A split-state non-malleable code [DPW10] consists of randomized encoding and decoding algorithms . A message is encoded as a pair of strings , such that . An adversary then specifies an arbitrary pair of functions . The code is said to be non-malleable if, intuitively, the message obtained as is “unrelated” to the original message . In particular, to be -non-malleable, it is enough [DKO13] to guarantee that when the message is chosen uniformly at random and encoded into
, the probability that is at most . Since their introduction in 2010 [DPW10], split-state non-malleable codes have been the subject of intense study within theoretical computer science [DPW10, DKO13, ADL14, CZ14, CGL16, Li17].
Until our work, all known security proofs for explicit split-state non-malleable codes have been mathematically involved, and every one of them either directly or indirectly relied on the mathematics behind constructions of two-source extractors [DKO13, ADL14, CZ14, CGL16, Li17].
In this work, we show that expander graphs immediately give rise to split-state non-malleable codes. Specifically, we show that any -regular graph on nodes with spectral expansion satisfying yields a -non-malleable code in the split-state model. Our proof is elementary, takes little more than two pages, and has at its heart two nested applications of the Expander Mixing Lemma. Furthermore, we only need expanders of high degree (e.g., ), which can be constructed and analyzed easily, yielding -non-malleable codes (see, e.g., [Tre] or the appendix).
We shall assume familiarity with the basics of codes and non-malleable codes. A cursory introduction to the most relevant definitions and intuition can be found in the appendix.
Notation 1 (Graphs).
A graph consists of vertices and edges . In this exposition every graph is undirected and always denotes the number of vertices of the graph in question.
For any we denote by the set of neighbors of in .
For any two subsets we denote by the set of (directed) edges from to in . I.e. .
Definition 2 (Spectral Expander).
Let be a -regular graph, be its adjacency matrix, and be the eigenvalues of . We say that is a spectral expander if .
Theorem 3 (Expander Mixing Lemma).
Suppose that is a spectral expander. Then for every pair of subsets we have
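As an added example (not code from the paper), the following Python computes the spectral expansion of Definition 2 by power iteration and checks the Expander Mixing Lemma in its standard form, |e(S,T) - d|S||T|/n| <= lambda*sqrt(|S||T|), on random pairs of subsets. The Paley graph is used here as a stand-in for an explicit expander (the paper's own instantiation is the Cayley graph of Appendix C) and the complete bipartite graph K_{m,m} as a regular graph with lambda = d; both choices, and the 0/1 adjacency-matrix representation, are assumptions of this example.

```python
"""Spectral expansion (Definition 2) and the Expander Mixing Lemma (Theorem 3),
checked numerically on two small regular graphs.

Added example, not code from the paper.  Assumptions: a graph is an n x n
0/1 adjacency matrix (undirected, no loops); e(S, T) counts directed edges
from S to T as in Notation 1; the Paley graph stands in for an explicit
expander (the paper's own instantiation is the Cayley graph of Appendix C),
and K_{m,m} for a regular graph with lambda = d.
"""
import math
import random


def paley_graph(q):
    """Paley graph on Z_q, q prime with q = 1 (mod 4): u ~ v iff v - u is a
    non-zero square.  (q-1)/2-regular with lambda = (1 + sqrt(q)) / 2."""
    squares = {(x * x) % q for x in range(1, q)}
    return [[1 if (v - u) % q in squares else 0 for v in range(q)] for u in range(q)]


def complete_bipartite(m):
    """K_{m,m}: m-regular on 2m vertices; eigenvalues m, -m, 0, so lambda = d."""
    n = 2 * m
    return [[1 if (u < m) != (v < m) else 0 for v in range(n)] for u in range(n)]


def degree(adj):
    """Common degree d of a regular graph."""
    degrees = {sum(row) for row in adj}
    if len(degrees) != 1:
        raise ValueError("graph is not regular")
    return degrees.pop()


def spectral_expansion(adj, iters=500):
    """lambda = max(|lambda_2|, |lambda_n|): the largest |eigenvalue| of the
    adjacency matrix on the complement of the all-ones vector, found by power
    iteration (for a d-regular graph all-ones is the top eigenvector, eigenvalue d)."""
    n = len(adj)

    def project(x):  # drop the component along the all-ones vector
        mean = sum(x) / n
        return [xi - mean for xi in x]

    x = project([float(i + 1) for i in range(n)])  # deterministic start vector
    lam = 0.0
    for _ in range(iters):
        y = project([sum(adj[u][v] * x[v] for v in range(n)) for u in range(n)])
        norm_x = math.sqrt(sum(xi * xi for xi in x))
        norm_y = math.sqrt(sum(yi * yi for yi in y))
        lam = norm_y / norm_x          # ||A x|| / ||x|| -> |dominant eigenvalue|
        x = [yi / norm_y for yi in y]
    return lam


def edges_between(adj, S, T):
    """e(S, T): number of directed edges (s, t) with s in S and t in T."""
    return sum(adj[s][t] for s in S for t in T)


def worst_mixing_ratio(adj, lam, trials=2000, seed=1):
    """Sample random subset pairs (S, T) and return the largest value of
        |e(S,T) - d|S||T|/n| / (lam * sqrt(|S||T|)).
    The Expander Mixing Lemma says this ratio never exceeds 1."""
    n, d = len(adj), degree(adj)
    rng = random.Random(seed)
    worst = 0.0
    for _ in range(trials):
        S = rng.sample(range(n), rng.randint(1, n))
        T = rng.sample(range(n), rng.randint(1, n))
        lhs = abs(edges_between(adj, S, T) - d * len(S) * len(T) / n)
        rhs = lam * math.sqrt(len(S) * len(T))
        worst = max(worst, lhs / rhs)
    return worst


if __name__ == "__main__":
    for name, adj in (("Paley(13)", paley_graph(13)), ("K_{4,4}", complete_bipartite(4))):
        d, lam = degree(adj), spectral_expansion(adj)
        print(f"{name}: d={d} lambda={lam:.4f} lambda/d={lam/d:.3f} "
              f"worst mixing ratio={worst_mixing_ratio(adj, lam):.3f}")
```

For Paley(13) the iteration returns lambda = (1 + sqrt(13))/2, so lambda/d is about 0.38 and the sampled mixing ratios stay below 1; for K_{4,4} it returns lambda = 4 = d, the case the main theorem's hypothesis excludes, even though the mixing inequality itself still holds trivially with that large lambda.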
Our results will rely on the following characterization of 1-bit non-malleable codes by Dziembowski, Kazana, and Obremski found in [DKO13].
Let be a coding scheme with and . Further, let be a set of functions . Then is -non-malleable with respect to if and only if for every ,
where the probability is over the uniform choice of and the randomness of .
We first formally introduce our candidate code and then prove that it is a non-malleable code.
3.1 Candidate Code
From a graph we can very naturally construct a coding scheme as follows.
Definition 5 (Graph Code).
Let be a graph. The associated graph code, , consists of the functions
which are randomized and deterministic, respectively, and given by
3.2 Non-Malleability of Expander Graph Codes
Arriving at the core of the matter, we first establish the following lemma, which casts the expression of Theorem 4 in terms of graph properties.
Let be a graph, functions be given, and satisfy . For the probability that flips a random bit encoded by , write
where the probability is taken over the randomness of and the sampling of . Then
For denote by the probability taken over the randomness of . It is clear that and that by definition
First, for we see that the number of non-edges that are mapped by to any given is given by . There are non-edges in so it follows that
Second, for the number of edges of that are mapped to non-edges by is given by . Since there are edges of to choose from when encoding the bit ,
Now, observing that the number of (directed) edges in the graph is and that and are both partitions of , we get
Putting it all together,
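As an added example (not code from the paper), the following Python implements the graph code of Definition 5 and computes the flip probability of Theorem 4 exactly by enumerating every codeword, split into the two terms the lemma above bounds: non-edges that the tampering maps into E (bit 0) and edges it maps out of E (bit 1). Conventions assumed here: Enc(1) is a uniform edge, Enc(0) a uniform non-edge (any pair outside E, loops included), and Dec(u, v) = 1 iff (u, v) is an edge; the Paley graph and K_{m,m} are stand-ins chosen for this example rather than the paper's Cayley-graph instantiation. It also includes a tampering that reads both halves, in the spirit of the proposition in Appendix A.2, to mark the boundary of the split-state class.

```python
"""The graph code of Definition 5 and the one-bit tampering experiment whose
flip probability Theorem 4 (the [DKO13] characterization) relates to epsilon.

Added example, not code from the paper.  Assumptions: a graph is a pair
(n, is_edge) with is_edge(u, v) deciding membership of the directed pair
(u, v) in E; Enc(1) is a uniformly random edge and Enc(0) a uniformly random
non-edge (any pair outside E, loops included); Dec(u, v) = 1 iff (u, v) is in
E; a split-state tampering is a pair (f, g) acting on the two halves
separately.  The Paley graph and K_{m,m} are stand-ins chosen here, not the
paper's instantiation.
"""
from fractions import Fraction
import random


def paley(q):
    """Paley graph on Z_q (q prime, q = 1 mod 4): a (q-1)/2-regular expander."""
    squares = {(x * x) % q for x in range(1, q)}
    return q, lambda u, v: (v - u) % q in squares


def complete_bipartite(m):
    """K_{m,m}: m-regular but with lambda = d, so the main theorem does not apply."""
    return 2 * m, lambda u, v: (u < m) != (v < m)


def encode(graph, bit, rng=random):
    """Enc(bit): rejection-sample a uniform edge (bit 1) or non-edge (bit 0)."""
    n, is_edge = graph
    while True:
        u, v = rng.randrange(n), rng.randrange(n)
        if bool(is_edge(u, v)) == bool(bit):
            return u, v


def decode(graph, u, v):
    """Dec(u, v) = 1 iff (u, v) is an edge."""
    return 1 if graph[1](u, v) else 0


def split_state(f, g):
    """Tampering of the split-state model: f sees only u, g sees only v."""
    return lambda u, v: (f(u), g(v))


def flip_probability(graph, tamper):
    """Exact Pr[Dec(tamper(Enc(b))) = 1 - b] for a uniform bit b, by
    enumerating every codeword.  Returns (eps0, eps1, total): eps0 is the
    fraction of non-edges that tamper maps into E, eps1 the fraction of edges
    mapped out of E, and total = (eps0 + eps1) / 2.  A tampering that ignores
    its input already scores 1/2, so the excess over 1/2 is what matters."""
    n, is_edge = graph
    edges = non_edges = edges_flipped = non_edges_flipped = 0
    for u in range(n):
        for v in range(n):
            after = bool(is_edge(*tamper(u, v)))
            if is_edge(u, v):
                edges += 1
                edges_flipped += int(not after)
            else:
                non_edges += 1
                non_edges_flipped += int(after)
    eps0 = Fraction(non_edges_flipped, non_edges)
    eps1 = Fraction(edges_flipped, edges)
    return eps0, eps1, (eps0 + eps1) / 2


def shift_tampering(graph, k=1):
    """(identity, v -> v + k mod n): the obvious split-state attack on a graph
    whose edge relation depends only on v - u."""
    n = graph[0]
    return split_state(lambda u: u, lambda v: (v + k) % n)


def bipartite_flip(m):
    """Split-state pair flipping EVERY bit of the K_{m,m} graph code: f sends u
    to the first vertex of its own side, g sends v to the second vertex of the
    opposite side, so edges (across sides) land within a side and non-edges
    (within a side, loops included) land across sides."""
    return split_state(lambda u: 0 if u < m else m, lambda v: m + 1 if v < m else 1)


def unrestricted_flip(graph, seed=0):
    """A tampering that reads BOTH halves (outside the split-state class):
    decode, complement, re-encode with fixed randomness.  This is the attack
    behind the proposition of Appendix A.2; no code resists it."""
    rng = random.Random(seed)
    fixed = {b: encode(graph, b, rng) for b in (0, 1)}
    return lambda u, v: fixed[1 - decode(graph, u, v)]


if __name__ == "__main__":
    for name, graph, tamper in (
        ("Paley(13), shift", paley(13), shift_tampering(paley(13))),
        ("Paley(101), shift", paley(101), shift_tampering(paley(101))),
        ("K_{8,8}, side swap", complete_bipartite(8), bipartite_flip(8)),
        ("Paley(13), unrestricted", paley(13), unrestricted_flip(paley(13))),
    ):
        eps0, eps1, total = flip_probability(graph, tamper)
        print(f"{name}: eps0={eps0} eps1={eps1} flip={float(total):.4f}")
```

On Paley(13) the shift tampering flips with probability 13/21, noticeably above the trivial 1/2 because lambda/d is about 0.38 for so small a graph; on Paley(101), where lambda/d is about 0.11, the same attack drops to roughly 0.515. On K_{8,8}, where lambda = d, the side-swap pair flips every single bit, which is why the hypothesis on lambda/d in the main theorem cannot be dropped. The unrestricted tampering also flips every bit, on any graph, because it is allowed to see both halves.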
We proceed immediately with the main theorem, which concludes the exposition. In order to keep this presentation short and to the point, more elaborate calculations, which save a few -factors, have been placed in the appendix as Theorem 12.
Let be -regular with spectral expansion satisfying . Then is an -non-malleable code in the split-state model.
is bounded by . Define the sets
and observe that .
Consider the case when . Simply bounding the terms of the form by using that each vertex has only neighbours, we get
Thus, . By symmetry, . It only remains to show that .
To this end, partition and , respectively, as
for . Now, focusing on each pair and , we write
and apply first the mixing lemma and then the Cauchy-Schwarz inequality to get
We use the fact that , apply the mixing lemma to the last factor, and wield Jensen’s inequality on the arising square root to obtain
By symmetry of and , . Thus,
- [ADL14] Divesh Aggarwal, Yevgeniy Dodis, and Shachar Lovett. Non-malleable codes from additive combinatorics. In Symposium on Theory of Computing, STOC, 2014.
- [CGL16] Eshan Chattopadhyay, Vipul Goyal, and Xin Li. Non-malleable extractors and codes, with their many tampered extensions. In Symposium on Theory of Computing, STOC, 2016.
- [CZ14] Eshan Chattopadhyay and David Zuckerman. Non-malleable codes against constant split-state tampering. In Foundations of Computer Science, FOCS, 2014.
- [DKO13] Stefan Dziembowski, Tomasz Kazana, and Maciej Obremski. Non-malleable codes from two-source extractors. In CRYPTO, 2013.
- [DPW10] Stefan Dziembowski, Krzysztof Pietrzak, and Daniel Wichs. Non-malleable codes. In ICS, 2010.
- [Li17] Xin Li. Improved non-malleable extractors, non-malleable codes and independent source extractors. In Symposium on Theory of Computing, STOC, 2017.
- [Tre] Luca Trevisan. Luca Trevisan’s ‘in theory’ blog. https://lucatrevisan.wordpress.com/2011/02/28/cs359g-lecture-16-constructions-of-expanders/. Accessed: 2018-09-27.
Appendix A Non-Malleable Codes
The following section will outline the definition and basic results regarding non-malleable codes. We shall start with an informal overview.
Consider the following very general scenario: A sender wants to encode a value , obtaining an encoding, , and send it to a recipient through a channel such that can then decode the received message to recover the original message, . Restricting the size of or letting be a noisy channel that alters the message in some randomized way leads to the field of coding theory, whereas for instance restricting the amount of information that an adversary with limited computational resources can glean from observing the traffic through leads us to the field of cryptography.
Working with non-malleable codes, we ask the following information-theoretic question. Consider some publicly known encoding and decoding functions (the encoding function may be randomized), and suppose that an adversary can pick a tampering function from a family of functions and apply it to whatever message passes through , so that in fact receives not but . What restrictions must then be placed on to guarantee that no turns the encoding into an encoding of a message that is related to without being itself? By this we mean that, with some non-negligible probability, transforms the original message into a related message, one that is not simply itself but different and depending on .
Since this explanation is rather vague, let us define the notion of a non-malleable code more formally.
Definition 8 (Coding scheme).
We define a coding scheme to be a pair of functions . The encoding function is randomized while the decoding function is deterministic. Further, for all the pair satisfies
where the probability is taken over the randomness of .
Note that can return meaning that the encoding it was given could not be decoded.
Definition 9 (Non-malleable code).
A coding scheme , and , is said to be -non-malleable with respect to a family of tampering functions , each being a function , if the following holds. For every there exists a distribution supported on such that for every the random variables defined by the experiments
The intuition behind this definition is that a code should be non-malleable if the only possible “attacks” against it either copy the message or output something unrelated to it. The distribution in the definition captures just that: it either samples some constant not depending on or simply copies .
A.2 The Necessity of Restricting
A natural initial question to ask, is whether we need any restrictions on at all. We are quickly assured that this is indeed the case. If we let be the set of all functions, it contains a function that decodes the message, changes it to a related message, and then encodes it again. It is thus intuitively clear that there is no defense against such tampering. The following proposition proves this formally.
Suppose that the coding scheme is -non-malleable with respect to the family of all functions from to , . Then .
If then the proposition is trivially true. So assume , let be a permutation of with no fixed points, and let be the function where is computed using some fixed randomness. Further, let be the distribution corresponding to and in the definition of non-malleability. Then for every , we have . Thus, for every the fact that implies since and
as . Now, since is a permutation of , we have
which yields the desired inequality, . ∎
A.3 Split State Model
Having established that the class of allowed functions must be restricted, let us specify the particular restriction we shall work with. A very common setting to consider is that of the split state model. Let sets and be given. In the split state model, the class consists of all functions which can be written as for functions and , i.e. such that . For clarity, we repeat the definition of non-malleability in the split state model.
Definition 11 (Split State Non-Malleable Code).
A coding scheme , and , is -non-malleable in the split state model if for every pair of functions and writing there exists a distribution supported on such that for every the random variables defined by the experiments
Appendix B Deliver Us from Log Factors
A more thorough analysis of the sums in the proof of Theorem 7 allows us to get slightly better bounds. The technicalities are of little interest to the big picture and were hence omitted in the body of the paper. The addition consists of an alternative ending to the proof of Theorem 7.
Let be -regular with spectral expansion satisfying . Then is an -non-malleable code in the split-state model.
At the very end of the proof of Theorem 7, we arrived at
Applying Jensen’s inequality, we get
with the functions hidden by the -notation being independent of .
Now, note that
and for all we have . We shall bound each of the terms of (1) separately.
First, using the Cauchy-Schwarz inequality in the second inequality,
since the are disjoint subsets of . In conclusion,
Second, let and write . We now bound the sum using (2).
where the third inequality is established using Hölder’s inequality.
It now follows that
By symmetry of and ,
which completes the proof. ∎
Appendix C Instantiating Our Construction
Using our results to instantiate an efficient, secure split-state non-malleable code, we require a family of graphs , where each is -regular with spectral expansion , satisfying the following:
- The function is negligible.
- Both sampling an edge and sampling a non-edge can be done in time polynomial in .
- Determining membership of a pair in can be done deterministically in time polynomial in .
Given such a family of graphs it is clear that the corresponding graph code is an efficiently computable non-malleable code.
C.1 Instantiation with Cayley Graphs
Explicit constructions of such families of graphs do indeed exist. We shall here give an example from [Tre] from the class of graphs known as Cayley graphs. The construction is as follows.
For a prime and let the graph have vertex set and edge set
i.e. are connected by an edge if and only if there exists such that .
It is worth noting that the graph is -regular and that it is undirected, as is connected to if and only if is connected to .
Now, let and for each let be some -bit prime. We consider the family of graphs for our instantiation. In the following, we shall check the criteria from the beginning of the section point by point.
The family of graphs has great expander properties.
Theorem 14 (Trevisan [Tre]).
For , the graph is a -spectral expander.
This fact allows us to note that for our particular choice of graphs, , which in fact is and the representation size is bits.
We have such that indeed,
Sampling an edge is simply a question of picking uniformly at random and then outputting the edge .
To pick a non-edge, simply sample two vertices uniformly at random and check (with the procedure specified below) whether . Since for the probability of hitting an edge with such a random choice is , the expected number of repetitions is constant and hence the procedure takes expected polynomial time.
To test membership of some in , perform the following operation: Compute and write . It is now trivial to check whether is of the form .
We thank Anders Aamand and Jakob Bæk Tejs Knudsen for suggestions and insights regarding the main theorem that helped simplify and improve the results presented. Furthermore, we thank Aayush Jain, Yuval Ishai, and Dakshita Khurana for early discussions regarding simple constructions of split-state non-malleable codes.
Research supported in part from a DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, and NSF grant 1619348, BSF grant 2012378, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through the ARL under Contract W911NF-15-C- 0205. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government.