Abstract
Nonmalleable coding, introduced by Dziembowski et al. (ICS 2010), aims to protect the integrity of information against tampering attacks in situations where error detection is impossible. Intuitively, information encoded by a nonmalleable code either decodes to the original message or, in the presence of any tampering, to an unrelated message. Nonmalleable coding is possible against any class of adversaries of bounded size. In particular, Dziembowski et al. show that such codes exist and may achieve positive rates for any class of tampering functions of size at most \(2^{2^{\alpha n}}\), for any constant \(\alpha \in [0, 1)\). However, this result is existential and has thus attracted a great deal of subsequent research on explicit constructions of nonmalleable codes against natural classes of adversaries. In this work, we consider constructions of coding schemes against two well-studied classes of tampering functions; namely, bit-tampering functions (where the adversary tampers each bit of the encoding independently) and the much more general class of split-state adversaries (where two independent adversaries arbitrarily tamper each half of the encoded sequence). We obtain the following results for these models. (1) For bit-tampering adversaries, we obtain explicit and efficiently encodable and decodable nonmalleable codes of length n achieving rate \(1-o(1)\) and error (also known as “exact security”) \(\exp (-\tilde{\varOmega }(n^{1/7}))\). Alternatively, it is possible to improve the error to \(\exp (-\tilde{\varOmega }(n))\) at the cost of making the construction Monte Carlo with success probability \(1-\exp (-\varOmega (n))\) (while still allowing a compact description of the code). Previously, the best known construction of bit-tampering coding schemes was due to Dziembowski et al. (ICS 2010), which is a Monte Carlo construction achieving rate close to 0.1887.
(2) We initiate the study of seedless nonmalleable extractors as a natural variation of the notion of nonmalleable extractors introduced by Dodis and Wichs (STOC 2009). We show that the construction of nonmalleable codes for the split-state model reduces to the construction of nonmalleable two-source extractors. We prove a general result on the existence of seedless nonmalleable extractors, which implies that codes obtained from our reduction can achieve rates arbitrarily close to 1/5 and exponentially small error. In a separate recent work, the authors show that the optimal rate in this model is 1/2. Currently, the best known explicit construction of split-state coding schemes is due to Aggarwal, Dodis and Lovett (ECCC TR13-081), which only achieves vanishing (polynomially small) rate.
Introduction
Nonmalleable codes were introduced by Dziembowski et al. [15] as a relaxation of the classical notions of error detection and error correction. Informally, a code is nonmalleable if decoding a corrupted codeword recovers either the original message or a completely unrelated message. Nonmalleable coding is a natural concept that addresses the basic question of storing messages securely on devices that may be subject to tampering, and it provides an elegant solution to the problem of protecting the integrity of data and the functionalities implemented on it against “tampering attacks” [15]. This is part of a general recent trend in theoretical cryptography to design cryptographic schemes that guarantee security even if implemented on devices that may be subject to physical tampering. The notion of nonmalleable coding is inspired by the influential theme of nonmalleable encryption in cryptography, which guarantees the intractability of tampering the ciphertext of a message into the ciphertext of a related message.
The definition of nonmalleable codes captures the requirement that if some adversary (with full knowledge of the code) tampers with the codeword \({\mathsf {Enc}}(s)\) encoding a message s, corrupting it to \(f({\mathsf {Enc}}(s))\), he cannot control the relationship between s and the message that the corrupted codeword \(f({\mathsf {Enc}}(s))\) encodes. For this definition to be feasible, we have to restrict the allowed tampering functions f (otherwise, the tampering function can decode the codeword to compute the original message s, flip the last bit of s to obtain a related message \(\tilde{s}\), and then re-encode \(\tilde{s}\)), and in most interesting cases also allow the encoding to be randomized. Formally, a (binary) nonmalleable code against a family of tampering functions \(\mathcal {F}\), each mapping \(\{0,1\}^n\) to \(\{0,1\}^n\), consists of a randomized encoding function \({\mathsf {Enc}}: \{0,1\}^k \rightarrow \{0,1\}^n\) and a deterministic decoding function \({\mathsf {Dec}}: \{0,1\}^n \rightarrow \{0,1\}^k \cup \{\perp \}\) (where \(\perp \) denotes error detection) which satisfy \({\mathsf {Dec}}({\mathsf {Enc}}(s))=s\) always, and the following nonmalleability property with error \(\epsilon \): For every message \(s \in \{0,1\}^k\) and every function \(f \in \mathcal {F}\), the distribution of \({\mathsf {Dec}}(f({\mathsf {Enc}}(s)))\) is \(\epsilon \)-close to a distribution \(\mathcal {D}_f\) that depends only on f and is independent of s (ignoring the issue that f may have too many fixed points).
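The objects in this definition can be made concrete with a small Python sketch; the 3-fold repetition scheme and the helper names below are our own toy choices, not a nonmalleable code from this work (in particular, a real nonmalleable code would use a randomized encoder):

```python
# Toy parameters and coding scheme (ours, purely illustrative): 1-bit messages
# encoded by 3-fold repetition. A real nonmalleable code would be randomized.
N = 3

def enc(s):
    return (s,) * N

def dec(x):
    # Decode exact repetition codewords; anything else is an error (None = ⊥).
    return x[0] if all(b == x[0] for b in x) else None

def tamper_experiment(s, f, trials=1000):
    # Empirical distribution of Dec(f(Enc(s))) from the definition above.
    counts = {}
    for _ in range(trials):
        out = dec(f(enc(s)))
        counts[out] = counts.get(out, 0) + 1
    return counts

# A constant tampering function maps every codeword to 111, so the outcome
# distribution is the point mass on 1, independent of the message s.
f_const = lambda x: (1, 1, 1)
assert tamper_experiment(0, f_const) == tamper_experiment(1, f_const) == {1: 1000}
```

For the constant tampering function shown, D_f can be taken to be the point distribution on 1, independently of s, exactly as the definition asks.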
If some code enables error detection against some family \(\mathcal {F}\), for example if \(\mathcal {F}\) is the family of functions that flip between 1 and t bits and the code has minimum distance more than t, then the code is also nonmalleable (by taking \(\mathcal {D}_f\) to be supported entirely on \(\perp \) for all f). Error detection is also possible against the family of “additive errors,” namely \(\mathcal {F}_{\mathsf {add}} = \{ f_\varDelta \mid \varDelta \in \{0,1\}^n \}\) where \(f_\varDelta (x) := x + \varDelta \) (the addition being bitwise XOR). Cramer et al. [12] constructed “Algebraic Manipulation Detection” (AMD) codes of rate approaching 1 such that an offset by an arbitrary \(\varDelta \ne 0\) will be detected with high probability, thus giving a construction of nonmalleable codes against \(\mathcal {F}_{\mathsf {add}}\).
The notion of nonmalleable coding becomes more interesting for families against which error detection is not possible. A simple example of such a class consists of all constant functions \(f_{c}(x) := c\) for \(c \in \{0,1\}^n\). Since the adversary can map all inputs to a valid codeword \(c^*\), one cannot in general detect tampering in this situation. However, nonmalleability is trivial to achieve in this case as the output distribution of a constant function is trivially independent of the message (so the rate 1 code with identity encoding function is itself nonmalleable).
The original work [15] showed that nonmalleable codes of positive rate exist against every not-too-large family \(\mathcal {F}\) of tampering functions, specifically with \(|\mathcal {F}| \leqslant 2^{2^{\alpha n}}\) for some constant \(\alpha < 1\). In a companion paper [8], we proved that in fact one can achieve a rate approaching \(1-\alpha \) against such families, and this is best possible in that there are families of size \(\approx 2^{2^{\alpha n}}\) for which nonmalleable coding is not possible with rate exceeding \(1-\alpha \). (The latter is true both for random families as well as natural families such as functions that only tamper with the first \(\alpha n\) bits of the codeword.)
Our Results
This work is focused on two natural families of tampering functions that have been studied in the literature.
Bit-Tampering Functions
The first class consists of bit-tampering functions f in which the different bits of the codeword are tampered independently (i.e., each bit is either flipped, set to 0/1, or left unchanged, independently of other bits); formally, \(f(x) = (f_1(x_1),f_2(x_2),\ldots ,f_n(x_n))\), where \(f_1, \ldots , f_n:\{0,1\}\rightarrow \{0,1\}\). As this family is “small” (of size \(4^n\)), by the above general results, it admits nonmalleable codes with positive rate, in fact rate approaching 1 by our recent result [8].
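Concretely, such a function is determined by one of four per-bit actions at each position (hence the family size \(4^n\)); the sketch below, in our own notation, applies one:

```python
# A bit-tampering adversary chooses, for each position independently, one of
# four per-bit functions: keep, flip, set to 0, or set to 1 (hence 4^n choices).
ACTIONS = {
    'keep': lambda b: b,
    'flip': lambda b: 1 - b,
    'set0': lambda b: 0,
    'set1': lambda b: 1,
}

def bit_tamper(actions, x):
    # f(x) = (f_1(x_1), ..., f_n(x_n)) with each f_i acting on one bit.
    return [ACTIONS[a](b) for a, b in zip(actions, x)]

print(bit_tamper(['keep', 'flip', 'set0', 'set1'], [1, 0, 1, 1]))  # [1, 1, 0, 1]
```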
Dziembowski et al. [15] gave a Monte Carlo construction of a nonmalleable code against this family; i.e., they gave an efficient randomized algorithm to produce the code along with efficient encoding and decoding functions such that w.h.p. the encoder/decoder pair ensures nonmalleability against all bit-tampering functions. The rate of their construction is, however, close to 0.1887 and thus falls short of the “capacity” (best possible rate) for this family of tampering functions, which we now know equals 1.
Our main result in this work is the following:
Theorem 1.1
For all integers \(n \geqslant 1\), there is an explicit (deterministic) construction, with efficient encoding/decoding procedures, of a nonmalleable code against bit-tampering functions that achieves rate \(1-o(1)\) and error at most \(\exp (-n^{\varOmega (1)})\).
If we seek error that is \(\exp (-\tilde{\varOmega }(n))\), we can guarantee that with an efficient Monte Carlo construction of the code that succeeds with probability \(1-\exp (-\varOmega (n))\).
The basic idea in the above construction (described in detail in Sect. 4.1) is to use a concatenation scheme with an outer code of rate close to 1 that has large relative distance and large dual relative distance, and as (constant-sized) inner codes the nonmalleable codes guaranteed by the existential result (which may be found deterministically by brute force if desired). This is inspired by the classical constructions of concatenated codes [16, 18]. The outer code provides resilience against tampering functions that globally fix too many bits or alter too few. For other tampering functions, in order to prevent the tampering function from locally freezing many entire inner blocks (to possibly wrong inner codewords), the symbols of the concatenated codeword are permuted by a pseudorandom permutation.^{Footnote 1}
The seed for the permutation is itself included as the initial portion of the final codeword, after encoding by a nonmalleable code (of possibly low rate). This protects the seed and ensures that any tampering of the seed portion results in the decoded permutation being essentially independent of the actual permutation, which then results in many inner blocks being error-detected (decoded to \(\perp \)) with noticeable probability each. The final decoder outputs \(\perp \) if any inner block is decoded to \(\perp \), an event which happens with essentially exponentially small probability in n with a careful choice of the parameters. The above scheme uses nonmalleable codes in two places to construct the final nonmalleable code, but there is no circularity because the codes for the inner blocks are of constant size, and the code protecting the seed can have very low rate (even subconstant) as the seed can be made much smaller than the message length.
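The encoding pipeline just described can be mirrored in a toy end-to-end sketch. Every component here is our own simplified stand-in, not a component of the actual construction: a duplicating "inner code", a repetition "encoding" of the seed, and Python's seeded shuffle in place of a pseudorandom (limited-independence) permutation:

```python
import random

# All components below are hypothetical stand-ins for the actual building blocks.

def inner_encode(sym):
    return [sym, sym]  # toy inner code: duplicate each outer symbol

def inner_decode(pair):
    return pair[0] if pair[0] == pair[1] else None  # None plays the role of ⊥

def encode(outer_codeword, seed):
    symbols = [b for sym in outer_codeword for b in inner_encode(sym)]
    rng = random.Random(seed)
    perm = list(range(len(symbols)))
    rng.shuffle(perm)                  # stand-in for the pseudorandom permutation
    permuted = [symbols[p] for p in perm]
    return [seed] * 4 + permuted       # toy "encoding" of the seed as a prefix

def decode(codeword):
    seed, body = codeword[0], codeword[4:]
    rng = random.Random(seed)          # re-derive the permutation from the seed
    perm = list(range(len(body)))
    rng.shuffle(perm)
    symbols = [None] * len(body)
    for i, p in enumerate(perm):
        symbols[p] = body[i]           # invert the permutation
    blocks = [inner_decode(symbols[i:i + 2]) for i in range(0, len(symbols), 2)]
    return None if None in blocks else blocks  # ⊥ if any inner block fails

cw = encode([1, 0, 1], seed=7)
assert decode(cw) == [1, 0, 1]
```

Flipping any single body symbol breaks one inner pair, so `decode` returns `None` (error detection), loosely mirroring how the real decoder outputs \(\perp \) when any inner block fails.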
The structure of our construction bears some high-level similarity to the optimal-rate code construction for correcting a bounded number of additive errors in [17]. The exact details, though, are quite different; in particular, the crux of the analysis in [17] was ensuring that the decoder can recover the seed correctly, and toward this end the seed’s encoding was distributed at random locations of the final codeword. Recovering the seed is both impossible and not needed in our context here.
Split-State Adversaries
Bit-tampering functions act on different bits independently. A much more general class of tampering functions considered in the literature [2, 14, 15] is the so-called split-state model. Here the function \(f :\{0,1\}^n \rightarrow \{0,1\}^n\) must act on each half of the codeword independently (assuming n is even), but can act arbitrarily within each half. Formally, \(f(x) = (f_1(x_1),f_2(x_2))\) for some functions \(f_1,f_2:\{0,1\}^{n/2} \rightarrow \{0,1\}^{n/2}\), where \(x_1,x_2\) consist of the first n/2 and last n/2 bits of x. This represents a fairly general and useful class of adversaries, relevant for example when the codeword is stored on two physically separate devices; while each device may be tampered with arbitrarily, the attacker of each device does not have access to the contents stored on the other device.
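A split-state adversary can be modeled directly; the two example adversaries below are our own illustrative choices:

```python
def split_state_tamper(f1, f2, x):
    # f(x) = (f1(x1), f2(x2)): each half is tampered independently but
    # arbitrarily, with no access to the other half.
    assert len(x) % 2 == 0
    h = len(x) // 2
    return f1(x[:h]) + f2(x[h:])

# Left adversary reverses its half; right adversary zeroes its half out.
print(split_state_tamper(lambda L: L[::-1], lambda R: [0] * len(R),
                         [0, 1, 1, 0]))  # [1, 0, 0, 0]
```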
The capacity of nonmalleable coding in the split-state model equals 1/2, as established in our recent work [8]. A natural question therefore is to construct efficient nonmalleable codes of rate approaching 1/2 in the split-state model (the results in [15] and [8] are existential, and the codes do not admit a polynomial-size representation or polynomial-time encoding/decoding). This remains a challenging open question, and in fact constructing a code of positive rate itself seems rather difficult. A code that encodes one-bit messages is already nontrivial, and such a code was constructed in [14] by making a connection to two-source extractors with sufficiently strong parameters and then instantiating the extractor with a construction based on the inner product function over a finite field. We stress that this connection to two-source extractors only applies to encoding one-bit messages and does not appear to generalize to longer messages.
Recently, Aggarwal et al. [2] solved the central open problem left in [14]: they construct a nonmalleable code in the split-state model that works for arbitrary message lengths, by bringing to bear elegant techniques from additive combinatorics on the problem. The rate of their code is polynomially small: k-bit messages are encoded into codewords with \(n \approx k^7\) bits.
In the second part of this article (Sect. 5), we study the problem of nonmalleable coding in the split-state model. We do not offer any explicit constructions, and the polynomially small rate achieved in [2] remains the best known. Our contribution here is more conceptual. We define the notion of nonmalleable two-source extractors, generalizing the influential concept of nonmalleable extractors introduced by Dodis and Wichs [13]. A nonmalleable extractor is a regular seeded extractor \(\mathsf {Ext}\) whose output \(\mathsf {Ext}(X,S)\) on a weak random source X and uniform random seed S remains uniform even if one knows the value \(\mathsf {Ext}(X,f(S))\) for a related seed f(S), where f is a tampering function with no fixed points. In a two-source nonmalleable extractor, we allow both sources to be weak and independently tampered, and we further extend the definition to allow the functions to have fixed points, in view of our application to nonmalleable codes. We prove, however, that for the construction of two-source nonmalleable extractors, it suffices to only consider tampering functions that have no fixed points, at the cost of a minor loss in the parameters.
We show that given a two-source nonmalleable extractor \(\mathsf {NMExt}\) with exponentially small error in the output length, one can build a nonmalleable code in the split-state model by setting the extractor function \(\mathsf {NMExt}\) to be the decoding function (the encoding of s then picks a preimage in \(\mathsf {NMExt}^{-1}(s)\)).
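The reduction just described can be mirrored in a toy sketch; the XOR-based function below merely fixes the interface of a two-source extractor for concreteness and is emphatically not a nonmalleable extractor:

```python
import random

def nmext(x1, x2):
    # Hypothetical stand-in fixing the interface of a two-source nonmalleable
    # extractor mapping two 4-bit sources to 2 output bits. XOR is of course
    # NOT an actual extractor; it only makes the reduction concrete.
    return (x1 ^ x2) & 0b11

def enc(s, rng):
    # Encode s by sampling a random preimage of s under the extractor.
    while True:
        x1, x2 = rng.randrange(16), rng.randrange(16)
        if nmext(x1, x2) == s:
            return (x1, x2)

def dec(codeword):
    # Decoding is simply an application of the extractor.
    return nmext(*codeword)

rng = random.Random(1)
assert all(dec(enc(s, rng)) == s for s in range(4))
```

The two halves of the codeword `(x1, x2)` would be stored in the two states, so a split-state adversary tampers each coordinate independently.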
This identifies a possibly natural avenue for constructing improved nonmalleable codes against split-state adversaries by constructing nonmalleable two-source extractors, which seems like an interesting goal in itself. Toward confirming that this approach has the potential to lead to good nonmalleable codes, we prove a fairly general existence theorem for seedless nonmalleable extractors, by essentially observing that the ideas from the proof of existence of seeded nonmalleable extractors in [13] can be applied in a much more general setting. Instantiating this result with split-state tampering functions, we show the existence of nonmalleable two-source extractors with parameters that are strong enough to imply nonmalleable codes of rate arbitrarily close to 1/5 in the split-state model.
Explicit construction of (ordinary) two-source extractors and closely related objects is a well-studied problem in the literature, and an abundance of explicit constructions for this problem is known^{Footnote 2} (see, e.g., [3, 4, 10, 19, 21, 22]). The problem becomes increasingly challenging, however (and remains open to date), when the entropy rate of the two sources may be substantially below 1/2. Fortunately, we show that for the construction of constant-rate nonmalleable codes in the split-state model, it suffices to have two-source nonmalleable extractors for source entropy rate 0.99 and with some output length \(\varOmega (n)\) (against tampering functions with no fixed points). Thus the infamous “1/2 entropy rate barrier” on two-source extractors does not concern our particular application.
The rest of this article is organized as follows. Section 2 introduces the notation and basic definitions used throughout the article. In Sect. 3 we recall the existence of optimal-rate nonmalleable codes proved in [8], and show additional properties achieved by this construction. The construction and related properties are used as building blocks of our explicit construction. The explicit construction of optimal-rate nonmalleable codes against bit tampering is presented in Sect. 4, where Sect. 4.1 introduces the construction, Sect. 4.2 proves its correctness, and Sect. 4.3 sets up the parameters in order to prove the final result. Section 5 considers the more general model of split-state tampering and introduces the notion of seedless nonmalleable extractors (in Sect. 5.1). Section 5.2 shows how this notion can be used to construct nonmalleable coding schemes in the split-state tampering model, and Sect. 5.3 shows the existence of such seedless nonmalleable extractors using the probabilistic method.
Subsequent Work
After publication of the preliminary version of this work [9], numerous exciting new developments related to it have emerged. In particular, Chattopadhyay and Zuckerman [6] use ideas from additive combinatorics to construct explicit seedless multiple-source nonmalleable extractors, according to the notion of seedless nonmalleable extractors defined in Sect. 5.1. Combining this result with the reduction discussed in Sect. 5.2, they obtain explicit nonmalleable codes for a relaxation of the split-state model where the number of independent adversaries is lower bounded by a constant (at least 10). This model reduces to the bit-tampering model when the number of independent adversaries is equal to the block length of the code, in which case the result of Chattopadhyay and Zuckerman yields explicit and rate-optimal nonmalleable codes for the bit-tampering model with exponentially small error. Aggarwal et al. [1] introduce the notion of “nonmalleable reductions” and in particular show that the problem of constructing explicit nonmalleable codes in the standard split-state model (i.e., with two independent adversaries) can be reduced to the same problem with many independent adversaries. Combined with the explicit construction of [6], they obtain the first constant-rate, explicit nonmalleable codes in the split-state model with two adversaries. Finally, Chattopadhyay et al. [5] obtain, among other results, the first explicit construction of two-source nonmalleable extractors, which directly leads (via the reduction of Sect. 5.2) to nonmalleable codes in the split-state model against two adversaries.
Preliminaries
Notation
We use \(\mathcal {U}_n\) for the uniform distribution on \(\{0,1\}^n\) and \(U_n\) for the random variable sampled from \(\mathcal {U}_n\) and independently of any existing randomness. For a random variable X, we denote by \(\mathscr {D}(X)\) the probability distribution that X is sampled from. Observe that this notation even makes sense when X only assumes a deterministic value; i.e., \(X=x\) with probability 1, in which case \(\mathscr {D}(x)\) would naturally be the distribution trivially supported on the singleton set \(\{x\}\).
Generally, we will use calligraphic symbols (such as \(\mathcal {X}\)) for probability distributions and the corresponding capital letters (such as X) for related random variables. We use \(X \sim \mathcal {X}\) to denote that the random variable X is drawn from the distribution \(\mathcal {X}\). The statistical distance (also known as total variation distance) between two distributions \(\mathcal {X}\) and \(\mathcal {Y}\) over a finite probability space \(\varOmega \) is defined as half the \(\ell _1\) distance between the two distributions; i.e.,
$$\begin{aligned} \mathsf {dist}(\mathcal {X}, \mathcal {Y}) := \frac{1}{2} \sum _{x \in \varOmega } |\mathcal {X}(x) - \mathcal {Y}(x)|, \end{aligned}$$
where \(\mathcal {X}(x)\) (resp., \(\mathcal {Y}(x)\)) denotes the probability assigned by \(\mathcal {X}\) (resp., \(\mathcal {Y}\)) to the outcome x. The two distributions \(\mathcal {X}\) and \(\mathcal {Y}\) are called \(\epsilon \)-close (resp., \(\epsilon \)-far) if their statistical distance is at most (resp., at least) \(\epsilon \). It is a well-known fact that two distributions \(\mathcal {X}\) and \(\mathcal {Y}\) are \(\epsilon \)-close if and only if for every distinguisher \(h:\varOmega \rightarrow \{0,1\}\), and \(X \sim \mathcal {X}\) and \(Y \sim \mathcal {Y}\),
$$\begin{aligned} |\Pr [h(X)=1] - \Pr [h(Y)=1]| \leqslant \epsilon . \end{aligned}$$
We use the notation \(\mathcal {X}\approx _\epsilon \mathcal {Y}\) to indicate that \(\mathcal {X}\) and \(\mathcal {Y}\) are \(\epsilon \)-close. We will use \((\mathcal {X}, \mathcal {Y})\) for the product distribution with the two coordinates independently sampled from \(\mathcal {X}\) and \(\mathcal {Y}\). For a distribution \(\mathcal {X}\) on a finite domain \(\varOmega \), the min-entropy of \(\mathcal {X}\) (in bits) is defined as
$$\begin{aligned} H_\infty (\mathcal {X}) := \min _{x \in \mathsf {supp}(\mathcal {X})} \log \frac{1}{\mathcal {X}(x)}. \end{aligned}$$
All unsubscripted logarithms are taken to base 2. The support of a discrete random variable X (that is, the set of possible outcomes of X) is denoted by \(\mathsf {supp}(X)\), and we naturally extend this notation to the underlying probability distribution of X. A distribution is said to be flat if it is uniform on its support. For a sequence \(x = (x_1, \ldots , x_n)\) and a set \(S \subseteq [n]\), we use \(x_S\) to denote the restriction of x to the coordinate positions chosen by S. We use \(\tilde{O}(\cdot )\) and \(\tilde{\varOmega }(\cdot )\) to denote asymptotic estimates that hide polylogarithmic factors in the involved parameter.
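The two quantities above can be computed directly for small distributions; the following sketch, with our own helper names, mirrors the definitions:

```python
from math import log2

def stat_dist(p, q):
    # Statistical (total variation) distance: half the l1 distance between
    # two distributions given as {outcome: probability} dictionaries.
    keys = set(p) | set(q)
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in keys) / 2

def min_entropy(p):
    # Min-entropy in bits: the minimum of log2(1/p(x)) over the support.
    return min(log2(1 / pr) for pr in p.values() if pr > 0)

uniform2 = {'00': 0.25, '01': 0.25, '10': 0.25, '11': 0.25}  # flat on 4 points
skewed = {'00': 0.5, '01': 0.5}                              # flat on 2 points
print(stat_dist(uniform2, skewed))  # 0.5
print(min_entropy(uniform2))        # 2.0
print(min_entropy(skewed))          # 1.0
```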
Definitions
In this section, we review the formal definition of nonmalleable codes as introduced in [15]. First, we recall the notion of coding schemes.
Definition 2.1
(Coding schemes) A pair of functions \({\mathsf {Enc}}:\{0,1\}^k \rightarrow \{0,1\}^n\) and \({\mathsf {Dec}}:\{0,1\}^n \rightarrow \{0,1\}^k \cup \{\perp \}\) where \(k \leqslant n\) is said to be a coding scheme with block length n and message length k if the following conditions hold.

1.
The encoder \({\mathsf {Enc}}\) is a randomized function; i.e., at each call it receives a uniformly random sequence of coin flips that the output may depend on. This random input is usually omitted from the notation and taken to be implicit. Thus for any \(s \in \{0,1\}^k\), \({\mathsf {Enc}}(s)\) is a random variable over \(\{0,1\}^n\). The decoder \({\mathsf {Dec}}\), however, is deterministic.

2.
For every \(s \in \{0,1\}^k\), we have \({\mathsf {Dec}}({\mathsf {Enc}}(s)) = s\) with probability 1.
The rate of the coding scheme is the ratio k / n. A coding scheme is said to have relative distance \(\delta \) (or minimum distance \(\delta n\)), for some \(\delta \in [0,1)\), if for every \(s \in \{0,1\}^k\) the following holds. Let \(X := {\mathsf {Enc}}(s)\). Then, for any nonzero \(\varDelta \in \{0,1\}^n\) of Hamming weight at most \(\delta n\), \({\mathsf {Dec}}(X + \varDelta ) = \perp \) with probability 1. \(\square \)
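As a toy instance of the definition, the following sketch exhaustively verifies the relative-distance condition for a 1-bit repetition scheme (our own illustrative choice, not a code from this work):

```python
import itertools

N = 5  # toy block length; message length k = 1, rate 1/5

def enc(s):
    # Repetition encoding; this particular encoder happens to be deterministic.
    return [s] * N

def dec(x):
    # Detection-only decoder: accept exact codewords, otherwise output None (⊥).
    return x[0] if x == [x[0]] * N else None

# The scheme has relative distance (N-1)/N: adding any nonzero offset of
# Hamming weight at most N-1 to a codeword is always detected.
for bits in itertools.product([0, 1], repeat=N):
    delta = list(bits)
    if 0 < sum(delta) < N:
        for s in (0, 1):
            assert dec([a ^ b for a, b in zip(enc(s), delta)]) is None
```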
Before defining nonmalleable coding schemes, we find it convenient to define the following notation.
Definition 2.2
For a finite set \(\varGamma \), the function \(\mathsf {copy}:(\varGamma \cup \{{\underline{\mathsf {same}}}\}) \times \varGamma \rightarrow \varGamma \) is defined as follows:
$$\begin{aligned} \mathsf {copy}(x, y) := {\left\{ \begin{array}{ll} x &{} \text {if } x \ne {\underline{\mathsf {same}}}, \\ y &{} \text {if } x = {\underline{\mathsf {same}}}. \end{array}\right. } \end{aligned}$$
\(\square \)
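This function has a one-line rendering in Python, with a hypothetical sentinel object standing in for the special symbol:

```python
SAME = object()  # sentinel playing the role of the special symbol "same"

def copy(x, y):
    # copy(x, y) equals x, unless x is the special symbol, in which case
    # the second argument y is passed through.
    return y if x is SAME else x

assert copy('message', 'original') == 'message'
assert copy(SAME, 'original') == 'original'
```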
The notion of nonmalleable coding schemes from [15] can now be rephrased as follows.
Definition 2.3
(Nonmalleability) A coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) with message length k and block length n is said to be nonmalleable with error \(\epsilon \) (also called exact security) with respect to a family \(\mathcal {F}\) of tampering functions acting on \(\{0,1\}^n\) (i.e., each \(f \in \mathcal {F}\) maps \(\{0,1\}^n\) to \(\{0,1\}^n\)) if for every \(f \in \mathcal {F}\) there is a distribution \(\mathcal {D}_f\) over \(\{0,1\}^k \cup \{\perp , {\underline{\mathsf {same}}}\}\) such that the following holds for all \(s \in \{0,1\}^k\). Define the random variable
$$\begin{aligned} S := {\mathsf {Dec}}(f({\mathsf {Enc}}(s))), \end{aligned}$$
and let \(S'\) be independently sampled from \(\mathcal {D}_f\). Then,
$$\begin{aligned} \mathscr {D}(S) \approx _\epsilon \mathscr {D}(\mathsf {copy}(S', s)). \end{aligned}$$
Remark 2.4
(Efficiency of sampling \(\mathcal {D}_f\)) The original definition of nonmalleable codes in [15] also requires the distribution \(\mathcal {D}_f\) to be efficiently samplable given oracle access to the tampering function f. It should be noted, however, that for any nonmalleable coding scheme equipped with an efficient encoder and decoder, it can be shown that the following is a valid and efficiently samplable choice for the distribution \(\mathcal {D}_f\) (possibly incurring a constant factor increase in the error parameter):

1.
Let \(S \sim \mathcal {U}_k\), and \(X := f({\mathsf {Enc}}(S))\).

2.
If \({\mathsf {Dec}}(X) = S\), output \({\underline{\mathsf {same}}}\). Otherwise, output \({\mathsf {Dec}}(X)\).
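The two steps above can be sketched as follows; the identity coding scheme used to instantiate it is our own toy placeholder and is certainly not nonmalleable:

```python
import random

def sample_Df(enc, dec, f, k, rng):
    # One sample from the candidate D_f of the remark above.
    s = rng.randrange(2 ** k)       # step 1: S ~ U_k
    x = f(enc(s, rng))              #         X := f(Enc(S))
    d = dec(x)
    return 'same' if d == s else d  # step 2: output "same" iff Dec(X) = S

# Toy coding scheme (ours, and of course not nonmalleable): the identity map
# on k-bit messages, with a decoder that never outputs ⊥.
enc = lambda s, rng: s
dec = lambda x: x

rng = random.Random(0)
# Under the identity tampering function, every sample is the symbol "same".
assert {sample_Df(enc, dec, lambda x: x, 3, rng) for _ in range(50)} == {'same'}
```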
Definition 2.5
(Subcube) A subcube over \(\{0,1\}^n\) is a set \(S \subseteq \{0,1\}^n\) such that for some \(T = \{ t_1, \ldots , t_\ell \} \subseteq [n]\) and \(w = (w_1, \ldots , w_\ell ) \in \{0,1\}^\ell \),
$$\begin{aligned} S = \{ (x_1, \ldots , x_n) \in \{0,1\}^n :x_{t_1} = w_1, \ldots , x_{t_\ell } = w_\ell \}. \end{aligned}$$
The \(\ell \) coordinates in T are said to be frozen and the remaining \(n-\ell \) are said to be random.
Throughout the paper, we use the following notions of limited independence.
Definition 2.6
(Limited independence of bit strings) A distribution \(\mathcal {D}\) over \(\{0,1\}^n\) is said to be \(\ell \)-wise \(\delta \)-dependent for an integer \(\ell > 0\) and parameter \(\delta \in [0, 1)\) if the marginal distribution of \(\mathcal {D}\) restricted to any subset \(T \subseteq [n]\) of the coordinate positions with \(|T| \leqslant \ell \) is \(\delta \)-close to \(\mathcal {U}_{|T|}\). When \(\delta = 0\), the distribution is \(\ell \)-wise independent.
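A classical example of this definition is the uniform distribution over even-parity strings, which is (n-1)-wise independent but far from n-wise independent; the following sketch verifies this for n = 4:

```python
from itertools import product

n = 4
# Sample space: the uniform distribution over even-parity n-bit strings.
space = [x for x in product([0, 1], repeat=n) if sum(x) % 2 == 0]

def marginal(space, positions):
    # Empirical marginal distribution on the chosen coordinate positions.
    counts = {}
    for x in space:
        key = tuple(x[i] for i in positions)
        counts[key] = counts.get(key, 0) + 1
    return {k: v / len(space) for k, v in counts.items()}

# Any n-1 = 3 coordinates are exactly uniform, so the space is 3-wise
# independent (delta = 0 in the definition above) ...
m = marginal(space, [0, 1, 2])
assert all(abs(p - 1 / 8) < 1e-12 for p in m.values())
# ... yet all 4 coordinates together are far from uniform: parity is always 0.
assert len(marginal(space, [0, 1, 2, 3])) == 8  # only 8 of the 16 outcomes occur
```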
Definition 2.7
(Limited independence of permutations) The distribution of a random permutation \(\varPi :[n] \rightarrow [n]\) is said to be \(\ell \)-wise \(\delta \)-dependent for an integer \(\ell > 0\) and parameter \(\delta \in [0, 1)\) if for every \(T \subseteq [n]\) with \(|T| \leqslant \ell \), the marginal distribution of the sequence \((\varPi (t):t \in T)\) is \(\delta \)-close to that of \((\bar{\varPi }(t):t \in T)\), where \(\bar{\varPi }:[n] \rightarrow [n]\) is a uniformly random permutation.
We will use the following notion of Linear Error-Correcting Secret Sharing Schemes (LECSS) as formalized by Dziembowski et al. [15] for their construction of nonmalleable coding schemes against bit-tampering adversaries.
Definition 2.8
(LECSS) [15] A coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) of block length n and message length k is a (d, t)-Linear Error-Correcting Secret Sharing Scheme (LECSS), for integer parameters \(d, t \in [n]\), if

1.
The minimum distance of the coding scheme is at least d,

2.
For every message \(s \in \{0,1\}^k\), the distribution of \({\mathsf {Enc}}(s) \in \{0,1\}^n\) is t-wise independent (as in Definition 2.6).

3.
For every \(w, w' \in \{0,1\}^n\) such that \({\mathsf {Dec}}(w) \ne \perp \) and^{Footnote 3} \({\mathsf {Dec}}(w') \ne \perp \), we have \({\mathsf {Dec}}(w+w') = {\mathsf {Dec}}(w) + {\mathsf {Dec}}(w')\), where we use bitwise addition over \(\mathbb {F}_2\).
Existence of Optimal Bit-Tampering Coding Schemes
Our main construction of explicit nonmalleable codes against bit-tampering adversaries (presented in Sect. 4) uses various building blocks, the most important of which is a small inner coding scheme achieving rate close to 1 which is, in turn, nonmalleable against bit-tampering adversaries. Similarly to classical code concatenation techniques (e.g., [16]), as long as the existence of such an inner code is known, an exhaustive search can be used to find the inner coding scheme, incurring only a small cost in the overall construction time due to the assumption that the length of the inner code is sufficiently small. In fact, as it turns out, for a target overall rate of \(1-\gamma \), the length of the inner code would only depend, almost inverse-linearly, on \(\gamma \). In particular, if \(\gamma \) is an absolute positive constant, then so is the length of the inner code that is found via brute force.
In this section, we recall the probabilistic construction of nonmalleable codes introduced in [8] which will then be used to show existence of the inner code needed by our explicit construction. This construction, depicted as Construction 1, is defined with respect to an integer parameter \(t > 0\) (which determines the number of possible codewords that correspond to each message) and a distance parameter \(\delta \in [0, 1)\). The distance parameter determines the relative minimum distance of the code construction that will be used in the analysis of the final code.
The following, proved in [8], shows nonmalleability of the probabilistic construction.
Theorem 3.1
([8]) Let \(\mathcal {F}\) be any family of tampering functions acting on \(\{0,1\}^n\). For any \(\epsilon , \eta > 0\), with probability at least \(1-\eta \), the coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) of Construction 1 is a nonmalleable code with respect to \(\mathcal {F}\) and with error \(\epsilon \) and relative distance \(\delta \), provided that both of the following conditions are satisfied.

1.
\(t \geqslant t_0\), for some
$$\begin{aligned} t_0 = O\left( \frac{1}{\epsilon ^6} \Big (\log \frac{|\mathcal {F}| 2^n}{\eta } \Big ) \right) . \end{aligned}$$(1) 
2.
\(k \leqslant k_0\), for some
$$\begin{aligned} k_0 \geqslant n(1-h(\delta ))-\log t-3\log (1/\epsilon )-O(1), \end{aligned}$$(2)where \(h(\cdot )\) denotes the binary entropy function.
Remark 3.2
The Proof of Theorem 3.1 explicitly defines the choice of \(\mathcal {D}_f\) of Definition 2.3 to be the distribution of the following random variable:
where \(H \subseteq \{0,1\}^n\) is the set
for an appropriately chosen \(r = \Theta (\epsilon ^2 t)\).
We now instantiate the above result for the specific case of bit-tampering adversaries. Apart from nonmalleability of the inner code with respect to bit-tampering adversaries, our final construction will use additional properties of the inner code that we show to be satisfied by the probabilistic construction above (Construction 1). One of these properties is what we call the cube property. A useful property of Construction 1 is that the decoder function maps most points of the codeword space to the error symbol \(\perp \), and in that sense the code is quite sparse (i.e., the chance that a random vector turns out to be a valid codeword is small). The cube property ensures the stronger requirement that a random string is a codeword of the inner code with probability at most 1/2 even after an adversary fixes all but at least one of its bits to arbitrary values. In other words, the cube property ensures that the inner code remains sparse even over any nontrivial subcube of the codeword space. This is formalized in the lemma below.
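For a small toy code, the cube property can be checked exhaustively. The greedy minimum-distance-3 code below is our own stand-in for Construction 1; any code with minimum distance at least 3 passes the check, since no subcube can then contain codewords for more than half of its points:

```python
n = 8
# A toy stand-in for Construction 1: greedily pick codewords with pairwise
# Hamming distance at least 3, so the code is sparse with good distance.
codewords = []
for x in range(2 ** n):
    if all(bin(x ^ c).count('1') >= 3 for c in codewords):
        codewords.append(x)
codeset = set(codewords)

# Exhaustively check Pr[Dec(U_S) != ⊥] <= 1/2 over every subcube of size >= 2.
worst = 0.0
for free in range(1, 2 ** n):        # nonzero mask of "random" coordinates
    frozen = (2 ** n - 1) ^ free
    cubes = {}                       # frozen-coordinate pattern -> (hits, size)
    for x in range(2 ** n):
        key = x & frozen
        hits, size = cubes.get(key, (0, 0))
        cubes[key] = (hits + (x in codeset), size + 1)
    for hits, size in cubes.values():
        worst = max(worst, hits / size)

print(worst <= 0.5)  # True: no subcube is more than half-filled with codewords
```

For instance, a subcube with one random bit contains two points at Hamming distance 1, so at most one of them can be a codeword of a distance-3 code.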
Lemma 3.3
(Cube property) Consider the coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) of Construction 1 with parameters t and \(\delta \), and assume that \(t 2^{k-n(1-h(\delta ))} \leqslant 1/8\), where \(h(\cdot )\) is the binary entropy function. Then, there is a \(\delta _0 = O(\log n / n)\) such that if \(\delta \geqslant \delta _0\), the following holds with probability at least \(1-\exp (-n)\) over the randomness of the code construction. For any subcube \(S \subseteq \{0,1\}^n\) of size at least 2, and \(U_S \in \{0,1\}^n\) taken uniformly at random from S,
$$\begin{aligned} \Pr [{\mathsf {Dec}}(U_S) \ne \perp ] \leqslant 1/2. \end{aligned}$$
Proof
Let \(S \subseteq \{0,1\}^n\) be any subcube, and let \(\gamma := tK/2^n\), where \(K := 2^k\). The assumption implies that \(\gamma V \leqslant 1/8\), where \(V \leqslant 2^{nh(\delta )}\) is the volume of a Hamming ball of radius \(\delta n\). Let \(E_1, \ldots , E_{tK}\) be the codewords chosen by the code construction in the order they are picked.
If \(|S| \geqslant 2 tK\), the claim obviously holds (since the total number of codewords in \(\mathsf {supp}({\mathsf {Enc}}(\mathcal {U}_k))\) is tK), so we may assume otherwise.
Arbitrarily order the elements of S as \(s_1, \ldots , s_{|S|}\), and for each \(i \in [|S|]\), let the indicator random variable \(X_i\) be so that \(X_i = 1\) iff \({\mathsf {Dec}}(s_i) \ne \perp \). Define \(X_0 = 0\). Our goal is to upper bound
$$\begin{aligned} \mathbb {E}[X_i \mid X_1, \ldots , X_{i-1}] \end{aligned}$$
for each \(i \in [|S|]\). Instead of conditioning on \(X_1, \ldots , X_{i-1}\), we condition on a more restricted event and show that regardless of this more restricted conditioning, the expectation of \(X_i\) can still be upper bounded as desired. Namely, we condition on the knowledge of not only \({\mathsf {Dec}}(s_j)\) for all \(j<i\) but also the unique \(j' \in [tK]\) such that \(E_{j'} = s_j\), if \({\mathsf {Dec}}(s_j) \ne \perp \). Obviously the knowledge of this information determines the values of \(X_1, \ldots , X_{i-1}\), and thus Proposition 5.15 applies. Under the more restricted conditioning, some of the codewords in \(E_{1}, \ldots , E_{tK}\) (maybe all) will be revealed. Obviously, the revealed codewords have no chance of being assigned to \(s_i\) (since the codewords are picked without replacement). By a union bound, the chance that any of the up to tK remaining codewords is assigned to \(s_i\) by the decoder is thus at most
Since the above holds for any realization of the information that we condition on, we conclude that
Let \(X := X_1 + \cdots + X_{|S|}\), which counts the number of vectors in S that are hit by the code. We can apply Proposition 5.20 to deduce that
Therefore, if \(|S| > S_0\) for some \(S_0 = O(n)\), the upper bound can be made less than \(\exp (-n) 3^{-n}\). In this case, a union bound over all possible subcubes satisfying the size lower bound (of which there are at most \(3^n\), since each coordinate is either free or fixed to zero or one) ensures that the desired cube property holds for all such subcubes with probability at least \(1-\exp (-n)\).
The proof is now reduced to subcubes with at most \(\delta _0 n = O(\log n)\) random bits, where we choose \(\delta _0 := (\log S_0)/n\). In this case, since the relative distance of the coding scheme of Construction 1 is always at least \(\delta \geqslant \delta _0\), we deduce that
$$\begin{aligned} \Pr [{\mathsf {Dec}}(U_S) \ne \perp ] \leqslant 1/|S| \leqslant 1/2, \end{aligned}$$where the first inequality is due to the minimum distance of the code and the second is due to the assumption that \(|S| \geqslant 2\). Thus, whenever \(2 \leqslant |S| \leqslant S_0\), we always have the property that
$$\begin{aligned} \Pr [{\mathsf {Dec}}(U_S) \ne \perp ] \leqslant 1/2. \end{aligned}$$
\(\square \)
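To make the cube property concrete, the following Python sketch (with illustrative toy parameters of our choosing, not those of the lemma) builds a sparse random code of minimum distance 2 by appending a parity bit, so that no two codewords differ in a single bit. It then samples two-point subcubes \(\{x, x \oplus e_i\}\) and records the worst-case probability that a uniform point of the subcube is a valid codeword; by construction this never exceeds 1/2. The decoder stub `is_codeword` stands in for the actual decoder of Construction 1.

```python
import random

# Toy illustration of the cube property (not Construction 1): a sparse code
# of block length n with minimum distance 2, obtained by appending a parity
# bit.  No two codewords differ in a single bit, so every two-point subcube
# {x, x XOR e_i} contains at most one codeword, and a uniform point of it
# decodes to a valid codeword with probability at most 1/2.
random.seed(0)
n_msg = 11
n = n_msg + 1                      # one extra parity bit

def parity(x: int) -> int:
    return bin(x).count("1") & 1

messages = random.sample(range(2 ** n_msg), 8)
codebook = {(m << 1) | parity(m) for m in messages}   # even-weight codewords

def is_codeword(x: int) -> bool:   # decoder stub: valid iff in the codebook
    return x in codebook

worst = 0.0
for free_bit in range(n):          # subcubes with a single free coordinate
    for _ in range(50):            # random fixings of the remaining bits
        base = random.getrandbits(n) & ~(1 << free_bit)
        cube = [base, base | (1 << free_bit)]         # |S| = 2
        worst = max(worst, sum(map(is_codeword, cube)) / len(cube))
print("worst hit probability over sampled subcubes:", worst)
```

Since all codewords have even Hamming weight, the asserted bound of 1/2 here holds deterministically; the lemma's content is that a randomly drawn code of Construction 1 enjoys the analogous bound over all non-trivial subcubes with high probability.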
In addition to the cube property, our analysis of the final construction requires the inner code to satisfy a bounded independence property. Intuitively, bounded independence requires that the output of the encoder for any fixed message, seen as a random variable over \(\{0,1\}^n\), is nearly uniform when restricted to any small fraction of the coordinate positions. This ensures that any “local” view of the encoding of a message would not reveal any significant information about the message. The following lemma formalizes this intuition.
Lemma 3.4
(Bounded independence) Let \(\ell \in [n]\), \(\epsilon > 0\) and suppose the parameters are as in Construction 1. Let \(\gamma := t2^{k-n(1-h(\delta ))}\), where \(h(\cdot )\) denotes the binary entropy function. There is a choice of
such that, provided that \(t \geqslant t_0\), with probability \(1-\exp (-n)\) over the randomness of the code construction the coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) satisfies the following: For any \(s \in \{0,1\}^k\), the random vector \({\mathsf {Enc}}(s)\) is \(\ell \)-wise \(\epsilon '\)-dependent, where
Proof
Consider any message \(s \in \{0,1\}^k\) and suppose the t codewords in \(\mathsf {supp}({\mathsf {Enc}}(s))\) are denoted by \(E_1, \ldots , E_t\) in the order they are picked by the construction.
Let \(T \subseteq [n]\) be any set of size at most \(\ell \). Let \(E'_1, \ldots , E'_t \in \{0,1\}^{|T|}\) be the restrictions of \(E_1, \ldots , E_t\) to the coordinate positions picked by T. Observe that the distribution of \({\mathsf {Enc}}(s)\) restricted to the coordinate positions in T is exactly the empirical distribution of the vectors \(E'_1, \ldots , E'_t\), and the support size of this distribution is bounded by \(2^\ell \).
Let \(K := 2^k\), \(N := 2^n\), and \(V \leqslant 2^{n h(\delta )}\) be the volume of a Hamming ball of radius \(\delta n\). By the code construction, for \(i \in [t]\), conditioned on the knowledge of \(E_1, \ldots , E_{i-1}\), the distribution of \(E_i\) is uniform on \(\{0,1\}^n {\setminus } (\varGamma (E_1) \cup \ldots \cup \varGamma (E_{i-1}))\), which is a set of size at least \(N - tKV \geqslant N(1-\gamma )\). By Proposition 5.16, it follows that the conditional distribution of each \(E_i\) remains \((\gamma /(1-\gamma ))\)-close to \(\mathcal {U}_n\). Since the \(E'_i\) are simply restrictions of the \(E_i\) to some subset of the coordinates, the same holds for the \(E'_i\); i.e., the distribution of \(E'_i\) conditioned on the knowledge of \(E'_1, \ldots , E'_{i-1}\) is \((\gamma /(1-\gamma ))\)-close to \(\mathcal {U}_{|T|}\).
Observe that \(\epsilon ' - \gamma /(1-\gamma ) \geqslant \epsilon '/2\). By applying Lemma 5.22 to the sample outcomes \(E'_1, \ldots , E'_{t}\), we can see that with probability at least \(1-\exp (-3n)\) over the code construction, the empirical distribution of the \(E'_i\) is \(\epsilon '\)-close to uniform provided that \(t \geqslant t_0\) for some
Now, we can take a union bound on all choices of the message s and the set T and obtain the desired conclusion.\(\square \)
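The quantity controlled in the proof above can be computed directly: restrict samples to a small coordinate set and measure the statistical distance of their empirical distribution from uniform. The Python sketch below does this with toy parameters of our choosing, using plain uniform samples in place of the codewords \(E_1, \ldots , E_t\) of Construction 1 (which the proof shows are themselves nearly uniform); the empirical-distribution computation is the same.

```python
import itertools
import random
from collections import Counter

# Empirical check of l-wise dependence: draw t uniform samples from
# {0,1}^n, restrict them to a coordinate set T of size ell, and measure
# the statistical distance of their empirical distribution from the
# uniform distribution on {0,1}^ell.  As t grows, the distance shrinks.
random.seed(1)
n, ell, t = 16, 3, 4000
T = random.sample(range(n), ell)

samples = [random.getrandbits(n) for _ in range(t)]
restricted = [tuple((x >> i) & 1 for i in T) for x in samples]

counts = Counter(restricted)
uniform_mass = 1.0 / 2 ** ell
dist = 0.5 * sum(abs(counts.get(v, 0) / t - uniform_mass)
                 for v in itertools.product((0, 1), repeat=ell))
print(f"statistical distance to uniform on {ell} coordinates: {dist:.4f}")
```

With \(t = 4000\) samples and \(2^{\ell } = 8\) cells, the measured distance is on the order of \(10^{-2}\), illustrating the \(t \geqslant t_0\) requirement of the lemma.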
We now put together the above results to conclude our main existence result about the codes that we will use at the “inner” level to encode blocks in our construction of nonmalleable codes against bit-tampering functions. Among the properties guaranteed below, we in fact do not need the precise nonmalleability property (item 2 in the statement of Lemma 3.5 below) in our eventual proof, although we use nonmalleability to prove the last property (item 5), which is needed in the proof. The error-detection property ensures that any non-trivial tampering adversary is detected by the decoder with substantial probability (e.g., 1/3).
Lemma 3.5
Let \(\alpha > 0\) be any parameter. Then, there is an \(n_0 = O(\log ^2(1/\alpha )/\alpha )\) such that for any \(n \geqslant n_0\), Construction 1 can be set up so that with probability \(1-3\exp (-n)\) over the randomness of the construction, the resulting coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) satisfies the following properties:

1.
(Rate) The rate of the code is at least \(1-\alpha \).

2.
(Nonmalleability) The code is nonmalleable against bit-tampering adversaries with error \(\exp (-\varOmega (\alpha n))\).

3.
(Cube property) The code satisfies the cube property of Lemma 3.3.

4.
(Bounded independence) For any message \(s \in \{0,1\}^k\), the distribution of \({\mathsf {Enc}}(s)\) is \(\exp (-\varOmega (\alpha n))\)-close to an \(\varOmega (\alpha n)\)-wise independent distribution with uniform entries.

5.
(Error detection) Let \(f:\{0,1\}^n \rightarrow \{0,1\}^n\) be any bit-tampering adversary that is neither the identity function nor a constant function. Then, for every message \(s \in \{0,1\}^k\),
$$\begin{aligned} \Pr [{\mathsf {Dec}}(f({\mathsf {Enc}}(s))) = \perp ] \geqslant 1/3, \end{aligned}$$where the probability is taken over the randomness of the encoder.
Proof
Consider the family \(\mathcal {F}\) of bit-tampering functions and observe that \(|\mathcal {F}| = 4^n\) (each bit is independently kept, flipped, or frozen to zero or one). First, we apply Theorem 3.1 with error parameter \(\epsilon := 2^{-\alpha n/27}\), distance parameter \(\delta := h^{-1}(\alpha /3)\), and success parameter \(\eta := \exp (-n)\). Let \(N := 2^n\) and observe that \(\log (N|\mathcal {F}|/\eta ) = O(n)\). We choose \(t = \Theta (n/\epsilon ^6)\) so as to ensure that the coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) is nonmalleable for bit-tampering adversaries with error at most \(\epsilon \), relative distance at least \(\delta \), and message length
which can be made at least \(n(1-\alpha )\) if \(n \geqslant n_1\) for some \(n_1 = O(\log (1/\alpha )/\alpha )\). This ensures that properties 1 and 2 are satisfied.
In order to ensure the cube property (property 3), we can apply Lemma 3.3. Let \(K := 2^k\) and note that our choices of the parameters imply \(tK/N^{1-h(\delta )} = O(\epsilon ^3) \ll 1/8\). Furthermore, consider the parameter \(\delta _0 = O((\log n)/n)\) of Lemma 3.3 and observe that \(\alpha /3 = h(\delta ) = O(\delta \log (1/\delta ))\). We thus see that as long as \(n \geqslant n_2\) for some \(n_2 = O(\log ^2(1/\alpha )/\alpha )\), we may ensure that \(\delta n \geqslant \delta _0 n\). By choosing \(n_0 := \max \{ n_1, n_2 \}\), we see that the requirements of Lemma 3.3 are satisfied, implying that with probability at least \(1-\exp (-n)\), the cube property is satisfied.
As for the bounded independence property (property 4), consider the parameter \(\gamma \) of Lemma 3.4 and recall that we have shown \(\gamma = O(\epsilon ^3)\). Thus by Lemma 3.4, with probability at least \(1-\exp (-n)\), every encoding \({\mathsf {Enc}}(s)\) is \(\ell \)-wise \(\sqrt{\epsilon }\)-dependent for some
Finally, we show that property 5 is implied by properties 2, 3, and 4, which we have so far shown to simultaneously hold with probability at least \(1-3\exp (-n)\). In order to do so, we first recall that Theorem 3.1 explicitly defines the choice of \(\mathcal {D}_f\) in Definition 2.3 according to (3). Let \(H \subseteq \{0,1\}^n\) be the set of heavy elements as in (4) and \(r = \Theta (\epsilon ^2 t)\) be the corresponding threshold parameter in the same equation. Let \(f:\{0,1\}^n \rightarrow \{0,1\}^n\) be any non-identity bit-tampering function and let \(\ell ' \in [n]\) be the number of bits that are either flipped or left unchanged by f. We consider two cases.
 Case 1:

\(\ell ' \geqslant \log r\). In this case, for every \(x \in \{0,1\}^n\), we have
$$\begin{aligned} \Pr [f(\mathcal {U}_n) = x] \leqslant 2^{-\ell '} \leqslant 1/r, \end{aligned}$$and thus \(H = \emptyset \). Also observe that, for \(U \sim \mathcal {U}_n\),
$$\begin{aligned} \Pr [f(U) = U] \leqslant 1/2, \end{aligned}$$the maximum being achieved when f freezes only one bit and leaves the remaining bits unchanged (in fact, if f flips any of the bits, the above probability becomes zero). We conclude that in this case, the entire probability mass of \(\mathcal {D}_f\) is supported on \(\{ {\underline{\mathsf {same}}}, \perp \}\) and the mass assigned to \({\underline{\mathsf {same}}}\) is at most 1 / 2. Thus, by definition of nonmalleability, for every message \(s \in \{0,1\}^k\),
$$\begin{aligned} \Pr [{\mathsf {Dec}}(f({\mathsf {Enc}}(s))) = \perp ] \geqslant 1/2 - \epsilon \geqslant 1/3. \end{aligned}$$  Case 2:

\(\ell ' < \log r\). Since \(r = \Theta (\epsilon ^2 t)\), by plugging in the value of t we see that \(r = O(n/\epsilon ^4)\), and thus we know that \(\ell ' < \log n + 4 \log (1/\epsilon ) + O(1)\). Consider any \(s \in \{0,1\}^k\), and recall that, by the bounded independence property, we already know that \({\mathsf {Enc}}(s)\) is \(\ell \)-wise \(\sqrt{\epsilon }\)-dependent. Furthermore, by (5),
$$\begin{aligned} \ell \geqslant 5 \log (1/\epsilon ) - O(1) \geqslant \ell ', \end{aligned}$$where the second inequality follows by the assumed lower bound \(n \geqslant n_0\) on n. We can thus use the \(\ell \)-wise independence property of \({\mathsf {Enc}}(s)\) and deduce that the distribution of \(f({\mathsf {Enc}}(s))\) is \(\sqrt{\epsilon }\)-close to the uniform distribution on a subcube \(S \subseteq \{0,1\}^n\) of size at least 2 (namely, the subcube obtained by fixing the coordinates frozen by f). Combined with the cube property (property 3), we see that
$$\begin{aligned} \Pr [{\mathsf {Dec}}(f({\mathsf {Enc}}(s))) = \perp ] \geqslant 1/2 - \sqrt{\epsilon } \geqslant 1/3. \end{aligned}$$Finally, by applying a union bound on all the failure probabilities, we conclude that with probability at least \(1-3\exp (-n)\), the code resulting from Construction 1 satisfies all the desired properties.
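The probability computation behind Case 1 can be verified exactly for small n. The Python sketch below represents a bit-tampering adversary by a per-position action string (an encoding we introduce purely for illustration) and enumerates \(\Pr [f(U) = U]\) over all of \(\{0,1\}^n\): freezing a single bit and keeping the rest gives exactly 1/2, while flipping any bit drives the probability to 0, matching the discussion above.

```python
# Exact check of the Case-1 claim: for a bit-tampering adversary f (each
# bit independently kept, flipped, or frozen to 0/1) that is not the
# identity, Pr[f(U) = U] over uniform U is at most 1/2, with equality
# when exactly one bit is frozen and all other bits are kept.
n = 8

def apply_tamper(actions, x):
    """actions[i] in {'keep', 'flip', 'zero', 'one'}."""
    y = 0
    for i, a in enumerate(actions):
        bit = (x >> i) & 1
        if a == "flip":
            bit ^= 1
        elif a == "zero":
            bit = 0
        elif a == "one":
            bit = 1
        y |= bit << i
    return y

def fix_prob(actions):
    """Exact Pr[f(U) = U] by enumeration over {0,1}^n."""
    return sum(apply_tamper(actions, x) == x for x in range(2 ** n)) / 2 ** n

one_frozen = ["zero"] + ["keep"] * (n - 1)   # freeze one bit, keep the rest
with_flip = ["flip"] + ["keep"] * (n - 1)    # any flipped bit: probability 0
print(fix_prob(one_frozen), fix_prob(with_flip))
```

In general, \(\Pr [f(U) = U]\) equals 0 if f flips any bit and \(2^{-a}\) if f freezes a bits and flips none, which is at most 1/2 for every non-identity f.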
Explicit Construction of Optimal Bit-Tampering Coding Schemes
In this section, we describe an explicit construction of codes achieving rate close to 1 that are nonmalleable against bit-tampering adversaries. Throughout this section, we use N to denote the block length of the final code.
The Construction and Underlying Intuitions
At a high level, we combine the following tools in our construction: (1) an inner code \(\mathcal {C}_0\) (with encoder \({\mathsf {Enc}}_0\)) of constant length satisfying the properties of Lemma 3.5; (2) an existing nonmalleable code construction \(\mathcal {C}_1\) (with encoder \({\mathsf {Enc}}_1\)) against bit-tampering, achieving a possibly low (even sub-constant) rate; (3) a linear error-correcting secret sharing scheme (LECSS) \(\mathcal {C}_2\) (with encoder \({\mathsf {Enc}}_2\)); (4) an explicit function \(\mathsf {Perm}\) that, given a uniformly random seed, outputs a pseudorandom permutation (as in Definition 2.7) on a domain of size close to N. Figure 1 depicts how the various components are put together to form the final code construction.
At the outer layer, the LECSS is used to precode the message. The resulting string is then divided into blocks, each of which is subsequently encoded by the inner encoder \({\mathsf {Enc}}_0\). For a “typical” adversary that flips or freezes a prescribed fraction of the bits, we expect many of the inner blocks to be tampered enough that the corresponding inner decoders detect an error. However, this ideal situation cannot necessarily be achieved if the fraction of global errors is too small, or if too many bits are frozen by the adversary (in particular, the adversary may freeze all but a few of the blocks to valid inner codewords). In this case, we rely on the distance and bounded independence properties of the LECSS to ensure that the outer decoder, given the tampered information, either detects an error or produces a distribution that is independent of the source message.
A problem with the above approach is that the adversary knows the location of various blocks and may carefully design a tampering scheme that, for example, freezes a large fraction of the blocks to valid inner codewords and leaves the rest of the blocks intact. To handle adversarial strategies of this type, we permute the final codeword using the pseudorandom permutation generated by \(\mathsf {Perm}\) and include the seed in the final codeword. Doing so has the effect of randomizing the action of the adversary, but on the other hand creates the problem of protecting the seed against tampering. In order to solve this problem, we use the suboptimal code \(\mathcal {C}_1\) to encode the seed and prove in the analysis that nonmalleability of the code \(\mathcal {C}_1\) can be used to make the above intuitions work. We set up the permutation generator \(\mathsf {Perm}\) so that the length of its seed is sufficiently small compared to the block length of the code, so that the suboptimal rate of \(\mathcal {C}_1\) would not have a significant effect on the overall rate of the final code.
The analysis given in Sect. 4.2 follows this roadmap: Let \(\varPi \) be the random variable describing the pseudorandom permutation sampled by the encoder (i.e., the output of \(\mathsf {Perm}\) given a uniformly random seed). Moreover, let \(\bar{\varPi }\) be the permutation as “perceived” by the decoder; i.e., the output of the decoder of \(\mathcal {C}_1\) given the (possibly tampered) portion of the codeword corresponding to the seed of \(\mathsf {Perm}\). We first consider three key cases in the analysis.
The first case is when the adversary freezes too many bits of the codeword. In this case, the decoder’s output is a function of the frozen bits (which do not carry any information about the message), the portion of the codeword encoding the seed given to \(\mathsf {Perm}\) (again independent of the message), and the remaining (few) bits of the encoding. We use the bounded independence property of the LECSS precode to show that any local view of the codeword is independent of the message. This would suffice to show that the decoding of the tampered codeword is independent of the message.
After eliminating the first case, the second case considered is when \(\bar{\varPi } = \varPi \). This would be the case when the adversary does not tamper the description of the permutation. In this case, the code achieves the abovementioned goal of permuting the action of the adversary. Therefore, assuming that the adversary does not freeze too many bits (which is taken care of by the first case) and that it does not change too few bits (also handled by the minimum distance property of the LECSS precode), a large number of the inner code blocks are expected to decode to the error symbol \(\perp \). Thus in this case the overall code detects the tampering of the adversary with high probability.
The third case being considered is when the random variables \(\bar{\varPi }\) and \(\varPi \) are independent; i.e., when conditioning \(\bar{\varPi }\) on any fixed value does not affect the distribution of \(\varPi \). This is the case, for instance, when the adversary freezes all the bits describing the seed of the permutation generator \(\mathsf {Perm}\), or replaces them with independent random bits. In this case, assuming that not too many bits are frozen by the adversary, we use the bounded independence and cube properties of the inner code \(\mathcal {C}_0\) to show that the decoder is able to detect tampering of the adversary at some inner code block with high probability.
Finally, we show that the general analysis reduces to the above key cases. Due to the nonmalleability of the code \(\mathcal {C}_1\) protecting the description of the pseudorandom permutation, the joint distribution of \((\varPi , \bar{\varPi })\) is essentially a convex combination of the second case (\(\varPi = \bar{\varPi }\)) and the third case (\(\varPi \) independent of \(\bar{\varPi }\)). Thus, after eliminating the case where the adversary freezes too many bits, we can combine the analysis of the second and third cases discussed above to conclude that, in general, the nonmalleability requirement is satisfied for the overall code.
The Building Blocks
In the construction, we use the following building blocks, with some of the parameters to be determined later in the analysis.

1.
An inner coding scheme \(\mathcal {C}_0=({\mathsf {Enc}}_0, {\mathsf {Dec}}_0)\) with rate \(1-\gamma _0\) (for an arbitrarily small parameter \(\gamma _0 > 0\)), some block length B, and message length \(b = (1-\gamma _0) B\). We assume that \(\mathcal {C}_0\) is an instantiation of Construction 1 and satisfies the properties promised by Lemma 3.5.

2.
A coding scheme \(\mathcal {C}_1=({\mathsf {Enc}}_1, {\mathsf {Dec}}_1)\) with rate \(r > 0\) (where r can in general be sub-constant), block length \(n_1 := \gamma _1 n\) (where n is defined later), and message length \(k_1 := \gamma _1 r n\), that is nonmalleable against bit-tampering adversaries with error \(\epsilon _1\). Without loss of generality, assume that \({\mathsf {Dec}}_1\) never outputs \(\perp \) (otherwise, identify \(\perp \) with an arbitrary fixed message; e.g., \(0^{k_1}\)).

3.
A linear error-correcting secret sharing (LECSS) scheme \(\mathcal {C}_2=({\mathsf {Enc}}_2, {\mathsf {Dec}}_2)\) (as in Definition 2.8) with message length \(k_2 := k\), rate \(1-\gamma _2\) (for an arbitrarily small parameter \(\gamma _2 > 0\)) and block length \(n_2\). We assume that \(\mathcal {C}_2\) is a \((\delta _2 n_2, t_2 := \gamma '_2 n_2)\)-linear error-correcting secret sharing scheme (where \(\delta _2 > 0\) and \(\gamma '_2 > 0\) are constants defined by the choice of \(\gamma _2\)). Since b is a constant, without loss of generality assume that b divides \(n_2\), and let \(n_b := n_2 / b\) and \(n := n_2 B/b\).

4.
A polynomial-time computable mapping \(\mathsf {Perm}:\{0,1\}^{k_1} \rightarrow \mathcal {S}_n\), where \(\mathcal {S}_n\) denotes the set of permutations on [n]. We assume that \(\mathsf {Perm}(U_{k_1})\) is an \(\ell \)-wise \(\delta \)-dependent permutation (as in Definition 2.7, for parameters \(\ell \) and \(\delta \)). In fact, it is possible to achieve \(\delta \leqslant \exp (-\ell )\) and \(\ell = \lceil \gamma _1 r n/\log n \rceil = \lceil k_1/\log n \rceil \). Namely, we may use the following result due to Kaplan, Naor and Reingold [20]:
Theorem 4.1
[20] For all integers \(n, k_1 > 0\), there is a function \(\mathsf {Perm}:\{0,1\}^{k_1} \rightarrow \mathcal {S}_n\) computable in worst-case polynomial time (in \(k_1\) and n) such that \(\mathsf {Perm}(U_{k_1})\) is an \(\ell \)-wise \(\delta \)-dependent permutation, where \(\ell = \lceil k_1/\log n \rceil \) and \(\delta \leqslant \exp (-\ell )\). \(\square \)
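For intuition about the interface of \(\mathsf {Perm}\) (seed in, permutation out, deterministic given the seed), the following Python sketch uses a seeded Fisher–Yates shuffle. This is emphatically not the \(\ell \)-wise \(\delta \)-dependent construction of Kaplan, Naor and Reingold [20]; it only illustrates the type of object the construction supplies.

```python
import random

# Illustrative stand-in for Perm: {0,1}^{k1} -> S_n.  A seeded
# Fisher-Yates shuffle is deterministic given the seed, but it carries
# NO l-wise delta-dependence guarantee; the real construction is the
# one from Theorem 4.1 (Kaplan-Naor-Reingold [20]).
def perm_from_seed(seed_bits: int, n: int) -> list:
    rng = random.Random(seed_bits)
    pi = list(range(n))
    rng.shuffle(pi)          # Fisher-Yates driven by the seeded PRG
    return pi

pi = perm_from_seed(0b1011, 8)
print(pi)
```

Calling `perm_from_seed` twice with the same seed returns the same permutation, which is the property the decoder relies on to invert the encoder's shuffling step.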
The Encoder
Let \(s \in \{0,1\}^k\) be the message that we wish to encode. The encoder generates the encoded message \({\mathsf {Enc}}(s)\) according to the following procedure.

1.
Let \(Z \sim \mathcal {U}_{k_1}\) and sample a random permutation \(\varPi :[n] \rightarrow [n]\) by letting \(\varPi := \mathsf {Perm}(Z)\). Let \(Z' := {\mathsf {Enc}}_1(Z) \in \{0,1\}^{\gamma _1 n}\).

2.
Let \(S' = {\mathsf {Enc}}_2(s) \in \{0,1\}^{n_2}\) be the encoding of s using the LECSS code \(\mathcal {C}_2\).

3.
Partition \(S'\) into blocks \(S'_1, \ldots , S'_{n_b}\), each of length b, and encode each block independently using \(\mathcal {C}_0\) so as to obtain a string \(C = (C_1, \ldots , C_{n_b}) \in \{0,1\}^{n}\).

4.
Let \(C' := \varPi (C)\) be the string C after its n coordinates are permuted by \(\varPi \).

5.
Output \({\mathsf {Enc}}(s) := (Z', C') \in \{0,1\}^{N}\), where \(N := (1+\gamma _1) n\), as the encoding of s.
A schematic description of the encoder summarizing the involved parameters is depicted in Fig. 1.
The Decoder
We define the decoder \({\mathsf {Dec}}(\bar{Z'}, \bar{C'})\) as follows:

1.
Compute \(\bar{Z} := {\mathsf {Dec}}_1(\bar{Z'})\).

2.
Compute the permutation \(\bar{\varPi }:[n] \rightarrow [n]\) defined by \(\bar{\varPi } := \mathsf {Perm}(\bar{Z})\).

3.
Let \(\bar{C} \in \{0,1\}^n\) be the permuted version of \(\bar{C'}\) according to \(\bar{\varPi }^{1}\).

4.
Partition \(\bar{C}\) into \(n_b\) blocks \(\bar{C}_1, \ldots , \bar{C}_{n_b}\) of size B each (consistent with the way the encoder partitions C).

5.
Call the inner code decoder on each block, namely, for each \(i \in [n_b]\) compute \(\bar{S'}_i := {\mathsf {Dec}}_0(\bar{C}_i)\). If \(\bar{S'}_i = \perp \) for any i, output \(\perp \) and return.

6.
Let \(\bar{S'} = (\bar{S'}_1, \ldots , \bar{S'}_{n_b}) \in \{0,1\}^{n_2}\). Compute \(\bar{S} := {\mathsf {Dec}}_2(\bar{S'})\), where \(\bar{S} = \perp \) if \(\bar{S'}\) is not a codeword of \(\mathcal {C}_2\). Output \(\bar{S}\).
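Putting the two procedures together, the following self-contained Python sketch instantiates the pipeline with toy stand-ins for every building block: a parity-check inner code in place of \(\mathcal {C}_0\), a 3-fold repetition code in place of \(\mathcal {C}_1\), the identity map in place of the LECSS \(\mathcal {C}_2\) (so no secrecy or distance guarantees), and a seeded Fisher–Yates shuffle in place of \(\mathsf {Perm}\). All function names and parameter values here are ours; the sketch only illustrates the data flow of the encoder and decoder above, including how a single flipped codeword bit trips an inner parity check.

```python
import random

def parity(bits):
    return sum(bits) & 1

# --- toy stand-ins for the building blocks (NOT the real C0, C1, C2) ---
def enc0(block):                 # inner code: b=4 bits -> B=5 bits (parity)
    return block + [parity(block)]

def dec0(cw):                    # the error symbol "bottom" is modelled as None
    return cw[:-1] if parity(cw) == 0 else None

def enc1(seed):                  # seed protection: 3-fold repetition
    return [bit for bit in seed for _ in range(3)]

def dec1(cw):                    # majority vote; never outputs None
    return [int(sum(cw[3 * i:3 * i + 3]) >= 2) for i in range(len(cw) // 3)]

def enc2(msg):                   # LECSS placeholder: identity (no secrecy!)
    return list(msg)

def dec2(cw):
    return list(cw)

def perm_from_seed(seed, n):     # stand-in for Perm (not l-wise dependent)
    rng = random.Random(int("".join(map(str, seed)), 2))
    pi = list(range(n))
    rng.shuffle(pi)
    return pi

b, B, k1 = 4, 5, 8

def enc(msg, rng):
    z = [rng.getrandbits(1) for _ in range(k1)]              # step 1: seed Z
    s2 = enc2(msg)                                           # step 2: LECSS
    c = sum((enc0(s2[i:i + b]) for i in range(0, len(s2), b)), [])  # step 3
    pi = perm_from_seed(z, len(c))
    cp = [0] * len(c)
    for i, bit in enumerate(c):                              # step 4: permute C
        cp[pi[i]] = bit
    return enc1(z) + cp                                      # step 5: (Z', C')

def dec(cw):
    zp, cp = cw[:3 * k1], cw[3 * k1:]
    z = dec1(zp)                                             # steps 1-2
    pi = perm_from_seed(z, len(cp))
    c = [cp[pi[i]] for i in range(len(cp))]                  # step 3: un-permute
    s2 = []
    for i in range(0, len(c), B):                            # steps 4-5
        blk = dec0(c[i:i + B])
        if blk is None:
            return None                                      # some block saw an error
        s2 += blk
    return dec2(s2)                                          # step 6

msg = [1, 0, 1, 1, 0, 0, 1, 0]
cw = enc(msg, random.Random(7))
assert dec(cw) == msg            # honest round trip
bad = cw[:]
bad[3 * k1] ^= 1                 # flip one bit of C'
assert dec(bad) is None          # an inner parity check fires
```

Because the seed portion is untampered in this demonstration, the decoder recovers the same permutation and the flipped bit lands inside exactly one inner block, whose parity check then fails; this is the mechanism the analysis formalizes.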
Remark 4.2
As in the classical variation of concatenated codes of Forney [16] due to Justesen [18], the encoder described above can enumerate a family of inner codes instead of one fixed code in order to eliminate the exhaustive search for a good inner code \(\mathcal {C}_0\). In particular, one can consider all possible realizations of Construction 1 for the chosen parameters and use each obtained inner code to encode one of the \(n_b\) inner blocks. If the fraction of good inner codes (i.e., those satisfying the properties listed in Lemma 3.5) is large enough (e.g., \(1-1/n^{\varOmega (1)}\)), our analysis still applies. It is possible to ensure that the size of the inner code family is not larger than \(n_b\) by appropriately choosing the parameter \(\eta \) in Theorem 3.1 (e.g., \(\eta \geqslant 1/\sqrt{n}\)).
Analysis
In this section, we prove that the construction of Sect. 4.1 (depicted in Fig. 1) is indeed a coding scheme that is nonmalleable against bit-tampering adversaries with rate arbitrarily close to 1. More precisely, we prove the following theorem.
Theorem 4.3
For every \(\gamma _0 > 0\), there is a \(\gamma '_0 = \gamma _0^{O(1)}\) and \(N_0 = O(1/\gamma _0^{O(1)})\) such that for every integer \(N \geqslant N_0\), the following holds. The pair \(({\mathsf {Enc}}, {\mathsf {Dec}})\) defined in Sects. 4.1.2 and 4.1.3 can be set up to be a nonmalleable coding scheme against bit-tampering adversaries, achieving block length N, rate at least \(1-\gamma _0\) and error
where r and \(\epsilon _1\) are, respectively, the rate and the error of the assumed nonmalleable coding scheme \(\mathcal {C}_1\).
Remark 4.4
Dziembowski et al. [15, Definition 3.3] also introduce a “strong” variation of nonmalleable codes, which implies the standard definition (Definition 2.3) but is more restrictive. Arguably, the stronger definition is less natural: an error-correcting code that fully corrects the tampering incurred by the adversary does not satisfy the stronger definition, while it is nonmalleable in the standard sense, as one would naturally expect. In this work, we focus on the standard definition and prove the results with respect to Definition 2.3. However, it can be verified (by minor adjustments to the proof of Theorem 4.3) that the construction of this section satisfies strong nonmalleability as well (without any loss in the parameters), provided that the nonmalleable code \(({\mathsf {Enc}}_1, {\mathsf {Dec}}_1)\) encoding the description of the permutation \(\varPi \) satisfies the strong definition.
Proof of Theorem 4.3
It is clear that, given \((Z', C')\), the decoder can unambiguously reconstruct the message s; that is, \({\mathsf {Dec}}({\mathsf {Enc}}(s)) = s\) with probability 1. Thus, it remains to demonstrate nonmalleability of \({\mathsf {Enc}}(s)\) against bit-tampering adversaries.
Fix any such adversary \(f:\{0,1\}^N \rightarrow \{0,1\}^N\). The adversary f defines the following partition of [N]:

\(\mathsf {Fr}\subseteq [N]\); the set of positions frozen to either zero or one by f.

\(\mathsf {Fl}\subseteq [N] {\setminus } \mathsf {Fr}\); the set of positions flipped by f.

\(\mathsf {Id}= [N] {\setminus } (\mathsf {Fr}\cup \mathsf {Fl})\); the set of positions left unchanged by f.
Since f is not the identity function (otherwise, there is nothing to prove), we know that \(\mathsf {Fr}\cup \mathsf {Fl}\ne \emptyset \).
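Computing this partition is straightforward once the adversary is written down explicitly. The Python sketch below uses a per-position action string (an encoding we introduce for illustration, not notation from the paper) and verifies that \(\mathsf {Fr}\), \(\mathsf {Fl}\) and \(\mathsf {Id}\) indeed partition [N].

```python
# Partition of [N] induced by a bit-tampering adversary f, represented
# here as a per-position action ("keep", "flip", "zero", "one").
actions = ["keep", "flip", "zero", "keep", "one", "flip"]   # N = 6

Fr = {i for i, a in enumerate(actions) if a in ("zero", "one")}  # frozen
Fl = {i for i, a in enumerate(actions) if a == "flip"}           # flipped
Id = {i for i, a in enumerate(actions) if a == "keep"}           # unchanged

# The three sets are pairwise disjoint and cover all N positions.
assert Fr | Fl | Id == set(range(len(actions)))
assert not (Fr & Fl) and not (Fr & Id) and not (Fl & Id)
print(sorted(Fr), sorted(Fl), sorted(Id))
```

For a non-identity adversary, at least one position lies in \(\mathsf {Fr}\cup \mathsf {Fl}\), which is exactly the condition used in the analysis that follows.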
We use the notation used in the description of the encoder \({\mathsf {Enc}}\) and decoder \({\mathsf {Dec}}\) for various random variables involved in the encoding and decoding of the message s. In particular, let \((\bar{Z'}, \bar{C'}) = f(Z', C')\) denote the perturbation of \({\mathsf {Enc}}(s)\) by the adversary, and let \(\bar{\varPi } := \mathsf {Perm}({\mathsf {Dec}}_1(\bar{Z'}))\) be the induced perturbation of \(\varPi \) as viewed by the decoder \({\mathsf {Dec}}\). In general \(\varPi \) and \(\bar{\varPi }\) are correlated random variables, but independent of the remaining randomness used by the encoder.
We first distinguish three cases and subsequently use a convex combination argument to show that the analysis of these cases suffices to guarantee nonmalleability in general. The first case considers the situation where the adversary freezes too many bits of the encoding. The remaining two cases can thus assume that a sizeable fraction of the bits are not frozen to fixed values.
Case 1: Too Many Bits of \(C'\) are Frozen by the Adversary
First, assume that f freezes at least \(n - t_2/b\) of the n bits of \(C'\). In this case, we show that the distribution of \({\mathsf {Dec}}(f(Z', C'))\) is always independent of the message s, and thus the nonmalleability condition of Definition 2.3 is satisfied for the chosen f. In order to achieve this goal, we rely on the bounded independence property of the LECSS code \(\mathcal {C}_2\). We remark that a similar technique has been used in [15] for their construction of nonmalleable codes (for the case where the adversary freezes too many bits).
Observe that the joint distribution of \((\varPi , \bar{\varPi })\) is independent of the message s. Thus it suffices to show that conditioned on any realization \(\varPi = \pi \) and \(\bar{\varPi } = \bar{\pi }\), for any fixed permutations \(\pi \) and \(\bar{\pi }\), the conditional distribution of \({\mathsf {Dec}}(f(Z', C'))\) is independent of the message s.
We wish to understand how, with respect to the particular permutations defined by \(\pi \) and \(\bar{\pi }\), the adversary acts on the bits of the inner code blocks \(C = (C_1, \ldots , C_{n_b})\).
Consider the set \(T \subseteq [n_b]\) of the blocks of \(C=(C_1, \ldots , C_{n_b})\) (as defined in the algorithm for \({\mathsf {Enc}}\)) that are not completely frozen by f (after permuting the action of f with respect to the fixed choice of \(\pi \)). We know that \(|T| \leqslant t_2/b\).
Let \(S'_T\) be the string \(S' = (S'_1, \ldots , S'_{n_b})\) (as defined in the algorithm for \({\mathsf {Enc}}\)) restricted to the blocks defined by T; that is, \(S'_T := (S'_i)_{i \in T}\). Observe that the length of \(S'_T\) is at most \(b |T| \leqslant t_2\). From the \(t_2\)-wise independence property of the LECSS code \(\mathcal {C}_2\), and the fact that the randomness of \({\mathsf {Enc}}_2\) is independent of \((\varPi , \bar{\varPi })\), we know that \(S'_T\) is a uniform string, and in particular, independent of the original message s. Let \(C_T\) be the restriction of C to the blocks defined by T; that is, \(C_T := (C_i)_{i \in T}\). Since \(C_T\) is generated from \(S'_T\) (by applying the encoder \({\mathsf {Enc}}_0\) on each block, whose randomness is independent of \((\varPi , \bar{\varPi })\)), we know that the distribution of \(C_T\) is independent of the original message s as well.
Now, observe that \({\mathsf {Dec}}(f(Z', C'))\) is only a function of T, \(C_T\), the tampering function f and the fixed choices of \(\pi \) and \(\bar{\pi }\) (since the bits of C that are not picked by T are frozen to values determined by the tampering function f), which are all independent of the message s. Thus in this case, \({\mathsf {Dec}}(f(Z', C'))\) is independent of s as well. This suffices to prove nonmalleability of the code in this case. In particular, in Definition 2.3, we can take \(\mathcal {D}_f\) to be the distribution of \({\mathsf {Dec}}(f(Z', C'))\) for an arbitrary message and satisfy the definition with zero error.
Case 2: The Adversary Does not Alter \(\varPi \)
In this case, we assume that \(\varPi = \bar{\varPi }\), both distributed according to \(\mathsf {Perm}(\mathcal {U}_{k_1})\) and independently of the remaining randomness used by the encoder. This situation in particular occurs if the adversary leaves the part of the encoding corresponding to \(Z'\) completely unchanged. We furthermore assume that Case 1 does not occur; i.e., more than \(t_2/b = \gamma '_2 n_2/b\) bits of \(C'\) are not frozen by the adversary. To analyze this case, we rely on bounded independence of the permutation \(\varPi \). The effect of the randomness of \(\varPi \) is to prevent the adversary from gaining any advantage of the fact that the inner code independently acts on the individual blocks.
Let \(\mathsf {Id}' \subseteq \mathsf {Id}\) be the positions of \(C'\) that are left unchanged by f. Similarly, let \(\mathsf {Fl}' \subseteq \mathsf {Fl}\) and \(\mathsf {Fr}' \subseteq \mathsf {Fr}\), respectively, denote the positions of \(C'\) that are flipped and frozen by f. Since we have eliminated the case where too many bits of \(C'\) are frozen, we may assume that \(|\mathsf {Id}' \cup \mathsf {Fl}'| > t_2/b\), or equivalently,
$$\begin{aligned} |\mathsf {Fr}'| < n - t_2/b. \end{aligned}$$
Recall that the adversary freezes the bits of C corresponding to the positions in \(\varPi ^{1}(\mathsf {Fr}')\) and either flips or leaves the rest of the bits of C unchanged. We consider two subcases.
Case 2.1: \(|\mathsf {Id}'| > n - \delta _2 n_b\)
In this case, all but fewer than \(\delta _2 n_b\) of the inner code blocks are decoded to the correct values by the decoder. Thus, the decoder correctly reconstructs all but at most \(b(n - |\mathsf {Id}'|) < \delta _2 n_2\) bits of \(S'\). Now, the distance property of the LECSS code \(\mathcal {C}_2\) ensures that occurrence of any errors in \(S'\) can be detected by the decoder. Roughly speaking, this means that the decoder would either output the correct message or the error symbol \(\perp \), and thus the distribution \(\mathcal {D}_f\) should be supported only on \(\{{\underline{\mathsf {same}}}, \perp \}\). However, more work is needed to ensure that the probability of the decoder outputting the error symbol is not sensitive to the choice of the original message s.
Let \(T_0 \subseteq [n_b]\) be the set of blocks of C that are affected by the action of f (that is, those blocks in which there is a position \(i \in [n]\) where \(\varPi (i) \notin \mathsf {Id}\)), and \(T_1 \subseteq [n_2]\) (resp., \(T_2 \subseteq [n]\)) be the coordinate positions of \(S'\) (resp., C) contained in the blocks defined by \(T_0\). Observe that \(|T_0| < \delta _2 n_b\), \(|T_1| = b |T_0| < \delta _2 n_2\) and \(|T_2| = B |T_0|\).
The bounded independence property of \(\mathcal {C}_2\) ensures that the restriction of \(S'\) to the positions in \(T_1\) is uniformly distributed, provided that
which we will assume in the sequel. Consequently, the restriction of C to the positions in \(T_2\) has exactly the same distribution regardless of the encoded message s.
Recall that the decoder either outputs the correct message s or \(\perp \), and the former happens if and only if \(S'\) is correctly decoded at the positions in \(T_1\). This event (that is, \(\bar{S}'_{T_1} = S'_{T_1}\)) is independent of the encoded message s, since the estimate \(\bar{S}'_{T_1}\) is completely determined by \(S'_{T_1}\), \(\varPi \), and f, which are all independent of s. Thus, the probability of the decoder outputting \(\perp \) is the same regardless of the message s. Since the decoder either outputs the correct s or \(\perp \), we conclude that nonmalleability of the code in this case is achieved with zero error and a distribution \(\mathcal {D}_f\) that is supported only on \(\{ {\underline{\mathsf {same}}}, \perp \}\).
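In summary, the conclusion of Case 2.1 can be written as follows (our restatement of the argument just given, with all probabilities taken over the randomness of the encoder):

```latex
% Case 2.1: a distribution D_f that does not depend on the message s
\mathcal{D}_f({\underline{\mathsf{same}}}) := \Pr\big[\bar{S}'_{T_1} = S'_{T_1}\big],
\qquad
\mathcal{D}_f(\perp) := 1 - \Pr\big[\bar{S}'_{T_1} = S'_{T_1}\big],
```

and since the event \(\bar{S}'_{T_1} = S'_{T_1}\) is independent of s, the distribution of \({\mathsf {Dec}}(f({\mathsf {Enc}}(s)))\) equals \(\mathsf {copy}(\mathcal {D}_f, s)\) exactly; i.e., the error in this case is zero.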
Case 2.2: \(|\mathsf {Id}'| \leqslant n - \delta _2 n_b\)
In this case, we have \(|\mathsf {Fr}' \cup \mathsf {Fl}'| \geqslant \delta _2 n_2/b\). Moreover, we fix the randomness of the LECSS code \(\mathcal {C}_2\) so that \(S'\) becomes a fixed string. Recall that \(C_1, \ldots , C_{n_b}\) are independent random variables, since every call of the inner encoder \({\mathsf {Enc}}_0\) uses fresh randomness. In this case, our goal is to show that the decoder outputs \(\perp \) with high probability, thus ensuring nonmalleability by choosing \(\mathcal {D}_f\) to be the singleton distribution on \(\{ \perp \}\).
Since \(\varPi = \bar{\varPi }\), the decoder is able to correctly identify positions of all the inner code blocks determined by C. In other words, we have
where \(f'\) denotes the adversary obtained from f by permuting its action on the bits as defined by \(\varPi ^{-1}\); that is,
Let \(i \in [n_b]\). We consider the dependence between \(C_i\) and its tampering \(\bar{C}_i\), conditioned on the knowledge of \(\varPi \) on the first \(i-1\) blocks of C. Let C(j) denote the jth bit of C, so that the ith block of C becomes \((C(1+(i-1)B), \ldots , C(iB))\). For the moment, assume that \(\delta = 0\); that is, assume that \(\varPi \) is exactly an \(\ell \)-wise independent permutation.
Suppose \(i B \leqslant \ell \), meaning that the restriction of \(\varPi \) to the ith block (i.e., \((\varPi (1+(i-1)B), \ldots , \varPi (iB))\)), conditioned on any fixing of \((\varPi (1), \ldots , \varPi ((i-1)B))\), exhibits the same distribution as that of a uniformly random permutation.
We define events \(\mathcal {E}_1\) and \(\mathcal {E}_2\) as follows. \(\mathcal {E}_1\) is the event that \(\varPi (1+(i-1)B) \notin \mathsf {Id}'\), and \(\mathcal {E}_2\) is the event that \(\varPi (2+(i-1)B) \notin \mathsf {Fr}'\). That is, \(\mathcal {E}_1\) occurs when the adversary does not leave the first bit of the ith block of C intact, and \(\mathcal {E}_2\) occurs when the adversary does not freeze the second bit of the ith block. We are interested in lower bounding the probability that both \(\mathcal {E}_1\) and \(\mathcal {E}_2\) occur, conditioned on any particular realization of \((\varPi (1), \ldots , \varPi ((i-1)B))\).
Suppose the parameters are set up so that
Under this assumption, we show that even conditioned on any fixing of \((\varPi (1), \ldots , \varPi ((i-1)B))\), we can ensure that
and
To see (9), note that among the particular outcomes of \(\varPi (1), \ldots , \varPi ((i-1)B)\), at most \((i-1)B < \ell \) can fall outside \(\mathsf {Id}'\). Since we have assumed that the distribution of \(\varPi (1+(i-1)B)\) remains uniformly random conditioned on \((\varPi (1), \ldots , \varPi ((i-1)B))\), it follows that
where for the last equality we recall that \(n_b = n_2/b\).
Similarly, in order to verify (10) we note that among the particular outcomes of \(\varPi (1), \ldots , \varPi ((i-1)B), \varPi (1+(i-1)B)\), at most \((i-1)B+1 \leqslant \ell \) can fall outside \(\mathsf {Fr}'\). Again we recall that the distribution of \(\varPi (2+(i-1)B)\) is uniformly random conditioned on \((\varPi (1), \ldots , \varPi ((i-1)B), \varPi (1+(i-1)B))\) and write
Note that (9) and (10) together imply that
We let \(\gamma ''_2\) be the right-hand side of the above inequality.
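For concreteness, the chain of inequalities behind (9)–(11) can be reconstructed as follows, consistently with the closed form \(\gamma ''_2 = \delta _2 \gamma '_2 (n_2/(2bn))^2\) recalled later in the parameter setup. The halving of each factor is our assumption on what condition (8) guarantees, namely that \(\ell \) is at most half of each of \(\delta _2 n_2/b\) and \(\gamma '_2 n_2/b\):

```latex
% Reconstruction of (9)-(11); the caps on \ell are assumed to come from (8).
\Pr[\mathcal{E}_1]
  \geqslant \frac{|\mathsf{Fl}' \cup \mathsf{Fr}'| - \ell}{n}
  \geqslant \frac{\delta_2 n_2/b - \ell}{n}
  \geqslant \frac{\delta_2 n_2}{2bn}, \\
\Pr[\mathcal{E}_2 \mid \mathcal{E}_1]
  \geqslant \frac{|\mathsf{Id}' \cup \mathsf{Fl}'| - \ell}{n}
  \geqslant \frac{\gamma'_2 n_2/b - \ell}{n}
  \geqslant \frac{\gamma'_2 n_2}{2bn}, \\
\Pr[\mathcal{E}_1 \wedge \mathcal{E}_2]
  \geqslant \delta_2\,\gamma'_2 \left(\frac{n_2}{2bn}\right)^{\!2} =: \gamma''_2.
```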
In general, when the random permutation is \(\ell \)-wise \(\delta \)-dependent for \(\delta \geqslant 0\), the above probability lower bound in (11) can only be affected by at most \(\delta \) (by the definition of statistical distance). Thus, under the assumption that
we may still ensure that
Let \(X_i \in \{0,1\}\) indicate the event that \({\mathsf {Dec}}_0(\bar{C}_i) = \perp \). We can write
where the last inequality follows from (13). However, by property 5 of Lemma 3.5 (error detection) that is attained by the inner code \(\mathcal {C}_0\), we also know that
and therefore it follows that
Observe that by the argument above, (14) holds even conditioned on the realization of the permutation \(\varPi \) on the first \(i-1\) blocks of C. By recalling that we have fixed the randomness of \({\mathsf {Enc}}_2\), and that each inner block is independently encoded by \({\mathsf {Enc}}_0\), we can deduce that, letting \(X_0 := 0\),
Using the above result for all \(i \in \{1, \ldots , \lfloor \ell /B \rfloor \}\), we conclude that
where (16) holds since the left-hand side event is a subset of the right-hand side event, and (17) follows from (15) and the chain rule.
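Spelled out, the estimate in (16)–(17) takes the following shape (our reconstruction from the surrounding text; the per-step bound \(\Pr[X_i = 1 \mid X_1 = \cdots = X_{i-1} = 0] \geqslant \gamma ''_2/6\) is the form of (15) consistent with the final bound):

```latex
\Pr[{\mathsf{Dec}} \text{ does not output } \perp]
  \leqslant \Pr\big[X_1 = \cdots = X_{\lfloor \ell/B \rfloor} = 0\big]
  = \prod_{i=1}^{\lfloor \ell/B \rfloor}
      \Pr\big[X_i = 0 \mid X_1 = \cdots = X_{i-1} = 0\big]
  \leqslant \left(1 - \gamma''_2/6\right)^{\lfloor \ell/B \rfloor}.
```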
Thus, by appropriately setting the parameters as we will do later, we can ensure that the decoder outputs \(\perp \) with high probability. This ensures nonmalleability of the code in this case, with the choice of \(\mathcal {D}_f\) in Definition 2.3 being entirely supported on \(\{ \perp \}\) and error bounded by the right-hand side of (17).
Case 3: The Decoder Estimates an Independent Permutation
In this case, we consider the event that \(\bar{\varPi }\) attains a particular value \(\bar{\pi }\). Suppose it so happens that under this conditioning, the distribution of \(\varPi \) remains unaffected; that is, \(\bar{\varPi } = \bar{\pi }\) and \(\varPi \sim \mathsf {Perm}(\mathcal {U}_{k_1})\). This situation may occur if the adversary completely freezes the part of the encoding corresponding to \(Z'\) to a fixed valid codeword of \(\mathcal {C}_1\). Recall that the random variable \(\varPi \) is determined by the random string Z and that it is independent of the remaining randomness used by the encoder \({\mathsf {Enc}}\). Similar to the previous case, our goal is to upper bound the probability that \({\mathsf {Dec}}\) does not output \(\perp \). Furthermore, we can again assume that Case 1 does not occur; i.e., more than \(t_2/b\) bits of \(C'\) are not frozen by the adversary. For the analysis of this case, we can fix the randomness of \({\mathsf {Enc}}_2\) and thus assume that \(S'\) is fixed to a particular value.
As before, our goal is to determine how each block \(C_i\) of the inner code is related to its perturbation \(\bar{C}_i\) induced by the adversary. Recall that
We observe that, without loss of generality, we can assume that \(\bar{\pi }\) is the identity permutation, which substantially cleans up the notation in the analysis. To see this, first note that for any fixed permutation \(\sigma :[n] \rightarrow [n]\), the nonmalleability analysis for some joint distribution of permutations \((\varPi , \bar{\varPi })\) and a bitwise tampering adversary f(x) is equivalent to the analysis with respect to the joint distribution of permutations \((\sigma \circ \varPi , \sigma \circ \bar{\varPi })\) and the bitwise tampering adversary \(f'(x) := \sigma (f( \sigma ^{-1}(x) ))\). That is, if the bitwise tampering function f is replaced by \(f'\) (which simply permutes the action of the adversary with respect to \(\sigma \)), the nonmalleability requirement is satisfied with respect to f if and only if it is satisfied with respect to \(f'\) when the encoder uses the permutation \(\sigma \circ \varPi \) instead of \(\varPi \) and the decoder perceives the permutation \(\sigma \circ \bar{\varPi }\) instead of \(\bar{\varPi }\) (in other words, the components used by the analysis, that is, the adversary and the permutations used by the encoder and decoder, are all permuted with respect to the same permutation \(\sigma \)). In the present case, we may take \(\sigma := \bar{\pi }^{-1}\) so that \(\sigma \circ \bar{\varPi }\) becomes the identity permutation and observe that 1) the distribution of \(\sigma \circ \varPi \) remains \(\ell \)-wise \(\delta \)-dependent and 2) the bitwise tampering adversary \(f'(x)\) only permutes the action of the original tampering function f, resulting in the same number of frozen, unchanged, and flipped bits.
Fixing \(\bar{\pi }\) to the identity permutation allows us to simplify \(\bar{C'} = \bar{C}\) (since \(\bar{C'} = \bar{\pi }(\bar{C})\)), and
For any \(\tau \in [n_b]\), let \(f_\tau :\{0,1\}^B \rightarrow \{0,1\}^B\) denote the restriction of the adversary to the positions included in the \(\tau \)th block of \(\bar{C}\).
Assuming that \(\ell \leqslant t_2\) (which is implied by (8)), let \(T \subseteq [n]\) be any set of size \(\lfloor \ell /B \rfloor \leqslant \lfloor t_2/B \rfloor \leqslant t_2/b\) of the coordinate positions of \(C'\) that are either left unchanged or flipped by f. Let \(T' \subseteq [n_b]\) (where \(|T'| \leqslant |T|\)) be the set of blocks of \(\bar{C}\) that contain the positions picked by T. With a slight abuse of notation, for any \(\tau \in T'\), denote by \(\varPi ^{-1}(\tau ) \subseteq [n]\) the set of indices of the positions belonging to the block \(\tau \) after applying the permutation \(\varPi ^{-1}\) to each one of them. In other words, \(\bar{C}_{\tau }\) (the \(\tau \)th block of \(\bar{C}\)) is determined by taking the restriction of C to the bits in \(\varPi ^{-1}(\tau )\) (in their respective order), and applying \(f_\tau \) on those bits (recall that for \(\tau \in T'\) we are guaranteed that \(f_\tau \) does not freeze all the bits).
In the sequel, our goal is to show that with high probability, \({\mathsf {Dec}}(\bar{Z}, \bar{C'}) = \perp \). In order to do so, we first assume that \(\delta = 0\); i.e., that \(\varPi \) is exactly an \(\ell \)-wise independent permutation. Suppose \(T' = \{ \tau _1, \ldots , \tau _{|T'|} \}\), and consider any \(i \in [|T'|]\).
We wish to lower bound the probability that \({\mathsf {Dec}}_0(\bar{C}_{\tau _i}) = \perp \), conditioned on the knowledge of \(\varPi \) on the first \(i-1\) blocks in \(T'\). Subject to the conditioning, the values of \(\varPi \) become known on up to \((i-1)B \leqslant (|T'|-1)B \leqslant \ell - B\) points. Since \(\varPi \) is \(\ell \)-wise independent, \(\varPi \) on the B bits belonging to the ith block remains B-wise independent. Now, assuming
we know that even subject to the knowledge of \(\varPi \) on any \(\ell \) positions of C, the probability that a uniformly random element within the remaining positions falls in a particular block of C is at most \(B/(n-\ell ) \leqslant 2B/n\).
Now, for \(j \in \{2, \ldots , B\}\), consider the jth position of the block \(\tau _i\) in \(T'\). By the above argument, the probability that \(\varPi ^{-1}\) maps this element to a block of C chosen by any of the previous \(j-1\) elements is at most 2B/n. By a union bound on the choices of j, with probability at least
the elements of the block \(\tau _i\) all land in distinct blocks of C under the permutation \(\varPi ^{-1}\). Now we observe that if \(\delta > 0\), the above probability is only affected by at most \(\delta \). Moreover, if the above distinctness property occurs, the values of C at the positions in \(\varPi ^{-1}(\tau _i)\) become independent random bits, since \({\mathsf {Enc}}\) uses fresh randomness upon each call of \({\mathsf {Enc}}_0\) for encoding different blocks of the inner code (recall that the randomness of the first layer using \({\mathsf {Enc}}_2\) is fixed).
Recall that by the bounded independence property of \(\mathcal {C}_0\) (i.e., property 4 of Lemma 3.5), each individual bit of C is \(\exp (-\varOmega (\gamma _0 B))\)-close to uniform. Therefore, using Proposition 5.19, with probability at least \(1-2B^2/n-\delta \) (in particular, at least 7/8 when
and assuming \(\delta \leqslant 1/16\)) we can ensure that the distribution of C restricted to the positions picked by \(\varPi ^{-1}(\tau _i)\) is \(O(B \exp (-\varOmega (\gamma _0 B)))\)-close to uniform, or in particular (1/4)-close to uniform when B is larger than a suitable constant. If this happens, we can conclude that the distribution of the block \(\tau _i\) of \(\bar{C}\) is (1/4)-close to a subcube with at least one random bit (since we have assumed that \(\tau _i \in T'\) and thus f does not fix all the bits of the block \(\tau _i\)). Now, the cube property of \(\mathcal {C}_0\) (i.e., property 3 of Lemma 3.5) implies that
where the extra term 1/4 accounts for the statistical distance of \(\bar{C}_{\tau _i}\) from being a perfect subcube.
Finally, using the above probability bound, running i over all the blocks in \(T'\), and recalling the assumption that \(\bar{C} = \bar{C'}\), we deduce that
where the last inequality follows from the fact that \(|T'| \geqslant \lfloor \ell /B \rfloor /B\).
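Putting the pieces together, the bound (20) arises as a product over the blocks in \(T'\) (our reconstruction; here \(c > 0\) stands for the constant per-block probability of outputting \(\perp \) obtained by combining the distinctness event, the (1/4)-closeness to a subcube, and the cube property):

```latex
\Pr\big[{\mathsf{Dec}}(\bar{Z}, \bar{C'}) \ne \perp\big]
  \leqslant \prod_{i=1}^{|T'|}
      \Pr\big[{\mathsf{Dec}}_0(\bar{C}_{\tau_i}) \ne \perp \mid \cdots\big]
  \leqslant (1 - c)^{|T'|}
  \leqslant \exp(-\varOmega(\ell/B^2)),
```

where the last step uses \(|T'| \geqslant \lfloor \ell /B \rfloor /B\).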
In a similar way to Case 2.2 above, this establishes nonmalleability of the code in this case, with the choice of \(\mathcal {D}_f\) in Definition 2.3 being entirely supported on \(\{ \perp \}\) and error bounded by the right-hand side of (20).
The General Case
Recall that Case 1 eliminates the situation in which the adversary freezes too many of the bits. For the remaining cases, Cases 2 and 3 consider the special situations where the two permutations \(\varPi \) and \(\bar{\varPi }\) used by the encoder and the decoder either completely match or are completely independent. However, in general we may not reach either of these two cases. Fortunately, the fact that the code \(\mathcal {C}_1\) encoding the permutation \(\varPi \) is nonmalleable ensures that we always end up with a combination of Cases 2 and 3. In other words, in order to analyze any event depending on the joint distribution of \((\varPi , \bar{\varPi })\), it suffices to consider the two special cases where \(\varPi \) is always the same as \(\bar{\varPi }\), or where \(\varPi \) and \(\bar{\varPi }\) are fully independent.
The joint distribution of \((\varPi , \bar{\varPi })\) may be understood using Lemma 5.18. Namely, the lemma applied to the nonmalleable code \(\mathcal {C}_1\) implies that the joint distribution of \((\varPi , \bar{\varPi })\) is \(\epsilon _1\)-close (recall that \(\epsilon _1\) is the error of the nonmalleable code \(\mathcal {C}_1\)) to the convex combination
for some parameter \(\alpha \in [0,1]\) and an independent random variable \(\varPi '\) distributed over \(\mathcal {S}_n\).
For a random variable \(\bar{P}\) jointly distributed with \(\varPi \) over \(\mathcal {S}_n\), and with a slight overload of notation, define the random variable \(D_{s,\bar{P}}\) over \(\{0,1\}^k \cup \{\perp \}\) as the output of the following experiment (recall that \(s \in \{0,1\}^k\) is the message to be encoded):

1.
Let \((Z', C') := {\mathsf {Enc}}(s)\) be the encoding of s, as described in Sect. 4.1.2, and \((\bar{Z}', \bar{C}') = f(Z', C')\) be the corrupted codeword under the adversary f.

2.
Apply the decoder’s procedure, described in Sect. 4.1.3, where in the second line of the procedure the assignment \(\bar{\varPi } := \mathsf {Perm}(\bar{Z})\) is replaced with \(\bar{\varPi } := \bar{P}\), and output the result.
Intuitively, \(D_{s, \bar{P}}\) captures decoding of the perturbed codeword when the decoder uses an arbitrary estimate \(\bar{P}\) (given in the subscript) of the random permutation \(\varPi \) instead of reading it off the codeword (i.e., instead of \(\bar{\varPi } := \mathsf {Perm}(\bar{Z})\) defined by the decoder’s procedure). Using this notation, \(D_{s, \bar{\varPi }}\) (that is, when the choice of \(\bar{P}\) is indeed the natural estimate \(\mathsf {Perm}(\bar{Z})\)) is the same as \({\mathsf {Dec}}(f({\mathsf {Enc}}(s)))\).
Define \(D_s := D_{s, \bar{\varPi }}\), \(D'_s := D_{s, \varPi }\) and \(D''_s := D_{s, \varPi '}\). The results obtained in Cases 2 and 3 can be summarized as follows:

(Case 2): There is a distribution \(\mathcal {D}'_f\) over \(\{0,1\}^k \cup \{ {\underline{\mathsf {same}}}, \perp \}\) such that the statistical distance between the distribution of \(D'_s\) and \(\mathsf {copy}(\mathcal {D}'_f, s)\) (that is, the distribution obtained by reassigning the mass of \({\underline{\mathsf {same}}}\) in \(\mathcal {D}'_f\) to s) is at most
$$\begin{aligned} \Big (1-\gamma ''_2/6\Big )^{\lfloor \ell /B \rfloor } \end{aligned}$$(in fact, \(\mathcal {D}'_f\) is entirely supported on \(\{ \perp , {\underline{\mathsf {same}}}\}\)).

(Case 3): There is a distribution \(\mathcal {D}''_f\) over \(\{0,1\}^k \cup \{ {\underline{\mathsf {same}}}, \perp \}\) such that the statistical distance between the distribution of \(D''_s\) and \(\mathsf {copy}(\mathcal {D}''_f, s)\) is at most
$$\begin{aligned} \exp (-\varOmega (\ell /B^2)) \end{aligned}$$(in fact, \(\mathcal {D}''_f\) is the distribution entirely supported on \(\{ \perp \}\)).
The convex decomposition (21) implies that the distribution of \(D_s\) may be decomposed as a convex combination as well, that is (recalling that the action of f on the part of the codeword corresponding to \(C'\) is independent of \(Z'\) and that the randomness used by \({\mathsf {Enc}}_1\) is independent of the randomness used by \({\mathsf {Enc}}_2\) and each invocation of \({\mathsf {Enc}}_0\)),
Now we set
and define
From the above observations, it follows that the distribution of \(D_s\) (equivalently, of \({\mathsf {Dec}}(f({\mathsf {Enc}}(s)))\)) is \(\epsilon '\)-close to \(\mathsf {copy}(\mathcal {D}_f, s)\). This proves nonmalleability of the code in the general case with error bounded by \(\epsilon '\).
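The two bookkeeping notions used repeatedly in this argument, statistical distance and the \(\mathsf {copy}\) operator (which reassigns the mass of \({\underline{\mathsf {same}}}\) to the encoded message), are simple enough to state as code. The following Python sketch is our own illustration; distributions are dictionaries from outcomes to probabilities, and the string "bot" stands for \(\perp \):

```python
def copy(D, s):
    """Reassign the probability mass of 'same' in D to the message s."""
    out = {}
    for outcome, p in D.items():
        key = s if outcome == "same" else outcome
        out[key] = out.get(key, 0.0) + p
    return out

def statistical_distance(P, Q):
    """Half the L1 distance between two finitely supported distributions."""
    support = set(P) | set(Q)
    return sum(abs(P.get(x, 0.0) - Q.get(x, 0.0)) for x in support) / 2

# A D_f supported on {same, bot}, as produced by Case 2.1:
D_f = {"same": 0.9, "bot": 0.1}
print(copy(D_f, "s"))  # {'s': 0.9, 'bot': 0.1}
```

With these helpers, the nonmalleability requirement is that `statistical_distance` between the decoder's output distribution and `copy(D_f, s)` stays below the error parameter for every message s.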
Setting up the Parameters
The final encoder \({\mathsf {Enc}}\) maps k bits into
bits. Thus the rate R of the final code is
We set up \(\gamma _1, \gamma _2 \in [\gamma _0/2, \gamma _0]\) so as to ensure that
Thus, the rate of the final code can be made arbitrarily close to 1 if \(\gamma _0\) is chosen to be a sufficiently small constant.
Before proceeding with the choice of the other parameters, we recap the constraints that we have assumed on the parameters; namely, (7), (25), (26), (18), and (12) (where we recall that \(\gamma ''_2 = \delta _2 \gamma '_2 \left( \frac{n_2}{2 b n}\right) ^2\)), which are again listed below to assist the reader.
For the particular choice of \(\gamma _0\), there is a constant
for which Lemma 3.5 holds.
Note that the choice of B only depends on the constant \(\gamma _0\). If desired, a brute-force search^{Footnote 5} can thus find an explicit choice for the inner code \(\mathcal {C}_0\) in time depending only on \(\gamma _0\). Moreover, (25) can be satisfied as long as \(N \geqslant N_0\) for some \(N_0 = \mathsf {poly}(1/\gamma _0)\).
Now, for the assumed value of the constant \(\gamma _2 \approx \gamma _0\), one can use Corollary 5.14 and set up \(\mathcal {C}_2\) to be an \((\varOmega (\gamma _0 n_2/\log n_2), \varOmega (\gamma _0 n_2/\log n_2))\)-linear error-correcting secret sharing code. Thus, we may assume that \(\delta _2 = \gamma '_2 = \varOmega (\gamma _0 / \log N)\) (since, trivially, \(n_2 \leqslant N\)) and also satisfy (24).
Finally, using Theorem 4.1 we can set up \(\mathsf {Perm}\) so that \(\ell = \varOmega (\gamma _1 r n/\log n) = \varOmega (\gamma _0 r n/\log n)\) and \(\delta \leqslant 1/n^\ell \). We can lower the value of \(\ell \) if necessary (since an \(\ell \)-wise \(\delta \)-dependent permutation is also an \(\ell '\)-wise \(\delta \)-dependent permutation for any \(\ell ' \leqslant \ell \)) so as to ensure that \(\ell = \varOmega (\gamma _0 r n/(B \log n))\) and the assumptions (26) and (27) are satisfied (recall that \(n_2/b = n_b = n/B\) and \(r \leqslant 1\)). Observe that our choices of the parameters imply that the quantity \(\gamma ''_2\) defined in (11) satisfies \(\gamma ''_2 = \varOmega (\gamma _0^2 / (B \log N)^2)\). We see that the choice of \(\delta \) is small enough to satisfy the assumption (28).
By our choice of the parameters, the upper bound on the failure probability in (17) is
which can be seen by recalling the lower bound on \(\gamma ''_2\) and the fact that \(N=n(1+\gamma _1) \in [n, 2n]\).
On the other hand, the upper bound on the failure probability in (20) can be written as
which is dominated by the estimate in (30).
Now we can substitute the upper bound (29) on B to conclude that (30) is at most
where
We conclude that the error of the final coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\), which is upper bounded by \({\epsilon '}\) as defined in (23), is at most
Instantiations
We present two possible choices for the nonmalleable code \(\mathcal {C}_1\) based on existing constructions. The first construction, due to Dziembowski et al. [15], is a Monte Carlo result that is summarized below.
Theorem 4.5
[15, Theorem 4.2] For every integer \(n > 0\), there is an efficient coding scheme \(\mathcal {C}_1\) of block length n and rate at least .18 that is nonmalleable against bit-tampering adversaries, achieving error \(\epsilon = \exp (-\varOmega (n))\). Moreover, there is an efficient randomized algorithm that, given n, outputs a description of such a code with probability at least \(1-\exp (-\varOmega (n))\).
More recently, Aggarwal et al. [2] constructed an explicit coding scheme that is nonmalleable against the much more general class of split-state adversaries. However, this construction achieves weaker guarantees in terms of rate and error than the one above. Below we rephrase this result restricted to bit-tampering adversaries.
Theorem 4.6
[2, implied by Theorem 5] For every integer \(k > 0\) and \(\epsilon > 0\), there is an efficient and explicit^{Footnote 6} coding scheme \(\mathcal {C}_1\) of message length k that is nonmalleable against bit-tampering adversaries, achieving error at most \(\epsilon \). Moreover, the block length n of the coding scheme satisfies
By choosing \(\epsilon := \exp (-k)\), we see that we can have \(\epsilon = \exp (-\tilde{\varOmega }(n^{1/7}))\), while the rate r of the code satisfies
By instantiating Theorem 4.3 with the Monte Carlo construction of Theorem 4.5, we arrive at the following corollary.
Corollary 4.7
For every integer \(n > 0\) and every positive parameter \(\gamma _0 = \varOmega (1/(\log n)^{O(1)})\), there is an efficient coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) of block length n and rate at least \(1-\gamma _0\) such that the following hold.

1.
The coding scheme is nonmalleable against bit-tampering adversaries, achieving error at most \(\exp (-\tilde{\varOmega }(n))\).

2.
There is an efficient randomized algorithm that, given n, outputs a description of such a code with probability at least \(1-\exp (-\varOmega (n))\). \(\square \)
If, instead, we instantiate Theorem 4.3 with the construction of Theorem 4.6, we obtain the following nonmalleable code.
Corollary 4.8
For every integer \(n > 0\) and every positive parameter \(\gamma _0 = \varOmega (1/(\log n)^{O(1)})\), there is an explicit and efficient coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) of block length n and rate at least \(1-\gamma _0\) such that the coding scheme is nonmalleable against bit-tampering adversaries and achieves error at most \(\exp (-\tilde{\varOmega }(n^{1/7}))\). \(\square \)
Construction of Nonmalleable Codes Using Nonmalleable Extractors
For decades, randomness extractors (cf. [24, Chapter 6]) have served as a fundamental building block for constructing combinatorial objects with various pseudorandom properties, including error-correcting codes. Intuitively, a randomness extractor is a function that takes a weak source of randomness and a short truly random seed and outputs a sequence of nearly independent unbiased coin flips of length close to the entropy of the weak source. Recently, a nonmalleable variation of classical randomness extractors has found applications in nonmalleable cryptography, namely for privacy amplification in the presence of tampering adversaries [13]. The output of a nonmalleable extractor remains close to uniform to an adversary even given the knowledge of the randomness seed and the extractor's output on any different seed. Intuitively, this means that the truth tables of the extractor function restricted to different seeds are uncorrelated even if the input is sampled from a weak random source.
In this section, we introduce the notion of seedless nonmalleable extractors that extends the existing definition of seeded nonmalleable extractors (as defined in [13]) to sources that exhibit structures of interest. This is similar to how classical seedless extractors are defined as an extension of seeded extractors to sources with different kinds of structure.^{Footnote 7}
Furthermore, we obtain a reduction from the nonmalleable variation of two-source extractors to nonmalleable codes for the split-state model. Dziembowski et al. [14] obtain a construction of nonmalleable codes encoding one-bit messages based on a variation of strong (standard) two-source extractors. This brings up the question of whether there is a natural variation of two-source extractors that directly leads to nonmalleable codes for the split-state model encoding messages of arbitrary lengths (and ideally, achieving constant rate). Our notion of nonmalleable two-source extractors can be regarded as a positive answer to this question.
At an intuitive level, the reduction takes a two-source extractor with a certain nonmalleability property as the decoder of a coding scheme, so the encoder would take a uniformly random preimage of the decoder function for the given message. The nonmalleability property, as we define later in this section, implies that the knowledge of the extractor's output, when one or both of the extractor's inputs are tampered by an adversary, reveals no information about the extractor's output on the original (untampered) inputs. That is, the extractor's output remains nearly uniform even conditioned on the adversary's knowledge. In terms of the coding scheme, this property implies that the knowledge of the decoder's output on any tampered encoding reveals essentially no information about the original message, and this is exactly the requirement of a nonmalleable coding scheme.
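The mechanics of the reduction can be illustrated with a toy Python sketch (our own illustration; the inner-product function below is only a stand-in for a two-source extractor and does not carry any nonmalleability guarantee). The decoder evaluates the extractor, and the encoder samples a uniformly random preimage of the message:

```python
import random
from collections import defaultdict

N = 4  # toy input length (bits) of each of the two sources

def toy_ext(x, y):
    """Stand-in two-source function: inner product over GF(2) of two N-bit ints.
    A real instantiation would additionally need the nonmalleability property."""
    return bin(x & y).count("1") % 2

def dec(x, y):
    """Decoder of the reduction: simply evaluate the extractor."""
    return toy_ext(x, y)

# Precompute the preimages of each message under the extractor.
preimages = defaultdict(list)
for x in range(2 ** N):
    for y in range(2 ** N):
        preimages[toy_ext(x, y)].append((x, y))

def enc(s):
    """Encoder of the reduction: a uniformly random preimage of the message s."""
    return random.choice(preimages[s])

for s in (0, 1):
    x, y = enc(s)
    assert dec(x, y) == s  # decoding inverts encoding by construction
```

Note that the encoder is necessarily randomized: the uniform choice of preimage is what makes the decoder's output on a tampered codeword nearly independent of the original message.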
Our reduction does not imply a characterization of nonmalleable codes using extractors, and nonmalleable codes for the split-state model do not necessarily correspond to nonmalleable extractors (since those implied by our reduction achieve slightly suboptimal rates). However, since seeded nonmalleable extractors (as studied in the line of research starting with [13]) are already a subject of independent interest, we believe our reduction may be seen as a natural approach (albeit not the only possible one) for improved constructions of nonmalleable codes. Furthermore, the definition of two-source nonmalleable extractors (especially the criteria described in Remark 5.5 below) is somewhat cleaner and easier to work with than the definition of nonmalleable codes (Definition 2.3), which involves subtleties such as the extra care needed for the "\({\underline{\mathsf {same}}}\)" symbol.
It should also be noted that our reduction can be modified to obtain nonmalleable codes for different classes of adversaries (by appropriately defining the family of extractors based on the tampering family being considered), such as the variation of the split-state model where the adversary may arbitrarily choose in advance how to partition the encoding into two blocks (in which case one has to consider the nonmalleable variation of mixed two-source extractors studied by Raz and Yehudayoff [23]).
Seedless Nonmalleable Extractors
Before defining seedless nonmalleable extractors, it is convenient to introduce a related notion of nonmalleable functions that is defined with respect to a function and a distribution over its inputs. As it turns out, nonmalleable “extractor” functions with respect to the uniform distribution and limited families of adversaries are of particular interest for construction of nonmalleable codes.
Definition 5.1
A function \(g:\Sigma \rightarrow \varGamma \) is said to be nonmalleable with error \(\epsilon \) with respect to a distribution \(\mathcal {X}\) over \(\Sigma \) and a tampering function \(f:\Sigma \rightarrow \Sigma \) if there is a distribution \(\mathcal {D}\) over \(\varGamma \cup \{{\underline{\mathsf {same}}}\}\) such that for an independent \(Y \sim \mathcal {D}\),
Using the above notation, we can now define seedless nonmalleable extractors as follows.
Definition 5.2
A function \(\mathsf {NMExt}:\{0,1\}^n \rightarrow \{0,1\}^m\) is a (seedless) nonmalleable extractor with respect to a class \(\mathfrak {X}\) of sources over \(\{0,1\}^n\) and a class \(\mathcal {F}\) of tampering functions acting on \(\{0,1\}^n\) if, for every distribution \(\mathcal {X}\in \mathfrak {X}\), and for every tampering function \(f \in \mathcal {F}\), \(f:\{0,1\}^n \rightarrow \{0,1\}^n\), the following hold for an error parameter \(\epsilon > 0\).

1.
\(\mathsf {NMExt}\) is an extractor for the distribution \(\mathcal {X}\); that is, \(\mathsf {NMExt}(\mathcal {X}) \approx _\epsilon \mathcal {U}_m.\)

2.
\(\mathsf {NMExt}\) is a nonmalleable function with error \(\epsilon \) for the distribution \(\mathcal {X}\) and with respect to the tampering function f.
Of particular interest is the notion of two-source nonmalleable extractors. This is a special case of Definition 5.2 where \(\mathfrak {X}\) is the family of two sources (i.e., each \(\mathcal {X}\) is a product distribution \((\mathcal {X}_1, \mathcal {X}_2)\), where \(\mathcal {X}_1\) and \(\mathcal {X}_2\) are arbitrary distributions defined over the first and second halves of the input, each having a sufficient amount of entropy). Moreover, the family of tampering functions consists of functions that arbitrarily but independently tamper each half of the input. Formally, we distinguish this special case of Definition 5.2 as follows.
Definition 5.3
A function \(\mathsf {NMExt}:\{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^m\) is a two-source nonmalleable \((k_1, k_2, \epsilon )\)-extractor if, for every product distribution \((\mathcal {X}, \mathcal {Y})\) over \(\{0,1\}^n \times \{0,1\}^n\) where \(\mathcal {X}\) and \(\mathcal {Y}\) have min-entropy at least \(k_1\) and \(k_2\), respectively, and for any arbitrary functions \(f_1:\{0,1\}^n \rightarrow \{0,1\}^n\) and \(f_2:\{0,1\}^n \rightarrow \{0,1\}^n\), the following hold.

1.
\(\mathsf {NMExt}\) is a two-source extractor for \((\mathcal {X}, \mathcal {Y})\); that is, \(\mathsf {NMExt}(\mathcal {X}, \mathcal {Y}) \approx _\epsilon \mathcal {U}_m.\)

2.
\(\mathsf {NMExt}\) is a nonmalleable function with error \(\epsilon \) for the distribution \((\mathcal {X}, \mathcal {Y})\) and with respect to the tampering function \( (X, Y) \mapsto (f_1(X), f_2(Y)) \).
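Condition 1 can be checked exhaustively for toy parameters. The Python sketch below (our own illustration; the inner-product function is a classical two-source extractor used here only as a stand-in, with no nonmalleability guarantee) measures the statistical distance of the output bit from uniform when both sources are fully uniform:

```python
N = 4  # toy source length in bits

def ip_ext(x, y):
    """Inner product over GF(2) of two N-bit strings, a classical two-source extractor."""
    return bin(x & y).count("1") % 2

# Exhaustively compute Pr[output = 1] under uniform (X, Y).
ones = sum(ip_ext(x, y) for x in range(2 ** N) for y in range(2 ** N))
pr_one = ones / 4 ** N
# For a single output bit, the statistical distance from uniform is |Pr[1] - 1/2|.
sd = abs(pr_one - 0.5)
print(sd)  # 0.03125 = 2^{-(N+1)}, i.e., an extractor at full entropy
```

Verifying condition 2 is far more demanding, since it quantifies over all pairs of tampering functions; this is one reason the existence proofs in this section are probabilistic rather than constructive.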
In general, a tampering function may have fixed points, acting as the identity on a particular set of inputs. The definitions of nonmalleable codes, functions, and extractors all handle the technicalities involved with such fixed points by introducing a special symbol \({\underline{\mathsf {same}}}\). Nevertheless, it is more convenient to deal with adversaries that are promised to have no fixed points. For this restricted model, the definition of two-source nonmalleable extractors can be modified as follows. We call extractors satisfying the less stringent requirement relaxed two-source nonmalleable extractors. Formally, the relaxed definition is as follows.
Definition 5.4
A function \(\mathsf {NMExt}:\{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^m\) is a relaxed two-source non-malleable \((k_1, k_2, \epsilon )\)-extractor if, for every product distribution \((\mathcal {X}, \mathcal {Y})\) over \(\{0,1\}^n \times \{0,1\}^n\) where \(\mathcal {X}\) and \(\mathcal {Y}\) have min-entropy at least \(k_1\) and \(k_2\), respectively, the following holds. Let \(f_1:\{0,1\}^n \rightarrow \{0,1\}^n\) and \(f_2:\{0,1\}^n \rightarrow \{0,1\}^n\) be functions such that for every \(x \in \{0,1\}^n\), \(f_1(x) \ne x\) and \(f_2(x) \ne x\). Then, for \((X, Y) \sim (\mathcal {X}, \mathcal {Y})\),

1.
\(\mathsf {NMExt}\) is a two-source extractor for \((\mathcal {X}, \mathcal {Y})\); that is, \(\mathsf {NMExt}(\mathcal {X}, \mathcal {Y}) \approx _\epsilon \mathcal {U}_m.\)

2.
\(\mathsf {NMExt}\) is a non-malleable function with error \(\epsilon \) for the distribution of (X, Y) and with respect to each of the tampering functions
$$\begin{aligned} (X, Y) \mapsto (f_1(X), Y), \qquad (X, Y) \mapsto (X, f_2(Y)), \qquad (X, Y) \mapsto (f_1(X), f_2(Y)). \end{aligned}$$
Remark 5.5
In order to satisfy the requirements of Definition 5.4, it suffices (but is not necessary; see footnote 8) to satisfy the following conditions, which closely resemble the requirements of seeded non-malleable extractors (as defined in [13]) and may be more convenient to work with:
The proof of Theorem 5.10 shows that these stronger requirements can be satisfied with high probability by a random function.
It immediately follows from the definitions that a two-source non-malleable extractor (according to Definition 5.3) is a relaxed two-source non-malleable extractor (according to Definition 5.4) with the same parameters. However, non-malleable extractors are in general meaningful for arbitrary tampering functions that may potentially have fixed points. Interestingly, below we show that the two notions are equivalent up to a slight loss in the parameters.
Lemma 5.6
Let \(\mathsf {NMExt}\) be a relaxed two-source non-malleable \((k_1 - \log (1/\epsilon ), k_2 - \log (1/\epsilon ), \epsilon )\)-extractor. Then, \(\mathsf {NMExt}\) is a two-source non-malleable \((k_1, k_2, 4 \epsilon )\)-extractor.
Proof
Since the two-source extraction requirement of Definition 5.4 implies the extraction requirement of Definition 5.3, it suffices to prove the non-malleability condition of Definition 5.3.
Let \(f_1:\{0,1\}^n \rightarrow \{0,1\}^n\) and \(f_2:\{0,1\}^n \rightarrow \{0,1\}^n\) be a pair of tampering functions, \((\mathcal {X}, \mathcal {Y})\) be a product (without loss of generality, component-wise flat) distribution with min-entropy at least \((k_1, k_2)\), and \((X, Y) \sim (\mathcal {X}, \mathcal {Y})\). Define the parameters
Moreover, define the distributions \(\mathcal {X}_0, \mathcal {X}_1\) to be the distribution of X conditioned on the events \(f_1(X) = X\) and \(f_1(X) \ne X\), respectively. Let \(\mathcal {Y}_0, \mathcal {Y}_1\) be similar conditional distributions for the random variable Y and the events \(f_2(Y) = Y\) and \(f_2(Y) \ne Y\). Let \(X_0, X_1, Y_0, Y_1\) be random variables drawn independently and in order from \(\mathcal {X}_0, \mathcal {X}_1, \mathcal {Y}_0, \mathcal {Y}_1\). Observe that \((\mathcal {X}, \mathcal {Y})\) is now a convex combination of four product distributions:
where
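For concreteness, the convex-combination structure can be summarized as follows; here we write \(\epsilon_1 := \Pr[f_1(X) = X]\) and \(\epsilon_2 := \Pr[f_2(Y) = Y]\) (these definitions are inferred from how the quantities are used below, e.g., \(\alpha_{01} \geqslant \epsilon\) forcing \(\epsilon_1 \geqslant \epsilon\) and \(1 - \epsilon_2 \geqslant \epsilon\)):

```latex
(\mathcal{X}, \mathcal{Y}) \;=\;
  \alpha_{00}\,(\mathcal{X}_0, \mathcal{Y}_0)
+ \alpha_{01}\,(\mathcal{X}_0, \mathcal{Y}_1)
+ \alpha_{10}\,(\mathcal{X}_1, \mathcal{Y}_0)
+ \alpha_{11}\,(\mathcal{X}_1, \mathcal{Y}_1),
\qquad
\begin{aligned}
\alpha_{00} &= \epsilon_1 \epsilon_2, &
\alpha_{01} &= \epsilon_1 (1-\epsilon_2),\\
\alpha_{10} &= (1-\epsilon_1)\,\epsilon_2, &
\alpha_{11} &= (1-\epsilon_1)(1-\epsilon_2).
\end{aligned}
```

Each \(\alpha_{ij}\) is the probability of the corresponding pair of fixed-point events, so the four conditional product distributions indeed average to \((\mathcal{X}, \mathcal{Y})\).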
We now need to verify Definition 5.3 for the tampering function
Let us consider the distribution
Suppose \(\alpha _{01} \geqslant \epsilon \), which implies \(\epsilon _1 \geqslant \epsilon \) and \(1-\epsilon _2 \geqslant \epsilon \). Thus, \(\mathcal {X}_0\) and \(\mathcal {Y}_1\) have min-entropy at least \(k_1 - \log (1/\epsilon )\) and \(k_2 - \log (1/\epsilon )\), respectively. In particular, since \(f_2\) has no fixed points on the support of \(\mathcal {Y}_1\), by Definitions 5.4 and 5.1, there is a distribution \(\mathcal {D}_{01}\) over \(\{0,1\}^m \cup \{ {\underline{\mathsf {same}}}\}\) (where m is the output length of \(\mathsf {NMExt}\)) such that for an independent random variable \(E_{01} \sim \mathcal {D}_{01}\),
For \(\alpha _{01} < \epsilon \), the above distributions may be 1-far; however, we can still write the following for general \(\alpha _{01} \in [0,1]\):
where in the above notation, we interpret distributions as vectors of probabilities that can be multiplied by a scalar (i.e., \(\alpha _{01}\)) and use half the \(\ell _1\) distance of vectors as the measure of proximity. Similar results hold for
and
so that for distributions \(\mathcal {D}_{10}\) and \(\mathcal {D}_{11}\) over \(\{0,1\}^m \cup \{ {\underline{\mathsf {same}}}\}\) and independent random variables \(E_{10} \sim \mathcal {D}_{10}\) and \(E_{11} \sim \mathcal {D}_{11}\),
and
We can also write, using the fact that \(\mathsf {NMExt}\) is an ordinary extractor,
where \(U \sim \mathcal {U}_m\).
Denote by \(\mathcal {D}'_{01}\) the distribution \(\mathcal {D}_{01}\) conditioned on the complement of the event \(\{ {\underline{\mathsf {same}}}\}\). Thus, \(\mathcal {D}'_{01}\) is a distribution over \(\{0,1\}^m\). Similarly, define \(\mathcal {D}'_{10}\) and \(\mathcal {D}'_{11}\) from \(\mathcal {D}_{10}\) and \(\mathcal {D}_{11}\) by conditioning on the event \(\{0,1\}^m {\setminus } \{ {\underline{\mathsf {same}}}\}\). Observe that
where \(p_{01} = \Pr [E_{01} = {\underline{\mathsf {same}}}]\). Similarly, one can write
and
Now, we can add up (32), (33), (34), and (35) using the triangle inequality, and expand each right-hand side according to (36), (37), and (38) to deduce that
for some distribution \(\mathcal {D}'\) which is a convex combination
and coefficient \(p = \alpha _{00} + \alpha _{01} p_{01}+ \alpha _{10} p_{10} + \alpha _{11} p_{11}\). Let \(\mathcal {D}\) be a distribution given by
and observe that the right-hand side of (39) is equal to \(\mathscr {D}(U_m, \mathsf {copy}(E, U_m))\), where \(E \sim \mathcal {D}\) is an independent random variable. Thus, we conclude that
which implies the non-malleability requirement of Definition 5.3. \(\square \)
From Non-malleable Extractors to Non-malleable Codes
In this section, we show a reduction from non-malleable extractors to non-malleable codes. For concreteness, we focus on tampering functions in the split-state model: the input is divided into two blocks of equal size, and the adversary may choose arbitrary functions that independently tamper each block. It is straightforward to extend the reduction to other families of tampering functions, for example:

1.
When the adversary divides the input into \(b \geqslant 2\) known parts, not necessarily of the same length, and applies an independent tampering function to each block. In this case, a similar reduction from non-malleable codes to multiple-source non-malleable extractors may be obtained.

2.
When the adversary behaves as in the split-state model, but the choice of the two parts is not known in advance; that is, when the code must be simultaneously non-malleable for every splitting of the input into two equal-sized parts. In this case, the needed extractor is a non-malleable variation of the mixed-sources extractors studied by Raz and Yehudayoff [23].
We note that Theorem 5.7 below (and similar theorems that can be obtained for the other examples above) only requires non-malleable extraction from the uniform distribution. However, the reduction from arbitrary tampering functions to ones without fixed points (e.g., Lemma 5.6) reduces the entropy requirement of the source while imposing a structure on the source distribution that is related to the family of tampering functions being considered.
Theorem 5.7
Let \(\mathsf {NMExt}:\{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^k\) be a two-source non-malleable \((n, n, \epsilon )\)-extractor. Define a coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) with message length k and block length 2n as follows. The decoder \({\mathsf {Dec}}\) is defined by \({\mathsf {Dec}}(x) := \mathsf {NMExt}(x)\).
The encoder, given a message s, outputs a uniformly random string in \(\mathsf {NMExt}^{-1}(s)\). Then, the pair \(({\mathsf {Enc}}, {\mathsf {Dec}})\) is a non-malleable code with error \(\epsilon ' := \epsilon (2^k+1)\) for the family of split-state adversaries.
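The encode/decode shape of this reduction can be exercised end-to-end on toy parameters. The sketch below is our own illustration: a real instantiation needs a non-malleable extractor and an efficient preimage sampler, whereas here a plain random lookup table and a brute-force scan stand in for both, and only the completeness property \({\mathsf {Dec}}({\mathsf {Enc}}(s)) = s\) is checked:

```python
import random

def make_random_function(n_bits, k_bits, rng):
    """A uniformly random function {0,1}^(2n) -> {0,1}^k as a lookup table."""
    return [rng.randrange(2 ** k_bits) for _ in range(2 ** (2 * n_bits))]

def dec(table, x):
    """Dec(x) := NMExt(x): simply evaluate the function."""
    return table[x]

def enc(table, s, rng):
    """Enc(s): a uniformly random preimage of s (brute force; toy sizes only)."""
    preimage = [x for x in range(len(table)) if table[x] == s]
    if not preimage:  # a random function could, in principle, miss an output
        raise ValueError("message has no encoding under this table")
    return rng.choice(preimage)

rng = random.Random(1)
n, k = 4, 2                     # block length 2n = 8 bits, message length k = 2
table = make_random_function(n, k, rng)
for s in range(2 ** k):
    assert dec(table, enc(table, s, rng)) == s
```

The non-malleability guarantee itself is what the extractor property buys and is not visible in this round-trip check.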
Proof
By construction, for every \(s \in \{0,1\}^k\), \({\mathsf {Dec}}({\mathsf {Enc}}(s)) = s\) with probability 1. It remains to verify nonmalleability.
Take a uniformly random message \(S \sim \mathcal {U}_k\), and let \(Y := {\mathsf {Enc}}(S)\) be its encoding. First, we claim that Y is close to uniformly distributed on \(\{0,1\}^{2n}\).
Claim 5.8
The distribution of \({\mathsf {Enc}}(S)\) is \(\epsilon \)close to uniform.
Proof
Let \(Y' \sim \mathcal {U}_{2n}\), and \(S' := {\mathsf {Dec}}(Y') = \mathsf {NMExt}(Y')\). Observe that, since \(\mathsf {NMExt}\) is an ordinary extractor for the uniform distribution,
On the other hand, since \({\mathsf {Enc}}(s)\) samples a uniformly random element of \(\mathsf {NMExt}^{-1}(s)\), it follows that \(\mathscr {D}({\mathsf {Enc}}(S')) = \mathscr {D}(Y') = \mathcal {U}_{2n}\). Since S and \(S'\) correspond to statistically close distributions [by (40)], this implies that
\(\square \)
In light of the above claim, in the sequel we can assume without loss of generality that Y is exactly uniformly distributed, at the cost of an \(\epsilon \) increase in the final error parameter.
Let \(Y = (Y_1, Y_2)\), where \(Y_1, Y_2 \in \{0,1\}^n\). The assumption that \(\mathsf {NMExt}\) is a non-malleable extractor according to Definition 5.3 implies that it is a non-malleable function with respect to the distribution of Y and the tampering function \(f:\{0,1\}^{2n} \rightarrow \{0,1\}^{2n}\)
for any choice of the functions \(f_1\) and \(f_2\). Let \(\mathcal {D}_f\) be the distribution \(\mathcal {D}\) defined in Definition 5.1 that assures non-malleability of the extractor \(\mathsf {NMExt}\), and observe that its choice depends only on the functions \(f_1\) and \(f_2\) and not on the particular value of S. We claim that this is the right choice of \(\mathcal {D}_f\) required by Definition 2.3.
Let \(S'' \sim \mathcal {D}_f\) be sampled independently of all other random variables. Since, by Definition 5.3, \(\mathsf {NMExt}\) is a non-malleable function with respect to the distribution of Y, Definition 5.1 implies that
which, after appropriate substitutions, simplifies to
Let \(s \in \{0,1\}^k\) be any fixed message. We can now condition the above equation on the event \(S = s\), and deduce, using Proposition 5.17, that
or more simply, that
which is the condition required by Definition 2.3. It follows that \(({\mathsf {Enc}}, {\mathsf {Dec}})\) is a non-malleable coding scheme with the required parameters. \(\square \)
We can now derive the following corollary, using the tools that we have developed so far.
Corollary 5.9
Let \(\mathsf {NMExt}:\{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^m\) be a relaxed two-source non-malleable \((k_1, k_2, \epsilon )\)-extractor, where \(m = \varOmega (n)\), \(n-k_1 = \varOmega (n)\), \(n-k_2 = \varOmega (n)\), and \(\epsilon = \exp (-\varOmega (m))\). Then, there is a \(k = \varOmega (n)\) such that the following holds. Define a coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) with message length k and block length 2n (thus rate \(\varOmega (1)\)) as follows. The decoder \({\mathsf {Dec}}\), given \(x \in \{0,1\}^{2n}\), outputs the first k bits of \(\mathsf {NMExt}(x)\). The encoder, given a message s, outputs a uniformly random string in \({\mathsf {Dec}}^{-1}(s)\). Then, the pair \(({\mathsf {Enc}}, {\mathsf {Dec}})\) is a non-malleable code with error \(\exp (-\varOmega (n))\) for the family of split-state adversaries.
Proof
Take \(k = \frac{1}{2} \min \{ m, n-k_1, n-k_2, \log (1/\epsilon ) \}\), which implies that \(k = \varOmega (n)\) by the assumptions on the parameters. Furthermore, we let \(\epsilon ' := 2^{-2k} \geqslant \epsilon \).
Let \(\mathsf {NMExt}':\{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^k\) be defined from \(\mathsf {NMExt}\) by truncating the output to the first k bits. Observe that, as for ordinary extractors, truncating the output of a non-malleable extractor does not affect any of the parameters other than the output length. In particular, \(\mathsf {NMExt}'\) is also a relaxed two-source non-malleable \((k_1, k_2, \epsilon )\)-extractor with output length \(\varOmega (n)\).
In fact, our setup implies that \(\mathsf {NMExt}'\) is a relaxed two-source non-malleable \((n - \log (1/\epsilon '), n - \log (1/\epsilon '), \epsilon ')\)-extractor with output length \(\varOmega (n)\). By Lemma 5.6, we see that \(\mathsf {NMExt}'\) is a two-source non-malleable \((n, n, 4\epsilon ')\)-extractor. We can now apply Theorem 5.7 to conclude that \(({\mathsf {Enc}}, {\mathsf {Dec}})\) is a non-malleable code with error \(4\epsilon '(2^k + 1) = O(2^{-k}) = \exp (-\varOmega (n))\) for split-state adversaries.\(\square \)
Existence Bounds on Non-malleable Extractors
So far, we have introduced different notions of seedless non-malleable extractors without addressing their existence. In this section, we show that the same technique used by [13] applies in a much more general setting and in fact yields non-malleable extractors with respect to every family of randomness sources and every family of tampering adversaries, both of bounded size. The main technical tool needed for proving this general claim is the following theorem.
Theorem 5.10
Let \(\mathcal {X}\) be a distribution over \(\{0,1\}^n\) having min-entropy at least k, and consider arbitrary functions \(f:\{0,1\}^n \rightarrow \{0,1\}^n\) and \(g:\{0,1\}^n \rightarrow \{0,1\}^d\). Let \(\mathsf {NMExt}:\{0,1\}^n \rightarrow \{0,1\}^m\) be a uniformly random function. Then, for any \(\epsilon > 0\), with probability at least \(1-8\exp (2^{2m+d}-\epsilon ^3 2^{k-6})\) the following hold.

1.
The function \(\mathsf {NMExt}\) extracts the randomness of \(\mathcal {X}\) even conditioned on the knowledge of g(X); i.e.,
$$\begin{aligned} \mathscr {D}(g(X), \mathsf {NMExt}(X)) \approx _\epsilon \mathscr {D}(g(X), \mathcal {U}_m). \end{aligned}$$(42) 
2.
Let \(X \sim \mathcal {X}\) and \(U \sim \mathcal {U}_m\). Define the following random variable over \(\{0,1\}^m \cup \{ {\underline{\mathsf {same}}}\}\):
$$\begin{aligned} Y := {\left\{ \begin{array}{ll} {\underline{\mathsf {same}}}&{} \text {if } f(X) = X \\ \mathsf {NMExt}(f(X)) &{} \text {if } f(X) \ne X. \end{array}\right. } \end{aligned}$$(43)Then,
$$\begin{aligned} \mathscr {D}(g(X), \mathsf {NMExt}(X), \mathsf {NMExt}(f(X))) \approx _\epsilon \mathscr {D}(g(X), U, \mathsf {copy}(Y, U)). \end{aligned}$$(44) 
3.
\(\mathsf {NMExt}\) is a nonmalleable function with respect to the distribution \(\mathcal {X}\) and tampering function f.
Proof
The proof borrows ideas from the existence proof of seeded nonmalleable extractors in [13]. The only difference is that we observe the same argument holds in a much more general setting.
First, we observe that it suffices to prove (44): the extraction property (42) follows from (44), and so does the non-malleability of the function \(\mathsf {NMExt}\); in particular, one can use the explicit choice (43) of the random variable Y in Definition 5.1.
Let \(X \sim \mathcal {X}\), \(S := \mathsf {supp}(X)\), and \(N := 2^n\), \(K := 2^k\), \(M := 2^m\), \(D := 2^d\). We will use the shorthands
and
We separate the analysis between the fixed points of f (i.e., inputs x such that \(f(x) = x\)) and the remaining inputs. To do so, let \(\beta = \Pr [f(X) \ne X]\), and let us first assume that \(\beta \geqslant \epsilon /2\). Let \(\mathcal {X}'\) be the distribution of X conditioned on the event \(f(X) \ne X\), and let \(X' \sim \mathcal {X}'\). The min-entropy of \(\mathcal {X}'\) is
Instead of working with the tampering function f, for technical reasons it is more convenient to consider a related function \(f'\) that does not have any fixed points. Namely, let \(f':\{0,1\}^n \rightarrow \{0,1\}^n\) be any function such that
We now consider the distribution \(\mathcal {X}'\) (instead of the original \(\mathcal {X}\)) and the adversary \(f'\) (which behaves the same as f on \(\mathcal {X}'\)). By construction, \(\Pr [f'(X') = X'] = 0\) (and in fact, also \(\Pr [f'(X) = X] = 0\)).
Consider any distinguisher \(h:\{0,1\}^d \times \{0,1\}^{2m} \rightarrow \{0,1\}\). Let
and
Here, the probability is taken only over the random variable \(X'\) and with respect to the particular realization of the function \(\mathsf {NMExt}\). That is, P and \(\bar{P}\) are random variables depending on the randomness of the random function \(\mathsf {NMExt}\). Our goal, in order to prove the statistical closeness in (44), is to show that for any distinguisher h as defined above, the distribution of the bit output by h is insensitive (up to a bias change of \(\epsilon \)) to whether the distinguisher is given a sample from the left-hand side or the right-hand side of (44). In fact, in the sequel we show that this is the case with overwhelming probability over the random choice of the extractor \(\mathsf {NMExt}\), and we then take a union bound over all possible choices of h.
For \(x \in \{0,1\}^n\), we define
and
Note that \(P_x\) and \(\bar{P}_x\) are defined similarly to P and \(\bar{P}\) but with respect to a fixed choice of x (thus P and \(\bar{P}\) would be the expectation of \(P_x\) and \(\bar{P}_x\), respectively, when x is randomly drawn from \(\mathcal {X}'\)). Again, \(P_x\) and \(\bar{P}_x\) are random variables depending only on the randomness of the function \(\mathsf {NMExt}\). Since for any x, \(\mathsf {NMExt}(x)\) and \(\mathsf {NMExt}(f'(x))\) are uniformly distributed and independent (due to the assumption that \(f'(x) \ne x\)), it follows that \(P_x\) and \(\bar{P}_x\) both have the same distribution as \(h(g(x), \mathcal {U}_{2m})\) and thus
As in [13], we represent \(f'\) as a directed graph \(G=(V,E)\) with \(V := \{0,1\}^n\) and \((x, y) \in E\) iff \(f'(x) = y\). By construction, G has no self-loops and the out-degree of each vertex is one. As shown in [13, Lemma 39 of the full version], V can be partitioned as \(V = V_1 \cup V_2\) such that \(|V_1| = |V_2|\) and, moreover, the restrictions of G to the vertices in \(V_1\) and \(V_2\) (respectively denoted by \(G_1\) and \(G_2\)) are both acyclic graphs.
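The acyclicity part of this graph-theoretic fact is easy to experiment with. The sketch below (our own illustration; all names are ours) 2-colours a functional graph with no fixed points so that every cycle receives both colours, which makes both induced subgraphs acyclic. The balanced version used in [13] additionally makes the two classes equal in size, which this sketch does not attempt:

```python
def find_cycles(f):
    """All cycles of the functional graph x -> f[x] (one per component)."""
    n, state, cycles = len(f), [0] * len(f), []   # 0 new, 1 on path, 2 done
    for s in range(n):
        if state[s]:
            continue
        path, x = [], s
        while state[x] == 0:
            state[x] = 1
            path.append(x)
            x = f[x]
        if state[x] == 1:                  # walked into our own path: a cycle
            cycles.append(path[path.index(x):])
        for v in path:
            state[v] = 2
    return cycles

def two_colour(f):
    """Colour vertices so that every cycle contains both colours."""
    colour = [0] * len(f)
    for cyc in find_cycles(f):
        for i, v in enumerate(cyc):
            colour[v] = i % 2              # alternate; len(cyc) >= 2 suffices
    return colour

def induced_is_acyclic(f, colour, c):
    """Check that following f while staying inside class c never loops."""
    for s in range(len(f)):
        seen, x = set(), s
        while colour[x] == c:
            if x in seen:
                return False
            seen.add(x)
            x = f[x]
    return True

f = [3, 0, 1, 1, 3, 2]                     # a functional graph, no fixed points
col = two_colour(f)
assert induced_is_acyclic(f, col, 0) and induced_is_acyclic(f, col, 1)
```

Any cycle of an induced subgraph must be a cycle of the original graph (every vertex has out-degree at most one), so breaking each cycle across the two classes is enough.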
For \(x \in \{0,1\}^n\), define \(q(x) := \Pr [X' = x]\). It is clear that
and,
and consequently,
Let \(x_1, \ldots , x_{N/2}\) be the sequence of vertices of \(G_1\) in reverse topological order. This means that for every \(i \in [N/2-1]\),
In general, the random variables \((P_x  \bar{P}_x)\) are not necessarily independent for different values of x. However, (45) allows us to assert conditional independence of these variables in the following form.
Therefore, the sequence
forms a martingale, and by Azuma’s inequality, we have the concentration bound
The assumption on the min-entropy of \(X'\), on the other hand, implies that
A similar result can be proved for \(V_2\); using the above bounds combined with the triangle inequality, we conclude that
That is, with probability at least \(1-\eta \) over the randomness of \(\mathsf {NMExt}\),
Since f and \(f'\) are designed to act identically on the support of \(X'\), in the above result we can replace \(f'\) by f. Moreover, by taking a union bound over all possible choices of the distinguisher, we can ensure that with probability at least \(1-\eta 2^{M^2 D}\), the realization of \(\mathsf {NMExt}\) is such that
We conclude that, regardless of the value of \(\beta \), we can write
where in the above notation, probability distributions are seen as vectors of probabilities that can be multiplied by a scalar \(\beta \), and the distance measure is half the \(\ell _1\) distance between vectors (note that (48) trivially holds for the case \(\beta < \epsilon /2\)).
Observe that (47) in particular implies that
and the argument above does not use any property of the tampering functions f and \(f'\) (i.e., not having fixed points on \(\mathsf {supp}(X')\)) in order to prove that (49) holds with high probability (note that the tampering functions f and \(f'\) do not appear in the expression (49), and that (49) simply represents the guarantee that needs to be satisfied by standard extractors). That is, in the above we have shown that (49) holds with probability at least \(1-\eta 2^{M^2 D}\) regardless of what the functions f and \(f'\) are.
Now we consider the distribution of X conditioned on the event \(f(X) = X\), which we denote by \(\mathcal {X}''\). Again, we first assume that \(1-\beta \geqslant \epsilon /2\), in which case we get
In this case, the argument leading to (49) (this time, with the random variable \(X'\) replaced by \(X''\)) shows that with probability at least \(1-\eta 2^{M^2 D}\) over the choice of \(\mathsf {NMExt}\), and for \(U \sim \mathcal {U}_m\), we have
For general \(\beta \), we can thus write (in a similar fashion to (48))
Now, we may add up (48) and (50) and use the triangle inequality to deduce that, with probability at least \(1-2\eta 2^{M^2 D}\) over the choice of \(\mathsf {NMExt}\),
The result (44) now follows after observing that the convex combination on the right-hand side of (51) is the same as \(\mathscr {D}(g(X), U, \mathsf {copy}(Y, U))\). \(\square \)
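The flavour of this probabilistic claim can be checked empirically on toy parameters. In the sketch below (our own illustration, with arbitrarily chosen toy sizes and a deliberately loose threshold), a uniformly random function is tested against a fixed-point-free tampering function: since the tampering never fixes its input, the joint distribution of \((\mathsf{NMExt}(X), \mathsf{NMExt}(f(X)))\) should be close to an independent pair, namely a uniform output times the tampered marginal:

```python
import random

rng = random.Random(7)
n, m = 10, 1
N = 2 ** n
table = [rng.randrange(2 ** m) for _ in range(N)]  # a random NMExt
f = lambda x: x ^ 1                                # tampering, no fixed points

# exact joint distribution of (NMExt(X), NMExt(f(X))) for uniform X
joint = {}
for x in range(N):
    key = (table[x], table[f(x)])
    joint[key] = joint.get(key, 0.0) + 1.0 / N

# the predicted product distribution: uniform times the tampered marginal
marg = {}
for x in range(N):
    marg[table[f(x)]] = marg.get(table[f(x)], 0.0) + 1.0 / N
ideal = {(u, y): p / 2 ** m for y, p in marg.items() for u in range(2 ** m)}

# statistical distance between the two
sd = sum(abs(joint.get(t, 0) - ideal.get(t, 0))
         for t in set(joint) | set(ideal)) / 2
print(round(sd, 3))
assert sd < 0.15   # far below 1: a single random table already behaves well
```

The threshold 0.15 is very generous; for these sizes the typical distance is on the order of \(1/\sqrt{N}\).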
As mentioned before, the above theorem is powerful enough to show the existence of any desired form of non-malleable extractor, as long as the class of sources and the family of tampering functions (which are even allowed to have fixed points) are of bounded size. In particular, it is possible to use the theorem to recover the result of [13] on the existence of strong seeded non-malleable extractors by considering both the seed and the input of the extractor as an n-bit string, and letting the “side information function” g(X) be one that simply outputs the seed part of the input. The family of tampering functions, on the other hand, would consist of all functions that act on the portion of the n-bit string corresponding to the extractor’s seed.
For our particular application, we apply Theorem 5.10 to show the existence of two-source non-malleable extractors. In fact, it is possible to prove the existence of strong two-source extractors, in the sense that either of the two sources may be revealed to the distinguisher while extraction and non-malleability are still guaranteed. However, such strong extractors are not needed for our application.
Theorem 5.11
Let \(\mathsf {NMExt}:\{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^m\) be a uniformly random function. For any \(\gamma , \epsilon > 0\) and parameters \(k_1, k_2 \leqslant n\), with probability at least \(1-\gamma \) the function \(\mathsf {NMExt}\) is a two-source non-malleable \((k_1, k_2, \epsilon )\)-extractor provided that
Proof
First, we note that, as for ordinary extractors, Definition 5.3 is unaffected if one only considers random sources in which each component is a flat distribution.
Let \(K_1 := 2^{k_1}\), \(K_2 := 2^{k_2}\), \(N := 2^n\), \(M := 2^m\). Without loss of generality, assume that \(K_1\) and \(K_2\) are integers. Let \(\mathfrak {X}\) be the class of distributions \(\mathcal {X}= (\mathcal {X}_1, \mathcal {X}_2)\) over \(\{0,1\}^n \times \{0,1\}^n\) such that \(\mathcal {X}_1\) and \(\mathcal {X}_2\) are flat sources with min-entropy at least \(k_1\) and \(k_2\), respectively. Note that the min-entropy of \(\mathcal {X}\) is at least \(k_1 + k_2\). Without loss of generality, we assume that \(k_1 \leqslant k_2\). The number of such sources can be bounded as
The family \(\mathcal {F}\) of tampering functions can be written as \(\mathcal {F}= \mathcal {F}_1 \times \mathcal {F}_2\), where \(\mathcal {F}_1\) and \(\mathcal {F}_2\) contain functions that act on the first and second n bits, respectively. For the family \(\mathcal {F}_1\), it suffices to only consider functions that act arbitrarily on some set of \(K_1\) points in \(\{0,1\}^n\), but are equal to the identity function on the remaining inputs. This is because a tampering function \(f_1 \in \mathcal {F}_1\) will be applied to some distribution \(\mathcal {X}_1\) which is only supported on a particular set of \(K_1\) points in \(\{0,1\}^n\), and thus the extractor’s behavior on \(\mathcal {X}_1\) is not affected by how \(f_1\) is defined outside the support of \(\mathcal {X}_1\). From this observation, we can bound the size of \(\mathcal {F}\) as
Now, we can apply Theorem 5.10 on the input domain \(\{0,1\}^n \times \{0,1\}^n\). The choice of the function g is not important for our result, since we do not require two-source extractors that are strong with respect to either of the two sources. We can thus set \(g(x) = 0\) for all \(x \in \{0,1\}^{2n}\). By taking a union bound over all choices of \(\mathcal {X}\in \mathfrak {X}\) and \((f_1, f_2) \in \mathcal {F}\), we deduce that the probability that \(\mathsf {NMExt}\) fails to satisfy Definition 5.3 for some choice of the two sources in \(\mathfrak {X}\) and some tampering function in \(\mathcal {F}\) is at most
This probability can be made less than \(\gamma \) provided that
as desired. \(\square \)
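The source-counting step of this union bound can be reproduced numerically. A sketch (our own illustration; the parameters are arbitrary toy values) that computes the number of pairs of flat sources in log-scale and checks it against the standard bound \(\binom{N}{K} \leqslant (eN/K)^K\):

```python
from math import comb, e, lgamma, log

def log2_binom(n, k):
    """log2 of C(n, k) via lgamma, usable when C(n, k) is astronomically large."""
    return (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)) / log(2)

# sanity check against an exactly computable case
assert abs(log2_binom(30, 12) - log(comb(30, 12), 2)) < 1e-9

# pairs of flat sources: each is uniform over a K_i-subset of {0,1}^n
n, k1, k2 = 20, 12, 14
N, K1, K2 = 2 ** n, 2 ** k1, 2 ** k2
log2_sources = log2_binom(N, K1) + log2_binom(N, K2)

# the entropy bound C(N, K) <= (e*N/K)^K used in such counting arguments
bound = K1 * log(e * N / K1, 2) + K2 * log(e * N / K2, 2)
assert log2_sources <= bound
```

The point is only that the number of sources (and, similarly, of restricted tampering functions) is singly exponential in \(K_1 + K_2\), which the doubly exponential success probability of Theorem 5.10 can absorb.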
We are finally ready to prove that there are non-malleable two-source extractors defining coding schemes that are secure in the split-state model and achieve constant rates; in particular, rates arbitrarily close to 1/5.
Corollary 5.12
For every \(\alpha > 0\), there is a choice of \(\mathsf {NMExt}\) in Theorem 5.7 that makes \(({\mathsf {Enc}}, {\mathsf {Dec}})\) a non-malleable coding scheme against split-state adversaries achieving rate \(1/5-\alpha \) and error \(\exp (-\varOmega (\alpha n))\).
Proof
First, for some \(\alpha '\), we use Theorem 5.11 to show that if \(\mathsf {NMExt}:\{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^k\) is randomly chosen, then with probability at least .99 it is a two-source non-malleable \((n, n, 2^{-k(1+\alpha ')})\)-extractor, provided that
which can be satisfied for some \(k \geqslant (2/5) n - \varOmega (\alpha ' n)\). Now, we can choose \(\alpha ' = \varOmega (\alpha )\) so as to ensure that \(k \geqslant 2n(1/5-\alpha )\) (thus keeping the rate above \(1/5-\alpha \)) while having \(\epsilon \leqslant 2^{-k} \exp (-\varOmega (\alpha n))\). We can now apply Theorem 5.7 to attain the desired result. \(\square \)
Notes
 1.
Throughout the paper, by pseudorandom permutation we mean a t-wise independent permutation (as in Definition 2.7) for an appropriate choice of t. This should not be confused with cryptographic pseudorandom permutations, which are not used in this work.
 2.
Several of these constructions are structured enough to easily allow for efficient sampling of a uniform preimage from \(\mathsf {Ext}^{-1}(s)\).
 3.
Although we use LECSS codes in our explicit construction, contrary to [15] we do not directly use the linearity of the code for our proof.
 4.
We can extend the construction to arbitrary block lengths N by standard padding techniques and observing that the set of block lengths for which the construction is defined is dense enough to allow padding without affecting the rate.
 5.
Alternatively, it is possible to sample a random choice for \(\mathcal {C}_0\) and then verify that it satisfies the properties of Lemma 3.5, thereby obtaining a Las Vegas construction that is more efficient (in terms of the dependence on the constant \(\gamma _0\)) than a brute-force search. The construction would be even more efficient in Monte Carlo form; i.e., if one avoids verification of the candidate \(\mathcal {C}_0\).
 6.
To be precise, explicitness is guaranteed assuming that a large prime \(p = \exp (\tilde{\varOmega }(k+\log (1/\epsilon )))\) is available.
 7.
For a background on standard seeded and seedless extractors, see [7, Chapter 2].
 8.
To see that the listed conditions do not necessarily follow from Definition 5.4 for every pair of adversaries \((f_1, f_2)\), suppose \(\mathcal {X}\) and \(\mathcal {Y}\) are fully uniform and consider the function (with a single-bit output) \(\mathsf {NMExt}(X, Y) = \langle X+Y, \varvec{1}^n \rangle \), where the addition is bit-wise XOR, the inner product is over the binary field, and \(\varvec{1}^n\) is the all-ones vector of length n. Trivially, \(\mathsf {NMExt}(X, Y)\) is uniform in this case. Now consider tampering functions \(f_1(X)\) and \(f_2(Y)\) that respectively flip the first two bits of X and Y. Note that \(\mathsf {NMExt}(f_1(X), Y) = \mathsf {NMExt}(X, f_2(Y)) = \mathsf {NMExt}(f_1(X), f_2(Y)) = \mathsf {NMExt}(X,Y)\). Therefore, with respect to the chosen adversaries, the function \(\mathsf {NMExt}\) can be seen to be non-malleable according to Definition 5.1 by taking a one-point distribution \(\mathcal {D}\) that is fully supported on \(\{{\underline{\mathsf {same}}}\}\). However, in this case none of the requirements listed in Remark 5.5 is satisfied.
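The computation in this footnote can be verified mechanically; the following sketch (the helper names are ours, and "first two bits" is taken to mean two fixed bit positions) checks all three tampered evaluations against the untampered one:

```python
def nmext(x, y, n):
    """<x + y, 1^n> over GF(2): the parity of x XOR y on n bits."""
    return bin((x ^ y) & ((1 << n) - 1)).count("1") % 2

def flip_first_two(z, n):
    """Flip two fixed bit positions (here, the two highest-order bits)."""
    return z ^ (0b11 << (n - 2))

n = 8
for x in range(2 ** n):
    for y in range(0, 2 ** n, 17):          # a sample of y's keeps this quick
        fx, fy = flip_first_two(x, n), flip_first_two(y, n)
        base = nmext(x, y, n)
        assert nmext(fx, y, n) == base      # tampering x alone is invisible
        assert nmext(x, fy, n) == base      # tampering y alone is invisible
        assert nmext(fx, fy, n) == base     # tampering both is invisible
```

Flipping two bits of either half flips an even number of bits of \(X \oplus Y\), so the parity never changes.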
References
 1.
D. Aggarwal, Y. Dodis, T. Kazana, M. Obremski, Nonmalleable reductions and applications, in Cryptology ePrint Archive, Report 2014/821 (2014). http://eprint.iacr.org/
 2.
D. Aggarwal, Y. Dodis, S. Lovett, Nonmalleable codes from additive combinatorics, in Proceedings of the 46th Annual ACM Symposium on Theory of Computing (2014), pp. 774–783
 3.
B. Barak, A. Rao, R. Shaltiel, A. Wigderson, 2Source dispersers for subpolynomial entropy and Ramsey graphs beating the Frankl–Wilson construction. Ann. Math. 176(3), 1483–1544 (2012)
 4.
J. Bourgain, More on the Sum–Product phenomenon in prime fields and its applications. Int. J. Number Theory 1(1), 1–32 (2005)
 5.
E. Chattopadhyay, V. Goyal, X. Li, Nonmalleable extractors and codes, with their many tampered extensions. Preprint arXiv:1505.00107 (2015)
 6.
E. Chattopadhyay, D. Zuckerman, Nonmalleable codes against constant splitstate tampering, in Proceedings of the 55th Annual IEEE Symposium on Foundations of Computer Science (FOCS) (2014), pp. 306–315
 7.
M. Cheraghchi, Applications of Derandomization Theory in Coding. Ph.D. Thesis, Swiss Federal Institute of Technology (EPFL), Lausanne, Switzerland (2010). http://eccc.hpi-web.de/static/books/Applications_of_Derandomization_Theory_in_Coding/
 8.
M. Cheraghchi, V. Guruswami, Capacity of nonmalleable codes, in Proceedings of Innovations in Theoretical Computer Science (ITCS 2014) (2014)
 9.
M. Cheraghchi, V. Guruswami, Nonmalleable coding against bitwise and splitstate tampering, in Proceedings of Theory of Cryptography Conference (TCC 2014) (2014)
 10.
B. Chor, O. Goldreich, Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput. 17(2), 230–261 (1988)
 11.
R. Cramer, H. Chen, S. Goldwasser, R. de Haan, V. Vaikuntanathan, Secure computation from random errorcorrecting codes, in Proceedings of Eurocrypt 2007 (2007), pp. 291–310
 12.
R. Cramer, Y. Dodis, S. Fehr, C. Padró, D. Wichs, Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors, in Proceedings of EUROCRYPT 2008 (2008), pp. 471–488
 13.
Y. Dodis, D. Wichs, Nonmalleable extractors and symmetric key cryptography from weak secrets, in Proceedings of the 41st annual ACM Symposium on Theory of Computing (2009), pp. 601–610. Full version published in Cryptology ePrint Archive, Report 2008/503 (eprint.iacr.org/2008/503)
 14.
S. Dziembowski, T. Kazana, M. Obremski, Nonmalleable codes from twosource extractors, in Proceedings of CRYPTO (2013), pp. 239–257
 15.
S. Dziembowski, K. Pietrzak, D. Wichs, Nonmalleable codes, in Proceedings of Innovations in Computer Science (ICS 2010) (2010)
 16.
G.D. Forney, Concatenated Codes (MIT Press, Cambridge, 1966)
 17.
V. Guruswami, A. Smith, Codes for computationally simple channels: explicit constructions with optimal rate, in Proceedings of FOCS 2010 (2010), pp. 723–732
 18.
J. Justesen, A class of constructive asymptotically good algebraic codes. IEEE Trans. Inf. Theory 18, 652–656 (1972)
 19.
Y. Kalai, X. Li, A. Rao, Network extractor protocols, in 50th Annual IEEE Symposium on Foundations of Computer Science (FOCS) (2009), pp. 617–626
 20.
E. Kaplan, M. Naor, O. Reingold, Derandomized constructions of \(k\)wise (almost) independent permutations, in Proceedings of RANDOM 2005 (2005), pp. 113–133
 21.
A. Rao, A 2source almostextractor for linear entropy, in Proceedings of RANDOM 2008 (2008), pp. 549–556
 22.
R. Raz, Extractors with weak random seeds, in Proceedings of the37th Annual ACM Symposium on Theory of Computing (STOC) (2005), pp. 11–20
 23.
R. Raz, A. Yehudayoff, Multilinear formulas, maximalpartition discrepancy and mixedsources extractors. J. Comput. Syst. Sci 77(1), 167–190 (2011)
 24.
S. Vadhan, Pseudorandomness. Found. Trends Theor. Comput. Sci. 7(1–3), 1–336 (2012)
Acknowledgments
The authors would like to thank the anonymous referees for their careful reading of an earlier draft of this work and their numerous helpful comments.
Additional information
A preliminary version of this article appears under the same title in the proceedings of the Theory of Cryptography Conference (TCC 2014) [9]; Mahdi Cheraghchi: Research supported in part by V. Guruswami’s Packard Fellowship, the MSR-CMU Center for Computational Thinking, and the Swiss National Science Foundation research grant PA00P2-141980. Work done for the most part while the author was with the Computer Science Department of Carnegie Mellon University and the MIT Computer Science and Artificial Intelligence Laboratory; Venkatesan Guruswami: Research supported in part by the National Science Foundation under Grant No. CCF-0963975. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Communicated by Rafail Ostrovsky.
Appendices
Appendix 1: Construction of LECSS Codes
In this section, we recall a well-known construction of LECSS codes based on linear error-correcting codes [11, 15]. Construction 2 defines the reduction.
The main tool that we use is the following lemma, which appears (in a slightly different form) in [15] (which in turn is based on [11]). We include a proof for completeness.
Lemma 5.13
The pair \(({\mathsf {Enc}}, {\mathsf {Dec}})\) of Construction 2 is a \((\delta N/\log q, \tau N/\log q)\)-linear error-correcting coding scheme.
Proof
First, observe that the linearity condition of Definition 2.8 follows from the fact that \({\mathsf {Enc}}\) is an injective linear function of \((s_1, \ldots , s_k)\) as defined in Construction 2. Furthermore, the distance property of the coding scheme follows from the fact that \({\mathsf {Enc}}\) encodes the message with an error-correcting code of distance at least \(\delta n = \delta N/(\log q)\).
In order to see the bounded independence property of Definition 2.8, consider a fixed message \(s \in \{0,1\}^K\), which in turn fixes the vector \((s_{k_0+1}, \ldots , s_k)\) in Construction 2. Let \(G_0\) denote the submatrix of G defined by the first \(k_0\) rows. Consider the vector \(S' \in \mathbb {F}_q^n\) given by
$$\begin{aligned} S' := (s_1, \ldots , s_{k_0}) \cdot G_0 + a, \end{aligned}$$
where \(a \in \mathbb {F}_q^n\) is an affine shift uniquely determined by s. Recall that the assumption on the dual distance of the code spanned by the rows of \(G_0\) implies that every \(\tau n\) columns of \(G_0\) are linearly independent. Since \((s_1, \ldots , s_{k_0})\) is a uniformly random vector, this implies that the restriction of \(S'\) to any set of \(\tau n = \tau N/(\log q)\) coordinates is uniformly random (as a vector in \(\mathbb {F}_q^{\tau n}\)). Since \({\mathsf {Enc}}(s)\) is the bit representation of \(S'\), it follows that the random vector \({\mathsf {Enc}}(s)\) is \((\tau N/(\log q))\)-wise independent. \(\square \)
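To make the bounded-independence step concrete, the following toy Python check (with an assumed small field \(\mathbb {F}_7\) and parameters far smaller than the construction's actual \(q = n\)) verifies that when \(G_0\) is a Vandermonde matrix, the restriction of \((s_1, \ldots , s_{k_0}) \cdot G_0\) to any \(k_0\) coordinates is uniform:

```python
from itertools import combinations, product

# Toy parameters, chosen for illustration only (the construction uses q = n).
q = 7                      # small prime field F_7
n, k0 = 6, 2               # code length and number of uniformly random rows
pts = [1, 2, 3, 4, 5, 6]   # distinct evaluation points
# G0: k0 x n Vandermonde matrix, i.e., the first k0 rows of a Reed-Solomon generator.
G0 = [[pow(a, i, q) for a in pts] for i in range(k0)]

# Any k0 columns of G0 are linearly independent, so the restriction of
# (s_1, ..., s_{k0}) * G0 to any k0 coordinates is a bijection of F_q^{k0},
# hence uniform when (s_1, ..., s_{k0}) is uniform.
for cols in combinations(range(n), k0):
    seen = {tuple(sum(s[i] * G0[i][c] for i in range(k0)) % q for c in cols)
            for s in product(range(q), repeat=k0)}
    assert len(seen) == q ** k0   # all q^{k0} restrictions occur exactly once
```

The same argument over \(\mathbb {F}_q\) with \(q = n\) gives the \((\tau N/\log q)\)-wise independence claimed in the proof.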
Instantiation Using Reed–Solomon codes
A simple way to instantiate Construction 2 is using Reed–Solomon codes. For a target rate parameter \(r := 1-\alpha \), we set up the parameters as follows. For simplicity, assume that n is a power of two.

1. The field size is \(q := n\). Therefore, \(N = n \log n\).

2. Set \(k := \lceil n(1-\alpha /2) \rceil \) and \(k_0 := \lfloor \alpha n/2 \rfloor \). Therefore, \(K := (k-k_0) \log q \geqslant n(1-\alpha ) \log n\), which ensures that the rate of the coding scheme is at least \(1-\alpha \).

3. Since G generates a Reed–Solomon code, which is an MDS code, we have \(\delta = 1-k/n \geqslant \alpha /2-1/n = \varOmega (\alpha )\).

4. We note that the matrix G is a \(k \times n\) Vandermonde matrix whose first \(k_0\) rows also form a Vandermonde matrix spanning a Reed–Solomon code. The relative dual distance of the code formed by the span of the first \(k_0\) rows of G is thus at least \(\tau = k_0/n \geqslant \alpha /2 - 1/n = \varOmega (\alpha )\).

In particular, Lemma 5.13 applied to the above setup of the parameters implies that the resulting coding scheme is an \((\varOmega (\alpha N/\log n), \varOmega (\alpha N/\log n))\)-linear error-correcting secret sharing code.
When n is not a power of two, it is still possible to pick the least \(q \geqslant n\) which is a power of two and obtain similar results. In general, we have the following corollary of Lemma 5.13.
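As a sanity check on the parameter arithmetic above, the following Python sketch recomputes \(N, K, \delta , \tau \) and verifies the claimed bounds. The function name and the concrete choice \(n = 1024\), \(\alpha = 1/4\) are ours, for illustration only:

```python
import math

def lecss_params(n, alpha):
    """Parameter setup for the Reed-Solomon instantiation (n a power of two)."""
    q = n                              # field size q := n
    log_q = int(math.log2(q))          # log q = log n
    N = n * log_q                      # binary block length
    k = math.ceil(n * (1 - alpha / 2))
    k0 = math.floor(alpha * n / 2)
    K = (k - k0) * log_q               # binary message length
    delta = 1 - k / n                  # relative distance (MDS bound)
    tau = k0 / n                       # relative dual distance of first k0 rows
    return N, K, delta, tau

n, alpha = 1024, 0.25                  # illustrative parameters
N, K, delta, tau = lecss_params(n, alpha)
assert K >= (1 - alpha) * N            # rate at least 1 - alpha
assert delta >= alpha / 2 - 1 / n      # delta = Omega(alpha)
assert tau >= alpha / 2 - 1 / n        # tau = Omega(alpha)
```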
Corollary 5.14
For every integer \(n \geqslant 1\) and \(\alpha \in (0,1)\), there is an explicit construction of a binary coding scheme \(({\mathsf {Enc}}, {\mathsf {Dec}})\) of block length n and message length \(k \geqslant n(1-\alpha )\) which is an \((\varOmega (\alpha n/\log n), \varOmega (\alpha n/\log n))\)-linear error-correcting secret sharing code. \(\square \)
Appendix 2: Useful Tools
On some occasions in the paper, we deal with a chain of correlated random variables \(0 = X_0, X_1, \ldots , X_n\) where we wish to understand an event depending on \(X_i\) conditioned on the knowledge of the previous variables. That is, for a real-valued function g, we wish to understand
$$\begin{aligned} \mathbb {E}[g(X_i) \mid X_0, \ldots , X_{i-1}]. \end{aligned}$$
The following proposition shows that in order to understand the above quantity, it suffices to have an estimate with respect to a more restricted event than the knowledge of \(X_0, \ldots , X_{i-1}\). Formally, we can state the following, where X stands for \(X_i\) in the above example and Y stands for \((X_0, \ldots , X_{i-1})\).
Proposition 5.15
Let X and Y be possibly correlated random variables and let Z be a random variable such that the knowledge of Z determines Y; that is, \(Y = f(Z)\) for some function f. Suppose that for every possible outcome of the random variable Z, namely, for every \(z \in \mathsf {supp}(Z)\), and for some real-valued function g, we have
$$\begin{aligned} \mathbb {E}[g(X) \mid Z = z] \in I \end{aligned}$$
(52)
for a particular interval I. Then, for every \(y \in \mathsf {supp}(Y)\),
$$\begin{aligned} \mathbb {E}[g(X) \mid Y = y] \in I. \end{aligned}$$
Proof
Let \(T = \{ z \in \mathsf {supp}(Z) : f(z) = y \}\), and let \(p(z) := \Pr [Z = z \mid Y = y]\). Then,
$$\begin{aligned} \mathbb {E}[g(X) \mid Y = y] = \sum _{z \in T} p(z) \, \mathbb {E}[g(X) \mid Z = z]. \end{aligned}$$
Since, by (52), each \(\mathbb {E}[g(X) \mid Z = z]\) lies in I and \(\sum _{z \in T} p(z) = 1\), we deduce that \(\mathbb {E}[g(X) \mid Y = y] \in I\) as well.
\(\square \)
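The averaging step in the proof above is elementary; the following small Python sketch (with hypothetical conditional means, chosen only for illustration) checks numerically that a convex combination of values lying in an interval I remains in I:

```python
import random

random.seed(1)
lo, hi = 0.4, 0.6                     # the interval I (toy choice)
# Hypothetical conditional means E[g(X) | Z = z], all lying in I.
cond_means = {z: lo + (hi - lo) * random.random() for z in range(5)}
weights = [random.random() for _ in range(5)]
p = [w / sum(weights) for w in weights]   # p(z) = Pr[Z = z | Y = y]; sums to 1
# E[g(X) | Y = y] is the p-weighted average of the conditional means.
avg = sum(p[z] * cond_means[z] for z in range(5))
assert lo <= avg <= hi                # the convex combination stays inside I
```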
Proposition 5.16
Let the random variable \(X \in \{0,1\}^n\) be uniform on a set of size at least \((1-\epsilon )2^n\). Then, \(\mathscr {D}(X)\) is \((\epsilon /(1-\epsilon ))\)-close to \(\mathcal {U}_n\).
Proposition 5.17
Let \(\mathcal {D}\) and \(\mathcal {D}'\) be distributions over the same finite space \(\varOmega \), and suppose they are \(\epsilon \)-close to each other. Let \(E \subseteq \varOmega \) be any event such that \(\mathcal {D}(E) = p\). Then, the conditional distributions \(\mathcal {D}|E\) and \(\mathcal {D}'|E\) are \((\epsilon /p)\)-close.
Lemma 5.18
Let \(({\mathsf {Enc}}, {\mathsf {Dec}})\) be a coding scheme of message length k which is non-malleable with respect to a family \(\mathcal {F}\) of adversaries with error \(\epsilon \). Let \(S \in \{0,1\}^k\) be a message drawn randomly according to any distribution and \(S' := {\mathsf {Dec}}(f({\mathsf {Enc}}(S)))\) for some \(f \in \mathcal {F}\). Then, there is an independent random variable \(S'' \in \{0,1\}^k\) and a parameter \(\alpha \in [0,1]\), both depending only on the code and f, such that \(\mathscr {D}(S')\) is \(\epsilon \)-close to the mixture \(\alpha \, \mathscr {D}(S) + (1-\alpha ) \, \mathscr {D}(S'')\).
Proof
Let \(\mathcal {D}_f\) be the distribution from Definition 2.3 over \(\{0,1\}^k \cup \{{\underline{\mathsf {same}}}\}\) and let \(\alpha = \mathcal {D}_f({\underline{\mathsf {same}}})\) be the probability assigned to \({\underline{\mathsf {same}}}\) by \(\mathcal {D}_f\). Let \(S_0 \sim \mathcal {D}_f\) be an independent random variable and \(S''\) be an independent random variable drawn from the distribution of \(S_0\) conditioned on the event \(S_0 \ne {\underline{\mathsf {same}}}\). By Definition 2.3, we have that \(\mathscr {D}(S')\) is \(\epsilon \)-close to the distribution that samples \(S_0\) and outputs S if \(S_0 = {\underline{\mathsf {same}}}\) and \(S_0\) otherwise, which can be seen by applying the definition for every fixing of S and taking a convex combination. In turn, the latter distribution equals the mixture \(\alpha \, \mathscr {D}(S) + (1-\alpha ) \, \mathscr {D}(S'')\),
which completes the proof. \(\square \)
Proposition 5.19
Let \(\mathcal {D}\) be the distribution of n independent bits, where each bit is \(\epsilon \)-close to uniform. Then, \(\mathcal {D}\) is \(O(n\epsilon )\)-close to \(\mathcal {U}_n\).
Proof
Let \(x \in \{0,1\}^n\) be any fixed string. Then,
$$\begin{aligned} \mathcal {D}(x) \leqslant (1/2 + \epsilon )^n = 2^{-n} (1 + 2\epsilon )^n \leqslant 2^{-n} (1 + O(\epsilon n)). \end{aligned}$$
Similarly, one can show that \(\mathcal {D}(x) \geqslant 2^{-n} (1 - O(\epsilon n))\). Now, the claim follows from the definition of statistical distance and using the above bounds for each x. \(\square \)
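The bound of Proposition 5.19 can be checked exhaustively for small n; the sketch below takes each bit to be Bernoulli\((1/2 + \epsilon )\), an assumed instance of a bit that is exactly \(\epsilon \)-far from uniform, and computes the statistical distance to \(\mathcal {U}_n\) exactly:

```python
from itertools import product

n, eps = 6, 0.01
p = 0.5 + eps        # each bit is exactly eps-far from uniform
# Exact statistical distance between D = Bernoulli(p)^n and the uniform U_n:
# half the L1 distance between the two probability mass functions.
dist = 0.5 * sum(abs(p ** sum(x) * (1 - p) ** (n - sum(x)) - 2 ** -n)
                 for x in product([0, 1], repeat=n))
assert 0 < dist <= n * eps   # consistent with the O(n * eps) bound
```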
We will use the following tail bound on sums of possibly dependent random variables, which is a direct consequence of Azuma’s inequality.
Proposition 5.20
Let \(0 = X_0, X_1, \ldots , X_n\) be possibly correlated indicator random variables such that for every \(i \in [n]\) and for some \(\gamma \geqslant 0\),
$$\begin{aligned} \mathbb {E}[X_i \mid X_0, \ldots , X_{i-1}] \leqslant \gamma . \end{aligned}$$
Then, for every \(c \geqslant 1\),
$$\begin{aligned} \Pr \Big [ \sum _{i=1}^{n} X_i \geqslant c \gamma n \Big ] \leqslant \exp \big ( -(c-1)^2 \gamma ^2 n/2 \big ), \end{aligned}$$
or equivalently, for every \(\delta > \gamma \),
$$\begin{aligned} \Pr \Big [ \sum _{i=1}^{n} X_i \geqslant \delta n \Big ] \leqslant \exp \big ( -(\delta - \gamma )^2 n/2 \big ). \end{aligned}$$
Proof
See [8] for a proof. \(\square \)
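For intuition, the sketch below checks such a tail bound empirically in the special case of i.i.d. Bernoulli\((\gamma )\) indicators (where every conditional expectation equals \(\gamma \)); the bound form \(\exp (-(\delta -\gamma )^2 n/2)\) used here is the standard Azuma-type consequence, assumed for this illustration:

```python
import math
import random

random.seed(0)
n, gamma, delta = 400, 0.1, 0.2            # toy parameters with delta > gamma
# Assumed Azuma-type tail bound exp(-(delta - gamma)^2 * n / 2).
bound = math.exp(-((delta - gamma) ** 2) * n / 2)

# Empirical tail Pr[sum X_i >= delta * n] for i.i.d. Bernoulli(gamma)
# indicators, a special case of the conditional-expectation hypothesis.
trials = 2000
hits = sum(sum(random.random() < gamma for _ in range(n)) >= delta * n
           for _ in range(trials))
assert hits / trials <= bound + 0.01       # empirical tail within the bound
```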
In a similar fashion (using Azuma’s inequality for submartingales rather than supermartingales in the proof), we may obtain a tail bound when we have a lower bound on conditional expectations.
Proposition 5.21
Let \(0 = X_0, X_1, \ldots , X_n\) be possibly correlated random variables in [0, 1] such that for every \(i \in [n]\) and for some \(\gamma \geqslant 0\),
$$\begin{aligned} \mathbb {E}[X_i \mid X_0, \ldots , X_{i-1}] \geqslant \gamma . \end{aligned}$$
Then, for every \(\delta < \gamma \),
$$\begin{aligned} \Pr \Big [ \sum _{i=1}^{n} X_i \leqslant \delta n \Big ] \leqslant \exp \big ( -(\gamma - \delta )^2 n/2 \big ). \end{aligned}$$
The lemma below shows that it is possible to sharply approximate a distribution \(\mathcal {D}\) with finite support by sampling possibly correlated random variables \(X_1, \ldots , X_n\) where the distribution of each \(X_i\) is close to \(\mathcal {D}\) conditioned on the previous outcomes, and computing the empirical distribution of the drawn samples.
Lemma 5.22
[8] Let \(\mathcal {D}\) be a distribution over a finite set \(\Sigma \) such that \(|\mathsf {supp}(\mathcal {D})| \leqslant r\). For any \(\eta , \epsilon , \gamma > 0\) such that \(\gamma < \epsilon \), there is a choice of \(n_0 = n_0(r, \eta , \epsilon , \gamma )\) such that for every \(n \geqslant n_0\) the following holds. Suppose \(0 = X_0, X_1, \ldots , X_n \in \Sigma \) are possibly correlated random variables such that for all \(i \in [n]\) and all values \(0 = x_0, x_1, \ldots , x_n \in \mathsf {supp}(\mathcal {D})\),
$$\begin{aligned} \big | \Pr [X_i = x_i \mid X_0 = x_0, \ldots , X_{i-1} = x_{i-1}] - \mathcal {D}(x_i) \big | \leqslant \gamma . \end{aligned}$$
Then, with probability at least \(1-\eta \), the empirical distribution of the outcomes \(X_1, \ldots , X_n\) is \(\epsilon \)-close to \(\mathcal {D}\).
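The i.i.d. special case (\(\gamma = 0\)) of the lemma is easy to check numerically; the sketch below uses an assumed toy distribution over three symbols and computes the statistical distance between the empirical distribution of the samples and \(\mathcal {D}\):

```python
import random
from collections import Counter

random.seed(0)
D = {"a": 0.5, "b": 0.3, "c": 0.2}   # toy target distribution, support size r = 3
eps, n = 0.05, 20000
# i.i.d. sampling corresponds to the gamma = 0 case of the lemma's hypothesis.
samples = random.choices(list(D), weights=list(D.values()), k=n)
emp = Counter(samples)
# Statistical distance between the empirical distribution and D.
dist = 0.5 * sum(abs(emp[x] / n - D[x]) for x in D)
assert dist <= eps                   # empirical distribution is eps-close to D
```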
Cite this article
Cheraghchi, M., Guruswami, V. Non-Malleable Coding Against Bit-Wise and Split-State Tampering. J. Cryptol. 30, 191–241 (2017). https://doi.org/10.1007/s00145-015-9219-z
Keywords
 Information theory
 Tamper-resilient cryptography
 Coding theory
 Error detection
 Randomness extractors