to non-edges by is given by . Since there are edges of to choose from when encoding the bit ,

$$Q_1 = \sum_{(v,u) \notin E} \frac{\left|E\bigl(g^{-1}(v), h^{-1}(u)\bigr)\right|}{dn}.$$

Now, observing that the number of (directed) edges in the graph is and that and are both partitions of , we get

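$$Q_1 = \frac{dn - \sum_{(v,u) \in E} \left|E\bigl(g^{-1}(v), h^{-1}(u)\bigr)\right|}{dn} = 1 - \sum_{(v,u) \in E} \frac{\left|E\bigl(g^{-1}(v), h^{-1}(u)\bigr)\right|}{dn}.$$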

Putting it all together,

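$$\begin{aligned} T &= \sum_{(v,u) \in E} \frac{\left|g^{-1}(v)\right| \cdot \left|h^{-1}(u)\right| - \left|E\bigl(g^{-1}(v), h^{-1}(u)\bigr)\right|}{2n(n-d)} + \frac{1}{2} - \sum_{(v,u) \in E} \frac{\left|E\bigl(g^{-1}(v), h^{-1}(u)\bigr)\right|}{2dn} \\ &= \frac{1}{2} + \frac{1}{2d(n-d)} \cdot \sum_{(v,u) \in E} \left( \frac{d \left|g^{-1}(v)\right| \cdot \left|h^{-1}(u)\right|}{n} - \left|E\bigl(g^{-1}(v), h^{-1}(u)\bigr)\right| \right). \end{aligned}$$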
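The closed form of Proposition 6 can be checked numerically: the added example below (not code from the paper) computes the flip probability T once by enumerating all encodings and once from the formula, using exact rational arithmetic. The circulant graph on 12 vertices, the random tampering maps and all function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import product
import random

def circulant(n, offsets):
    """Directed edge set of an undirected circulant graph (constructed sample)."""
    return {(v, (v + s * o) % n) for v in range(n) for o in offsets for s in (1, -1)}

def flip_direct(n, E, g, h):
    """T by enumeration: mean of Q0 (non-edge -> edge) and Q1 (edge -> non-edge)."""
    non_edges = [(v, u) for v, u in product(range(n), repeat=2) if (v, u) not in E]
    q0 = Fraction(sum((g[v], h[u]) in E for v, u in non_edges), len(non_edges))
    q1 = Fraction(sum((g[v], h[u]) not in E for v, u in E), len(E))
    return (q0 + q1) / 2

def flip_formula(n, d, E, g, h):
    """T from the closed form of Proposition 6."""
    g_inv = {v: [x for x in range(n) if g[x] == v] for v in range(n)}
    h_inv = {u: [y for y in range(n) if h[y] == u] for u in range(n)}
    total = Fraction(0)
    for v, u in E:
        # |E(g^{-1}(v), h^{-1}(u))|: edges running between the two preimages
        cross = sum((x, y) in E for x in g_inv[v] for y in h_inv[u])
        total += Fraction(d * len(g_inv[v]) * len(h_inv[u]), n) - cross
    return Fraction(1, 2) + total / (2 * d * (n - d))

def check(n=12, offsets=(1, 3, 5), trials=20, seed=1):
    """Compare both computations on random split-state tampering pairs (g, h)."""
    E = circulant(n, offsets)
    d = len(E) // n                      # 6-regular for the default offsets
    rng = random.Random(seed)            # only picks test functions, not secrets
    for _ in range(trials):
        g = [rng.randrange(n) for _ in range(n)]
        h = [rng.randrange(n) for _ in range(n)]
        if flip_direct(n, E, g, h) != flip_formula(n, d, E, g, h):
            return False
    return True

if __name__ == "__main__":
    print("Proposition 6 formula matches enumeration:", check())
```

Tampering with two constant maps onto an edge gives exactly 1/2, and the identity gives 0; neither exceeds the 1/2 + ε of Theorem 4.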

We proceed immediately with the main theorem, which concludes the exposition. In order to keep this presentation short and to the point, more elaborate calculations, which save a few -factors, have been placed in the appendix as Theorem 12.

###### Theorem 7.

Let be -regular with spectral expansion satisfying . Then is an -non-malleable code in the split-state model.

###### Proof.

Let be given. By Theorem 4 and Proposition 6 we just need to show that

is bounded by . Define the sets

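$$\begin{aligned} G_1 &= \left\{ v \in V \;\middle|\; \left|g^{-1}(v)\right| > \tfrac{n}{d^2} \right\}, & H_1 &= \left\{ u \in V \;\middle|\; \left|h^{-1}(u)\right| > \tfrac{n}{d^2} \right\}, \\ G_2 &= \left\{ v \in V \;\middle|\; \left|g^{-1}(v)\right| \le \tfrac{n}{d^2} \right\}, & H_2 &= \left\{ u \in V \;\middle|\; \left|h^{-1}(u)\right| \le \tfrac{n}{d^2} \right\}, \end{aligned}$$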

for write

and observe that .

Consider the case when . Simply bounding the terms of the form by using that each vertex has only neighbours, we get

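$$\begin{aligned} R_{2,1} + R_{2,2} &\le \frac{1}{2n(n-d)} \sum_{(v,u) \in E \cap (G_2 \times V)} \left|g^{-1}(v)\right| \cdot \left|h^{-1}(u)\right| \\ &\le \frac{1}{2n(n-d)} \cdot d \cdot \sum_{u \in V} \frac{n}{d^2} \cdot \left|h^{-1}(u)\right| = \frac{n}{2(n-d)d}. \end{aligned}$$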

Thus, . By symmetry, . It only remains to show that .

To this end, partition and , respectively, as

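$$G_1^k = \left\{ v \in G_1 \;\middle|\; \frac{n}{2^{k-1}} \ge \left|g^{-1}(v)\right| > \frac{n}{2^k} \right\}, \qquad H_1^l = \left\{ u \in H_1 \;\middle|\; \frac{n}{2^{l-1}} \ge \left|h^{-1}(u)\right| > \frac{n}{2^l} \right\}$$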

for . Now, focusing on each pair and , we write

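$$S_{k,l} = \frac{1}{2d(n-d)} \cdot \sum_{(v,u) \in E \cap (G_1^k \times H_1^l)} \left( \frac{d \left|g^{-1}(v)\right| \cdot \left|h^{-1}(u)\right|}{n} - \left|E\bigl(g^{-1}(v), h^{-1}(u)\bigr)\right| \right)$$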

and apply first the mixing lemma then the Cauchy-Schwarz inequality to get

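$$\begin{aligned} 2d(n-d) S_{k,l} &= \sum_{v \in G_1^k} \left( \frac{d \left|g^{-1}(v)\right| \cdot \sum_{u \in N(v) \cap H_1^l} \left|h^{-1}(u)\right|}{n} - \left| E\Bigl( g^{-1}(v), \bigcup_{u \in N(v) \cap H_1^l} h^{-1}(u) \Bigr) \right| \right) \\ &\le \sum_{v \in G_1^k} \lambda \sqrt{ \left|g^{-1}(v)\right| \cdot \sum_{u \in N(v) \cap H_1^l} \left|h^{-1}(u)\right| } \\ &\le \lambda \sqrt{ \frac{n}{2^{k-1}} \cdot \frac{n}{2^{l-1}} } \cdot \sum_{v \in G_1^k} \sqrt{ \left|N(v) \cap H_1^l\right| } \\ &\le 2 \lambda n \cdot 2^{-\frac{l+k}{2}} \cdot \sqrt{\left|G_1^k\right|} \cdot \sqrt{\left|E(G_1^k, H_1^l)\right|}. \end{aligned}$$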

We use the fact that , apply the mixing lemma to the last factor, and wield Jensen’s inequality on the arising square root to obtain

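$$\begin{aligned} d(n-d) S_{k,l} &\le \lambda n \cdot 2^{-\frac{l+k}{2}} \cdot \sqrt{\left|G_1^k\right|} \cdot \sqrt{ \frac{d \cdot \left|G_1^k\right| \cdot \left|H_1^l\right|}{n} + \lambda \sqrt{\left|G_1^k\right| \cdot \left|H_1^l\right|} } \\ &\le \lambda \sqrt{2^k d n} + 2^{\frac{k-l}{4}} \lambda^{3/2} n \le \lambda \cdot \sqrt{d^3 n} + 2^{\frac{k-l}{4}} \lambda^{3/2} n. \end{aligned}$$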

By symmetry of and , . Thus,

$$= O\!\left( \frac{\log(d)\, \lambda^{3/2}}{d} \right).$$

## References

• [ADL14] Divesh Aggarwal, Yevgeniy Dodis, and Shachar Lovett. Non-malleable codes from additive combinatorics. In Symposium on Theory of Computing, STOC, 2014.
• [CGL16] Eshan Chattopadhyay, Vipul Goyal, and Xin Li. Non-malleable extractors and codes, with their many tampered extensions. In Symposium on Theory of Computing, STOC, 2016.
• [CZ14] Eshan Chattopadhyay and David Zuckerman. Non-malleable codes against constant split-state tampering. In Foundations of Computer Science, FOCS, 2014.
• [DKO13] Stefan Dziembowski, Tomasz Kazana, and Maciej Obremski. Non-malleable codes from two-source extractors. In CRYPTO, 2013.
• [DPW10] Stefan Dziembowski, Krzysztof Pietrzak, and Daniel Wichs. Non-malleable codes. In ICS, 2010.
• [Li17] Xin Li. Improved non-malleable extractors, non-malleable codes and independent source extractors. In Symposium on Theory of Computing, STOC, 2017.
• [Tre] Luca Trevisan. Luca Trevisan’s ‘in theory’ blog. Accessed: 2018-09-27.

## Appendix A Non-Malleable Codes

The following section will outline the definition and basic results regarding non-malleable codes. We shall start with an informal overview.

Consider the following very general scenario: A sender wants to encode a value , obtaining an encoding, , and send it to a recipient through a channel such that can then decode the received message to recover the original message, . Restricting the size of or letting be a noisy channel that alters the message in some randomized way leads to the field of coding theory, whereas for instance restricting the amount of information that an adversary with limited computational resources can glean from observing the traffic through leads us to the field of cryptography.

### A.1 Definition

Working with non-malleable codes, we ask the following information theoretic question. Consider some publicly known encoding and decoding functions (the encoding function may be randomized) and suppose that an adversary can pick a tampering function from a family of functions and apply that function to whatever message passes through such that in fact receives not but . What restrictions must then apply to to guarantee that no results in encoding a message with some relation to that is not the identity? By this we mean that with some non-negligible probability transforms the original message into a related message, which is not just itself but different and depending on .

Since this explanation is rather vague, let us define the notion of a non-malleable code more formally.

###### Definition 8 (Coding scheme).

We define a coding scheme to be a pair of functions . The encoding function is randomized while the decoding function is deterministic. Further, for all the pair satisfies

$$P\bigl(\mathrm{dec}(\mathrm{enc}(s)) = s\bigr) = 1$$

where the probability is taken over the randomness of .

Note that can return meaning that the encoding it was given could not be decoded.

###### Definition 9 (Non-malleable code).

A coding scheme , and , is said to be -non-malleable with respect to a family of tampering functions , each being a function , if the following holds. For every there exists a distribution supported on such that for every the random variables defined by the experiments

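$$\begin{aligned} A_f^s &= \bigl\{ \tilde{s} \leftarrow \mathrm{enc}(s);\ \text{Output } \mathrm{dec}(f(\tilde{s})) \bigr\}, \\ B_f^s &= \bigl\{ \tilde{s} \leftarrow D_f;\ \text{If } \tilde{s} = * \text{ output } s \text{ else output } \tilde{s} \bigr\} \end{aligned}$$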

satisfy .

The intuition behind this definition is that we would like a code to be non-malleable if the only possible “attacks” against it either copy the message or output something that is not related to the message. The distribution in the definition satisfies just that. It can either sample some constant not depending on or simply copy .

### A.2 The Necessity of Restricting F

A natural initial question to ask is whether we need any restrictions on at all. We are quickly assured that this is indeed the case. If we let be the set of all functions, it contains a function that decodes the message, changes it to a related message, and then encodes it again. It is thus intuitively clear that there is no defense against such tampering. The following proposition proves this formally.

###### Proposition 10.

Suppose that the coding scheme is -non-malleable with respect to the family of all functions from to , . Then .

###### Proof.

If then the proposition is trivially true. So assume , let be a permutation of with no fixed points, and let be the function where is computed using some fixed randomness. Further, let be the distribution corresponding to and in the definition of non-malleability. Then for every , we have . Thus, for every the fact that implies since and

$$P\bigl( B_f^m = \varphi(m) \;\big|\; D_f \in (M \setminus \{\varphi(m)\}) \cup \{*, \bot\} \bigr) = 0$$

as . Now, since is a permutation of , we have

$$1 \ge P(D_f \in M) = \sum_{m \in M} P(D_f = m) = \sum_{m \in M} P(D_f = \varphi(m)) \ge |M| \cdot (1 - \varepsilon),$$

which yields the desired inequality, . ∎

### A.3 Split State Model

Having established that the class of allowed functions must be restricted, let us specify the particular restriction we shall work with. A very common setting to consider is that of the split state model. Let sets and be given. In the split state model, the class consists of all functions which can be written as for functions and , i.e. such that . For clarity, we repeat the definition of non-malleability in the split state model.

###### Definition 11 (Split State Non-Malleable Code).

A coding scheme , and , is -non-malleable in the split state model if for every pair of functions and writing there exists a distribution supported on such that for every the random variables defined by the experiments

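$$\begin{aligned} A_f^s &= \bigl\{ (L, R) \leftarrow \mathrm{enc}(s);\ \text{Output } \mathrm{dec}(g(L), h(R)) \bigr\} \\ B_f^s &= \bigl\{ \tilde{s} \leftarrow D_f;\ \text{If } \tilde{s} = * \text{ output } s \text{ else output } \tilde{s} \bigr\} \end{aligned}$$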

satisfy .

## Appendix B Deliver Us from Log Factors

A more thorough analysis of the sums in the proof of Theorem 7 allows us to get slightly better bounds. The technicalities are of little interest to the big picture and were hence omitted in the body of the paper. The addition consists of an alternative ending to the proof of Theorem 7.

###### Theorem 12.

Let be -regular with spectral expansion satisfying . Then is an -non-malleable code in the split-state model.

###### Proof.

At the very end of the proof of Theorem 7, we arrived at

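$$d(n-d) S_{k,l} \le 2^{-\frac{l+k}{2}} \lambda n \cdot \sqrt{\left|G_1^k\right|} \cdot \sqrt{ \frac{d \cdot \left|G_1^k\right| \cdot \left|H_1^l\right|}{n} + \lambda \cdot \sqrt{\left|G_1^k\right| \cdot \left|H_1^l\right|} }.$$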

Applying Jensen’s inequality, we get

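$$S_{k,l} \le O\!\left( \frac{\lambda}{\sqrt{dn}} \right) \cdot 2^{-\frac{l+k}{2}} \cdot \left|G_1^k\right| \cdot \sqrt{\left|H_1^l\right|} + O\!\left( \frac{\lambda^{3/2}}{d} \right) \cdot 2^{-\frac{l+k}{2}} \cdot \sqrt[4]{\left|G_1^k\right|^3 \cdot \left|H_1^l\right|} \tag{1}$$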

with the functions hidden by the -notation being independent of .

Now, note that

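$$\left|g^{-1}(G_1^k)\right| \ge \frac{n \cdot \left|G_1^k\right|}{2^k}, \qquad \left|h^{-1}(H_1^l)\right| \ge \frac{n \cdot \left|H_1^l\right|}{2^l} \tag{2}$$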

and for all we have . We shall bound each of the terms of (1) separately.

First, using the Cauchy-Schwarz inequality in the second inequality,

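$$\sum_{1 \le k,l \le \lceil \log_2(d^2) \rceil} \left( 2^{-\frac{l+k}{2}} \cdot \left|G_1^k\right| \cdot \sqrt{\left|H_1^l\right|} \right) \le O\!\left( d \cdot \sqrt{\log(d)} \right) \cdot \sqrt{ \sum_{1 \le l \le \lceil \log_2(d^2) \rceil} 2^{-l} \cdot \left|H_1^l\right| } = O\!\left( d \cdot \sqrt{\log(d)} \right)$$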

since the are disjoint subsets of . In conclusion,

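$$O\!\left( \frac{\lambda}{\sqrt{dn}} \right) \cdot \sum_{1 \le k,l \le \lceil \log_2(d^2) \rceil} 2^{-\frac{l+k}{2}} \cdot \left|G_1^k\right| \cdot \sqrt{\left|H_1^l\right|} = O\!\left( \frac{\lambda \cdot \sqrt{d \cdot \log(d)}}{\sqrt{n}} \right) = O\!\left( \frac{\lambda^{3/2}}{d} \right).$$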

Second, let and write . We now bound the sum using (2).

 ∑1≤k

where the third inequality is established using Hölder’s inequality.

It now follows that

$$\sum_{1 \le k \le l \le \lceil \log_2(d^2) \rceil} S_{k,l} = O\!\left( \frac{\lambda^{3/2}}{d} \right).$$

By symmetry of and ,

which completes the proof. ∎

## Appendix C Instantiating Our Construction

Using our results to instantiate an efficient, secure split-state non-malleable code, we require a family of graphs , where each is -regular with spectral expansion , satisfying the following:

1. The function is negligible.

2. We have

3. Both sampling an edge and sampling a non-edge can be done in time polynomial in .

4. Determining membership of a pair in can be done deterministically in time polynomial in .

Given such a family of graphs it is clear that the corresponding graph code is an efficiently computable non-malleable code.

### C.1 Instantiation with Cayley Graphs

Explicit constructions of such families of graphs do indeed exist. We shall here give an example from [Tre] from the class of graphs known as Cayley graphs. The construction is as follows.

###### Definition 13.

For a prime and let the graph have vertex set and edge set

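$$E(LD_{p,t}) = \left\{ \bigl( x,\ x + (b, ab, a^2 b, \ldots, a^t b) \bigr) \;\middle|\; x \in \mathbb{F}_p^{t+1},\ a, b \in \mathbb{F}_p \right\},$$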

i.e.  are connected by an edge if and only if there exists such that .

It is worth noting that the graph is -regular and that it is undirected as is connected to if and only if is connected to .

Now, let and for each let be some -bit prime. We consider the family of graphs for our instantiation. In the following, we shall check the criteria from the beginning of the section point by point.

1. The family of graphs has great expander properties.

###### Theorem 14 (Trevisan [Tre]).

For , the graph is a -spectral expander.

This fact allows us to note that for our particular choice of graphs, , which in fact is and the representation size is bits.

2. We have such that indeed,

$$n_k = \left|V(LD_{p_k,5})\right| = p^6 = \Omega\!\left( \frac{d_k^3 \log(d_k)}{\lambda_k} \right).$$

3. Sampling an edge is simply a question of picking uniformly at random and then outputting the edge .

To pick a non-edge, simply sample two random vertices uniformly at random and check (with the procedure to be specified below) whether . Since for the probability of hitting an edge with such a random choice is , the expected number of repetitions is constant and hence the procedure takes expected polynomial time.

4. To test membership of some in , perform the following operation: Compute and write . It is now trivial to check whether is of the form .
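The graph code of Definition 5 over $LD_{p,5}$, with the edge sampling, rejection sampling of non-edges and membership test from points 3 and 4, written out as an added example (not code from the paper). The toy prime `P = 1009`, the uniform choice of `x, a, b` in `sample_edge`, all function names and the `flip_rate` harness are assumptions chosen for illustration.

```python
import secrets

P = 1009    # toy prime, constructed for the demo (far too small for real use)
T_EXP = 5   # the page instantiates with LD_{p,5}: vertices live in F_p^(t+1)

def rand_vertex():
    return tuple(secrets.randbelow(P) for _ in range(T_EXP + 1))

def is_edge(x, y):
    """Membership test: is y - x of the form (b, ab, a^2 b, ..., a^t b)?"""
    z = [(yi - xi) % P for xi, yi in zip(x, y)]
    b = z[0]
    if b == 0:                       # b = 0 forces the all-zero difference
        return not any(z)
    a = z[1] * pow(b, -1, P) % P     # a = z_1 / b in F_p
    return all(z[i] == pow(a, i, P) * b % P for i in range(T_EXP + 1))

def sample_edge():
    x, a, b = rand_vertex(), secrets.randbelow(P), secrets.randbelow(P)
    y = tuple((xi + pow(a, i, P) * b) % P for i, xi in enumerate(x))
    return x, y

def sample_non_edge():
    while True:                      # rejection sampling: a random pair is rarely an edge
        x, y = rand_vertex(), rand_vertex()
        if not is_edge(x, y):
            return x, y

def enc(bit):
    """Encode one bit as a (left, right) pair: an edge for 1, a non-edge for 0."""
    return sample_edge() if bit else sample_non_edge()

def dec(left, right):
    return 1 if is_edge(left, right) else 0

def flip_rate(g, h, bit, trials=2000):
    """Fraction of encodings of `bit` decoding to 1 - bit after split-state tampering."""
    flips = 0
    for _ in range(trials):
        left, right = enc(bit)
        flips += dec(g(left), h(right)) == 1 - bit
    return flips / trials

def flip_probability(g, h, trials=2000):
    """Estimate of T from Theorem 4 for the tampering pair (g, h)."""
    return (flip_rate(g, h, 0, trials) + flip_rate(g, h, 1, trials)) / 2

if __name__ == "__main__":
    e = sample_edge()
    print("constant tampering onto an edge:",
          flip_probability(lambda L: e[0], lambda R: e[1]))
```

Overwriting both halves with a fixed edge always flips an encoded 0 and never flips an encoded 1, so the estimate is exactly 1/2, the baseline that Theorem 4 allows any tampering to reach.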

## Acknowledgements

We thank Anders Aamand and Jakob Bæk Tejs Knudsen for suggestions and insights regarding the main theorem that helped simplify and improve the results presented. Furthermore, we thank Aayush Jain, Yuval Ishai, and Dakshita Khurana for early discussions regarding simple constructions of split-state non-malleable codes.

Research supported in part from a DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, and NSF grant 1619348, BSF grant 2012378, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through the ARL under Contract W911NF-15-C-0205. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government.