Abstract
Non-malleable codes (Dziembowski et al., ICS ’10 and J. ACM ’18) are a natural relaxation of error-correcting/detecting codes with useful applications in cryptography. Informally, a code is non-malleable if an adversary trying to tamper with an encoding of a message can only leave it unchanged or modify it to the encoding of an unrelated value. This paper introduces continuous non-malleability, a generalization of standard non-malleability where the adversary is allowed to tamper continuously with the same encoding. This is in contrast to the standard definition of non-malleable codes, where the adversary can only tamper a single time. The only restriction is that after the first invalid codeword is ever generated, a special self-destruct mechanism is triggered and no further tampering is allowed; this restriction can easily be shown to be necessary. We focus on the split-state model, where an encoding consists of two parts and the tampering functions can be arbitrary as long as they act independently on each part. Our main contributions are outlined below.

We show that continuous non-malleability in the split-state model is impossible to achieve without relying on computational assumptions.

We construct a computationally secure split-state code satisfying continuous non-malleability in the common reference string (CRS) model. Our scheme can be instantiated assuming the existence of collision-resistant hash functions and (doubly enhanced) trapdoor permutations, but we also give concrete instantiations based on standard number-theoretic assumptions.

We revisit the application of non-malleable codes to protecting arbitrary cryptographic primitives against related-key attacks. Previous applications of non-malleable codes in this setting required perfect erasures and the adversary to be restricted in memory. We show that continuously non-malleable codes allow us to avoid these restrictions.
Introduction
Physical attacks targeting cryptographic implementations instead of breaking the black-box security of the underlying algorithm are amongst the most severe threats to cryptographic systems. A particularly important attack on implementations is the so-called tampering attack, where the adversary changes the secret key to some related value and observes the effect of such changes on the output. Traditional black-box security notions do not account for adversaries that change the secret key to some related value; even worse, as shown in the celebrated work of Boneh et al. [22], already minor changes to the key suffice for complete security breaches. Unfortunately, tampering attacks are also rather easy to carry out: a virus corrupting a machine can gain partial control over the state, or an adversary that penetrates the cryptographic implementation with physical equipment may induce faults into keys stored in memory.
In recent years, a growing body of work (see [4, 11, 55, 64, 70, 76, 84]) has developed new cryptographic techniques to tackle tampering attacks. Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs [55, 56], are an important approach to achieving this goal. Intuitively, a code is non-malleable w.r.t. a family of tampering functions \({\mathcal {F}}\) if the message contained in a codeword modified via a function \(f\in {\mathcal {F}}\) is either the original message or a completely unrelated value. Non-malleable codes can be used to protect any cryptographic functionality against tampering with the memory. Instead of storing the key, we store its encoding and decode it each time the functionality wants to access the key. As long as the adversary can only apply tampering functions from the family \({\mathcal {F}}\), the non-malleability property guarantees that the (possibly tampered) decoded value is not related to the original key.
The standard notion of non-malleability considers a one-shot game: the adversary is allowed to tamper a single time with the codeword, after which it obtains the decoded output. In this work we introduce continuously non-malleable codes, where non-malleability is guaranteed even if the adversary continuously applies functions from the family \({\mathcal {F}}\) to the same codeword. We show that our new security notion is not only a natural extension of the standard definition, but moreover allows us to protect against tampering attacks in important settings where earlier constructions fall short of achieving security.
Continuous Non-malleability
A code consists of two polynomial-time algorithms \(\Gamma = (\textsf {Enc},\textsf {Dec})\) satisfying the following correctness property: for all messages \(m\in {\mathcal {M}} \), it holds that \(\textsf {Dec}(\textsf {Enc}(m)) = m\) (with probability one over the randomness of the encoding). To define non-malleability for a function family \({\mathcal {F}}\), consider the following experiment \(\mathbf{Tamper} ^{\mathcal {F}}_{{\textsf {A}},\Gamma }(\lambda ,b)\) with hidden bit \(b\in \{0,1\}\) and featuring a (possibly unbounded) adversary \({\textsf {A}}\).

1.
The adversary chooses two messages \((m_0,m_1) \in {\mathcal {M}} ^2\).

2.
The challenger computes a target codeword \(c\) by running the encoding procedure on \(m_b\).

3.
The adversary picks a tampering function \(f\in {\mathcal {F}}\), which yields a tampered codeword \(\tilde{c}= f(c)\). Then:

If \(\tilde{c}= c\), then the attacker receives a special symbol \(\diamond \) denoting that tampering did not modify the target codeword;

Else, the adversary is given \(\textsf {Dec}(\tilde{c}) \in {\mathcal {M}} \cup \{\bot \}\), where \(\bot \) is a special symbol denoting that the tampered codeword \(\tilde{c}\) is invalid.


4.
The attacker outputs a guess \(b'\in \{0,1\}\).
A code \(\Gamma \) is said to be statistically (one-time) non-malleable w.r.t. \({\mathcal {F}}\) if for all attackers the quantity \(\left| {\mathbb {P}}\left[ b' = b\right] - 1/2\right| \) is negligible in the security parameter. This is equivalent to saying that the experiments \(\mathbf{Tamper} ^{\mathcal {F}}_{\Gamma ,{\textsf {A}}}(\lambda ,0)\) and \(\mathbf{Tamper} ^{{\mathcal {F}}}_{\Gamma ,{\textsf {A}}}(\lambda ,1)\) are statistically close. Computational non-malleability can be obtained by simply relaxing the above guarantee to computational indistinguishability (for all PPT adversaries).
To define continuously non-malleable codes, we allow the adversary to repeat^{Footnote 1} step 3 of the above game a polynomial number of times, where in each iteration the attacker can adaptively choose a tampering function \(f^{(i)} \in {\mathcal {F}}\). We emphasize that this change of the tampering game allows the adversary to tamper continuously with the target codeword \(c\). As shown by Gennaro et al. [70], such a strong security notion is impossible to achieve without further assumptions. To this end, we rely on the following self-destruct mechanism: whenever in step 3 the experiment detects an invalid codeword and returns \(\bot \) for the first time, all future tampering queries are automatically answered with \(\bot \). This is a rather mild assumption, as it can, for instance, be implemented using a public, one-time writable, untamperable bit.
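The continuous tampering game with self-destruct described above can be sketched in a few lines of Python. The code below is only an illustration of the experiment's bookkeeping, not of the paper's construction: `enc`/`dec` form a toy (hypothetical, and certainly not non-malleable) code whose only purpose is to make the game executable, and `SAME` stands for the special symbol \(\diamond \).

```python
import secrets

# Toy code used only to make the game concrete: Enc duplicates the message
# with a random tag; Dec checks consistency. (Illustrative only -- NOT a
# non-malleable code.)
def enc(m: bytes) -> tuple:
    tag = secrets.token_bytes(8)
    return (m + tag, m + tag)

def dec(c: tuple):
    c0, c1 = c
    if c0 != c1:
        return None          # None plays the role of the invalid symbol (bot)
    return c0[:-8]

SAME = "same"                # stands for the special symbol (diamond)

def continuous_tamper(c, tamper_queries):
    """Answer tampering queries until the first invalid codeword appears;
    from that point on, self-destruct: every later query is answered with
    None (bot), regardless of its content."""
    self_destructed = False
    answers = []
    for f in tamper_queries:
        if self_destructed:
            answers.append(None)
            continue
        c_tilde = f(c)
        if c_tilde == c:
            answers.append(SAME)           # tampering left the codeword intact
        else:
            m_tilde = dec(c_tilde)
            answers.append(m_tilde)
            if m_tilde is None:
                self_destructed = True     # trigger the self-destruct mechanism
    return answers
```

Note how the self-destruct flag is sticky: once the first query produces an invalid codeword, all subsequent queries are answered with the invalid symbol, exactly as required by the definition.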
From non-malleable codes to tamper resilience As discussed above, the main application of non-malleable codes is protecting cryptographic schemes against tampering with the secret key [55, 56, 84]. Consider a reactive functionality \(\textsf {F}\) with secret state \(\sigma \). Using a non-malleable code, earlier work showed how to transform the functionality \((\textsf {F},\sigma )\) into a so-called hardened functionality \((\hat{\textsf {F}},c)\) that is secure against memory tampering. The transformation works as follows: initially, \(c\) is set to \(\textsf {Enc}(\sigma )\). Then, each time \(\hat{\textsf {F}}\) is executed on input x, the transformed functionality reads the encoding \(c\) from the memory, decodes it to obtain \(\sigma = \textsf {Dec}(c)\), and runs the original functionality \(\textsf {F}(\sigma ,x)\), obtaining an output y and a new state \(\sigma '\). Finally, it erases the memory and overwrites \(c\) with \(\textsf {Enc}(\sigma ')\).
Besides executing evaluation queries, the adversary can issue tampering queries \(f^{(i)} \in {\mathcal {F}}\). The effect of such a query is to overwrite the current codeword \(c\) stored in the memory with a tampered codeword \(\tilde{c}= f^{(i)}(c)\), so that the functionality \(\hat{\textsf {F}}\) will take \(\tilde{c}\) as input when answering the next evaluation query. The first time that \(\textsf {Dec}(\tilde{c}) = \bot \), the functionality \(\hat{\textsf {F}}\) sets the memory to a dummy value (which essentially results in a self-destruct).
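The hardened-functionality transformation can be sketched as follows. This is a schematic Python rendering of the generic compiler, not the paper's concrete scheme: `toy_enc`/`toy_dec` are a hypothetical stand-in code (not non-malleable), and `F` is any reactive functionality mapping `(state, x)` to `(y, new_state)`.

```python
import secrets

# Toy split-state code used only for illustration (it is NOT non-malleable):
# each half stores the state plus a shared random tag, and decoding checks
# that the two halves agree.
def toy_enc(state):
    tag = secrets.token_bytes(8)
    return (state + tag, state + tag)

def toy_dec(c):
    c0, c1 = c
    return c0[:-8] if c0 == c1 else None   # None plays the role of bot

class Hardened:
    """Sketch of the hardened functionality: the memory holds an encoding
    of the state; each run decodes, executes F, erases the memory, and
    re-encodes the new state."""
    def __init__(self, F, state, enc=toy_enc, dec=toy_dec):
        self.F, self.enc, self.dec = F, enc, dec
        self.memory = enc(state)
        self.dead = False                  # self-destruct flag

    def tamper(self, f0, f1):
        # split-state tampering: f0 and f1 act independently on the halves
        c0, c1 = self.memory
        self.memory = (f0(c0), f1(c1))

    def run(self, x):
        if self.dead:
            return None
        state = self.dec(self.memory)
        if state is None:                  # invalid codeword: self-destruct
            self.memory = self.enc(b"\x00")
            self.dead = True
            return None
        y, new_state = self.F(state, x)
        self.memory = self.enc(new_state)  # erase and re-encode
        return y
```

The `run` method makes explicit where the erase/re-encode step happens, which is exactly the step that a continuously non-malleable code allows one to drop.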
The above transformation guarantees continuous tamper resilience even if the underlying non-malleable code is secure only against one-time tampering. This security “boost” is achieved by re-encoding the secret state after each execution of \(\hat{\textsf {F}}\). As one-time non-malleability suffices for the above cryptographic application, one may ask why we need continuously non-malleable codes. Besides being a natural generalization of the standard non-malleability notion, our new definition has several important advantages that we discuss in the next two paragraphs.
Tamper resilience without erasures The transformation described above necessarily requires that after each execution the entire content of the memory is erased. While such perfect erasures may be feasible in some settings, they are rather problematic in the presence of tampering. To illustrate this issue, consider a setting where, besides the encoding of a key, the memory also contains other non-encoded data. In the tampering setting, we cannot restrict the erasure to just the part that stores the encoding of the key, as a tampering adversary may copy the encoding to some different part of the memory. A simple solution to this problem is to erase the entire memory, but such an approach is not possible in most cases: for instance, think of the memory as being the hard disk of your computer, which besides the encoding of a key stores other important files that you do not want to be erased. Notice that this situation is quite different from the leakage setting, where we also require perfect erasures to achieve continuous leakage resilience. In the leakage setting, however, the adversary cannot mess around with the state of the memory by, e.g., copying an encoding of a secret key to some free space, which makes erasures significantly easier to implement.
One option to prevent the adversary from keeping permanent copies is to encode the entire state of the memory. Such an approach has, however, the following drawbacks.

It is unnatural In many cases, secret data, e.g., a cryptographic key, are stored together with non-confidential data. Each time we want to read some small part of the memory, e.g., the key, we need to decode and re-encode the entire state, including the non-confidential data.

It is inefficient Decoding and re-encoding the entire state of the memory for each access introduces additional overhead and would result in highly inefficient solutions. This gets even worse as most current constructions of non-malleable codes are rather inefficient.
The second issue may be solved by employing locally decodable and updatable non-malleable codes [42,43,44,45,46], which intuitively allow one to access/update a portion of the message without reading/modifying the entire codeword. Using our new notion of continuously non-malleable codes, we can avoid both issues in one go and achieve continuous tamper resilience without using erasures or relying on inefficient solutions that encode the entire state.
Stateless tamper-resilient transformations To achieve tamper resilience from one-time non-malleability, we necessarily need to re-encode the state using fresh randomness. This not only reduces the efficiency of the proposed construction, but moreover makes the transformation stateful. Thanks to continuously non-malleable codes, we get continuous security without the need to refresh the encoding after each usage. This is particularly useful when the underlying primitive that we want to protect is itself stateless (e.g., in the case of any standard block-cipher construction that typically keeps the same key). Using continuously non-malleable codes, the tamper-resilient implementation of such stateless primitives does not need to keep any secret state. We discuss the protection of stateless primitives in further detail in Sect. 5.
Our Contribution
Our main contribution is the first construction of continuously non-malleable codes in the split-state model, first introduced in the leakage setting [50, 54]. Various recent works study the split-state model for non-malleable codes [3, 4, 30, 53, 84] (see more details on related work in Sect. 1.3). In the split-state tampering model, the codeword consists of two halves \(c_0\) and \(c_1\) that are stored in two different parts of the memory. The adversary is assumed to tamper with both parts independently, but otherwise can apply any efficiently computable tampering function. That is, the adversary picks two polynomial-time computable functions \(f_0\) and \(f_1\) and replaces the codeword \((c_0,c_1)\) with \((f_0(c_0), f_1(c_1))\). Similar to the earlier work of Liu and Lysyanskaya [84], our construction assumes a public untamperable common reference string (CRS). Notice that this is a rather mild assumption, as the CRS can be hardwired into the functionality and is independent of any secret data.
Continuous non-malleability of existing constructions The first construction of one-time split-state non-malleable codes (without random oracles) was given by Liu and Lysyanskaya [84]. At a high level, their construction encrypts the message \(m\) with a leakage-resilient public-key encryption (PKE) scheme and generates a non-interactive zero-knowledge (NIZK) proof of knowledge showing that (i) the public/secret key of the PKE is valid, and (ii) the ciphertext is an encryption of \(m\) under the public key. Then, \(c_0\) is set to the secret key, while \(c_1\) holds the corresponding public key, the ciphertext, and the NIZK proof.
Unfortunately, it is rather easy to break the non-malleable code of Liu and Lysyanskaya in the continuous setting. Recall that our security notion of continuously non-malleable codes allows the adversary to interact in the following game. First, we sample an encoding \(({\hat{c}_{0}},{\hat{c}_{1}})\) of \(m\), and then we repeat the following process a polynomial number of times.

1.
The adversary submits two polynomial-time computable functions \((f_0,f_1)\), resulting in a tampered codeword \((\tilde{c}_0,\tilde{c}_1) = (f_0({\hat{c}_{0}}), f_1({\hat{c}_{1}}))\).

2.
We consider three different cases:

If \((\tilde{c}_0,\tilde{c}_1) = ({\hat{c}_{0}},{\hat{c}_{1}})\), then return \(\diamond \).

Else, let \(\tilde{m}\) be the decoding of \((\tilde{c}_0,\tilde{c}_1)\). If \(\tilde{m}\ne \bot \), then return \(\tilde{m}\).

Else, if \(\tilde{m}= \bot \), self-destruct and terminate the experiment.

The main observation that enables the attack against the scheme of [84] is as follows: for a fixed (but adversarially chosen) part \(c_0\), it is easy to come up with two corresponding parts \(c_1\) and \(c_1'\) such that both \((c_0,c_1)\) and \((c_0,c_1')\) form a valid encoding (i.e., a codeword whose decoding does not yield \(\bot \)). Suppose further that decoding \((c_0,c_1)\) yields a message \(m\) that is different from the message \(m'\) obtained by decoding \((c_0,c_1')\). Then, under continuous tampering, the adversary may permanently replace the original encoding \({\hat{c}_{0}}\) with \(c_0\), while, depending on whether the \(i\)th bit of \({\hat{c}_{1}}\) is 0 or 1, replacing \({\hat{c}_{1}}\) with either \(c_1\) or \(c_1'\). This allows the adversary to recover the entire \({\hat{c}_{1}}\) with just n tampering queries (where n is the size of \({\hat{c}_{1}}\)). Once \({\hat{c}_{1}}\) is known to the adversary, it is easy^{Footnote 2} to tamper with \({\hat{c}_{0}}\) in a way that depends on the message \({{\hat{m}}}\) corresponding to \(({\hat{c}_{0}},{\hat{c}_{1}})\).
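The bit-recovery step of this attack is easy to make concrete. In the sketch below, everything is a stand-in for illustration: the target half is modeled as an integer of `n` bits, `oracle(f0, f1)` plays one round of the continuous tampering game and returns the decoded message, and `c1a`/`c1b` are the two adversarially prepared right halves whose decodings (with the fixed `c0`) are distinct.

```python
def recover_right_half(oracle, n, c0, c1a, c1b):
    """Recover the n-bit target right half using one tampering query per
    bit: overwrite the left half with the known c0, and map the target
    right half to c1a or c1b depending on its i-th bit. The decoded
    message then reveals that bit."""
    bits = []
    for i in range(n):
        f0 = lambda _: c0                     # always overwrite with c0
        f1 = lambda target, i=i: c1a if (target >> i) & 1 == 0 else c1b
        m = oracle(f0, f1)                    # decoded message of this round
        bits.append(0 if m == "m_a" else 1)   # m_a <-> c1a, m_b <-> c1b
    return sum(b << i for i, b in enumerate(bits))
```

Since every tampered codeword in this attack is valid, the self-destruct mechanism is never triggered, which is exactly why one-time non-malleability does not rule the attack out.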
Somewhat surprisingly, our attack can be generalized to break any non-malleable code that is secure in the information-theoretic setting. Hence, the recent breakthrough results on information-theoretic non-malleability [3,4,5, 53] also fail to provide security under continuous attacks. Moreover, we emphasize that our attack does not only work against the code itself, but (in most cases) can also be applied to the tamper-protection application for cryptographic functionalities.
Uniqueness The attack above exploits the fact that for a fixed known part \(c_0\) it is easy to come up with two valid parts \(c_1,c_1'\). For the encoding of [84] this is indeed easy to achieve: if the secret key \(c_0\) is known, simply encrypt two arbitrary messages \(m,m'\) such that \(m\ne m'\) and generate the corresponding proofs. The above weakness motivates a new property that non-malleable codes must satisfy in order to achieve continuous non-malleability. We call this property uniqueness; informally, it guarantees that for any (adversarially chosen) valid encoding \((c_0,c_1)\) it is computationally hard to come up with \(c_1' \ne c_1\) such that \((c_0, c_{1}')\) forms a valid encoding.^{Footnote 3} Clearly, the uniqueness property prevents the attack described above, and hence is a crucial requirement for continuous non-malleability in the split-state model.
A new construction In light of the above discussion, we need to build a non-malleable code that achieves our uniqueness property. Our construction uses as building blocks a leakage-resilient storage (LRS) scheme [50, 52] for the split-state model (one may view this as a generalization of the leakage-resilient PKE used in [84]), a collision-resistant hash function, and (similar to [84]) an extractable NIZK. At a high level, we use the LRS to encode the secret message, hash the resulting shares using the hash function, and generate a NIZK proof of knowledge that the resulting hash values are indeed correctly computed from the shares. While it is easy to show that collision resistance of the hash function guarantees the uniqueness property, a careful analysis is required to prove continuous non-malleability. We refer the reader to Sect. 4.1 for the details of our construction, and to Sect. 4.2 for an outline of the proof.
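The high-level encoding recipe (share, hash, prove) can be sketched as follows. This is a schematic rendering only and differs from the real scheme in every cryptographic respect: the additive sharing stands in for a genuine LRS (plain XOR sharing is not leakage resilient), SHA-256 stands in for the keyed collision-resistant hash, the NIZK proof is a non-functional placeholder string, and the exact layout of the two halves is a plausible guess rather than the layout of Sect. 4.1.

```python
import hashlib
import secrets

def lr_enc(m: bytes):
    """Toy 2-out-of-2 additive sharing standing in for the LRS. A real LRS
    additionally guarantees leakage resilience; XOR sharing does not."""
    s0 = secrets.token_bytes(len(m))
    s1 = bytes(a ^ b for a, b in zip(s0, m))
    return s0, s1

def lr_dec(s0: bytes, s1: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(s0, s1))

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()     # stand-in for Hash(hk, .)

def encode(m: bytes):
    """Sketch: share m, hash both shares, attach a proof that the hashes
    are correctly computed from the shares (stubbed here)."""
    s0, s1 = lr_enc(m)
    h0, h1 = H(s0), H(s1)
    pi = b"<NIZK proof of knowledge of the shares>"   # placeholder only
    return (s0, h0, h1, pi), (s1, h0, h1, pi)

def decode(c0, c1):
    s0, h0, h1, pi = c0
    s1, h0p, h1p, pip = c1
    # both halves must carry consistent metadata matching their shares;
    # a real decoder would also verify the NIZK proof pi
    if (h0, h1, pi) != (h0p, h1p, pip) or H(s0) != h0 or H(s1) != h1:
        return None                        # bot: invalid codeword
    return lr_dec(s0, s1)
```

Note how uniqueness falls out of collision resistance in this arrangement: a fixed `c0` pins down `h1 = H(s1)`, so producing a second valid right half would require a hash collision on `s1`.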
Tamper resilience for stateless and stateful primitives We can use our new construction of continuously non-malleable codes to protect arbitrary computation against continuous tampering attacks. In contrast to earlier works, our construction does not need to re-encode the secret state after each usage, which, besides being more efficient, avoids the use of erasures. As discussed above, erasures are problematic in the tampering setting, as one would essentially need to encode the entire state (possibly including large non-confidential data).
Additionally, our transformation does not need to keep any secret state. Hence, if our transformation is used to protect stateless primitives, the resulting scheme remains stateless. This solves an open problem posed by Dziembowski, Pietrzak and Wichs [55, 56]. Notice that while we do not need to keep any secret state, the transformed functionality requires one bit of state to activate the self-destruct mechanism. This bit can be public, but must be untamperable, and can, for instance, be implemented through a one-time writable memory. As shown in the work of Gennaro et al. [70], continuous tamper resilience is impossible to achieve without such a mechanism for self-destruction.
Of course, our construction can also be used for stateful primitives, in which case our functionality re-encodes the new state during execution. Note that in our setting, where data are never erased, an adversary can always reset the functionality to a previous valid state. To avoid this, our transformation uses an untamperable public counter^{Footnote 4} that helps us detect whenever the attacker tries to reset the functionality to a previous state (in which case, a self-destruct is triggered). We notice that such an untamperable counter is necessary, as otherwise there is no way to protect against the above resetting attack.^{Footnote 5}
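The counter-based reset detection can be sketched in a few lines. The class below is a hypothetical illustration of the mechanism only: the encoded state is assumed to carry a counter value, which is compared against the untamperable public counter on each execution.

```python
class CounterGuard:
    """Sketch of reset detection for stateful primitives: the encoded
    state carries a counter that must match an untamperable, monotone
    public counter; any mismatch signals a reset and triggers a
    self-destruct."""
    def __init__(self):
        self.public = 0        # public untamperable counter
        self.dead = False      # self-destruct flag

    def check_and_bump(self, encoded_counter: int) -> bool:
        """Return True iff the execution may proceed."""
        if self.dead or encoded_counter != self.public:
            self.dead = True   # reset (or replay) detected
            return False
        self.public += 1       # advance in lockstep with re-encoding
        return True
```

An adversary that copies an old encoding back into memory presents a stale counter value, which immediately fails the comparison.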
Bounded leakage resilience As an additional contribution, we show that our code is also secure against bounded leakage attacks. This is similar to the works of [53, 84], which also consider bounded leakage resilience of their encoding schemes. Furthermore, as we prove, bounded leakage resilience is also inherited by functionalities that are protected using our transformation.
Notice that without perfect erasures bounded leakage resilience is the best we can achieve, as there is no hope for security if an encoding that is produced at some point in time is gradually revealed to the adversary.
Related Work
Constructions of non-malleable codes Besides showing feasibility by a probabilistic argument, Dziembowski et al. [55, 56] also built non-malleable codes for bit-wise tampering (later improved in [9, 10, 32, 34, 36]) and gave a construction in the split-state model using a random oracle. This result was followed by [33], which proposed non-malleable codes that are secure against block-wise tampering. The first construction of non-malleable codes in the split-state model without random oracles was given by Liu and Lysyanskaya [84], in the computational setting, assuming an untamperable CRS. Several follow-up works focused on constructing split-state non-malleable codes in the information-theoretic setting [1, 3, 4, 7, 28, 53].
See also [9, 10, 12,13,14,15,16,17, 24, 25, 27, 31, 37, 45, 57, 64, 67, 77, 79,80,81,82] for other recent advances on the construction of non-malleable codes. We also note that the work of Gennaro et al. [70] proposed a generic method that allows one to protect arbitrary computation against continuous tampering attacks, without requiring erasures. We refer the reader to [55, 56] for a more detailed comparison between non-malleable codes and the solution of [70].
Other works on tamper resilience A large body of work shows how to protect specific cryptographic schemes against tampering attacks (see [18, 20, 21, 47, 48, 78, 86] and many more). While these works consider a strong tampering model (e.g., they do not require the split-state assumption), they only offer security for specific schemes. In contrast, non-malleable codes are generally applicable and can provide tamper resilience for any cryptographic scheme.
In all the above works, including ours, it is assumed that the circuitry that computes the cryptographic algorithm using the potentially tampered key runs correctly and is not subject to tampering attacks. An important line of works analyzes to what extent we can guarantee security when even the circuitry is prone to tampering attacks [39, 40, 66, 69, 76, 83]. These works typically consider a restricted class of tampering attacks (e.g., individual bit tampering) and assume that large parts of the circuit (and memory) remain untampered.
Subsequent work A preliminary version of this paper appeared as [62]. Subsequent work showed that our impossibility result on information-theoretic continuous non-malleability can be circumvented in weaker tampering models, such as bit-wise tampering [34,35,36], tampering via functions with high min-entropy or few fixed points [77], 8-split-state tampering [6], permutations and overwrites [49], and space-bounded tampering [29, 61], or by assuming that the number of tampering queries is a priori fixed [26] and that tampering is persistent [8].
Continuously non-malleable codes have also been used to protect Random Access Machines against tampering attacks on the memory and the computation [63], and to obtain domain extension for non-malleable public-key encryption [34, 36, 49].
A recent work by Dachman-Soled and Kulkarni [41] shows that the strong flavor of continuous non-malleability in the split-state model considered in this paper (sometimes known as super non-malleability [64, 65]) is impossible to achieve in the plain model (i.e., without assuming an untamperable CRS). On the other hand, Ostrovsky et al. [85] proved that continuous weak non-malleability in the split-state model (i.e., the standard flavor of non-malleability in which the attacker only learns the output of the decoding corresponding to each tampered codeword) is possible in the plain model (assuming one-to-one one-way functions). Faonio and Venturi [58, 59] further consider continuously non-malleable split-state codes with a special refreshing procedure allowing one to update codewords.
Finally, the concept of continuous non-malleability has also recently been studied in the more general setting of non-malleable secret sharing [23, 60, 71].
Preliminaries
Notation
For a string x, we denote its length by \(|x|\); if \(\mathcal {X}\) is a set, \(|\mathcal {X}|\) represents the number of elements in \(\mathcal {X}\). When x is chosen uniformly at random in \(\mathcal {X}\), we write \(x{\leftarrow {\$}}\mathcal {X}\). When \(\textsf {A}\) is a randomized algorithm, we write \(y{\leftarrow {\$}}\textsf {A}(x)\) to denote a run of \(\textsf {A}\) on input x (and implicit random coins r) with output y; the value y is a random variable, and \(\textsf {A}(x;r)\) denotes a run of \(\textsf {A}\) on input x and randomness r. A randomized algorithm \(\textsf {A}\) is probabilistic polynomial-time (PPT) if for any input \(x,r\in \{0,1\}^*\) the computation of \(\textsf {A}(x;r)\) terminates in a polynomial number of steps (in the size of the input). For a PPT algorithm \(\textsf {A}\), we denote by \(\langle {\textsf {A}}\rangle \) its description using poly-many bits.
Negligible functions We denote with \(\lambda \in {\mathbb {N}}\) the security parameter. A function p is a polynomial, denoted \(p(\lambda )\in \texttt {poly}(\lambda )\), if \(p(\lambda )\in O(\lambda ^c)\) for some constant \(c>0\). A function \(\varepsilon :{\mathbb {N}}\rightarrow [0,1]\) is negligible in the security parameter (or simply negligible) if it vanishes faster than the inverse of any polynomial in \(\lambda \), i.e., \(\varepsilon (\lambda ) \in O(1/\lambda ^c)\) for every constant \(c > 0\). We often write \(\varepsilon (\lambda )\in \texttt {negl}(\lambda )\) to denote that \(\varepsilon (\lambda )\) is negligible.
Unless stated otherwise, throughout the paper, we implicitly assume that the security parameter is given as input (in unary) to all algorithms.
Random variables For a random variable \(\mathbf{X} \), we write \({\mathbb {P}}\left[ \mathbf{X} = x\right] \) for the probability that \(\mathbf{X} \) takes on a particular value \(x\in \mathcal {X}\) (with \(\mathcal {X}\) being the set where \(\mathbf{X} \) is defined). Given two ensembles \(\mathbf{X} = \{\mathbf{X} _\lambda \}_{\lambda \in {\mathbb {N}}}\) and \(\mathbf{Y} = \{\mathbf{Y} _\lambda \}_{\lambda \in {\mathbb {N}}}\), we write \(\mathbf{X} {\mathop {\approx }\limits ^{\text {s}}}\mathbf{Y} \) (resp. \(\mathbf{X} {\mathop {\approx }\limits ^{\text {c}}}\mathbf{Y} \)) to denote that \(\mathbf{X} \) and \(\mathbf{Y} \) are statistically (resp. computationally) close, i.e., for all unbounded (resp. PPT) distinguishers \({\textsf {D}}\):
$$\begin{aligned} \left| {\mathbb {P}}\left[ {\textsf {D}}(\mathbf{X} _\lambda ) = 1\right] - {\mathbb {P}}\left[ {\textsf {D}}(\mathbf{Y} _\lambda ) = 1\right] \right| \in \texttt {negl}(\lambda ). \end{aligned}$$
If the above distance is zero, we say that \(\mathbf{X} \) and \(\mathbf{Y} \) are identically distributed, denoted \(\mathbf{X} \equiv \mathbf{Y} \).
We extend the notion of computational indistinguishability to the case of interactive experiments (a.k.a. games) featuring an adversary \({\textsf {A}}\). In particular, let \(\mathbf{G} _{\textsf {A}}(\lambda )\) be the random variable corresponding to the output of \({\textsf {A}}\) at the end of the experiment, where \({\textsf {A}}\) outputs a decision bit. Given two experiments \(\mathbf{G} _{\textsf {A}}(\lambda ,0)\) and \(\mathbf{G} _{{\textsf {A}}}(\lambda ,1)\), we write \(\mathbf{G} _{{\textsf {A}}}(\lambda ,0) {\mathop {\approx }\limits ^{\text {c}}}\mathbf{G} _{{\textsf {A}}}(\lambda ,1)\) if for all PPT \({\textsf {A}}\) it holds that
$$\begin{aligned} \left| {\mathbb {P}}\left[ \mathbf{G} _{{\textsf {A}}}(\lambda ,0) = 1\right] - {\mathbb {P}}\left[ \mathbf{G} _{{\textsf {A}}}(\lambda ,1) = 1\right] \right| \in \texttt {negl}(\lambda ). \end{aligned}$$
The above naturally generalizes to statistical distance (in case of unbounded adversaries).
Collision-Resistant Hashing
A family of hash functions \(\Pi :=(\textsf {Gen},\textsf {Hash})\) is a pair of efficient algorithms specified as follows: (i) The randomized algorithm \(\textsf {Gen}\) takes as input the security parameter and outputs a hash key \(\textit{hk}\). (ii) The deterministic algorithm \(\textsf {Hash}\) takes as input the hash key \(\textit{hk}\) and a value \(x\in \{0,1\}^*\), and outputs a value \(y\in \{0,1\}^\lambda \).
Definition 1
(Collision resistance) Let \(\Pi = (\textsf {Gen},\textsf {Hash})\) be a family of hash functions. We say that \(\Pi \) is collision resistant if for all PPT adversaries \({\textsf {A}}\) there exists a negligible function \(\nu :{\mathbb {N}}\rightarrow [0,1]\) such that:
$$\begin{aligned} {\mathbb {P}}\left[ \textsf {Hash}(\textit{hk},x) = \textsf {Hash}(\textit{hk},x') \wedge x \ne x':\, \textit{hk}{\leftarrow {\$}}\textsf {Gen}(1^\lambda );\, (x,x'){\leftarrow {\$}}{\textsf {A}}(\textit{hk})\right] \le \nu (\lambda ). \end{aligned}$$
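The syntax of a keyed hash family is easy to illustrate. The sketch below is a stand-in only: a random salt plays the role of the hash key and salted SHA-256 plays the role of the abstract family (SHA-256 is conjectured, not proven, collision resistant).

```python
import hashlib
import secrets

def gen(lam: int = 16) -> bytes:
    """Sample a hash key hk (here: a random salt of lam bytes)."""
    return secrets.token_bytes(lam)

def hash_fn(hk: bytes, x: bytes) -> bytes:
    """Hash(hk, x): deterministic, fixed-length output (32 bytes here,
    standing in for lambda bits)."""
    return hashlib.sha256(hk + x).digest()
```

Collision resistance then says that no efficient adversary, given `hk`, can output `x != x'` with `hash_fn(hk, x) == hash_fn(hk, x')` except with negligible probability.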
Non-interactive Zero Knowledge
Let \(\mathcal {R}\) be an NP relation, corresponding to an NP language \({\mathcal {L}} \). A non-interactive argument system for \(\mathcal {R}\) is a tuple of efficient algorithms \(\Pi = (\textsf {CRSGen}, \textsf {Prove}, \textsf {Ver})\) specified as follows: (i) The randomized algorithm \(\textsf {CRSGen}\) takes as input the security parameter and outputs a common reference string \(\omega \); (ii) The randomized algorithm \(\textsf {Prove}(\omega ,\phi , (x, w))\), given \((x, w) \in \mathcal {R}\) and a label \(\phi \in \{0,1\}^*\), outputs an argument \(\pi \); (iii) The deterministic algorithm \(\textsf {Ver}(\omega ,\phi , (x, \pi ))\), given an instance \(x\), an argument \(\pi \), and a label \(\phi \in \{0,1\}^*\), outputs either 0 (for “reject”) or 1 (for “accept”). We say that \(\Pi \) is correct if for every \(\lambda \in {\mathbb {N}}\), all \(\omega \) output by \(\textsf {CRSGen}(1^{\lambda })\), any label \(\phi \in \{0,1\}^*\), and any \((x,w) \in \mathcal {R}\), we have that \(\textsf {Ver}(\omega , \phi , (x, \textsf {Prove}(\omega , \phi , (x, w))))=1\) (with probability one over the randomness of the prover algorithm).
We define two properties of a noninteractive argument system. The first property says that honestly computed arguments do not reveal anything beyond the fact that \(x\in {\mathcal {L}} \).
Definition 2
(Adaptive multi-theorem zero-knowledge) A non-interactive argument system \(\Pi \) for a relation \(\mathcal {R}\) satisfies adaptive multi-theorem zero-knowledge if there exists a PPT simulator \(\textsf {S}:= (\textsf {S}_0,\textsf {S}_1)\) such that the following holds:

(i)
\(\textsf {S}_0\) outputs a simulated common reference string \(\omega \), a simulation trapdoor \(\zeta \), and an extraction trapdoor \(\xi \).

(ii)
For all PPT distinguishers \({\textsf {D}}\), we have that
$$\begin{aligned} \left| {\mathbb {P}}\left[ {\textsf {D}}^{\textsf {Prove}(\omega ,\cdot ,(\cdot ,\cdot ))}(\omega ) = 1:\, \omega {\leftarrow {\$}}\textsf {CRSGen}(1^\lambda )\right] - {\mathbb {P}}\left[ {\textsf {D}}^{{\mathcal {O}} _\mathsf{sim}(\zeta ,\cdot ,(\cdot ,\cdot ))}(\omega ) = 1:\, (\omega ,\zeta ,\xi ){\leftarrow {\$}}\textsf {S}_0(1^\lambda )\right] \right| \end{aligned}$$
is negligible in \(\lambda \), where the oracle \({\mathcal {O}} _\mathsf{sim}(\zeta ,\cdot ,(\cdot ,\cdot ))\) takes as input a tuple \((\phi ,(x,w))\) and returns \(\textsf {S}_1(\zeta ,\phi ,x)\) iff \((x,w)\in \mathcal {R}\) (and otherwise it returns \(\bot \)).
Groth [73] introduced the concept of simulation extractability, which informally states that knowledge soundness should hold even if the adversary can see simulated arguments for possibly false statements of its choice. For our purpose, it suffices to consider the weaker notion of true-simulation extractability, as defined by Dodis et al. [51].
Definition 3
(True-simulation extractability) Let \(\Pi \) be a non-interactive argument system for a relation \(\mathcal {R}\) that satisfies adaptive multi-theorem zero-knowledge w.r.t. a simulator \(\textsf {S}:= (\textsf {S}_0,\textsf {S}_1)\). We say that \(\Pi \) is true-simulation extractable (tSE) if there exists a PPT algorithm \(\textsf {K}\) such that for all PPT adversaries \({\textsf {A}}\), it holds that
$$\begin{aligned} {\mathbb {P}}\left[ \begin{array}{l} \textsf {Ver}(\omega ,\phi ^*,(x^*,\pi ^*)) = 1 \,\wedge \, (\phi ^*,x^*,\pi ^*)\notin {\mathcal {Q}} \,\wedge \, (x^*,w^*)\notin \mathcal {R}:\\ (\omega ,\zeta ,\xi ){\leftarrow {\$}}\textsf {S}_0(1^\lambda );\ (\phi ^*,(x^*,\pi ^*)){\leftarrow {\$}}{\textsf {A}}^{{\mathcal {O}} _\mathsf{sim}(\zeta ,\cdot ,(\cdot ,\cdot ))}(\omega );\ w^*{\leftarrow {\$}}\textsf {K}(\xi ,\phi ^*,(x^*,\pi ^*)) \end{array} \right] \end{aligned}$$
is negligible in \(\lambda \), where the oracle \({\mathcal {O}} _\mathsf{sim}(\zeta ,\cdot ,(\cdot ,\cdot ))\) takes as input a tuple \((\phi ,(x,w))\) and returns \(\textsf {S}_1(\zeta ,\phi ,x)\) iff \((x,w)\in \mathcal {R}\) (and otherwise it returns \(\bot \)), and the list \({\mathcal {Q}} \) contains all pairs \((\phi ,x)\) queried by \({\textsf {A}}\) to its oracle, along with the corresponding answer \(\pi \).
Note that the above definition allows the attacker to win using a label/statement pair \((\phi ^*,x^*)\) for which it already obtained a simulated argument, as long as the value \(\pi ^*\) is different from the argument \(\pi \) obtained from the oracle. This flavor is sometimes known as strong tSE, and it can be obtained generically from non-strong tSE (i.e., where the attacker needs to win using a fresh pair \((\phi ^*,x^*)\)) using any strongly unforgeable one-time signature scheme [51].
Leakage-Resilient Storage
We recall the definition of leakage-resilient storage (LRS) from [50]. A leakage-resilient storage \(\Sigma = (\textsf {LREnc},\textsf {LRDec})\) is a pair of algorithms defined as follows: (i) The randomized algorithm \(\textsf {LREnc}\) takes as input a message \(m\in \{0,1\}^k\) and outputs two shares \((s_0,s_1)\in \{0,1\}^{2n}\). (ii) The deterministic algorithm \(\textsf {LRDec}\) takes as input shares \((s_0,s_1)\in \{0,1\}^{2n}\) and outputs a value in \(\{0,1\}^k\). We say that \((\textsf {LREnc},\textsf {LRDec})\) satisfies correctness if for all \(m\in \{0,1\}^k\) it holds that \(\textsf {LRDec}(\textsf {LREnc}(m))=m\) (with probability 1 over the randomness of \(\textsf {LREnc}\)).
Security of LRS demands that, for any choice of messages \(m_0,m_1\in \{0,1\}^k\), it be hard for an attacker to distinguish bounded, independent leakage from a target encoding of either \(m_0\) or \(m_1\). Below, we state this property in the information-theoretic setting, as this flavor is met by known constructions. In what follows, for a leakage parameter \(\ell \in {\mathbb {N}}\), let \({\mathcal {O}}_\textsf {leak}^\ell (s,\cdot )\) be a stateful oracle taking as input functions \(g:\{0,1\}^n\rightarrow \{0,1\}^*\), and returning \(g(s)\) for a total of at most \(\ell \) bits.
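For concreteness, the stateful oracle \({\mathcal {O}}_\textsf {leak}^\ell (s,\cdot )\) can be modeled as follows. This is an illustrative Python sketch (class and method names are ours, not the paper's), with leakage functions represented as callables returning bit strings.

```python
# Illustrative model of the stateful leakage oracle O_leak^ell(s, .): it
# answers arbitrary leakage queries g(s) until a total of ell bits has
# been returned, then refuses further leakage.

class LeakageOracle:
    def __init__(self, s: str, ell: int):
        self.s = s           # the stored share, as a bit string
        self.budget = ell    # remaining leakage budget, in bits

    def leak(self, g) -> str:
        out = g(self.s)      # g maps the share to a string over {0,1}
        if len(out) > self.budget:
            raise RuntimeError("leakage budget exhausted")
        self.budget -= len(out)
        return out

# Example: leak the first two bits of an 8-bit share.
oracle = LeakageOracle("10100101", ell=8)
first_two = oracle.leak(lambda s: s[:2])  # spends 2 of the 8 bits
```

Definition 4 then asks that no adversary interacting with two such oracles (one per share) can tell which of \(m_0,m_1\) was encoded.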
Definition 4
(Leakage-resilient storage) We call \((\textsf {LREnc},\textsf {LRDec})\) an \(\ell \)-leakage-resilient storage (\(\ell \)-LRS for short) if it holds that
where for \({\textsf {A}}:= ({\textsf {A}}_0,{\textsf {A}}_1)\) and \(b\in \{0,1\}\) we set:
For our construction, we will need a slight variant of the above definition where at the end of the game the attacker is further allowed to obtain one of the two shares in full. Following [2], we refer to this variant as augmented LRS.
Definition 5
(Augmented leakage-resilient storage) We call \((\textsf {LREnc},\textsf {LRDec})\) an augmented \(\ell \)-LRS if for all \(\sigma \in \{0,1\}\) it holds that
where for \({\textsf {A}}= ({\textsf {A}}_0,{\textsf {A}}_1,{\textsf {A}}_2)\) and \(b\in \{0,1\}\) we set:
The theorem below^{Footnote 6} shows the equivalence between Definitions 5 and 4, up to the loss of a single bit in the leakage parameter.
Theorem 1
Let \(\Sigma = (\textsf {LREnc},\textsf {LRDec})\) be an \(\ell \)-LRS. Then, \(\Sigma \) is an augmented \((\ell -1)\)-LRS.
Proof
We prove the theorem by contradiction. Assume that there exists some adversary \({\textsf {A}}^{+} = ({\textsf {A}}^{+}_0,{\textsf {A}}^{+}_1,{\textsf {A}}^{+}_2)\) able to distinguish with non-negligible probability between \(\mathbf{Leak} ^{+}_{\Sigma ,{\textsf {A}}^{+}}(\lambda ,0,\sigma )\) and \(\mathbf{Leak} ^{+}_{\Sigma ,{\textsf {A}}^{+}}(\lambda ,1,\sigma )\) for some fixed \(\sigma \in \{0,1\}\) and using \(\ell -1\) bits of leakage. We construct another adversary \({\textsf {A}}= ({\textsf {A}}_0,{\textsf {A}}_1)\) which can distinguish between \(\mathbf{Leak} _{\Sigma ,{\textsf {A}}}(\lambda ,0)\) and \(\mathbf{Leak} _{\Sigma ,{\textsf {A}}}(\lambda ,1)\) with the same distinguishing advantage, using \(\ell \) bits of leakage. A description of \({\textsf {A}}\) follows:
\(\underline{\hbox {Adversary }{\textsf {A}}:}\)
\({\textsf {A}}_0\) simply runs \({\textsf {A}}_0^{+}(1^\lambda )\) and returns its output \((m_0,m_1,\alpha _1)\).
\({\textsf {A}}_1\) first runs \({\textsf {A}}_1^{+}(1^\lambda ,\alpha _1)\), simply forwarding its leakage queries to its own target left/right leakage oracles.
Denote by \(\alpha _2\) the output of \({\textsf {A}}_1^{+}\), and let \({\hat{g}}^{{\textsf {A}}_2^{+},\alpha _2}_{\sigma }\) be the leakage function that hardwires (a description of) \({\textsf {A}}_2^{+}\) and the auxiliary information \(\alpha _2\), and upon input \(s_\sigma \) returns the same as \({\textsf {A}}_2^{+}(1^\lambda ,\alpha _2,s_\sigma )\).
\({\textsf {A}}_1\) forwards \({\hat{g}}^{{\textsf {A}}_2^{+},\alpha _2}_{\sigma }\) to the leakage oracle \({\mathcal {O}}_\textsf {leak}^\ell (s_\sigma ,\cdot )\), obtaining a bit \(b'\), and finally outputs \(b'\) as its guess.
It is clear that \({\textsf {A}}\) leaks at most \(\ell -1+1=\ell \) bits. Moreover, \({\textsf {A}}\) perfectly simulates the view of \({\textsf {A}}^{+}\), and thus it retains the same advantage. This finishes the proof. \(\square \)
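The crux of the reduction above is that the second-stage adversary \({\textsf {A}}_2^{+}\), which expects a full share, is packaged as a single one-bit leakage function. A minimal Python sketch of this wrapper follows (all names are illustrative stand-ins, not the paper's notation):

```python
# Sketch of the wrapper from the proof: the full-share stage a2_plus and
# its auxiliary input alpha2 are hardwired into a leakage function that,
# on input the share s_sigma, returns a2_plus's guess -- exactly one bit
# of leakage.

def make_final_leakage_function(a2_plus, alpha2):
    def g(s_sigma: str) -> str:
        b_prime = a2_plus(alpha2, s_sigma)  # run A2+ on the full share
        return str(b_prime)                 # leak a single bit: the guess
    return g

# Toy A2+ that guesses from the parity of the share.
a2_plus = lambda alpha2, s: s.count("1") % 2
g = make_final_leakage_function(a2_plus, alpha2=None)
```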
Continuous Non-Malleability
In this section, we formalize the notion of continuous non-malleability against split-state tampering in the common reference string (CRS) model. To that end, we start by describing the syntax of split-state codes in the CRS model.
Formally, a split-state code in the CRS model is a tuple of algorithms \(\Gamma = (\textsf {Init},\textsf {Enc},\textsf {Dec})\) specified as follows: (i) The randomized algorithm \(\textsf {Init}\) takes as input the security parameter and outputs a CRS \(\omega \). (ii) The randomized encoding algorithm \(\textsf {Enc}\) takes as input some message \(m\in \{0,1\}^{k}\) and the CRS, and outputs a codeword consisting of two parts \(c:= (c_0,c_1)\in \{0,1\}^{2n}\) where \(c_0,c_1\in \{0,1\}^n\). (iii) The deterministic algorithm \(\textsf {Dec}\) takes as input a codeword \((c_0,c_1)\in \{0,1\}^{2n}\) and the CRS, and outputs either a message \(m'\in \{0,1\}^{k}\) or a special symbol \(\bot \).
As usual, we say that \(\Gamma \) is correct if for all \(\lambda \in {\mathbb {N}}\), for all \(\omega \in \textsf {Init}(1^\lambda )\), and for all \(m\in \{0,1\}^k\), it holds that \(\textsf {Dec}(\omega ,\textsf {Enc}(\omega ,m))=m\) (with probability 1 over the randomness of \(\textsf {Enc}\)).
The Definition
Intuitively, non-malleability captures a setting where an adversary \({\textsf {A}}\) tampers a single time with a target encoding \(c:= (c_0,c_1)\) of some message \(m\). The tampering attack is arbitrary, as long as it modifies the two parts \(c_0\) and \(c_1\) of the target codeword \(c\) independently, i.e., the attacker can choose any tampering function \(f:= (f_0,f_1)\) where \(f_0,f_1:\{0,1\}^n\rightarrow \{0,1\}^n\). This results in a modified codeword \(\tilde{c} := (\tilde{c}_0,\tilde{c}_1) := (f_0(c_0),f_1(c_1))\), and different flavors of non-malleability are possible depending on what information the attacker obtains about the decoding of \(\tilde{c}\):

Weak non-malleability In this case, the attacker obtains the decoded message \(\tilde{m}\in \{0,1\}^k\cup \{\bot \}\) corresponding to \(\tilde{c}\), unless \(\tilde{m} = m\) (in which case the adversary gets a special “same” symbol \(\diamond \));

Strong non-malleability In this case, the attacker obtains the decoded message \(\tilde{m}\in \{0,1\}^k\cup \{\bot \}\) corresponding to \(\tilde{c}\), unless \(\tilde{c} = c\) (in which case the adversary gets a special “same” symbol \(\diamond \));

Super non-malleability In this case, the attacker obtains \(\tilde{c}\), unless \(\tilde{c}\) is invalid (in which case the adversary gets \(\bot \)), or \(\tilde{c} = c\) (in which case the adversary gets a special “same” symbol \(\diamond \)).
Super non-malleability is the strongest flavor, as it implies that not even the mauled codeword reveals information about the underlying message (as long as it is valid and different from the original codeword). Similarly, one can see that strong non-malleability is strictly stronger than weak non-malleability. For the rest of this paper, whenever we write “non-malleability” (without specifying the flavor weak/strong/super) we implicitly mean “super non-malleability”.
Continuous non-malleability generalizes the above setting to the case where the attacker tampers adaptively with the same target codeword \(c\), and for each attempt obtains some information about the decoding of the modified codeword \(\tilde{c}\) (as above). The only restriction is that whenever a tampering attempt yields an invalid codeword, the system “self-destructs”. Toward defining continuous non-malleability, consider the following oracle \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),\cdot )\), which is parameterized by a codeword \((c_0,c_1)\) and takes as input functions \(f_{0},f_{1}:\{0,1\}^{n}\rightarrow \{0,1\}^{n}\).
\(\underline{\hbox {Oracle }{\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_{0},f_{1}))}:\)
\((\tilde{c}_0,\tilde{c}_1) = (f_{0}(c_0),f_{1}(c_1))\)
If \((\tilde{c}_0,\tilde{c}_1) = (c_0,c_1)\) return \(\diamond \)
If \(\textsf {Dec}(\omega ,(\tilde{c}_0,\tilde{c}_1)) = \bot \), return \(\bot \) and “self-destruct”
Else return \((\tilde{c}_0,\tilde{c}_1)\).
By “self-destruct” we mean that once \(\textsf {Dec}(\omega ,(\tilde{c}_0,\tilde{c}_1))\) outputs \(\bot \), the oracle answers \(\bot \) to any further query. We are now ready to define (leakage-resilient) continuous non-malleability.
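In code, the oracle together with its self-destruct behavior can be modeled along the following lines; here `dec` is a stand-in for \(\textsf {Dec}(\omega ,\cdot )\) returning `None` on invalid codewords, and the sentinel values are illustrative:

```python
# Toy model of O_maul with self-destruct: once a tampering query yields
# an invalid codeword, every later query is answered with BOTTOM.

SAME, BOTTOM = "same", "bottom"  # stand-ins for the diamond and bot symbols

class MaulOracle:
    def __init__(self, c0, c1, dec):
        self.c0, self.c1, self.dec = c0, c1, dec
        self.destroyed = False

    def maul(self, f0, f1):
        if self.destroyed:                  # after self-destruct
            return BOTTOM
        t0, t1 = f0(self.c0), f1(self.c1)   # split-state tampering
        if (t0, t1) == (self.c0, self.c1):
            return SAME                     # unchanged codeword
        if self.dec(t0, t1) is None:        # invalid: trigger self-destruct
            self.destroyed = True
            return BOTTOM
        return (t0, t1)                     # super flavor: return the mauled codeword
```

For instance, with a toy decoder that accepts only codewords with equal halves, a query mismatching the two halves triggers the self-destruct, and every later query returns bottom.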
Definition 6
(Continuous non-malleability) Let \(\Gamma = (\textsf {Init},\textsf {Enc},\textsf {Dec})\) be a split-state code in the CRS model. We say that \(\Gamma \) is \(\ell \)-leakage-resilient continuously super-non-malleable (\(\ell \)-CNMLR for short) if it holds that
where for \({\textsf {A}}:= ({\textsf {A}}_0,{\textsf {A}}_1)\) and \(b\in \{0,1\}\) we set:
Codewords Uniqueness
As we argue below, constructions that satisfy our new Definition 6 have to meet the following requirement: For any (possibly adversarially chosen) left side \(c_0\) of an encoding, it is computationally hard to find two corresponding right sides \(c_{1}\) and \(c_{1}'\) such that both \((c_0,c_{1})\) and \((c_0,c_{1}')\) form a valid encoding; a similar property holds if we instead fix the right side \(c_1\) of a codeword.
Definition 7
(Codewords uniqueness) Let \(\Gamma = (\textsf {Init},\textsf {Enc},\textsf {Dec})\) be a split-state code in the CRS model. We say that \(\Gamma \) satisfies codewords uniqueness if for all PPT adversaries \({\textsf {A}}\) we have:
The following attack shows that codewords uniqueness is necessary to achieve Definition 6.
Lemma 1
Let \(\Gamma \) be a 0-leakage-resilient continuously super-non-malleable split-state code. Then, \(\Gamma \) must satisfy codewords uniqueness.
Proof
For the sake of contradiction, assume that there exists a PPT attacker \({\textsf {A}}'\) that outputs a triple \((c_0,c_1,c_1')\) violating uniqueness of \(\Gamma \), i.e., such that \((c_0,c_{1})\) and \((c_0,c_{1}')\) are both valid, with \(c_1 \ne c_1'\). We show how to construct a PPT attacker \({\textsf {A}}:= ({\textsf {A}}_0,{\textsf {A}}_1)\) breaking continuous non-malleability of \(\Gamma \). Attacker \({\textsf {A}}_0\), given the CRS, outputs any two messages \(m_0,m_1\in \{0,1\}^k\) which differ, say, in the first bit; denote by \(({\hat{c}_{0}},{\hat{c}_{1}})\) the target codeword corresponding to \(m_b\) in the experiment \(\mathbf{Tamper} _{\Gamma ,{\textsf {A}}}(\lambda ,b)\). Attacker \({\textsf {A}}_1\) runs \({\textsf {A}}'\), and then queries the tampering oracle \({\mathcal {O}}_\mathsf{maul}(({\hat{c}_{0}},{\hat{c}_{1}}),\cdot )\) with a sequence of \(n\in \texttt {poly}(\lambda )\) tampering queries, where the \(i\)th query \((f_0^{(i)},f_1^{(i)})\) is specified as follows:

Function \(f_0^{(i)}\) overwrites \({\hat{c}_{0}}\) with \(c_0\).

Function \(f_1^{(i)}\) reads the \(i\)th bit \({\hat{c}_{1}}[i]\) of \({\hat{c}_{1}}\); in case \({\hat{c}_{1}}[i]=0\) it overwrites \({\hat{c}_{1}}\) with \(c_1\), and else it overwrites \({\hat{c}_{1}}\) with \(c_1'\).
Note that, as long as \({\textsf {A}}'\) breaks codewords uniqueness, \(\tilde{c}^{(i)} = (f_0^{(i)}({\hat{c}_{0}}),f_1^{(i)}({\hat{c}_{1}}))\) is a valid codeword for all \(i\in [n]\). This allows \({\textsf {A}}_1\) to fully recover \({\hat{c}_{1}}\) after \(n\) tampering queries, unless \(({\hat{c}_{0}},{\hat{c}_{1}})\in \{(c_0,c_1),(c_0,c_1')\}\).^{Footnote 7}
Finally, \({\textsf {A}}_1\) asks an additional tampering query \((f_{0}^{(n+1)},f_{1}^{(n+1)})\) to \({\mathcal {O}}_\mathsf{maul}(({\hat{c}_{0}},{\hat{c}_{1}}),\cdot )\):

\(f_{0}^{(n+1)}({\hat{c}_{0}})\) hardwires \({\hat{c}_{1}}\) and computes \(m= \textsf {Dec}(\omega ,({\hat{c}_{0}},{\hat{c}_{1}}))\); if the first bit of \(m\) is 0, then it behaves like the identity function, and otherwise it overwrites \({\hat{c}_{0}}\) with \(0^n\).

\(f_{1}^{(n+1)}({\hat{c}_{1}})\) is the identity function.
The above clearly allows \({\textsf {A}}\) to learn the first bit of the message in the target encoding, and hence contradicts the fact that \(\Gamma \) is continuously non-malleable. \(\square \)
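The bit-by-bit recovery at the core of the proof can be sketched as follows. The oracle below is a toy stand-in for \({\mathcal {O}}_\mathsf{maul}\) that simply returns the mauled codeword (the “same”/invalid answers do not arise on this run, except in the corner case covered by Footnote 7); all names are illustrative.

```python
# Sketch of the attack from the proof above: given (c0, c1, c1p) violating
# uniqueness, the i-th query copies bit i of the hidden right share hat_c1
# into the choice between c1 and c1p, which the super non-malleability
# experiment hands back in the clear.

def recover_right_share(maul, n, c0, c1, c1p):
    bits = []
    for i in range(n):
        f0 = lambda _hat_c0: c0                                   # overwrite the left part
        f1 = lambda hat_c1, i=i: c1 if hat_c1[i] == "0" else c1p  # encode hat_c1[i]
        tilde = maul(f0, f1)            # a valid codeword, returned in full
        bits.append("0" if tilde[1] == c1 else "1")
    return "".join(bits)

# Toy oracle around a fixed target codeword (hat_c0, hat_c1).
hat_c0, hat_c1 = "000", "101"
maul = lambda f0, f1: (f0(hat_c0), f1(hat_c1))
```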
Attacking existing schemes The attack of Lemma 1 can be used to show that the code of [84] does not satisfy continuous non-malleability as per our definition. Recall that in [84] a message \(m\) is encoded as \(c_0 = (\textit{pk},\gamma :=\textsf {Encrypt}(\textit{pk},m), \pi )\) and \(c_1 = \textit{sk}\). Here, \((\textit{pk},\textit{sk})\) is a valid public/secret key pair and \(\pi \) is an argument of knowledge of \((m,\textit{sk})\) such that \(\gamma \) decrypts to \(m\) under \(\textit{sk}\) and \((\textit{pk},\textit{sk})\) is well formed. Clearly, for any fixed \(c_1 = \textit{sk}\) it is easy to find two corresponding parts \(c_0 \ne c_0'\) such that both \((c_0,c_1)\) and \((c_0',c_1)\) are valid.^{Footnote 8}
Let us mention two important extensions of the above attack, leading to even stronger security breaches.

1.
In case the pair of valid codewords \((c_0,c_1)\), \((c_0,c'_1)\) violating the uniqueness property is such that \(\textsf {Dec}(\omega ,(c_0,c_1)) \ne \textsf {Dec}(\omega ,(c_0,c'_1))\), one can show that Lemma 1 even rules out continuous weak non-malleability.^{Footnote 9} The latter flavor of uniqueness is sometimes referred to as message uniqueness [60, 85].

2.
In case it is possible to find both \((c_0,c_1,c'_1)\) and \((c_0,c'_0,c_1)\) violating uniqueness, a simple variant of the attack from Lemma 1 allows the adversary to recover both halves of the target encoding, which is a total breach of security. However, it is not clear how to do that for the scheme of [84], as once we fix \(c_0 = (\textit{pk},\gamma ,\pi )\), it should be hard to find two valid secret keys \(c_1 = \textit{sk}\ne \textit{sk}' = c_1'\) corresponding to \(\textit{pk}\).
A simple adaptation of the above attack shows that continuous non-malleability in the split-state model is impossible in the information-theoretic setting.
Theorem 2
There is no split-state code \(\Gamma \) in the CRS model that is 0-leakage-resilient continuously super-non-malleable in the presence of a computationally unbounded adversary.
Proof
By contradiction, assume that there exists an information-theoretically secure continuously non-malleable split-state code \(\Gamma \) with \(2n\)-bit codewords. By Lemma 1, the code \(\Gamma \) must satisfy codewords uniqueness. In the information-theoretic setting, this means that for all CRSs \(\omega \in \textsf {Init}(1^\lambda )\), and for any codeword \((c_0,c_1)\in \{0,1\}^{2n}\) such that \(\textsf {Dec}(\omega ,(c_0,c_1))\ne \bot \), the following two properties hold: (i) for all \(c'_1\in \{0,1\}^{n}\) such that \(c'_1\ne c_1\), we have \(\textsf {Dec}(\omega ,(c_0,c'_1)) = \bot \); (ii) for all \(c'_0\in \{0,1\}^{n}\) such that \(c'_0\ne c_0\), we have \(\textsf {Dec}(\omega ,(c'_0,c_1)) = \bot \).
Let now \(({\hat{c}}_0,{\hat{c}}_1)\) be a target encoding of some secret \(m\in \{0,1\}^k\). An unbounded attacker \({\textsf {A}}\) can define the following tampering query \((f_0,f_1)\):

\(f_0\), given \({\hat{c}_{0}}\) as input, tries all possible \({\hat{c}_{1}}\in \{0,1\}^{n}\) until one is found such that \(\textsf {Dec}(\omega ,({\hat{c}_{0}},{\hat{c}_{1}})) \ne \bot \). Then, it computes \(m= \textsf {Dec}(\omega ,({\hat{c}_{0}},{\hat{c}_{1}}))\), and leaves \({\hat{c}}_0\) unchanged in case the first bit of the message is zero, whereas it overwrites \({\hat{c}_{0}}\) with \(0^n\) otherwise.

\(f_{1}\) is the identity function.
Note that by properties (i) and (ii) above, we know that for all \({{\hat{c}}}'_{1} \ne {\hat{c}_{1}}\), the decoding algorithm \(\textsf {Dec}(\omega ,({\hat{c}_{0}},{\hat{c}_{1}}'))\) outputs \(\bot \). Thus, the above tampering query allows the attacker to learn the first bit of \(m\) with overwhelming probability, which is a clear breach of non-malleability.
\(\square \)
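The inefficient tampering function \(f_0\) from the proof can be sketched as follows; here `dec` is a toy stand-in for \(\textsf {Dec}(\omega ,\cdot )\) (returning `None` on invalid inputs), and all other names are illustrative.

```python
# Sketch of the unbounded attacker's left tampering function: brute-force
# the (unique, by codewords uniqueness) valid right part, decode, and
# signal the first message bit by either keeping hat_c0 or zeroing it out.

def make_f0(dec, n, zero_block):
    def f0(hat_c0):
        for x in range(2 ** n):             # exhaustive search over {0,1}^n
            cand = format(x, f"0{n}b")
            m = dec(hat_c0, cand)
            if m is not None:               # found the unique valid mate
                return hat_c0 if m[0] == "0" else zero_block
        return hat_c0                       # no valid mate: leave unchanged
    return f0
```

Together with the identity function on the right part, the oracle's answer (\(\diamond \) versus \(\bot \)) then reveals the first bit of \(m\).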
Note that although the attack of Theorem 2 uses a single (inefficient) tampering query, it crucially relies on the assumption that the code \(\Gamma \) be continuously non-malleable, in that it uses the fact that \(\Gamma \) satisfies codewords uniqueness. This is consistent with the fact that all split-state codes that achieve one-time non-malleability in the information-theoretic setting do not satisfy uniqueness.
The Code
We describe our split-state code in Sect. 4.1. A detailed outline of the security proof can be found in Sect. 4.2, whereas the formal proof is given in Sects. 4.3–4.5. Finally, in Sect. 4.6, we explain how to instantiate our scheme both from generic and concrete assumptions.
Description
Our construction combines a hash function \((\textsf {Gen}, \textsf {Hash})\) (cf. Sect. 2.2), a non-interactive argument system \((\textsf {CRSGen},\textsf {Prove},\textsf {Ver})\) for proving knowledge of a preimage of a hash value (cf. Sect. 2.3), and a leakage-resilient storage \(\Sigma = (\textsf {LREnc},\textsf {LRDec})\) (cf. Sect. 2.4), as depicted in Fig. 1.
The main idea behind the scheme is as follows: The CRS includes the CRS \(\omega \) for the argument system and the hash key \(\textit{hk}\) for the hash function. Given a message \(m\in \{0,1\}^k\), the encoding procedure first encodes \(m\) using \(\textsf {LREnc}\), obtaining shares \((s_0,s_1)\). Then, it hashes both \(s_0\) and \(s_1\), obtaining values \(h_0\) and \(h_1\), and generates a non-interactive argument \(\pi _0\) (resp. \(\pi _1\)) for the statement \(h_0\in {\mathcal {L}} _\mathsf{hash}^{\textit{hk}}\) (resp. \(h_1\in {\mathcal {L}} _\mathsf{hash}^{\textit{hk}}\)) using \(h_1\) (resp. \(h_0\)) as label. The left part \(c_0\) (resp. right part \(c_1\)) of the codeword \(c^*\) consists of \(s_0\) (resp. \(s_1\)), along with the value \(h_1\) (resp. \(h_0\)), and with the arguments \(\pi _0,\pi _1\).
The decoding algorithm proceeds in the natural way. Namely, given a codeword \(c^* = (c_0,c_1)\), it first checks that the arguments contained in the left and right parts are equal, and moreover that the hash values are consistent with the shares; further, it checks that the non-interactive arguments verify correctly w.r.t. the corresponding statement and label. If any of the above checks fails, the algorithm returns \(\bot \); otherwise, it outputs the same as \(\textsf {LRDec}(s_0,s_1)\).
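The codeword layout and decoding checks just described can be sketched as follows. This is a structural sketch only: `lr_enc`/`lr_dec`, `hash_fn`, and `prove`/`verify` are hypothetical stand-ins for \(\textsf {LREnc}/\textsf {LRDec}\), \(\textsf {Hash}\), and the argument system.

```python
# Structural sketch of Fig. 1: each half carries its own share, the hash
# of the *other* share, and both arguments; decoding re-checks everything.

def encode(m, lr_enc, hash_fn, prove):
    s0, s1 = lr_enc(m)
    h0, h1 = hash_fn(s0), hash_fn(s1)
    pi0 = prove(statement=h0, label=h1)  # argument: h0 has a known preimage
    pi1 = prove(statement=h1, label=h0)
    return (s0, h1, pi0, pi1), (s1, h0, pi0, pi1)

def decode(c0, c1, lr_dec, hash_fn, verify):
    (s0, h1, pi0, pi1), (s1, h0, pi0p, pi1p) = c0, c1
    if (pi0, pi1) != (pi0p, pi1p):              # arguments must match across parts
        return None
    if hash_fn(s0) != h0 or hash_fn(s1) != h1:  # hashes consistent with shares
        return None
    if not (verify(h0, pi0, label=h1) and verify(h1, pi1, label=h0)):
        return None                             # an argument fails verification
    return lr_dec(s0, s1)
```

With toy instantiations (e.g., XOR sharing for the LRS), a codeword decodes back to the message, while replacing one share makes the hash check fail.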
Correctness of the code \(\Gamma ^*\) follows directly from the correctness properties of the LRS and of the non-interactive argument system. As for security, we establish the following result.
Theorem 3
Let \(\ell \in {\mathbb {N}}\). Assume that:

(i)
\((\textsf {LREnc},\textsf {LRDec})\) is an augmented \(\ell \)-leakage-resilient storage;

(ii)
\((\textsf {Gen},\textsf {Hash})\) is a collision-resistant hash function;

(iii)
\((\textsf {CRSGen},\textsf {Prove},\textsf {Ver})\) is a true-simulation extractable non-interactive zero-knowledge argument system for the language \({\mathcal {L}} _\mathsf{hash}^{\textit{hk}} = \{h\in \{0,1\}^\lambda :\exists s\in \{0,1\}^n\text { s.t. }\textsf {Hash}(\textit{hk},s)=h\}\).
Then, the split-state code \(\Gamma ^*\) described in Fig. 1 is an \(\ell ^*\)-leakage-resilient continuously super-non-malleable code in the CRS model, as long as \(\ell ^* \le \ell /2 - O(\lambda \log (\lambda ))\).
Proof Outline
Our goal is to show that no PPT attacker \({\textsf {A}}^*\) can distinguish the experiments \(\mathbf{Tamper} _{\Gamma ^*,{\textsf {A}}^*}(\lambda ,0)\) and \(\mathbf{Tamper} _{\Gamma ^*,{\textsf {A}}^*}(\lambda ,1)\) (cf. Definition 6). Recall that \({\textsf {A}}^*\), after seeing the CRS, can select two messages \(m_0,m_1\in \{0,1\}^k\), and then adaptively tamper with, and leak from, a target encoding \(c^* = (c_0,c_1)\) of either \(m_0\) or \(m_1\), where both the tampering and the leakage act independently on the two parts \(c_0\) and \(c_1\).
In order to prove the theorem, we introduce two hybrid experiments, as outlined below.
 \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda ,b)\)::

In the first hybrid, we modify the distribution of the target codeword \(c^* = (c_0,c_1)\). In particular, we first use the simulator \(\textsf {S}_0\) of the non-interactive argument system to program the CRS \(\omega \), yielding a simulation trapdoor \(\zeta \) and an extraction trapdoor \(\xi \), and then we compute the argument \(\pi _0\) (resp. \(\pi _1\)) by running the simulator \(\textsf {S}_1\) upon input \(\zeta \), statement \(h_0\) (resp. \(h_1\)), and label \(h_1\) (resp. \(h_0\)).
 \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda ,b)\)::

In the second hybrid, we modify the way tampering queries are answered. In particular, let \((f_0,f_1)\) be a generic tampering query, and \(\tilde{c}^* = (\tilde{c}_0,\tilde{c}_1) = (f_0(c_0),f_1(c_1))\) be the corresponding mauled codeword. Note that \(\tilde{c}_0\) can be parsed as \(\tilde{c}_0 = (\tilde{s}_0, \tilde{h}_1, \tilde{\pi }_{0,0},\tilde{\pi }_{1,0})\), and similarly \(\tilde{c}_1 = (\tilde{s}_1, \tilde{h}_{0}, \tilde{\pi }_{0,1},\tilde{\pi }_{1,1})\). The modified tampering oracle then proceeds as follows, for each \(\beta \in \{0,1\}\).
 (a):

In case \(\tilde{c}_\beta = c_\beta \), define \(\Theta _\beta := \diamond \) (cf. Type-A queries in Fig. 2).
 (b):

In case \(\tilde{c}_\beta \ne c_\beta \), but either of the arguments in \(\tilde{c}_\beta \) does not verify correctly, define \(\Theta _\beta := \bot \) (cf. Type-B queries in Fig. 2).
 (c):

In case \(\tilde{c}_\beta \ne c_\beta \) and both the arguments in \(\tilde{c}_\beta \) verify correctly, let \(\tilde{h}_{\beta ,\beta } := \textsf {Hash}(\textit{hk},\tilde{s}_\beta )\). Check whether \((\tilde{h}_{1-\beta },\tilde{h}_{\beta ,\beta },\tilde{\pi }_{1-\beta ,\beta }) = (h_{1-\beta },h_{\beta },\pi _{1-\beta })\); if so (in which case we cannot extract from \(\tilde{\pi }_{1-\beta ,\beta }\), as statement, label, and argument are all unchanged), define \(\Theta _\beta := \bot \) (cf. Type-C queries in Fig. 2).
 (d):

Otherwise, run the knowledge extractor \(\textsf {K}\) of the underlying non-interactive argument system upon input the extraction trapdoor \(\xi \), statement \(\tilde{h}_{1-\beta }\), argument \(\tilde{\pi }_{1-\beta ,\beta }\), and label \(\tilde{h}_{\beta ,\beta } := \textsf {Hash}(\textit{hk},\tilde{s}_\beta )\), yielding a share \(\tilde{s}_{1-\beta }\). Thus, let \(\tilde{c}_{1-\beta } = (\tilde{s}_{1-\beta },\tilde{h}_{\beta ,\beta },\tilde{\pi }_{0,\beta },\tilde{\pi }_{1,\beta })\) and define \(\Theta _\beta := (\tilde{c}_0,\tilde{c}_1)\) (cf. Type-D queries in Fig. 2).
As a first step, we argue that \(\mathbf{Tamper} _{\Gamma ^*, {\textsf {A}}^*}(\lambda ,b)\) and \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda ,b)\) are computationally close. This follows readily from adaptive multi-theorem zero knowledge of the non-interactive argument system, as the only difference between the two experiments is that in the latter the arguments \(\pi _0,\pi _1\) are simulated. As a second step, we prove that \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda ,b)\) and \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda ,b)\) are also computationally indistinguishable. In more detail, we show how to bound the probability that the output of the tampering oracle in the two experiments differs in the above described cases (a), (b), (c), and (d):

(a)
For Type-A queries, note that when \(\tilde{c}_\beta = c_\beta \), we must have \(\tilde{c}_{1-\beta } = c_{1-\beta }\) with overwhelming probability, as otherwise, say, \((c_0,c_1,\tilde{c}_1)\) would violate codewords uniqueness, which for our code readily follows from collision resistance of the hash function.

(b)
For Type-B queries, the decoding process in the previous hybrid would also return \(\bot \), so these queries always yield the same output in the two experiments.

(c)
For Type-C queries, we use the facts that (i) the underlying non-interactive argument system is true-simulation extractable, and (ii) the hash function is collision resistant, to show that \(\tilde{c}_\beta \) must be of the form \(\tilde{c}_\beta = (s_\beta ,h_{1-\beta },\tilde{\pi }_{0,\beta },\tilde{\pi }_{1,\beta })\) with \(\tilde{\pi }_{\beta ,\beta } \ne \pi _{\beta }\). As we show, the latter contradicts security of the underlying LRS.

(d)
For Type-D queries, note that whenever we run the extractor, either the statement \(\tilde{h}_{1-\beta }\), or the argument \(\tilde{\pi }_{1-\beta ,\beta }\), or the label \(\tilde{h}_{\beta ,\beta }\) is fresh, which ensures that the extracted witness is valid with overwhelming probability by (true-simulation) extractability of the non-interactive argument system.
Next, we show that no PPT attacker \({\textsf {A}}^*\) can distinguish between experiments \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda ,0)\) and \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda ,1)\) with better than negligible probability. To this end, we build a reduction \({\textsf {A}}\) to the security of the underlying LRS. In order to keep the exposition simple, let us first assume that \({\textsf {A}}^*\) is not allowed to ask leakage queries. Roughly, the reduction works as follows:

Simulate the CRS: At the beginning, \({\textsf {A}}\) samples a programmed CRS \(\omega \) and the hash key \(\textit{hk}\) exactly as defined in \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda ,b)\), and runs \({\textsf {A}}^*\) upon \(\omega ^* := (\omega ,\textit{hk})\) and fresh randomness \(r\). Upon receiving \((m_0,m_1)\) from \({\textsf {A}}^*\), the attacker \({\textsf {A}}\) forwards the same pair of messages to the challenger.

Learn the self-destruct index: Note that in the last hybrid, the tampering oracle answers \({\textsf {A}}^*\)’s tampering queries by computing both \(\Theta _0\) (looking only at \(c_0\)) and \(\Theta _1\) (looking only at \(c_1\)), and then \(\Theta _0\) is returned as long as \(\Theta _0 = \Theta _1\) (and otherwise a self-destruct is triggered). Since \({\textsf {A}}\) can leak independently from \(s_0\) and \(s_1\), it can compute all the values \(\Theta _\beta \) by running \({\textsf {A}}^*\) with hardwired^{Footnote 10} randomness \(r\) inside^{Footnote 11} each of its leakage oracles, and then use a pairwise-independent hash function and a binary search to determine the first index \(i^*\) corresponding to the tampering query where \(\Theta _0 \ne \Theta _1\). By pairwise independence, this yields the index \(i^*\) of the query in which \({\textsf {A}}^*\) provokes a self-destruct with overwhelming probability, while leaking at most \(O(\lambda \log \lambda )\) bits from each block.

Play the game: Once the self-destruct index \(i^*\) is known, \({\textsf {A}}\) obtains^{Footnote 12} \(s_\sigma \) and can thus restart \({\textsf {A}}^*\) outside the leakage oracle, using the same randomness \(r\), and answer the first \(i^*-1\) tampering queries using \(c_\sigma = (s_\sigma ,h_{1-\sigma },\pi _{0},\pi _{1})\), after which the answer to all remaining tampering queries is set to \(\bot \). This yields a perfect simulation of how tampering queries are handled in the last hybrid, so that \({\textsf {A}}\) retains the advantage of \({\textsf {A}}^*\).
Finally, let us explain how to remove the simplifying assumption that \({\textsf {A}}^*\) cannot leak from the target codeword. The difficulty when considering leakage is that we can no longer run the entire experiment with \({\textsf {A}}^*\) inside the leakage oracle, as the answers to \({\textsf {A}}^*\)’s leakage queries depend on the other half of the target codeword. However, in this case we can stop the execution and instruct the reduction to leak, from the other side, whatever information is needed to continue the execution of each copy of \({\textsf {A}}^*\) inside the leakage oracle.
This allows \({\textsf {A}}\) to obtain the answers to all leakage queries of \({\textsf {A}}^*\) until a self-destruct occurs. In order to obtain the answers to the remaining queries, we must rerun \({\textsf {A}}^*\) inside the leakage oracle and adjust the simulation consistently with the self-destruct index being \(i^*\). In the worst case, this requires \(2\ell ^*\) bits of leakage, yielding the final bound of \(2\ell ^* + O(\lambda \log \lambda )\). At the end, the reduction knows the answers to all leakage queries of \({\textsf {A}}^*\) with hardwired randomness \(r\), which allows it to play the game with the challenger as explained above.
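The “learn the self-destruct index” step can be sketched as follows; here `theta0`/`theta1` play the role of the per-query outputs \(\Theta _0^{(i)},\Theta _1^{(i)}\) computed inside the two leakage oracles, and a short SHA-256 digest is an illustrative stand-in for the pairwise-independent hash \(\psi _t\).

```python
# Sketch of the binary search over the query index: each probe leaks a
# short digest of one side's transcript prefix, and the two digests are
# compared; disagreement means the self-destruct index lies at or before
# the probed position.

import hashlib

def probe(thetas, q_med):
    """Digest of the transcript prefix up to (and including) query q_med."""
    return hashlib.sha256(repr(thetas[:q_med + 1]).encode()).hexdigest()[:8]

def find_self_destruct_index(theta0, theta1, q):
    """First index where the two sides' outputs disagree (q if none does)."""
    lo, hi = 0, q
    while lo < hi:
        mid = (lo + hi) // 2
        if probe(theta0, mid) != probe(theta1, mid):
            hi = mid          # disagreement at or before mid
        else:
            lo = mid + 1      # transcripts agree up to and including mid
    return lo
```

Each iteration costs one short digest per share, so \(O(\log \lambda )\) iterations leak \(O(\lambda \log \lambda )\) bits overall, matching the bound in the outline.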
Hybrids
Let us start by recalling the definition of experiment \(\mathbf{Tamper} _{\Gamma ^*, {\textsf {A}}^*}(\lambda , b)\) for our code from Fig. 1.
Consider the following hybrid experiments.

\(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda , b)\): Let \(\textsf {S}= (\textsf {S}_0, \textsf {S}_1)\) be the zero-knowledge simulator guaranteed by the non-interactive argument system. This hybrid is identical to the original experiment, except that the CRS \(\omega \) is programmed using \(\textsf {S}_0\), and the arguments \(\pi _0,\pi _1\) are computed by running the simulator \(\textsf {S}_1\) instead of \(\textsf {Prove}\).

\(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda , b)\): Identical to the previous experiment, except that the oracle \({\mathcal {O}}_\mathsf{maul}\) is replaced by \({\mathcal {O}}_\mathsf{maul}'\) described in Fig. 2.
We first prove, in Sect. 4.4, that for all PPT adversaries \({\textsf {A}}^*\) the hybrids \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda ,0)\) and \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda ,1)\) are computationally indistinguishable.
Then, in Sect. 4.5, we show that the above hybrids are computationally close, i.e., for all \(b\in \{0,1\}\), the experiments \(\mathbf{Tamper} _{\Gamma ^*, {\textsf {A}}^*}(\lambda ,b)\), \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda ,b)\), and \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda ,b)\) are computationally indistinguishable, thus proving continuous non-malleability of \(\Gamma ^*\).
The Main Reduction
Lemma 2
For all PPT adversaries \({\textsf {A}}^*\), the experiments \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda , 0)\) and \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda , 1)\) are computationally indistinguishable.
Proof
The proof reduces to the augmented leakage resilience (cf. Definition 5) of the underlying LRS \((\textsf {LREnc},\textsf {LRDec})\). The reduction relies on a family of weakly universal^{Footnote 13} hash functions \(\Psi \). By contradiction, assume that there exists a PPT adversary \({\textsf {A}}^* = ({\textsf {A}}^*_0,{\textsf {A}}^*_1)\) that can tell apart \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda , 0)\) and \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda , 1)\) with non-negligible probability. Consider the following PPT attacker \({\textsf {A}}\) against leakage resilience of \((\textsf {LREnc},\textsf {LRDec})\), which relies on the leakage functions defined in Fig. 3 on the following page.
\(\underline{\hbox {Attacker }{\textsf {A}}\hbox { for }(\textsf {LREnc},\textsf {LRDec}):}\)
 1.
(Setup phase.) Simulate the CRS as follows:
 (a)
Run \((\omega , \zeta , \xi ) \leftarrow \textsf {S}_0(1^\lambda )\) and \(\textit{hk}\leftarrow \textsf {Gen}(1^\lambda )\); set \(\omega ^* = (\omega , \textit{hk})\).
 (b)
Sample random coins \(r_1\) for \({\textsf {A}}^*_1\), and run \((m_0, m_1, \alpha _1) \leftarrow {\textsf {A}}^*_0(1^\lambda , \omega ^*)\).
 (c)
Forward \((m_0, m_1)\) to the challenger, obtaining access to the leakage oracles \({\mathcal {O}}_\textsf {leak}^\ell (s_0,\cdot )\) and \({\mathcal {O}}_\textsf {leak}^\ell (s_1,\cdot )\).
 (d)
For each \(\beta \in \{0,1\}\), query \(g_\beta ^\mathsf{hash}(\textit{hk}, \cdot )\) to \({\mathcal {O}}_\textsf {leak}^\ell (s_\beta ,\cdot )\), obtaining \(h_\beta = \textsf {Hash}(\textit{hk},s_\beta )\).
 (e)
For each \(\beta \in \{0,1\}\), generate the simulated argument \(\pi _\beta \leftarrow \textsf {S}_1(\zeta , h_{1-\beta }, h_\beta )\).
 (f)
Let \({{\hat{\alpha }}} := (\omega ,\textit{hk},\xi ,h_0,h_1,\pi _0,\pi _1,\langle {\textsf {A}}_1^*\rangle ,\alpha _1,r_1)\), and \(\Lambda _0,\Lambda _1 := (\varepsilon , \ldots , \varepsilon )\) be initially empty arrays.
 2.
(Obtain the temporary leakages.) Run the following loop:
 (a)
Query alternatively \({\mathcal {O}}_\textsf {leak}^\ell (s_0,\cdot )\) and \({\mathcal {O}}_\textsf {leak}^\ell (s_1,\cdot )\) with \(g_0^\mathsf{temp}({{\hat{\alpha }}}, \Lambda _0,\Lambda _1,\cdot )\) and \(g_1^\mathsf{temp}({{\hat{\alpha }}}, \Lambda _0,\Lambda _1,\cdot )\).
 (b)
For any \(j\ge 1\), after the \(j\)th query, if at least one of the oracles returns \((0,\Lambda _\beta ^{(j)})\), update the \(j\)th entry of \(\Lambda _\beta \) by setting \(\Lambda _\beta [j] = \Lambda _\beta ^{(j)}\).
 (c)
If both oracles return \((1,q_0)\) and \((1,q_1)\), respectively, break the loop obtaining the (temporary) leakages \(\Lambda _0,\Lambda _1\) and the (temporary) number of tampering queries \(q = \min \{q_0,q_1\}\).
 3.
(Learn the self-destruct index.) Set \((q_\mathsf{min}, q_\mathsf{max}) = (0, q)\). Run the following loop:
 (a)
If \(q_\mathsf{min} = q_\mathsf{max}\), break the loop obtaining the self-destruct index \(i^* := q_\mathsf{min} = q_\mathsf{max}\); else, set \(q_\mathsf{med} = \lfloor \frac{q_\mathsf{min} + q_\mathsf{max}}{2}\rfloor \).
 (b)
Sample a fresh hash function \(\psi _t \leftarrow \Psi \).
 (c)
For each \(\beta \in \{0,1\}\), query \(g_\beta ^\mathsf{sd}({{\hat{\alpha }}}, \Lambda _0, \Lambda _1, \psi _t,q_\mathsf{med}, \cdot )\) to \({\mathcal {O}}_\textsf {leak}^\ell (s_\beta ,\cdot )\) obtaining a value \(y_\beta \in \{0,1\}^\lambda \).
 (d)
If \(y_0 \ne y_1\), update \((q_\mathsf{min}, q_\mathsf{max}) \leftarrow (q_\mathsf{min}, q_\mathsf{med})\); else, update \((q_\mathsf{min}, q_\mathsf{max}) \leftarrow (q_\mathsf{med} + 1, q_\mathsf{max})\).
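The loop of step 3 is a standard binary search; the following minimal Python sketch abstracts one round of the leakage queries of step 3c into a predicate `diverges(q_med)`, which returns whether the two universal-hash digests \(y_0, y_1\) of the first `q_med` tampering answers differ (the predicate is monotone, since two transcripts that differ on a prefix also differ on every longer prefix):

```python
def find_selfdestruct_index(diverges, q):
    """Binary search for the smallest i* such that the two simulated answer
    transcripts already differ within their first i* entries.

    `diverges(q_med)` abstracts one pair of leakage queries from step 3c:
    True iff the digests y_0, y_1 of the first q_med answers disagree."""
    q_min, q_max = 0, q
    while q_min != q_max:
        q_med = (q_min + q_max) // 2
        if diverges(q_med):
            # Divergence already visible in the first q_med answers.
            q_min, q_max = q_min, q_med
        else:
            # First q_med answers agree; the divergence (if any) is later.
            q_min, q_max = q_med + 1, q_max
    return q_min  # equals q when the transcripts never diverge
```

The loop runs \(O(\log q) = O(\log \lambda )\) times, matching the bound used in the leakage analysis below.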
 4.
(Correct the leakages.) Set \(\Lambda _0,\Lambda _1 \leftarrow (\varepsilon ,\ldots ,\varepsilon )\), i.e., discard all the temporary leakages. Run the following loop:
 (a)
Query alternatively \({\mathcal {O}}_\textsf {leak}^\ell (s_0,\cdot )\) and \({\mathcal {O}}_\textsf {leak}^\ell (s_1,\cdot )\) with \(g_0^\mathsf{leak}({{\hat{\alpha }}}, \Lambda _0,\Lambda _1, i^*,\cdot )\) and \(g_1^\mathsf{leak}({{\hat{\alpha }}}, \Lambda _0,\Lambda _1, i^*,\cdot )\).
 (b)
For any \(j\ge 1\), after the jth query, if at least one of the oracles returns \((0,\Lambda _\beta ^{(j)})\) update the jth entry of \(\Lambda _\beta \) as in \(\Lambda _\beta [j] = \Lambda _\beta ^{(j)}\).
 (c)
If both oracles return 1, break the loop obtaining the final leakages \(\Lambda _0,\Lambda _1\).
 5.
(Play the game.) Run the following loop:
 (a)
Forward \(\sigma = 0\) to the challenger, obtaining \(s_0\).
 (b)
Set \(c_0 = (s_0,h_1,\pi _0,\pi _1)\), then start \({\textsf {A}}_1^*(1^\lambda ,\alpha _1;r_1)\).
 (c)
Upon input the jth leakage query \((g_0^{(j)},g_1^{(j)})\) from \({\textsf {A}}_1^*\), return \((\Lambda _0^{(j)},\Lambda _1^{(j)})\).
 (d)
Upon input the ith tampering query \((f_0^{(i)},f_1^{(i)})\) from \({\textsf {A}}_1^*\):
If \(i < i^*\), answer with \(\Theta _0^{(i)} = \textsf {SimTamp}(c_0,f_0^{(i)})\).
If \(i \ge i^*\), return \(\bot \).
 (e)
Upon input a guess \(b'\) from \({\textsf {A}}_1^*\), forward \(b'\) to the challenger and terminate.
For the analysis, we must show that \({\textsf {A}}\) does not leak too much information and that the reduction is correct (in the sense that the view of \({\textsf {A}}^*\) is simulated correctly). Note that \({\textsf {A}}\) makes leakage queries in steps 1d, 2a, 3c, and 4a. The leakage in step 1d is \(\lambda \) bits per share (i.e., the size of a hash value). The leakage in step 2a is bounded by \(\ell ^* + O(\log \lambda )\) bits per share (i.e., the maximum leakage asked by \({\textsf {A}}^*\) plus the indices \(q_0,q_1\)); by a similar argument, the leakage in step 4a consists of at most \(\ell ^*\) bits per share. Finally, the leakage in step 3c is bounded by \(O(\lambda \log (\lambda ))\) bits (as the loop for the binary search is run at most \(O(\log \lambda )\) times, and each time the reduction leaks \(\lambda \) bits per share). Putting it all together, the overall leakage per share is bounded by
$$\begin{aligned} \lambda + \ell ^* + O(\log \lambda ) + O(\lambda \log (\lambda )) + \ell ^* = 2\ell ^* + O(\lambda \log (\lambda )) \le \ell , \end{aligned}$$where the inequality follows by the bound on \(\ell ^*\) in the theorem statement.
Next, we argue that \({\textsf {A}}\) perfectly simulates the view of \({\textsf {A}}^*\) except with negligible probability. Indeed:

The distribution of the CRS \(\omega ^* = (\omega ,\textit{hk})\) is perfect.

For each \(\beta \in \{0,1\}\), the distribution of the value \(c_\beta \) assembled inside the leakage oracle \({\mathcal {O}}_\textsf {leak}^\ell (s_\beta ,\cdot )\) is identical to that of the target codeword \(c^* = (c_0,c_1)\) in \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda ,b)\), where b is the hidden bit in the security game for \((\textsf {LREnc},\textsf {LRDec})\).

The simulation of \({\textsf {A}}^*\)’s leakage queries is perfect. Note that the simulated leakages \(\Lambda _0,\Lambda _1\) might be inconsistent after the loop of step 2 terminates. This is because there may exist an index \(i\in [q]\) such that \(\Theta _0^{(i)} \ne \Theta _1^{(i)}\) (i.e., the answer to the ith tampering query should be \(\bot \), but a different value is passed to \({\textsf {A}}_1^*\) inside the leakage oracle), which causes a wrong simulation of all leakage queries \(j \ge i\) (if any). However, the reduction adjusts the leakages later in step 4, after the index \(i^*\) corresponding to the self-destruct query is known.

Except with negligible probability, the index \(i^*\) coincides with the index corresponding to the self-destruct query, i.e., the minimum \(i^*\in [q]\) such that \(\Theta _0^{(i^*)} \ne \Theta _1^{(i^*)}\) in \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda ,b)\). The latter follows readily from the weak universality of \(\Psi \), as for each query \(g_0^\mathsf{sd}({{\hat{\alpha }}},\Lambda _0,\Lambda _1,\psi _t,q_\mathsf{med},\cdot )\) and \(g_1^\mathsf{sd}({{\hat{\alpha }}},\Lambda _0,\Lambda _1,\psi _t,q_\mathsf{med},\cdot )\) the probability that
$$\begin{aligned} y_0 = \psi _t(\Theta _0^{(1)}\cdots \Theta _0^{(q_\mathsf{med})}) = \psi _t(\Theta _1^{(1)}\cdots \Theta _1^{(q_\mathsf{med})})=y_1, \end{aligned}$$but \(\Theta _0^{(1)}\cdots \Theta _0^{(q_\mathsf{med})} \ne \Theta _1^{(1)}\cdots \Theta _1^{(q_\mathsf{med})}\) is at most \(2^{-\lambda }\) (over the choice of \(\psi _t\)), and thus, by the union bound, the simulation is wrong with probability at most \(q\cdot 2^{-\lambda }\).
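The digest-comparison trick behind step 3c can be illustrated with a toy weakly universal family of our own choosing (a polynomial-evaluation hash; the argument only needs weak universality, not this specific family): rather than leaking the long answer transcripts themselves, each oracle leaks a short digest, and distinct transcripts produce equal digests only with small probability over the choice of the hash function.

```python
import secrets

# Toy weakly universal hash family: psi_t(x) = sum_i x[i] * t^i mod P for a
# uniformly random t. Two distinct inputs of length <= L collide with
# probability <= L / P over the choice of t, so comparing the short digests
# psi_t(transcript) detects transcript divergence except with small error.
P = (1 << 89) - 1  # a Mersenne prime; its bit-length plays the role of lambda

def sample_psi():
    t = secrets.randbelow(P)
    def psi(xs):
        # Horner-free evaluation: accumulate x[i] * t^i mod P.
        acc, power = 0, 1
        for x in xs:
            acc = (acc + x * power) % P
            power = (power * t) % P
        return acc
    return psi
```

Here transcripts are modeled as sequences of integers; in the reduction, each \(\Theta _\beta ^{(i)}\) would first be mapped injectively to such an integer.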

In step 5, the reduction obtains \(c_0\), and thus can use the knowledge of the final corrected leakages \(\Lambda _0,\Lambda _1\) and of the self-destruct index \(i^*\) to perfectly simulate all the queries of \({\textsf {A}}_1^*\).
Hence, we have shown that there exist a polynomial \(p(\lambda )\in \texttt {poly}(\lambda )\) and a negligible function \(\nu :{\mathbb {N}}\rightarrow [0,1]\) such that the advantage of \({\textsf {A}}\) in the leakage game is at least \(1/p(\lambda ) - \nu (\lambda )\), a contradiction. This concludes the proof. \(\square \)
Indistinguishability of the Hybrids
We first establish some useful lemmas, and then analyze each of the two game hops individually.
Useful Lemmata
Lemma 3
The code \(\Gamma ^* = (\textsf {Init}^*,\textsf {Enc}^*,\textsf {Dec}^*)\) satisfies codewords uniqueness. Moreover, the latter still holds if we modify \((\textsf {Init}^*,\textsf {Enc}^*)\) as defined in \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda , b)\).
Proof
We show that Definition 7 is satisfied for \(\beta = 0\). The proof for \(\beta = 1\) is analogous, and therefore omitted.
Assume that there exists a PPT adversary \({\textsf {A}}^*\) that, given as input \(\omega ^* = (\omega ,\textit{hk})\), is able to produce \((c_0,c_1,c_1')\) such that both \((c_0,c_1)\) and \((c_0,c_1')\) are valid, but \(c_1 \ne c_1'\). Let \(c_0 = (s_0,h_1,\pi _0,\pi _1)\), \(c_1 = (s_1,h_0,\pi _0,\pi _1)\), and \(c_1' = (s_1',h_0',\pi _0',\pi _1')\). Since \(s_0\) is the same in both codewords, we must have \(h_0 = h_0'\) as the hash function is deterministic. Furthermore, since both \((c_0,c_1)\) and \((c_0,c_1')\) are valid, the arguments on the right parts must be equal to the ones on the left part, i.e., \(\pi _0' = \pi _0\) and \(\pi _1' = \pi _1\). It follows that \(c_1' = (s_1',h_0,\pi _0,\pi _1)\), with \(s_1' \ne s_1\), and thus \((s_1,s_1')\) are a collision for \(\textsf {Hash}(\textit{hk},\cdot )\). The latter contradicts collision resistance of \((\textsf {Gen},\textsf {Hash})\), as it can be seen by the simple reduction that given a target hash key \(\textit{hk}\) embeds it in the CRS \(\omega ^* = (\omega ,\textit{hk})\), runs \({\textsf {A}}^*(1^\lambda ,\omega ^*)\) obtaining \((c_0,c_1,c_1')\), and outputs \((s_1,s_1')\).
The second part of the statement follows by the non-interactive zero-knowledge property of the argument system. In fact, the latter implies that the advantage of any PPT adversary \({\textsf {A}}^*\) in breaking codewords uniqueness can differ at most negligibly between the first hybrid and the original experiment. \(\square \)
Lemma 4
Whenever \({\textsf {A}}^*\) outputs a Type-D query in \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda , b)\), the following holds: for all \(\beta \in \{0,1\}\), the codeword \((\tilde{c}_{0,\beta },\tilde{c}_{1,\beta })\) contained in \(\Theta _\beta \) is valid with overwhelming probability.
Proof
Fix any \(\beta \in \{0,1\}\), and let \((f_0,f_1)\) be a generic query of Type D. Denote by \(\Theta _\beta = (\tilde{c}_{0,\beta },\tilde{c}_{1,\beta })\) the answer to \((f_0,f_1)\) as it would be computed by \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0,f_1))\), i.e., \(\tilde{c}_{\beta ,\beta } = (\tilde{s}_\beta ,\tilde{h}_{1-\beta },\tilde{\pi }_{0,\beta },\tilde{\pi }_{1,\beta })\) and \(\tilde{c}_{1-\beta ,\beta } = (\tilde{s}_{1-\beta },\tilde{h}_{\beta ,\beta },\tilde{\pi }_{0,\beta },\tilde{\pi }_{1,\beta })\), with \(\tilde{h}_{\beta ,\beta } = \textsf {Hash}(\textit{hk},\tilde{s}_\beta )\). By construction, \((\tilde{c}_{0,\beta },\tilde{c}_{1,\beta })\) is invalid if and only if \(\textsf {Hash}(\textit{hk},\tilde{s}_{1-\beta }) \ne \tilde{h}_{1-\beta }\).
Fix \(b\in \{0,1\}\). Let now \({\textsf {A}}^*\) be a PPT adversary for \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda , b)\) that with probability at least \(1/\texttt {poly}(\lambda )\) outputs a Type-D tampering query \((f_0,f_1)\) such that \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0,f_1))\) would yield an invalid codeword \(\Theta _\beta \) as described above. We construct a PPT attacker \({\textsf {A}}\) against true-simulation extractability (cf. Definition 3) of the non-interactive argument system. A description of \({\textsf {A}}\) follows:
\(\underline{\hbox {Attacker }{\textsf {A}}\hbox { for }(\textsf {CRSGen}, \textsf {Prove}, \textsf {Ver}):}\)
Upon receiving the target CRS \(\omega \), generate \(\textit{hk} \leftarrow \textsf {Gen}(1^\lambda )\) and let \(\omega ^* := (\omega , \textit{hk})\).
Run \((m_0, m_1, \alpha _1) \leftarrow {\textsf {A}}_0^*(1^\lambda , \omega ^*)\), and let \((s_0, s_1) \leftarrow \textsf {LREnc}(m_b)\).
Compute \(h_0 = \textsf {Hash}(\textit{hk},s_0)\) and \(h_1 = \textsf {Hash}(\textit{hk},s_1)\); forward \((h_{1},(s_0,h_0))\) and \((h_0,(s_1,h_1))\) to the challenger, obtaining arguments \(\pi _0\) and \(\pi _1\).
Let \(c^* = (c_0,c_1) = ((s_0,h_1,\pi _0,\pi _1),(s_1,h_0,\pi _0,\pi _1))\), and pick \(j^* \leftarrow [q]\), where \(q\in \texttt {poly}(\lambda )\) is an upper bound on the number of \({\textsf {A}}^*\)’s tampering queries.
Run \({{\textsf {A}}_1^*}^{{\mathcal {O}}_\textsf {leak}^{\ell ^*}(c_0,\cdot ),{\mathcal {O}}_\textsf {leak}^{\ell ^*}(c_1,\cdot ),{\mathcal {O}}_\mathsf{maul}((c_0,c_1),\cdot )}(1^\lambda ,\alpha _1)\) by answering all of its leakage and tampering queries as follows:
Upon input a leakage query \(g_0\) (resp. \(g_1\)) for \({\mathcal {O}}_\textsf {leak}^{\ell ^*}(c_0,\cdot )\) (resp. \({\mathcal {O}}_\textsf {leak}^{\ell ^*}(c_1,\cdot )\)), return \(g_0(c_0)\) (resp. \(g_1(c_1)\)).
Upon input a tampering query \((f_0,f_1)\) for \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(\cdot ,\cdot ))\), if this is not the \(j^*\)th tampering query, answer in the same way as \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(\cdot ,\cdot ))\) would do. Else, run \(\tilde{c}_\beta = (\tilde{s}_\beta ,\tilde{h}_{1-\beta },\tilde{\pi }_{0,\beta },\tilde{\pi }_{1,\beta }) = f_\beta (c_\beta )\), compute \(\tilde{h}_{\beta ,\beta } = \textsf {Hash}(\textit{hk},\tilde{s}_\beta )\), and forward \((\tilde{h}_{1-\beta },\tilde{h}_{\beta ,\beta },\tilde{\pi }_{1-\beta ,\beta })\) to the challenger.
For the analysis, note that the simulation done by \({\textsf {A}}\) is perfect. In particular, both the distribution of the CRS and the answers to \({\textsf {A}}^*\)’s leakage and tampering queries are identical to those of \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda ,b)\). It follows that, with probability at least \(1/q \cdot 1/\texttt {poly}(\lambda ) \in 1/\texttt {poly}(\lambda )\), the \(j^*\)th tampering query output by attacker \({\textsf {A}}^*\) is such that all of the following conditions are met: (i) \(\textsf {Ver}(\omega ,\tilde{h}_{\beta ,\beta },(\tilde{h}_{1-\beta },\tilde{\pi }_{1-\beta ,\beta })) = 1\); (ii) \((\tilde{h}_{1-\beta },\tilde{h}_{\beta ,\beta },\tilde{\pi }_{1-\beta ,\beta })\) is fresh, i.e., it is different from \((h_{1-\beta },h_\beta ,\pi _{1-\beta })\); (iii) \(\textsf {K}(\xi ,\tilde{h}_{\beta ,\beta },(\tilde{h}_{1-\beta },\tilde{\pi }_{1-\beta ,\beta }))\) outputs a value \(\tilde{s}_{1-\beta }\) such that \(\textsf {Hash}(\textit{hk},\tilde{s}_{1-\beta }) \ne \tilde{h}_{1-\beta }\) (i.e., \((\tilde{h}_{1-\beta },\tilde{s}_{1-\beta }) \not \in \mathcal {R}_\mathsf{hash}^\textit{hk}\)). Further, note that \({\textsf {A}}\) obtains only simulated arguments for true statements. Thus, \({\textsf {A}}\) breaks true-simulation extractability with non-negligible probability. The lemma follows. \(\square \)
First Game Hop
Lemma 5
\(\forall b\in \{0,1\}\): \(\left\{ \mathbf{Tamper} _{\Gamma ^*, {\textsf {A}}^*}(\lambda , b)\right\} _{\lambda \in {\mathbb {N}}} \approx _c \left\{ \mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda , b)\right\} _{\lambda \in {\mathbb {N}}}\).
Proof
The proof reduces to the adaptive multi-theorem zero-knowledge property (cf. Definition 2) of the underlying non-interactive argument system. By contradiction, assume that there exists a PPT attacker \({\textsf {A}}^* = ({\textsf {A}}_0^*, {\textsf {A}}_1^*)\) that, for any fixed \(b\in \{0,1\}\), can distinguish between \(\mathbf{Tamper} _{\Gamma ^*, {\textsf {A}}^*}(\lambda , b)\) and \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda , b)\) with non-negligible probability. Consider the following PPT distinguisher \({\textsf {D}}\) attacking the zero-knowledge property.
\(\underline{\hbox {Distinguisher }{\textsf {D}}\hbox { for }(\textsf {CRSGen}, \textsf {Prove}, \textsf {Ver}):}\)
Upon receiving the target CRS \(\omega \), generate \(\textit{hk} \leftarrow \textsf {Gen}(1^\lambda )\) and let \(\omega ^* := (\omega , \textit{hk})\).
Run \((m_0, m_1, \alpha _1) \leftarrow {\textsf {A}}_0^*(1^\lambda , \omega ^*)\), and let \((s_0, s_1) \leftarrow \textsf {LREnc}(m_b)\).
For each \(\beta \in \{0,1\}\), compute \(h_\beta = \textsf {Hash}(\textit{hk},s_\beta )\).
For each \(\beta \in \{0,1\}\), forward \((h_{1-\beta },(h_\beta ,s_\beta ))\) to the challenger, obtaining \(\pi _0,\pi _1\).
Let \(c^* = (c_0,c_1) = ((s_0,h_1,\pi _0,\pi _1),(s_1,h_0,\pi _0,\pi _1))\).
Run \(b' \leftarrow {{\textsf {A}}_1^*}^{{\mathcal {O}}_\textsf {leak}^{\ell ^*}(c_0,\cdot ),{\mathcal {O}}_\textsf {leak}^{\ell ^*}(c_1,\cdot ),{\mathcal {O}}_\mathsf{maul}((c_0,c_1),\cdot )}(1^\lambda ,\alpha _1)\).
Output \(b'\).
For the analysis, note that the simulation done by \({\textsf {D}}\) is perfect. In particular, depending on the game that \({\textsf {D}}\) is playing, the CRS \(\omega \) is either generated by running \(\textsf {CRSGen}(1^\lambda )\) or \(\textsf {S}_0(1^\lambda )\); similarly, the arguments \(\pi _0,\pi _1\) are either obtained by running \(\textsf {Prove}\) or by running the zero-knowledge simulator \(\textsf {S}_1\). Moreover, the reduction can perfectly emulate the oracles \({\mathcal {O}}_\mathsf{maul}\) and \({\mathcal {O}}_\textsf {leak}^{\ell ^*}\), since it holds a simulated codeword \(c^*\) that is distributed according to either \(\mathbf{Tamper} _{\Gamma ^*, {\textsf {A}}^*}(\lambda , b)\) or \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda , b)\). Thus, \({\textsf {D}}\) has the same distinguishing advantage as \({\textsf {A}}^*\). The lemma follows. \(\square \)
Second Game Hop
Lemma 6
\(\forall b\in \{0,1\}\): \(\left\{ \mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda , b)\right\} _{\lambda \in {\mathbb {N}}} \approx _c \left\{ \mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda , b)\right\} _{\lambda \in {\mathbb {N}}}\).
Proof
Fix \(b\in \{0,1\}\). We will prove that, with all but negligible probability, the outputs of the tampering oracles \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),\cdot )\) and \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),\cdot )\) are identical up to the first tampering query that is answered with \(\bot \) in \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),\cdot )\). (Afterward, both oracles self-destruct and thus always return \(\bot \).) Let \(q\in \texttt {poly}(\lambda )\) be an upper bound on the number of tampering queries in either of the hybrids. Consider the following events, defined over the probability space of both \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^1(\lambda , b)\) and \(\mathbf{Hyb} _{\Gamma ^*, {\textsf {A}}^*}^2(\lambda , b)\):

Event \(\mathbf{Bad} _\mathsf{same}\): There exists an index \(i\in [q]\), corresponding to a tampering query \((f_0^{(i)},f_1^{(i)})\), such that oracle \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) outputs \(\diamond \), whereas oracle \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) would output a value in \(\{0,1\}^{2n} \cup \{\bot \}\).

Event \(\mathbf{Bad} _{\bot }\): There exists an index \(i\in [q]\), corresponding to a tampering query \((f_0^{(i)},f_1^{(i)})\), such that oracle \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) outputs \(\bot \), whereas oracle \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) would output a value in \(\{0,1\}^{2n} \cup \{\diamond \}\).

Event \(\mathbf{Bad} _\mathsf{cdw}\): There exists an index \(i\in [q]\), corresponding to a tampering query \((f_0^{(i)},f_1^{(i)})\), such that oracle \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) outputs a codeword \((\tilde{c}_0^{(i)},\tilde{c}_1^{(i)})\), whereas oracle \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) would output either a different codeword or a value in \(\{\diamond ,\bot \}\).
Let \(\mathbf{Bad} := \mathbf{Bad} _\mathsf{same} \cup \mathbf{Bad} _{\bot } \cup \mathbf{Bad} _\mathsf{cdw}\). Since the two hybrids are identical conditioned on \(\mathbf{Bad} \) not happening, by a standard argument, it suffices to prove that \(\mathbf{Bad} \) happens with at most negligible probability. In what follows, we always write
$$\begin{aligned} \tilde{c}_\beta ^{(i)} = f_\beta ^{(i)}(c_\beta ) = (\tilde{s}_\beta ^{(i)},\tilde{h}_{1-\beta }^{(i)},\tilde{\pi }_{0,\beta }^{(i)},\tilde{\pi }_{1,\beta }^{(i)}), \qquad \beta \in \{0,1\}, \end{aligned}$$for the tampered codeword \((\tilde{c}_0^{(i)},\tilde{c}_1^{(i)})\) associated with \((f_0^{(i)},f_1^{(i)})\), and \(\tilde{h}_{\beta ,\beta }\) for the value \(\textsf {Hash}(\textit{hk},\tilde{s}_\beta )\).
Claim 1
\({\mathbb {P}}\left[ \mathbf{Bad} _\mathsf{same}\right] = 0\).
Proof
Note that \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) outputs \(\diamond \) if and only if \((f_0^{(i)},f_1^{(i)})\) is of Type A, i.e., \(\tilde{c}_0^{(i)} = f_0^{(i)}(c_0) = c_0\) and \(\tilde{c}_1^{(i)} = f_1^{(i)}(c_1) = c_1\). However, for such a query, oracle \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) would also return \(\diamond \), and thus the event \(\mathbf{Bad} _\mathsf{same}\) never happens. \(\square \)
Claim 2
\({\mathbb {P}}\left[ \mathbf{Bad} _{\bot }\right] \in \texttt {negl}(\lambda )\).
Proof
Note that \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) outputs \(\bot \) if and only if either (i) \(\exists \beta \in \{0,1\}:\Theta _\beta [i] = \bot \), or (ii) \(\bot \ne \Theta _0[i] \ne \Theta _1[i] \ne \bot \). We treat each of these subcases separately.
The case \(\exists \beta \in \{0,1\}:\Theta _\beta [i] = \bot \). We observe that \(\Theta _\beta [i] = \bot \) if and only if one of the following events happen: (a) \(f_\beta ^{(i)}\) is of Type B; (b) \(f_\beta ^{(i)}\) is of Type C; (c) \(f_\beta ^{(i)}\) is of Type D, and the extractor \(\textsf {K}\) returns \(\bot \). Below, we analyze each such case.
 TypeB queries::

Recall that function \(f_\beta ^{(i)}\) is of Type B if:
$$\begin{aligned} \textsf {Ver}(\omega ,\tilde{h}_{1-\beta }^{(i)},(\tilde{h}_{\beta ,\beta }^{(i)},\tilde{\pi }_{\beta ,\beta }^{(i)})) = 0 \vee \textsf {Ver}(\omega ,\tilde{h}_{\beta ,\beta }^{(i)},(\tilde{h}_{1-\beta }^{(i)},\tilde{\pi }_{1-\beta ,\beta }^{(i)})) = 0. \end{aligned}$$The above means that the local check on \(\tilde{c}_\beta ^{(i)}\) (as run by the original decoding algorithm) fails, and thus \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) would also return \(\bot \).
 TypeC queries::

W.l.o.g., assume that \(f_0^{(i)}\) is of Type C (the proof in case \(f_1^{(i)}\) is of Type C is analogous). Recall that function \(f_0^{(i)}\) is of Type C if:
$$\begin{aligned} (\tilde{h}_{1}^{(i)},\tilde{h}_{0,0}^{(i)},\tilde{\pi }_{1,0}^{(i)}) = (h_{1},h_{0},\pi _{1}). \end{aligned}$$
Next, we prove that the above contradicts security of the LRS. By contradiction, assume that there exists an adversary \({\textsf {A}}^*\) that with non-negligible probability outputs a tampering query \((f_0^{(i)},f_1^{(i)})\) such that \((\tilde{c}_0^{(i)},\tilde{c}_1^{(i)}) = ((s_0,h_1,\tilde{\pi }_0^{(i)},\pi _1),(s_1,h_0,\tilde{\pi }_0^{(i)},\pi _1))\), with \(\tilde{\pi }_0^{(i)} \ne \pi _0\) (otherwise \(f_0^{(i)}\) would be of Type A). Since \(\tilde{\pi }_0^{(i)}\) is accepting, by true-simulation extractability of the argument system \((\textsf {CRSGen},\textsf {Prove},\textsf {Ver})\), it holds that \(\textsf {K}(\xi ,h_{1},(h_{0},\tilde{\pi }_{0}^{(i)}))\) outputs a value \(\tilde{s}_0^{(i)}\) such that \(\textsf {Hash}(\textit{hk},\tilde{s}_0^{(i)}) = h_0\) with all but negligible probability. Moreover, collision resistance of \((\textsf {Gen},\textsf {Hash})\) implies that in this case \(\tilde{s}_0^{(i)} = s_0\) with overwhelming probability. Consider now the following attacker \({\textsf {A}}\).
\(\underline{\hbox {Attacker }{\textsf {A}}\hbox { against }(\textsf {LREnc},\textsf {LRDec}):}\)
Run steps 1–4 as described in the reduction \({\textsf {A}}\) in the proof of Lemma 2. This yields target messages \(m_0,m_1\) (as returned by \({\textsf {A}}_0^*\)), the final corrected leakages \(\Lambda _0,\Lambda _1\), the index \(i^*\) corresponding to the self-destruct query, and the auxiliary information \({{\hat{\alpha }}} = (\omega ,\textit{hk},\xi ,h_0,h_1,\pi _0,\pi _1,\langle {\textsf {A}}_1^*\rangle ,\alpha _1,r_1)\).
Forward \(\sigma = 1\) to the challenger, obtaining \(s_1\).
Set \(c_1 = (s_1,h_0,\pi _0,\pi _1)\), sample \(j^* \leftarrow [i^*]\), and then start \({\textsf {A}}_1^*(1^\lambda ,\alpha _1;r_1)\).
Upon input the jth leakage query \((g_0^{(j)},g_1^{(j)})\) from \({\textsf {A}}_1^*\), return \((\Lambda _0^{(j)},\Lambda _1^{(j)})\).
Upon input the ith tampering query \((f_0^{(i)},f_1^{(i)})\) from \({\textsf {A}}_1^*\):
If \(i < i^*\) and \(i \ne j^*\), answer with \(\Theta _1^{(i)} = \textsf {SimTamp}(c_1,f_1^{(i)})\).
If \(i = j^*\), let \(\tilde{c}_1^{(i)} = (\tilde{s}_1^{(i)},\tilde{h}_0^{(i)},\tilde{\pi }^{(i)}_{0,1},\tilde{\pi }^{(i)}_{1,1}):=f_1^{(i)}(s_1,h_0,\pi _0,\pi _1)\). Run \(\tilde{s}_0^{(i)} := \textsf {K}(\xi ,h_{1},(h_{0},\tilde{\pi }_{0,1}^{(i)}))\). If there exists \(b'\in \{0,1\}\) such that \(\textsf {LRDec}(\tilde{s}_0^{(i)},\tilde{s}_1^{(i)}) = m_{b'}\), forward \(b'\) to the challenger and terminate; else, abort the simulation and terminate.
An argument identical to that used in the proof of Lemma 2 shows that \({\textsf {A}}\) leaks at most \(\ell \) bits and perfectly simulates the view of \({\textsf {A}}^*\). Since with probability \(1/\texttt {poly}(\lambda )\) attacker \({\textsf {A}}^*\) outputs a tampering query \((f_0^{(i)},f_1^{(i)})\) such that \((\tilde{c}_0^{(i)},\tilde{c}_1^{(i)}) = ((s_0,h_1,\tilde{\pi }_0^{(i)},\pi _1),(s_1,h_0,\tilde{\pi }_0^{(i)},\pi _1))\), with \(\tilde{\pi }_0^{(i)} \ne \pi _0\), and moreover with probability \(1/i^*\) this is the \(j^*\)th tampering query, it follows that \(b' = b\) in experiment \(\mathbf{Leak} ^{+}_{\Sigma ,{\textsf {A}}}(\lambda ,b)\) with probability at least \(1/\texttt {poly}(\lambda ) - \texttt {negl}(\lambda )\).
 TypeD queries::

W.l.o.g., assume that \(f_0^{(i)}\) is of Type D (the proof in case \(f_1^{(i)}\) is of Type D is analogous). Recall that function \(f_0^{(i)}\) is of Type D if:
$$\begin{aligned} (\tilde{h}_{1}^{(i)},\tilde{h}_{0,0}^{(i)},\tilde{\pi }_{1,0}^{(i)}) \ne (h_{1},h_{0},\pi _{1}), \end{aligned}$$and moreover the argument \(\tilde{\pi }_{1,0}^{(i)}\) is valid w.r.t. statement \(\tilde{h}_{1}^{(i)}\) and label \(\tilde{h}_{0,0}^{(i)}\). Lemma 4 implies that in such a situation the extractor \(\textsf {K}\) yields a valid witness, so that \(\Theta _0[i] \ne \bot \) with overwhelming probability.
The case \(\bot \ne \Theta _0[i] \ne \Theta _1[i] \ne \bot \). First note that both \(\Theta _0[i]\) and \(\Theta _1[i]\) must be different from \(\diamond \). This is because if \(\Theta _0[i] = \diamond \), it must be the case that \(\Theta _1[i] \ne \diamond \), and thus \(\tilde{c}_1^{(i)} = f_1^{(i)}(c_1) \ne c_1\) as otherwise \((f_0^{(i)},f_1^{(i)})\) would be of Type A. Since \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) does not output \(\bot \), the above implies that both \((c_0,c_1)\) and \((c_0,\tilde{c}_1^{(i)})\) are valid codewords, which contradicts codewords uniqueness. More formally, given an efficient attacker \({\textsf {A}}^*\) that provokes the above event, it is straightforward to construct an efficient attacker \({\textsf {A}}\) that breaks uniqueness, which in turn contradicts Lemma 3.
It remains to analyze the case where both \(\Theta _0[i]\) and \(\Theta _1[i]\) contain values in \(\{0,1\}^{2n}\), i.e., \(\Theta _0[i] = (\tilde{c}_{0,0}^{(i)},\tilde{c}_{1,0}^{(i)})\) and \(\Theta _1[i] = (\tilde{c}_{0,1}^{(i)},\tilde{c}_{1,1}^{(i)})\) with \((\tilde{c}_{0,0}^{(i)},\tilde{c}_{1,0}^{(i)}) \ne (\tilde{c}_{0,1}^{(i)},\tilde{c}_{1,1}^{(i)})\). By definition of \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\), for all \(\beta \in \{0,1\}\), we can write:
$$\begin{aligned} \tilde{c}_{\beta ,\beta }^{(i)} = (\tilde{s}_\beta ^{(i)},\tilde{h}_{1-\beta ,\beta }^{(i)},\tilde{\pi }_{0,\beta }^{(i)},\tilde{\pi }_{1,\beta }^{(i)}), \qquad \tilde{c}_{1-\beta ,\beta }^{(i)} = (\tilde{s}_{1-\beta }^{(i)},\tilde{h}_{\beta ,\beta }^{(i)},\tilde{\pi }_{0,\beta }^{(i)},\tilde{\pi }_{1,\beta }^{(i)}), \end{aligned}$$with \(\tilde{h}_{\beta ,\beta }^{(i)} = \textsf {Hash}(\textit{hk},\tilde{s}_\beta ^{(i)})\).
However, since \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) does not return \(\bot \), it must hold that \(\tilde{\pi }_{0,0}^{(i)} = \tilde{\pi }_{0,1}^{(i)} := \tilde{\pi }_{0}^{(i)}\) and \(\tilde{\pi }_{1,0}^{(i)} = \tilde{\pi }_{1,1}^{(i)} := \tilde{\pi }_{1}^{(i)}\), and furthermore \(\tilde{h}_{0,0}^{(i)} = \tilde{h}_0^{(i)} := \textsf {Hash}(\textit{hk},\tilde{s}_0^{(i)})\) and \(\tilde{h}_{1,1}^{(i)} = \tilde{h}_1^{(i)} := \textsf {Hash}(\textit{hk},\tilde{s}_1^{(i)})\). But this implies \(\tilde{c}_{0,0} = (\tilde{s}_{0}^{(i)},\tilde{h}_{1}^{(i)},\tilde{\pi }_{0}^{(i)},\tilde{\pi }_{1}^{(i)}) = \tilde{c}_{0,1}\), and similarly \(\tilde{c}_{1,0} = (\tilde{s}_{1}^{(i)},\tilde{h}_{0}^{(i)},\tilde{\pi }_{0}^{(i)},\tilde{\pi }_{1}^{(i)}) = \tilde{c}_{1,1}\), a contradiction. \(\square \)
Claim 3
\({\mathbb {P}}\left[ \mathbf{Bad} _\mathsf{cdw}\right] \in \texttt {negl}(\lambda )\).
Proof
Note that \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) outputs \((\tilde{c}_0^{(i)},\tilde{c}_1^{(i)})\) if and only if \(\Theta _0[i] = (\tilde{c}_{0,0}^{(i)},\tilde{c}_{1,0}^{(i)})\), \(\Theta _1[i] = (\tilde{c}_{0,1}^{(i)},\tilde{c}_{1,1}^{(i)})\), and moreover \((\tilde{c}_{0,0}^{(i)},\tilde{c}_{1,0}^{(i)}) = (\tilde{c}_{0,1}^{(i)},\tilde{c}_{1,1}^{(i)}) := (\tilde{c}_0^{(i)},\tilde{c}_1^{(i)})\). Let us write \(\tilde{c}_0^{(i)} = (\tilde{s}_{0}^{(i)},\tilde{h}_{1}^{(i)},\tilde{\pi }_{0}^{(i)},\tilde{\pi }_{1}^{(i)})\) and \(\tilde{c}_1^{(i)} = (\tilde{s}_{1}^{(i)},\tilde{h}_{0}^{(i)},\tilde{\pi }_{0}^{(i)},\tilde{\pi }_{1}^{(i)})\). By Lemma 4, we know that \((\tilde{c}_0^{(i)},\tilde{c}_1^{(i)})\) is a valid codeword with overwhelming probability.
First, we claim that \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) cannot output \(\diamond \). This is because the latter would imply that \(\tilde{c}_0^{(i)} = c_0\) and \(\tilde{c}_1^{(i)} = c_1\), which means \((f_0^{(i)},f_1^{(i)})\) would be of Type A.
Second, let us argue that \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) cannot output \(\bot \) either. This is because the latter would imply that either (i) \(\exists \beta \in \{0,1\}:\textsf {Hash}(\textit{hk},\tilde{s}_\beta ^{(i)}) \ne \tilde{h}_\beta ^{(i)}\), or (ii) \(\exists \beta \in \{0,1\}:\textsf {Ver}(\omega ,\tilde{h}_\beta ^{(i)},(\tilde{h}_{1\beta }^{(i)},\tilde{\pi }_{1\beta }^{(i)})) = 0\). However, both these conditions contradict the fact that \((\tilde{c}_0^{(i)},\tilde{c}_1^{(i)})\) must be valid.
It remains to consider the case where \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\) outputs a codeword \(({\hat{c}_{0}}^{(i)},{\hat{c}_{1}}^{(i)}) \ne (\tilde{c}_0^{(i)},\tilde{c}_1^{(i)})\), where \(({\hat{c}_{0}}^{(i)},{\hat{c}_{1}}^{(i)})\) is a valid codeword. Let us generically write \({\hat{c}_{0}}^{(i)} = f_0^{(i)}(c_0) = ({\hat{s}_{0}}^{(i)},{\hat{h}_{1}}^{(i)},{\hat{\pi }}_{0}^{(i)},{\hat{\pi }_{1}}^{(i)})\) and \({\hat{c}_{1}}^{(i)} = f_1^{(i)}(c_1) = ({\hat{s}}_{1}^{(i)},{\hat{h}}_{0}^{(i)},{\hat{\pi }_{0}}^{(i)},{\hat{\pi }_{1}}^{(i)})\) for the tampered codeword as computed by \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\). By definition of \({\mathcal {O}}_\mathsf{maul}'((c_0,c_1),(f_0^{(i)},f_1^{(i)}))\), however, it must be the case that \(\tilde{s}_0^{(i)} = {\hat{s}}_0^{(i)}\) and \(\tilde{s}_1^{(i)} = {\hat{s}_{1}}^{(i)}\), which in turn implies \(\tilde{h}_0^{(i)} = \textsf {Hash}(\textit{hk},\tilde{s}_0^{(i)}) = {\hat{h}_{0}}^{(i)}\) and \(\tilde{h}_{1}^{(i)} = \textsf {Hash}(\textit{hk},\tilde{s}_1^{(i)}) = {\hat{h}_{1}}^{(i)}\), and furthermore \((\tilde{\pi }_0^{(i)},\tilde{\pi }_1^{(i)}) = ({\hat{\pi }_{0}}^{(i)},{\hat{\pi }_{1}}^{(i)})\). Hence, \((\tilde{c}_0^{(i)},\tilde{c}_1^{(i)}) = ({\hat{c}_{0}}^{(i)},{\hat{c}_{1}}^{(i)})\), a contradiction.
\(\square \)
The statement of the lemma now follows by the above claims, together with a union bound. \(\square \)
Concrete Instantiation
Below, we explain how to instantiate the building blocks required for our code, both from generic and concrete assumptions.

Leakage-Resilient Storage As shown in [50, 52], this primitive exists unconditionally. Let \({\mathbb {F}}= \mathbb {GF}(2^k)\) be the Galois field with \(2^k\) elements, and \(t\in {\mathbb {N}}\) be a parameter. Given \(m\in \{0,1\}^k\), algorithm \(\textsf {LREnc}\) interprets \(m\) as an element of \({\mathbb {F}}\) and outputs random \(s_0,s_1\in {\mathbb {F}}^t\) subject to \(\langle s_0,s_1\rangle := \sum _{i=1}^ts_0[i]\cdot s_1[i] = m\). For any \(\delta \in [0,1]\), this yields an \(\ell \)-LRS with \(\ell = kt/4 - \log (1/\delta )\), where \(\delta \) is the statistical distance between the experiments of Definition 4. By Theorem 1, this is also an augmented \((kt/4 - \log (1/\delta ) - 1)\)-LRS.
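As an illustration, here is a toy Python sketch of the inner-product encoding. Two simplifications are ours: we work over a prime field rather than \(\mathbb {GF}(2^k)\) to keep the arithmetic short, and we fix the inner product by solving for the last coordinate of \(s_1\) (a minor deviation from sampling uniformly subject to the constraint):

```python
import secrets

# Toy inner-product leakage-resilient storage over a prime field Z_FP
# (the construction in the text uses GF(2^k); a prime field keeps this short).
FP = 2**61 - 1  # a Mersenne prime, standing in for the field of size 2^k
T = 8           # parameter t: number of field elements per share

def lr_enc(m):
    """Encode m in Z_FP as shares s0, s1 in Z_FP^T with <s0, s1> = m."""
    while True:
        s0 = [secrets.randbelow(FP) for _ in range(T)]
        s1 = [secrets.randbelow(FP) for _ in range(T - 1)]
        if s0[-1] != 0:  # s0[T-1] must be invertible to solve the last entry
            break
    partial = sum(a * b for a, b in zip(s0, s1)) % FP
    last = ((m - partial) * pow(s0[-1], FP - 2, FP)) % FP  # Fermat inverse
    return s0, s1 + [last]

def lr_dec(s0, s1):
    """Recover the message as the inner product of the two shares."""
    return sum(a * b for a, b in zip(s0, s1)) % FP
```

Note that each share on its own is (close to) uniform, which is the source of the leakage resilience.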

Collision-Resistant Hash Function Let \({\mathbb {G}}\) be a cyclic group of prime order q, with generators \(g_1,\ldots ,g_t\) for some parameter \(t\in {\mathbb {N}}\). Assuming hardness of the discrete logarithm problem in \({\mathbb {G}}\), we can take \(\textsf {Hash}(\textit{hk},s) := \prod _{i=1}^t g_i^{s[i]}\), where \(s= (s[1],\ldots ,s[t])\in {\mathbb {Z}}_q^t\) and \(\textsf {Hash}:{\mathbb {Z}}_q^t\rightarrow {\mathbb {G}}\).
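A toy sketch of this hash follows, with deliberately insecure, tiny parameters; instantiating \({\mathbb {G}}\) as the order-q subgroup of \({\mathbb {Z}}_p^*\) for a safe prime \(p = 2q+1\), and picking the generators as small squares modulo \(p\), are our own illustrative choices:

```python
# Multi-generator hash Hash(hk, s) = prod_i g_i^{s[i]} in the order-q
# subgroup of Z_p^*, for a safe prime p = 2q + 1 (toy-sized parameters!).
q = 1019            # prime order of the subgroup
p = 2 * q + 1       # p = 2039, a safe prime
t = 4
# Generators: squares mod p lie in the order-q subgroup (and differ from 1).
hk = [pow(i + 2, 2, p) for i in range(t)]

def hash_dl(hk, s):
    """Hash(hk, s) = prod_i g_i^{s[i]} mod p, for s in Z_q^t."""
    h = 1
    for g, x in zip(hk, s):
        h = (h * pow(g, x, p)) % p
    return h
```

The hash compresses \(t\) field elements into a single group element, and any collision \(s \ne s'\) with \(\textsf {Hash}(\textit{hk},s) = \textsf {Hash}(\textit{hk},s')\) yields a nontrivial discrete-logarithm relation among the generators.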

True-Simulation Extractable NIZK It is well known that simulation-extractable NIZKs (i.e., NIZKs that remain extractable even when the attacker observes simulated arguments of possibly false statements) can be obtained for all of NP assuming (doubly enhanced) trapdoor permutations [51, 68, 87]. More concretely, using the collision-resistant hash function from the previous bullet point, we need to consider the NP-relation:
$$\begin{aligned} \mathcal {R}_\mathsf{hash}^{({\mathbb {G}},g_1,\ldots ,g_t,q)} := \left\{ (h,s):~h= \prod _{i=1}^tg_i^{s[i]}\right\} \subseteq {\mathbb {G}} \times {\mathbb {Z}}_q^t. \end{aligned}$$Following [51], an efficient tSE NIZK for the above relation can be obtained under the DLIN assumption by combining classical Groth–Sahai NIZKs [74, 75] with Cramer–Shoup encryption [38]. We leave the count of the exact number of group elements as an exercise to the reader.
Application to Tamper-Resilient Security
In this section, we revisit the classical application of non-malleable codes to protecting arbitrary cryptographic primitives against memory-tampering attacks [55, 56, 84], highlighting in particular the benefits that our new notion of continuous non-malleability brings to the picture.
In what follows, let \(\textsf {F}(\kappa ,\cdot )\) be an efficiently computable functionality taking a secret key \(\kappa \in \{0,1\}^{k}\) and a value \(x\in \{0,1\}^{*}\) as input, and producing some output \(y\in \{0,1\}^{*}\). We are concerned with attackers changing the original key \(\kappa \) into a related key \(\tilde{\kappa }\) and observing the effect of such changes at the output. For concreteness, we focus on the setting in which the key material is stored in two separate parts of the memory that can be tampered with independently, but the results in this section can easily be extended to general tampering (parameterized by a tampering family supported by the non-malleable code). As explained below, we distinguish between stateless and stateful functionalities.
Stateless Functionalities
In the case of stateless functionalities, the key \(\kappa \) is fixed once and for all. The main idea is to transform the original functionality \(\textsf {F}\) into a “hardened” functionality \(\hat{\textsf {F}}\), using a non-malleable code \(\Gamma \) to encode the key. Previous transformations aiming at protecting stateless functionalities [55, 56, 84] required freshly re-encoding the key \(\kappa \) each time the functionality is invoked. Our approach avoids re-encoding the key at each invocation, leading to a stateless transformation. This solves an open question from [55, 56]. Moreover, we consider a setting where the encoded key is stored in a memory \({\mathcal {M}}:= ({\mathcal {M}} _0,{\mathcal {M}} _1)\) that is much larger than the size needed to store the encoding itself (say \(|{\mathcal {M}} _0| = |{\mathcal {M}} _1| = p(n)\), where \(p(n)\) is polynomial in the length n of the encoding). When (perfect) erasures are not possible, this feature naturally allows the adversary to make copies of the initial encoding and tamper continuously with it.
Let us formally define what it means to harden a stateless functionality.
Definition 8
(Stateless hardened functionality) Let \(\Gamma = (\textsf {Init},\textsf {Enc},\textsf {Dec})\) be a splitstate code in the CRS model, with kbit messages and 2nbit codewords. Let \(\textsf {F}:\{0,1\}^{k}\times \{0,1\}^{*}\rightarrow \{0,1\}^{*}\) be a stateless functionality, and \(\delta \in \{0,1\}\) be a public value. We define a stateless hardened functionality \(\hat{\textsf {F}}^\Gamma :=\hat{\textsf {F}}:\{0,1\}^{2p}\times \{0,1\}^{*}\rightarrow \{0,1\}^{*}\) with \(p= \texttt {poly}(n)\) as a tuple of algorithms \((\textsf {Setup},\textsf {MemCompile},\textsf {Exec})\) described as follows:

\(\textsf {Setup}(1^\lambda )\): Sample \(\omega \leftarrow \textsf {Init}(1^\lambda )\), initialize \(\delta = 0\), and return \({\hat{\omega }}= (\omega ,\delta )\).

\(\textsf {MemCompile}({\hat{\omega }},\kappa )\): Parse \({\hat{\omega }}= (\omega ,\delta )\). Let \((c_0,c_1)\leftarrow \textsf {Enc}(\omega ,\kappa )\). For \(\beta \in \{0,1\}\), store \(c_\beta \) in the first n bits of \({\mathcal {M}} _\beta \); the remaining bits of \({\mathcal {M}} _\beta \) are set to \(0^{p-n}\). Define \({\mathcal {M}}:= ({\mathcal {M}} _0,{\mathcal {M}} _1)\).

\(\textsf {Exec}({\hat{\omega }},{\mathcal {M}},x)\): Parse \({\hat{\omega }}= (\omega ,\delta )\). In case \(\delta = 1\), output \(\bot \); else, let \(\tilde{c}_\beta = {\mathcal {M}} _\beta [1,\ldots ,n]\) for \(\beta \in \{0,1\}\). Run \(\tilde{\kappa }= \textsf {Dec}(\omega ,(\tilde{c}_0,\tilde{c}_1))\): If \(\tilde{\kappa }= \bot \), then output \(\bot \) and set \(\delta = 1\). Else, output \(y = \textsf {F}(\tilde{\kappa },x)\). Finally, update the CRS to \({\hat{\omega }}:= (\omega ,\delta )\).
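To make the syntax of Definition 8 concrete, the following Python sketch instantiates \((\textsf {Setup},\textsf {MemCompile},\textsf {Exec})\) with a toy stand-in for the code \(\Gamma \): plain XOR sharing plus a hash-based validity tag. This stand-in is of course not nonmalleable, and all names and sizes (`enc`, `dec`, `execute`, N, P) are illustrative assumptions; the sketch only exercises the control flow, including the selfdestruct flag \(\delta \).

```python
# Toy instantiation of the stateless hardened functionality (Definition 8).
# The split-state "code" below (XOR sharing plus a hash tag) is NOT
# nonmalleable; it is a hypothetical stand-in used to make the
# Setup/MemCompile/Exec control flow concrete.
import hashlib
import os

N = 32   # length n of each codeword half (bytes)
P = 128  # length p of each memory part, p >= n (bytes)

def init():
    return os.urandom(16)  # CRS omega

def enc(omega, kappa):     # kappa: at most 16 bytes, no trailing zeros
    plain = kappa.ljust(16, b"\0") + hashlib.sha256(omega + kappa).digest()[:16]
    r = os.urandom(N)
    return r, bytes(a ^ b for a, b in zip(r, plain))

def dec(omega, c0, c1):
    plain = bytes(a ^ b for a, b in zip(c0, c1))
    kappa, tag = plain[:16].rstrip(b"\0"), plain[16:]
    if hashlib.sha256(omega + kappa).digest()[:16] != tag:
        return None        # invalid codeword: decoding outputs bottom
    return kappa

def setup():
    return {"omega": init(), "delta": 0}          # hat_omega = (omega, delta)

def mem_compile(hat_omega, kappa):
    c0, c1 = enc(hat_omega["omega"], kappa)
    # store each half in the first n bytes; pad the rest with zeros
    return [bytearray(c0) + bytearray(P - N), bytearray(c1) + bytearray(P - N)]

def execute(hat_omega, mem, F, x):
    if hat_omega["delta"] == 1:                   # selfdestruct was triggered
        return None
    kappa = dec(hat_omega["omega"], bytes(mem[0][:N]), bytes(mem[1][:N]))
    if kappa is None:
        hat_omega["delta"] = 1                    # trigger selfdestruct
        return None
    return F(kappa, x)
```

Tampering with either half makes `dec` fail; from then on every call to `execute` answers \(\bot \), even if the original codeword is later restored, mirroring the onetime writable flag \(\delta \).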
Remark 1
(On \(\delta \)) The public value \(\delta \) is simply a way to implement the selfdestruct feature. An alternative approach would be to let the hardened functionality output a dummy value and overwrite \(({\mathcal {M}} _0,{\mathcal {M}} _1)\) with the allzero string. As we do not want to assume perfect erasures, we use the first approach here.
Note that we assume that \(\delta \) is untamperable and onetime writable. The latter is necessary: an adversary tampering with \(\delta \) could otherwise switch off the selfdestruct feature and apply a variant of the attack from [70] to recover the secret state.
Similarly to [55, 56, 84], security of \(\hat{\textsf {F}}\) is defined via the comparison of a real and an ideal experiment. The real experiment features an adversary \({\textsf {A}}\) interacting with \(\hat{\textsf {F}}\); the adversary is allowed to honestly run the functionality on any chosen input, but also to modify the memory and retrieve a bounded amount of information from it. The ideal experiment features a simulator \(\textsf {S}\) that is given blackbox access to the original functionality \(\textsf {F}\) and to the adversary \({\textsf {A}}\), but is not allowed any tampering or leakage query. The two experiments are formally described below.
Experiment \(\mathbf{Real} _{\hat{\textsf {F}},{\textsf {A}}}(\lambda ,\kappa )\). First \({\hat{\omega }}\leftarrow \textsf {Setup}(1^\lambda )\) and \({\mathcal {M}} \leftarrow \textsf {MemCompile}({\hat{\omega }},\kappa )\) are run, and \({\hat{\omega }}\) is given to \({\textsf {A}}\). Then, \({\textsf {A}}\) can issue the following commands polynomially many times (in any order):

\(\langle \texttt {Leak},(g_{0}^{(j)}, g_{1}^{(j)})\rangle \): In response to the jth leakage query compute \(\Lambda _{0}^{(j)} = g_{0}^{(j)}({\mathcal {M}} _0)\) and \(\Lambda _{1}^{(j)} = g_{1}^{(j)}({\mathcal {M}} _1)\), and output \(\Lambda ^{(j)}:=(\Lambda _{0}^{(j)},\Lambda _{1}^{(j)})\).

\(\langle \texttt {Tamper},(f_{0}^{(j)}, f_{1}^{(j)})\rangle \): In response to the jth tampering query compute \({\widetilde{{\mathcal {M}}}}_0 = f_{0}^{(j)}({\mathcal {M}} _0)\) and \({{\widetilde{{\mathcal {M}}}}}_1 = f_{1}^{(j)}({\mathcal {M}} _1)\), and replace \({\mathcal {M}} =({\mathcal {M}} _0,{\mathcal {M}} _1)\) with \({{\widetilde{{\mathcal {M}}}}}=({{\widetilde{{\mathcal {M}}}}}_0,{{\widetilde{{\mathcal {M}}}}}_1)\).

\(\langle \texttt {Eval}, x^{(j)}\rangle \): In response to the jth evaluation query run \(y^{(j)} = \textsf {Exec}({\hat{\omega }},{\mathcal {M}},x^{(j)})\): If \(y^{(j)} = \bot \), output \(\bot \) and selfdestruct; else, output \(y^{(j)}\).
At the end of the experiment, \({\textsf {A}}\) outputs a bit that is an arbitrary function of its view (and this is also the output of the experiment).
Experiment \(\mathbf{Ideal} _{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\kappa )\). The simulator sets up the CRS \({\hat{\omega }}= (\omega ,\delta )\) and is given blackbox access to the functionality \(\textsf {F}(\kappa ,\cdot )\) and the adversary \({\textsf {A}}\). At the end of the experiment, \({\textsf {A}}\) outputs a bit that is an arbitrary function of its view (and this is also the output of the experiment).
Definition 9
(Continuous tamper simulatability) Let \(\Gamma \) be a splitstate encoding scheme in the CRS model and consider a stateless functionality \(\textsf {F}\) with corresponding hardened functionality \(\hat{\textsf {F}}:= \hat{\textsf {F}}^\Gamma \). We say that \(\Gamma \) is \(\ell \)leakage continuously tamper simulatable in the splitstate model (for stateless functionalities), if for all PPT adversaries \({\textsf {A}}\) leaking at most \(\ell \) bits from each memory part, there exists a PPT simulator \(\textsf {S}\) such that for any initial state \(\kappa \in \{0,1\}^k\):
$$\begin{aligned} \left| {\mathbb {P}}\left[ \mathbf{Real} _{\hat{\textsf {F}},{\textsf {A}}}(\lambda ,\kappa ) = 1\right] - {\mathbb {P}}\left[ \mathbf{Ideal} _{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\kappa ) = 1\right] \right| \in \texttt {negl}(\lambda ). \end{aligned}$$
The theorem below says that any continuously nonmalleable splitstate code is automatically continuously tamper simulatable.
Theorem 4
Let \(\Gamma \) be any \(\ell \)leakageresilient continuously super nonmalleable splitstate code in the CRS model. Then \(\Gamma \) is \(\ell \)leakage continuously tamper simulatable in the splitstate model (for stateless functionalities).
Proof
Consider the following simulator \(\textsf {S}\). At the outset, \(\textsf {S}\) samples \(\omega \leftarrow \textsf {Init}(1^\lambda )\) and sets \(\delta = 0\), yielding \({\hat{\omega }}= (\omega ,\delta )\). Then, it samples a random encoding of zero, namely \((c_0,c_1)\leftarrow \textsf {Enc}(\omega ,0^k)\), and sets \({\mathcal {M}} _\beta [1,\ldots ,n] := c_\beta \) for \(\beta \in \{0,1\}\). The remaining bits of \(({\mathcal {M}} _0,{\mathcal {M}} _1)\) are set to \(0^{p-n}\). Next, \(\textsf {S}\) runs \({\textsf {A}}(1^\lambda ,{\hat{\omega }})\) and answers its queries alternating between the following two modes (starting with the normal mode):

Normal Mode. Given state \(({\mathcal {M}} _0,{\mathcal {M}} _1)\), while \({\textsf {A}}\) continues issuing queries, answer as follows:

\(\langle \texttt {Leak},(g_{0}^{(j)}, g_{1}^{(j)})\rangle \): Upon input the jth leakage query, compute \(\Lambda _\beta ^{(j)} = g_{\beta }^{(j)}({\mathcal {M}} _\beta )\) for \(\beta \in \{0,1\}\), and reply with \((\Lambda _0^{(j)},\Lambda _1^{(j)})\).

\(\langle \texttt {Tamper}, (f_{0}^{(j)}, f_{1}^{(j)})\rangle \): Upon input the jth tampering query, compute \({{\widetilde{{\mathcal {M}}}}}_\beta = f_{\beta }^{(j)}({\mathcal {M}} _\beta )\) for \(\beta \in \{0,1\}\). Let \((\tilde{c}_0,\tilde{c}_1) := ({{\widetilde{{\mathcal {M}}}}}_{0}[1,\ldots ,n],{{\widetilde{{\mathcal {M}}}}}_{1}[1,\ldots ,n])\). If \((\tilde{c}_0,\tilde{c}_1) = (c_0,c_1)\), continue in the current mode. Else, go to the overwritten mode with state \(({\mathcal {M}} _0,{\mathcal {M}} _1) := ({{\widetilde{{\mathcal {M}}}}}_0,{{\widetilde{{\mathcal {M}}}}}_1)\), and, if \(\textsf {Dec}(\omega ,(\tilde{c}_0,\tilde{c}_1)) = \bot \), update the CRS to \({\hat{\omega }}:= (\omega ,1)\).

\(\langle \texttt {Eval}, x^{(j)}\rangle \): Upon input the jth evaluation query, invoke \(\textsf {F}(\kappa ,\cdot )\) to obtain \(y^{(j)} = \textsf {F}(\kappa ,x^{(j)})\), and reply with \(y^{(j)}\).


Overwritten Mode. Given state \({\mathcal {M}}:=({\mathcal {M}} _0,{\mathcal {M}} _1)\), while \({\textsf {A}}\) continues issuing queries, answer as follows:

\(\langle \texttt {Leak},(g_{0}^{(j)}, g_{1}^{(j)})\rangle \): Upon input the jth leakage query, compute \(\Lambda _\beta ^{(j)} = g_{\beta }^{(j)}({\mathcal {M}} _\beta )\) for \(\beta \in \{0,1\}\), and reply with \((\Lambda _0^{(j)},\Lambda _1^{(j)})\).

\(\langle \texttt {Tamper}, (f_{0}^{(j)}, f_{1}^{(j)})\rangle \): Upon input the jth tampering query \((f_{0}^{(j)}, f_{1}^{(j)})\), compute \({{\widetilde{{\mathcal {M}}}}}_\beta = f_{\beta }^{(j)}({\mathcal {M}} _\beta )\) for \(\beta \in \{0,1\}\). Let \((\tilde{c}_0,\tilde{c}_1) := ({{\widetilde{{\mathcal {M}}}}}_{0}[1,\ldots ,n],{{\widetilde{{\mathcal {M}}}}}_{1}[1,\ldots ,n])\). If \((\tilde{c}_0,\tilde{c}_1) = (c_0,c_1)\), go to the normal mode with state \(({\mathcal {M}} _0,{\mathcal {M}} _1) := ({{\widetilde{{\mathcal {M}}}}}_0,{{\widetilde{{\mathcal {M}}}}}_1)\). Else, continue in the current mode, and, if \(\textsf {Dec}(\omega ,(\tilde{c}_0,\tilde{c}_1)) = \bot \), update the CRS to \({\hat{\omega }}:= (\omega ,1)\).

\(\langle \texttt {Eval}, x^{(j)}\rangle \): Upon input the jth evaluation query, run \(y^{(j)} = \textsf {F}(\tilde{\kappa },x^{(j)})\), where \(\tilde{\kappa }= \textsf {Dec}(\omega ,(\tilde{c}_0,\tilde{c}_1))\), and reply with \(y^{(j)}\).

Intuitively, since the code is nonmalleable, the adversary can either keep the encoding of the secret key unchanged or overwrite it with the encoding of an unrelated value. These two cases are captured in the above modes: The simulator starts in the normal mode and then, whenever the adversary modifies the initial encoding, it switches to the overwritten mode. However, note that the adversary can use the extra space to keep a copy of the original encoding and place it back at some later point in time. When this happens, the simulator switches back to the normal mode; this feature is important to maintain simulation.
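As a sanity check, the mode-switching strategy can be sketched in code. In the sketch below, `enc`/`dec` are a hypothetical XOR-sharing stand-in with a marker byte (again, not nonmalleable), and the class name, method names, and toy sizes are our own illustrative choices, not part of the construction; the point is only the switching between the two modes, including the copy-back of the original encoding from the spare memory.

```python
# Sketch of the simulator's two modes (proof of Theorem 4). enc/dec are a
# trivial XOR-sharing stand-in with a validity marker byte -- NOT
# nonmalleable -- used only to exercise the normal/overwritten switching.
import os

N, P = 16, 64  # half-codeword and memory-part lengths (bytes), illustrative

def enc(m):                                   # m: at most N-1 bytes
    plain = m.ljust(N - 1, b"\0") + b"\xa5"   # marker byte = validity check
    r = os.urandom(N)
    return r, bytes(a ^ b for a, b in zip(r, plain))

def dec(c0, c1):
    plain = bytes(a ^ b for a, b in zip(c0, c1))
    return plain[:-1].rstrip(b"\0") if plain[-1] == 0xA5 else None

class Simulator:
    def __init__(self, F, F_kappa):  # F is public; F_kappa is F(kappa, .)
        self.F, self.F_kappa = F, F_kappa
        self.c0, self.c1 = enc(b"")  # random encoding of zero
        self.mem = [bytearray(self.c0) + bytearray(P - N),
                    bytearray(self.c1) + bytearray(P - N)]
        self.mode, self.delta = "normal", 0

    def tamper(self, f0, f1):
        self.mem = [bytearray(f0(bytes(self.mem[0]))),
                    bytearray(f1(bytes(self.mem[1])))]
        t = (bytes(self.mem[0][:N]), bytes(self.mem[1][:N]))
        if t == (self.c0, self.c1):
            self.mode = "normal"       # original encoding is back in place
        else:
            self.mode = "overwritten"
            if dec(*t) is None:
                self.delta = 1         # invalid codeword: selfdestruct

    def evaluate(self, x):
        if self.delta:
            return None
        if self.mode == "normal":
            return self.F_kappa(x)     # black-box oracle for F(kappa, .)
        k = dec(bytes(self.mem[0][:N]), bytes(self.mem[1][:N]))
        return self.F(k, x)            # run F on the decoded tampered key
```

For instance, an adversary that stashes the codeword in the spare memory, overwrites it with a fresh encoding, and later restores it drives the simulator from normal to overwritten and back to normal.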
By contradiction, assume that there exists a PPT attacker \({\textsf {A}}\), and some key \(\kappa \in \{0,1\}^{k}\), such that the following holds for the above defined simulator \(\textsf {S}\):
$$\begin{aligned} \left| {\mathbb {P}}\left[ \mathbf{Real} _{\hat{\textsf {F}},{\textsf {A}}}(\lambda ,\kappa ) = 1\right] - {\mathbb {P}}\left[ \mathbf{Ideal} _{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\kappa ) = 1\right] \right| \ge 1/\texttt {poly}(\lambda ). \end{aligned}$$ (1)
We build a PPT attacker \({\textsf {A}}'\) breaking continuous nonmalleability of the code \(\Gamma \). A description of \({\textsf {A}}'\) follows:
\(\underline{\hbox {Attacker }{\textsf {A}}'\hbox { for }(\textsf {Init},\textsf {Enc},\textsf {Dec}):}\)
 1.
Upon receiving the CRS \(\omega \), forward \((m_0 := \kappa ,m_1 := 0^k)\) to the challenger.
 2.
Initialize \(\tilde{\kappa }:= \varepsilon \), and \(\mathtt {mode}\) to \(\mathtt {normal}\). Set \(\delta =0\), and pass \({\hat{\omega }}:= (\omega ,\delta )\) to \({\textsf {A}}\).
 3.
Upon input a command \(\langle \texttt {Tamper}, (f_{0}^{(j)}, f_{1}^{(j)})\rangle \) from \({\textsf {A}}\), define the functions \(f_\mathsf{pad}:\{0,1\}^n\rightarrow \{0,1\}^p\) and \(f_\mathsf{cut}: \{0,1\}^p\rightarrow \{0,1\}^n\) as \(f_\mathsf{pad}(x) = x \Vert 0^{p-n}\) and \(f_\mathsf{cut}(x \Vert x') = x\), for any \(x \in \{0,1\}^n\) and \(x'\in \{0,1\}^{p-n}\). Query the tampering oracle \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),\cdot )\) with the pair of functions \(({\hat{f}_{0}}^{(j)},{\hat{f}_{1}}^{(j)})\), where for each \(\beta \in \{0,1\}\) function \({\hat{f}}_{\beta }^{(j)}\) is defined as
$$\begin{aligned} {\hat{f}}_{\beta }^{(j)}(\cdot ) := f_\mathsf{cut}\circ f_{\beta }^{(j)}\circ f_{\beta }^{(j-1)}\circ \cdots \circ f_{\beta }^{(1)}\circ f_\mathsf{pad}(\cdot ). \end{aligned}$$ (2)
Then:
If the oracle returns \(\bot \), update the CRS to \({{\hat{\omega }}} := (\omega ,1)\).
If the oracle returns \(\diamond \), set \(\mathtt {mode}\) to \(\mathtt {normal}\).
If the oracle returns a codeword \(\tilde{c}^{(j)}:=(\tilde{c}_0^{(j)},\tilde{c}_1^{(j)})\), set \(\mathtt {mode}\) to \(\mathtt {overwritten}\) and overwrite \(\tilde{\kappa }:= \textsf {Dec}(\omega ,(\tilde{c}_0^{(j)},\tilde{c}_1^{(j)}))\).
 4.
Upon input a command \(\langle \texttt {Leak},(g_{0}^{(j)}, g_{1}^{(j)})\rangle \) from \({\textsf {A}}\), query oracle \({\mathcal {O}}_\textsf {leak}^\ell (c_0,\cdot )\) and \({\mathcal {O}}_\textsf {leak}^\ell (c_1,\cdot )\) with functions \({\hat{g}_{0}}^{(j)}\) and \({\hat{g}_{1}}^{(j)}\), where for each \(\beta \in \{0,1\}\) function \({\hat{g}}_{\beta }^{(j)}\) is defined as
$$\begin{aligned} {\hat{g}}_{\beta }^{(j)}(\cdot ) := g_{\beta }^{(j)}\circ f_{\beta }^{(i)}\circ \cdots \circ f_{\beta }^{(1)}\circ f_\mathsf{pad}(\cdot ), \end{aligned}$$ (3)
where i is the index of the last tampering query. Then, forward the answer \((\Lambda _0^{(j)},\Lambda _1^{(j)})\) to \({\textsf {A}}\).
 5.
Upon input a command \(\langle \texttt {Eval},x^{(j)}\rangle \) from \({\textsf {A}}\), if \(\delta =1\) return \(\bot \) to \({\textsf {A}}\). Else, proceed as follows:
If \(\mathtt {mode} = \mathtt {normal}\), let \(y^{(j)} = \textsf {F}(\kappa ,x^{(j)})\) and return \(y^{(j)}\) to \({\textsf {A}}\).
Else, if \(\mathtt {mode} = \mathtt {overwritten}\), let \(y^{(j)} = \textsf {F}(\tilde{\kappa },x^{(j)})\) and return \(y^{(j)}\) to \({\textsf {A}}\).
 6.
Upon receiving a guess \(b'\) from \({\textsf {A}}\), output \(b'\) and terminate.
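The function rewriting of Eqs. (2) and (3) is purely mechanical, as the following sketch illustrates (byte-level toy sizes; all names are our own): the reduction pads the target half-codeword to a full memory part, replays the entire history of the adversary's tampering functions, and either cuts the result back to n symbols (tampering, Eq. (2)) or applies the leakage function to it (leakage, Eq. (3)).

```python
# Toy illustration of the rewriting in Eqs. (2) and (3): memory-level
# functions (p bytes -> p bytes) are turned into codeword-level functions
# (n bytes -> n bytes) by padding, replaying the tampering history, and
# cutting. Sizes and names are illustrative.
N, P = 4, 12  # n-byte codeword halves, p-byte memory parts

def f_pad(x):                 # x -> x || 0^{p-n}
    return x + bytes(P - N)

def f_cut(x):                 # keep only the first n bytes
    return x[:N]

def hat_f(history):
    """Eq. (2): f_cut o f^(j) o ... o f^(1) o f_pad."""
    def f(c):
        m = f_pad(c)
        for step in history:
            m = step(m)
        return f_cut(m)
    return f

def hat_g(g, history):
    """Eq. (3): g o f^(i) o ... o f^(1) o f_pad."""
    def h(c):
        m = f_pad(c)
        for step in history:
            m = step(m)
        return g(m)
    return h
```

For example, a history that stashes the codeword in the spare space, overwrites it in place, and then restores it composes back to the identity on the codeword.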
For the analysis, first note that \({\textsf {A}}'\) runs in polynomial time. Next, we claim that the simulation done by \({\textsf {A}}'\) is perfect. This is because:

The CRS \({\hat{\omega }}\) is distributed identically to the CRS in \(\mathbf{Real} _{\hat{\textsf {F}},{\textsf {A}},\kappa }(\lambda )\) and \(\mathbf{Ideal} _{\textsf {F},{\textsf {A}},\textsf {S},\kappa }(\lambda )\).

Depending on the target encoding \((c_0,c_1)\) being either an encoding of \(\kappa \) or an encoding of \(0^k\), the queries of \({\textsf {A}}\) are answered exactly as in \(\mathbf{Real} _{\hat{\textsf {F}},{\textsf {A}},\kappa }(\lambda )\) or in \(\mathbf{Ideal} _{\textsf {F},{\textsf {A}},\textsf {S},\kappa }(\lambda )\). More precisely:

Tampering queries are handled using the oracle \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),\cdot )\). However, note that \({\textsf {A}}'\) cannot directly forward the tampering functions \((f_0^{(j)},f_1^{(j)})\) to this oracle. In fact: (i) Each of \(f_0^{(j)},f_1^{(j)}\) maps p bits into p bits, whereas \({\textsf {A}}'\)’s tampering oracle expects functions mapping n bits into n bits; (ii) In both \(\mathbf{Real} _{\hat{\textsf {F}},{\textsf {A}},\kappa }(\lambda )\) and \(\mathbf{Ideal} _{\textsf {F},{\textsf {A}},\textsf {S},\kappa }(\lambda )\) the tampering functions are applied to the current memory content \(({\mathcal {M}} _0,{\mathcal {M}} _1)\), whereas the tampering oracle always uses the target codeword \((c_0,c_1)\). However, the reduction can easily handle this mismatch by padding each part of the target codeword with zeroes, replaying all previous tampering functions to recover the current memory, and defining the tampered codeword to be the first n bits of \({{\widetilde{{\mathcal {M}}}}}_0 := f_0^{(j)}({\mathcal {M}} _0)\) and \({{\widetilde{{\mathcal {M}}}}}_1 := f_1^{(j)}({\mathcal {M}} _1)\) (cf. Eq. (2)).

Leakage queries are handled using the oracles \({\mathcal {O}}_\textsf {leak}^\ell (c_0,\cdot )\) and \({\mathcal {O}}_\textsf {leak}^\ell (c_1,\cdot )\). By a similar argument as above, the reduction perfectly emulates such queries by adjusting them as in Eq. (3). Furthermore, if \({\textsf {A}}\) leaks at most \(\ell \) bits from each side of the memory, \({\textsf {A}}'\) leaks at most \(\ell \) bits from each side of the target codeword.

Evaluation queries are perfectly emulated. Indeed, whenever \(\mathtt {mode}\) equals \(\mathtt {normal}\), the reduction answers evaluation queries by running \(\textsf {F}\) on key \(\kappa \) (this corresponds to the normal mode of simulator \(\textsf {S}\)). Similarly, whenever \(\mathtt {mode}\) equals \(\mathtt {overwritten}\), the reduction answers evaluation queries by running \(\textsf {F}\) on the current tampered key \(\tilde{\kappa }\) which results from applying the tampering functions to the initial memory (this corresponds to the overwritten mode of simulator \(\textsf {S}\)).

It follows that in case \((c_0,c_1)\) is an encoding of \(\kappa \), the reduction perfectly emulates the view of \({\textsf {A}}\) in \(\mathbf{Real} _{\hat{\textsf {F}},{\textsf {A}},\kappa }(\lambda )\). Similarly, when \((c_0,c_1)\) is an encoding of \(0^k\), the reduction perfectly emulates the view of \({\textsf {A}}\) in \(\mathbf{Ideal} _{\textsf {F},{\textsf {A}},\textsf {S},\kappa }(\lambda )\). Hence, Eq. (1) implies that \({\textsf {A}}'\) distinguishes an encoding of \(\kappa \) from an encoding of \(0^k\) with advantage at least \(1/\texttt {poly}(\lambda )\), a contradiction. \(\square \)
Stateful Functionalities
In the case of stateful functionalities, the function \(\textsf {F}\) has a secret state \(\sigma \) that is updated at each invocation, i.e., \((\sigma ',y) = \textsf {F}(\sigma ,x)\). As the state gets updated, in this setting we inherently need to reencode the new state after each execution.
Furthermore, since we do not assume erasures in our model, the following subtlety arises. An adversary can first copy some old (encoded) state to a different part of the memory, and later replace the current (encoded) state by the old one. This essentially corresponds to a reset attack, which cannot be simulated given only blackbox access to the original functionality. To overcome this obstacle, our transformation leverages an untamperable public counter \(\gamma \in {\mathbb {N}}\) that helps us detect whenever the functionality is reset to a previous state, in which case a selfdestruct is triggered; note that such a counter can be implemented using \(\log (\lambda )\) bits (plus the additional bit to implement the selfdestruct mechanism).
Below, we define what it means to harden a stateful functionality.
Definition 10
(Stateful hardened functionality) Let \(\Gamma = (\textsf {Init},\textsf {Enc},\textsf {Dec})\) be a splitstate code in the CRS model, with \((k + \log (\lambda ))\)bit messages and 2nbit codewords. Let \(\textsf {F}:\{0,1\}^{k}\times \{0,1\}^{*}\rightarrow \{0,1\}^{k}\times \{0,1\}^{*}\) be a stateful functionality, and let \(\delta \in \{0,1\}\) and \(\gamma \in \{0,1\}^{\log (\lambda )}\) be public values. We define a stateful hardened functionality \(\hat{\textsf {F}}^\Gamma :=\hat{\textsf {F}}:\{0,1\}^{2p}\times \{0,1\}^{*}\rightarrow \{0,1\}^{2p}\times \{0,1\}^{*}\), where \(p= \texttt {poly}(n)\), as a tuple of algorithms \((\textsf {Setup}, \textsf {MemCompile}, \textsf {Exec})\) described as follows:

\(\textsf {Setup}(1^\lambda )\): Sample \(\omega \leftarrow \textsf {Init}(1^\lambda )\), initialize \((\gamma ,\delta ) = (1,0)\), and return \({\hat{\omega }}:= (\omega ,\gamma ,\delta )\).

\(\textsf {MemCompile}({\hat{\omega }},\sigma )\): Parse \({\hat{\omega }}= (\omega ,\gamma ,\delta )\). Let \((c_0,c_1)\leftarrow \textsf {Enc}(\omega ,\sigma \Vert \gamma )\). For \(\beta \in \{0,1\}\), store \(c_\beta \) in the first n bits of \({\mathcal {M}} _\beta \); the remaining bits of \({\mathcal {M}} _\beta \) are set to \(0^{p-n}\). Define \({\mathcal {M}}:= ({\mathcal {M}} _0,{\mathcal {M}} _1)\).

\(\textsf {Exec}({\hat{\omega }},{\mathcal {M}},x)\): Parse \({\hat{\omega }}= (\omega ,\gamma ,\delta )\). In case \(\delta = 1\), output \(\bot \); else, let \(\tilde{c}_\beta = {\mathcal {M}} _\beta [1,\ldots ,n]\) for \(\beta \in \{0,1\}\). Run \(\tilde{\sigma }\Vert \tilde{\gamma }= \textsf {Dec}(\omega ,(\tilde{c}_0,\tilde{c}_1))\): If either the decoding outputs \(\bot \) or \(\tilde{\gamma }\ne \gamma \), then output \(\bot \) and set \(\delta = 1\). Else, output y such that \((\sigma ',y) = \textsf {F}(\tilde{\sigma },x)\), run \((c_0',c_1')\leftarrow \textsf {Enc}(\omega ,\sigma '\Vert (\gamma +1))\), and for each \(\beta \in \{0,1\}\) write \(c_\beta '\) in the first n bits of \({\mathcal {M}} _\beta \). Finally, update the CRS to \({\hat{\omega }}:= (\omega ,\gamma +1,\delta )\).
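A minimal sketch of this Exec, again with a hypothetical XOR-sharing stand-in for \(\Gamma \) (not nonmalleable; the names and the fixed-width counter field are illustrative assumptions), shows how binding the counter \(\gamma \) into each encoding turns a reset attack into a selfdestruct:

```python
# Toy Exec for the stateful hardened functionality (Definition 10). The
# split-state "code" (XOR sharing plus a marker byte) is NOT nonmalleable;
# the sketch only shows the counter check and the per-invocation reencoding.
import os

N, P = 32, 96  # half-codeword and memory-part lengths (bytes), illustrative

def enc(sigma, gamma):
    # message layout: state (N-9 bytes) || counter (8 bytes) || marker byte
    plain = sigma.ljust(N - 9, b"\0") + gamma.to_bytes(8, "big") + b"\xa5"
    r = os.urandom(N)
    return r, bytes(a ^ b for a, b in zip(r, plain))

def dec(c0, c1):
    plain = bytes(a ^ b for a, b in zip(c0, c1))
    if plain[-1] != 0xA5:
        return None  # invalid codeword
    return plain[:N - 9].rstrip(b"\0"), int.from_bytes(plain[N - 9:N - 1], "big")

def execute(hat_omega, mem, F, x):   # F(sigma, x) returns (new state, output)
    if hat_omega["delta"] == 1:
        return None
    out = dec(bytes(mem[0][:N]), bytes(mem[1][:N]))
    if out is None or out[1] != hat_omega["gamma"]:
        hat_omega["delta"] = 1       # invalid codeword or stale counter
        return None
    sigma, _ = out
    sigma_new, y = F(sigma, x)
    c0, c1 = enc(sigma_new, hat_omega["gamma"] + 1)  # reencode new state
    mem[0][:N], mem[1][:N] = c0, c1
    hat_omega["gamma"] += 1
    return y
```

Copying an old encoding back into the memory now fails: the decoded counter disagrees with the public copy in the CRS, so the next invocation triggers a selfdestruct.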
Remark 2
(On \((\gamma ,\delta )\)) As in the case of stateless functionalities, we require \(\delta \) to be untamperable and onetime writable (cf. Remark 1). Moreover, the counter \(\gamma \) is assumed to be untamperable and polytime writable. The latter is necessary, as otherwise the attacker can use the extra memory to reset the functionality to a previous valid state, which cannot be simulated with blackbox access to the original functionality.
Security of a stateful hardened functionality is defined analogously to the stateless case (cf. Definition 9). We show the following result:
Theorem 5
Let \(\Gamma \) be any \(\ell \)leakageresilient continuously super nonmalleable splitstate code in the CRS model. Then \(\Gamma \) is \(\ell \)leakage continuously tamper simulatable in the splitstate model (for stateful functionalities).
Proof
Similarly to the proof of Theorem 4, we describe a simulator \(\textsf {S}\) running in experiment \(\mathbf{Ideal} _{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\sigma )\) which simulates the view of adversary \({\textsf {A}}\) in the experiment \(\mathbf{Real} _{\hat{\textsf {F}},{\textsf {A}}}(\lambda ,\sigma )\) for every possible initial state \(\sigma \in \{0,1\}^k\). As usual, the simulator \(\textsf {S}\) is given blackbox access to \({\textsf {A}}\) (which can issue \(\texttt {Tamper}\), \(\texttt {Leak}\), and \(\texttt {Eval}\) commands), and to the reactive functionality \(\textsf {F}(\sigma ,\cdot )\) with initial state \(\sigma \). In order to simplify the simulator, we are going to assume that the attacker \({\textsf {A}}\) issues commands in rounds, where each round consists of exactly one leakage query, one tampering query, and one evaluation query (in this order). A generalization is straightforward.
At the outset, \(\textsf {S}\) samples \(\omega \leftarrow \textsf {Init}(1^\lambda )\) and sets \((\gamma ,\delta ) = (1,0)\), yielding \({\hat{\omega }}:= (\omega ,\gamma ,\delta )\). Next, \(\textsf {S}\) runs \({\textsf {A}}(1^\lambda ,{\hat{\omega }})\) and answers its queries using the following two modes (starting with the normal mode):

Normal Mode. Given state \(({\mathcal {M}} _0,{\mathcal {M}} _1)\), while \({\textsf {A}}\) continues issuing queries, answer as follows:

Sample \((c_0^{(j)},c_1^{(j)})\leftarrow \textsf {Enc}(\omega ,0^{k}\Vert 0^{\log (\lambda )})\), and let \({\mathcal {M}} _\beta [1,\ldots ,n] := c_\beta ^{(j)}\) for \(\beta \in \{0,1\}\). If \(j=1\) (i.e., during the first round), the remaining bits of \(({\mathcal {M}} _0,{\mathcal {M}} _1)\) are set to \(0^{p-n}\).

\(\langle \texttt {Leak},(g_{0}^{(j)}, g_{1}^{(j)})\rangle \): Upon input the jth leakage query, compute \(\Lambda _\beta ^{(j)} = g_{\beta }^{(j)}({\mathcal {M}} _\beta )\) for \(\beta \in \{0,1\}\), and reply with \((\Lambda _0^{(j)},\Lambda _1^{(j)})\).

\(\langle \texttt {Tamper}, (f_{0}^{(j)}, f_{1}^{(j)})\rangle \): Upon input the jth tampering query, compute \({{\widetilde{{\mathcal {M}}}}}_\beta = f_{\beta }^{(j)}({\mathcal {M}} _\beta )\) for \(\beta \in \{0,1\}\). Let \((\tilde{c}_0,\tilde{c}_1) := ({{\widetilde{{\mathcal {M}}}}}_{0}[1,\ldots ,n],{{\widetilde{{\mathcal {M}}}}}_{1}[1,\ldots ,n])\). If \((\tilde{c}_0,\tilde{c}_1) = (c_0^{(j)},c_1^{(j)})\), continue in the current mode. Else, go to the overwritten mode with state \(({\mathcal {M}} _0,{\mathcal {M}} _1) := ({{\widetilde{{\mathcal {M}}}}}_0,{{\widetilde{{\mathcal {M}}}}}_1)\), and, if \(\textsf {Dec}(\omega ,(\tilde{c}_0,\tilde{c}_1))\) equals \(\bot \), or equals \(\tilde{\sigma }\Vert \tilde{\gamma }\) for some \(\tilde{\gamma }\ne \gamma \), update the CRS to \({\hat{\omega }}:= (\omega ,\gamma ,1)\).

\(\langle \texttt {Eval}, x^{(j)}\rangle \): Upon input the jth evaluation query, invoke \(\textsf {F}(\sigma ,\cdot )\) to obtain \(y^{(j)}\) s.t. \((\sigma ',y^{(j)}) = \textsf {F}(\sigma ,x^{(j)})\), where \(\sigma \) is the current state of the functionality and \(\sigma '\) is the new state (which is unknown to \(\textsf {S}\)), and reply with \(y^{(j)}\). Update the CRS to \({\hat{\omega }}:= (\omega ,\gamma +1,\delta )\).


Overwritten Mode. Given state \({\mathcal {M}}:=({\mathcal {M}} _0,{\mathcal {M}} _1)\), while \({\textsf {A}}\) continues issuing queries, answer as follows:

\(\langle \texttt {Leak},(g_{0}^{(j)}, g_{1}^{(j)})\rangle \): Upon input the jth leakage query, compute \(\Lambda _\beta ^{(j)} = g_{\beta }^{(j)}({\mathcal {M}} _\beta )\) for \(\beta \in \{0,1\}\), and reply with \((\Lambda _0^{(j)},\Lambda _1^{(j)})\).

\(\langle \texttt {Tamper}, (f_{0}^{(j)}, f_{1}^{(j)})\rangle \): Upon input the jth tampering query \((f_{0}^{(j)}, f_{1}^{(j)})\), compute \({{\widetilde{{\mathcal {M}}}}}_\beta = f_{\beta }^{(j)}({\mathcal {M}} _\beta )\) for \(\beta \in \{0,1\}\). Let \((\tilde{c}_0,\tilde{c}_1) := ({{\widetilde{{\mathcal {M}}}}}_{0}[1,\ldots ,n],{{\widetilde{{\mathcal {M}}}}}_{1}[1,\ldots ,n])\). Continue in the current mode with state \(({\mathcal {M}} _0,{\mathcal {M}} _1) := ({{\widetilde{{\mathcal {M}}}}}_0,{{\widetilde{{\mathcal {M}}}}}_1)\), and, if \(\textsf {Dec}(\omega ,(\tilde{c}_0,\tilde{c}_1))\) equals \(\bot \), or equals \(\tilde{\sigma }\Vert \tilde{\gamma }\) for some \(\tilde{\gamma }\ne \gamma \), update the CRS to \({\hat{\omega }}:= (\omega ,\gamma ,1)\).

\(\langle \texttt {Eval}, x^{(j)}\rangle \): Upon input the jth evaluation query, run \((\tilde{\sigma }',y^{(j)}) = \textsf {F}(\tilde{\sigma },x^{(j)})\) and reply with \(y^{(j)}\). Compute \((c_0',c_1')\leftarrow \textsf {Enc}(\omega ,\tilde{\sigma }'\Vert (\gamma +1))\), update the first n bits of \({\mathcal {M}} _\beta \) to \(c_\beta '\) for each \(\beta \in \{0,1\}\), and update the CRS to \({\hat{\omega }}:= (\omega ,\gamma +1,\delta )\).

The intuition behind the above simulation strategy is similar to that in the proof of Theorem 4. One important difference is the fact that, after the simulator switches to the overwritten mode, it never goes back to the normal mode. Intuitively, this is because the untamperable counter ensures that the attacker can never copy an old state back to the first part of the memory. A further difficulty in the analysis is that in the case of stateful functionalities the state is reencoded after each invocation, and thus we cannot directly reduce to the security of the underlying continuously nonmalleable code.
Experiment \(\mathbf{Hyb} ^{(i)}_{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\sigma )\). In order to overcome the above difficulty, we consider a sequence of mental experiments. Let \(q \in \texttt {poly}(\lambda )\) be an upper bound on the total number of queries (and thus rounds). For all \(i \in [q]\), consider the following hybrid experiment where the simulator runs a modified normal mode and the same overwritten mode.

First \({\hat{\omega }}\leftarrow \textsf {Setup}(1^\lambda )\) is run, and \({\hat{\omega }}\) is given to \({\textsf {A}}\).

For the first i rounds, \({\textsf {A}}\)’s commands are answered exactly as in experiment \(\mathbf{Ideal} _{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\sigma )\).

Starting from round \(i+1\), if the simulator \(\textsf {S}\) is already in the overwritten mode, then continue simulating as in the ideal world. Otherwise, proceed with the following modified normal mode:

Sample \((c_0^{(j)},c_1^{(j)})\leftarrow \textsf {Enc}(\omega ,\sigma \Vert \gamma )\), where \(\sigma \) is the current state of the functionality, and let \({\mathcal {M}} _\beta [1,\ldots ,n] := c_\beta ^{(j)}\) for \(\beta \in \{0,1\}\). If \(j=1\) (i.e., during the first round), the remaining bits of \(({\mathcal {M}} _0,{\mathcal {M}} _1)\) are set to \(0^{p-n}\).

\(\langle \texttt {Leak},(g_{0}^{(j)}, g_{1}^{(j)})\rangle \): As in the ideal world.

\(\langle \texttt {Tamper}, (f_{0}^{(j)}, f_{1}^{(j)})\rangle \): As in the ideal world.

\(\langle \texttt {Eval}, x^{(j)}\rangle \): Upon input the jth evaluation query, run \((\sigma ',y^{(j)}) = \textsf {F}(\sigma ,x^{(j)})\), where \(\sigma \) is the current state of the functionality and \(\sigma '\) is the new state, and reply with \(y^{(j)}\). Redefine \(\sigma := \sigma '\), and update the CRS to \({\hat{\omega }}:= (\omega ,\gamma +1,\delta )\).

Clearly, \(\mathbf{Hyb} ^{(q)}_{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\sigma ) \equiv \mathbf{Ideal} _{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\sigma )\). Moreover, \(\mathbf{Hyb} ^{(0)}_{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\sigma ) \equiv \mathbf{Real} _{\hat{\textsf {F}},{\textsf {A}}}(\lambda ,\sigma )\): This is because the modified normal mode of the simulator corresponds to answering \({\textsf {A}}\)’s commands exactly as in the real experiment. Hence, the theorem follows by a standard hybrid argument and the lemma below.
Lemma 7
For all \(i\in [q]\), and for all \(\sigma \in \{0,1\}^k\), it holds that \(\mathbf{Hyb} ^{(i-1)}_{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\sigma ) \approx _c \mathbf{Hyb} ^{(i)}_{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\sigma )\).
Proof
Fix \(i\in [q]\). By contradiction, assume that there exists a PPT attacker \({\textsf {A}}\), and some state \(\sigma \in \{0,1\}^{k}\), such that the following holds for the above defined simulator \(\textsf {S}\):
$$\begin{aligned} \left| {\mathbb {P}}\left[ \mathbf{Hyb} ^{(i-1)}_{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\sigma ) = 1\right] - {\mathbb {P}}\left[ \mathbf{Hyb} ^{(i)}_{\textsf {F},{\textsf {A}},\textsf {S}}(\lambda ,\sigma ) = 1\right] \right| \ge 1/\texttt {poly}(\lambda ). \end{aligned}$$ (4)
We build a PPT attacker \({\textsf {A}}'\) breaking continuous nonmalleability of the code \(\Gamma \). A description of \({\textsf {A}}'\) follows:
\(\underline{\hbox {Attacker }{\textsf {A}}'\hbox { for }(\textsf {Init},\textsf {Enc},\textsf {Dec}):}\)
 1.
Upon receiving the CRS \(\omega \), set \((\gamma ,\delta ) = (1,0)\), and pass \({\hat{\omega }}:= (\omega ,\gamma ,\delta )\) to \({\textsf {A}}\).
 2.
For each round \(j \le i-1\), reply to \({\textsf {A}}\)’s commands as described in the ideal experiment. Let \(\sigma := \sigma ^{(i)}\) and \({{\hat{\omega }}} = (\omega ,i,\delta )\) be, respectively, the current state of the functionality and the CRS at the end of the \((i-1)\)th round.
 3.
Forward \((m_0 := \sigma ^{(i)}\Vert i,m_1 := 0^k\Vert 0^{\log (\lambda )})\) to the challenger, and initialize \(\tilde{\sigma }\Vert \tilde{\gamma }:= \varepsilon \) and \(\mathtt {mode}\) to \(\mathtt {normal}\). In case the simulation of the first \(i-1\) tampering queries has already caused the simulator to enter the overwritten mode, output a random \(b'\) and terminate; else, continue.
 4.
For each round \(j \ge i\), upon input a command \(\langle \texttt {Tamper}, (f_{0}^{(j)}, f_{1}^{(j)})\rangle \) from \({\textsf {A}}\), query the tampering oracle \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),\cdot )\) with the pair of functions \(({\hat{f}_{0}}^{(j)},{\hat{f}_{1}}^{(j)})\) of Eq. (2). Then:
If the oracle returns \(\bot \), update the CRS to \({{\hat{\omega }}} := (\omega ,\gamma ,1)\).
If the oracle returns \(\diamond \), do nothing.
If the oracle returns a codeword \(\tilde{c}^{(j)} := (\tilde{c}_0^{(j)},\tilde{c}_1^{(j)})\), set \(\mathtt {mode}\) to \(\mathtt {overwritten}\) and overwrite \(\tilde{\sigma }\Vert \tilde{\gamma }:= \textsf {Dec}(\omega ,(\tilde{c}_0^{(j)},\tilde{c}_1^{(j)}))\). If \(\tilde{\gamma }\ne \gamma \), update the CRS to \({{\hat{\omega }}} := (\omega ,\gamma ,1)\).
 5.
For each round \(j \ge i\), upon input a command \(\langle \texttt {Leak},(g_{0}^{(j)}, g_{1}^{(j)})\rangle \) from \({\textsf {A}}\), query oracle \({\mathcal {O}}_\textsf {leak}^\ell (c_0,\cdot )\) and \({\mathcal {O}}_\textsf {leak}^\ell (c_1,\cdot )\) with the functions \({\hat{g}_{0}}^{(j)}\) and \({\hat{g}_{1}}^{(j)}\) of Eq. (3). Then, forward the answer \((\Lambda _0^{(j)},\Lambda _1^{(j)})\) to \({\textsf {A}}\).
 6.
For each round \(j \ge i\), upon input a command \(\langle \texttt {Eval},x^{(j)}\rangle \) from \({\textsf {A}}\), if \(\delta =1\) return \(\bot \) to \({\textsf {A}}\). Else, proceed as follows:
If \(\mathtt {mode} = \mathtt {normal}\), let \((\sigma ',y^{(j)}) = \textsf {F}(\sigma ,x^{(j)})\) and return \(y^{(j)}\) to \({\textsf {A}}\).
If \(\mathtt {mode} = \mathtt {overwritten}\), let \((\sigma ',y^{(j)}) = \textsf {F}(\tilde{\sigma },x^{(j)})\) and return \(y^{(j)}\) to \({\textsf {A}}\).
Update the CRS to \({{\hat{\omega }}} = (\omega ,\gamma +1,\delta )\), and redefine \(\sigma := \sigma '\).
 7.
Upon receiving a guess \(b'\) from \({\textsf {A}}\), output \(b'\) and terminate.
For the analysis, first note that \({\textsf {A}}'\) runs in polynomial time. Next, we claim that the simulation done by \({\textsf {A}}'\) is perfect. This is because:

The CRS \({\hat{\omega }}\) is distributed identically to the CRS in \(\mathbf{Hyb} _{\textsf {F},{\textsf {A}},\textsf {S}}^{(i1)}(\lambda ,\sigma )\) and \(\mathbf{Hyb} _{\textsf {F},{\textsf {A}},\textsf {S}}^{(i)}(\lambda ,\sigma )\).

The first \(i-1\) leakage/tampering/evaluation queries are answered as in the ideal experiment, which corresponds to the way such queries are answered in both \(\mathbf{Hyb} _{\textsf {F},{\textsf {A}},\textsf {S}}^{(i-1)}(\lambda ,\sigma )\) and \(\mathbf{Hyb} _{\textsf {F},{\textsf {A}},\textsf {S}}^{(i)}(\lambda ,\sigma )\).

Let \(\mathbf{W} \) be the event that the simulation has already entered the overwritten mode while answering the first \(i-1\) tampering queries. Note that, conditioning on \(\mathbf{W} \), the random variables \(\mathbf{Hyb} _{\textsf {F},{\textsf {A}},\textsf {S}}^{(i-1)}(\lambda ,\sigma )\) and \(\mathbf{Hyb} _{\textsf {F},{\textsf {A}},\textsf {S}}^{(i)}(\lambda ,\sigma )\) are identical, and thus Eq. (4) implies that \({\mathbb {P}}\left[ \lnot \mathbf{W} \right] \ge 1/\texttt {poly}(\lambda )\).

For each round \(j\ge i\), conditioning on \(\lnot \mathbf{W} \), and depending on the target encoding \((c_0,c_1)\) being either an encoding of \(\sigma ^{(i)}\Vert i\) or an encoding of \(0^k\Vert 0^{\log (\lambda )}\), the queries of \({\textsf {A}}\) are answered exactly as in \(\mathbf{Hyb} _{\textsf {F},{\textsf {A}},\textsf {S}}^{(i-1)}(\lambda ,\sigma )\) or in \(\mathbf{Hyb} _{\textsf {F},{\textsf {A}},\textsf {S}}^{(i)}(\lambda ,\sigma )\). More precisely:

The remaining leakage and tampering queries are handled using the oracle \({\mathcal {O}}_\mathsf{maul}((c_0,c_1),\cdot )\). As in the proof of Theorem 4, the reduction needs to adjust the leakage/tampering functions taking into account the initial padding of the memory and the previous tampering queries. This can be done using Eq. (2) and Eq. (3) as before.

The remaining evaluation queries are perfectly emulated. Indeed, whenever \(\mathtt {mode}\) equals \(\mathtt {normal}\), the reduction answers evaluation queries by running \(\textsf {F}\) on the current state \(\sigma \) (this corresponds to the normal mode of simulator \(\textsf {S}\)). Similarly, whenever \(\mathtt {mode}\) equals \(\mathtt {overwritten}\), the reduction answers evaluation queries by running \(\textsf {F}\) on the current tampered state \(\tilde{\sigma }\) which results from applying the tampering functions to the initial memory (this corresponds to the overwritten mode of simulator \(\textsf {S}\)).

It follows that in case \((c_0,c_1)\) is an encoding of \(\sigma ^{(i)}\Vert i\) and conditioning on \(\lnot \mathbf{W} \), the reduction perfectly emulates the view of \({\textsf {A}}\) in \(\mathbf{Hyb} _{\textsf {F},{\textsf {A}},\textsf {S}}^{(i-1)}(\lambda ,\sigma )\). Similarly, when \((c_0,c_1)\) is an encoding of \(0^k\Vert 0^{\log \lambda }\) and conditioning on \(\lnot \mathbf{W} \), the reduction perfectly emulates the view of \({\textsf {A}}\) in \(\mathbf{Hyb} _{\textsf {F},{\textsf {A}},\textsf {S}}^{(i)}(\lambda ,\sigma )\). Finally, \({\mathbb {P}}\left[ \lnot \mathbf{W} \right] \ge 1/\texttt {poly}(\lambda )\), and additionally conditioning on \(\mathbf{W} \) we have that \({\mathbb {P}}\left[ b'=b\right] = 1/2\). Hence, the reduction guesses the challenge bit \(b\) with probability non-negligibly larger than \(1/2\), a contradiction. This concludes the proof. \(\square \)
Notes
 1.
Our actual definition is stronger, in that as long as the tampered codeword \(\tilde{c}\) is valid, and \(\tilde{c}\ne c\), the adversary is even given \(\tilde{c}\) (and not just the corresponding decoded message). See Sect. 3 for a discussion.
 2.
For example, hardwire \({\hat{c}_{1}}\), decode \(({\hat{c}_{0}},{\hat{c}_{1}})\), and overwrite \({\hat{c}_{0}}\) with garbage if the first bit of the decoded message \({{\hat{m}}}\) is zero (otherwise leave it unchanged).
 3.
Of course, a similar guarantee must hold if we fix the right part \(c_1\) of the encoding.
 4.
Note that a counter only requires a logarithmic (in the security parameter) number of bits.
 5.
 6.
A similar statement holds for computationally secure LRS.
 7.
If not, \({\textsf {A}}_1\) obtains \(\diamond \) as answer to one of its tampering queries, and thus it can safely conclude that \({\hat{c}_{0}} = c_0\) and \({\hat{c}_{1}} \in \{c_1,c_1'\}\). Once \({\hat{c}_{0}}\) is known it is trivial to break non-malleability using an additional tampering query.
 8.
Namely, just have \(c_0\) (resp. \(c_1\)) contain \(\textit{pk}\), the encryption \(\gamma \) (resp. \(\gamma '\)) of any message \(m\) (resp. \(m' \ne m\)) under \(\textit{pk}\), and the corresponding argument \(\pi \) (resp. \(\pi '\)).
 9.
Note that this applies in particular to the encoding of [84].
 10.
To be more precise, this also requires leaking the initial hash values, simulating the non-interactive arguments as done in the last hybrid, and hardwiring those values in each leakage query.
 11.
This makes the reduction non-black-box, as it needs to run \({\textsf {A}}^*\) inside the leakage oracles.
 12.
Recall that the underlying LRS satisfies augmented leakage resilience (cf. Definition 5).
 13.
A family of hash functions \(\Psi = \{\psi _t: \{0,1\}^{2n} \rightarrow \{0,1\}^\lambda \}_{t\in \{0,1\}^\lambda }\) is weakly universal if for all distinct \(x_1, x_2 \in \{0,1\}^{2n}\) the following holds: \({\mathbb {P}}_{t\leftarrow \{0,1\}^\lambda }\left[ \psi _t(x_1) = \psi _t(x_2)\right] \le 2^{-\lambda }\). Such families exist unconditionally.
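As a toy illustration of the universality property (not the family used in the paper: this construction has a key much longer than \(\lambda \) bits), a uniformly random GF(2)-linear map from \(2n\) bits to \(\lambda \) bits collides on any fixed pair of distinct inputs with probability exactly \(2^{-\lambda }\):

```python
import random

def sample_key(lam, n, rng):
    # Key: a random lam x 2n binary matrix M over GF(2), stored as one
    # lam-bit integer (a column of M) per input bit position.
    return [rng.getrandbits(lam) for _ in range(2 * n)]

def hash_bits(key, x_bits):
    # psi_t(x) = M x over GF(2): XOR together the columns of M
    # selected by the 1-bits of x.
    out = 0
    for bit, col in zip(x_bits, key):
        if bit:
            out ^= col
    return out

# For distinct x1, x2: psi_t(x1) = psi_t(x2) iff M (x1 XOR x2) = 0,
# which holds with probability 2^(-lam) over a uniform M.
```

By linearity, \(\psi _t(x_1 \oplus x_2) = \psi _t(x_1) \oplus \psi _t(x_2)\), so the collision event is exactly the event that the nonzero vector \(x_1 \oplus x_2\) lies in the kernel of the random matrix.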
 14.
Given an attacker \({\textsf {A}}^*\) that with nonnegligible probability outputs a tampering query \((f_0^{(i)},f_1^{(i)})\) such that \((\tilde{c}_0^{(i)},\tilde{c}_1^{(i)})\) is valid with \(\tilde{h}_0^{(i)} = h_0\) and \(\tilde{s}_0^{(i)} \ne s_0\), we can build an attacker \({\textsf {A}}\) breaking collision resistance of \((\textsf {Gen},\textsf {Hash})\). The reduction is straightforward: Given \(\textit{hk}\), adversary \({\textsf {A}}\) simply runs \({\textsf {A}}^*\) honestly after embedding \(\textit{hk}\) in the CRS, until it outputs the query \((f_0^{(i)},f_1^{(i)})\), which yields the collision \((s_0,\tilde{s}_0^{(i)})\).
 15.
The reduction is analogous to the one in Lemma 4, and therefore omitted.
 16.
The reduction is analogous to the one in Footnote 14.
 17.
Attacker \({\textsf {A}}\) simply runs \({\textsf {A}}^*\) on a simulated codeword \((c_0,c_1)\) generated exactly as in the last hybrid, and answers to both leakage and tampering queries honestly until \({\textsf {A}}^*\) outputs the query \((f_0^{(i)},f_1^{(i)})\) breaking uniqueness.
 18.
We stress that weak non-malleability actually suffices for this application. We use super non-malleability for simplicity (and to be consistent with the rest of the paper).
 19.
 20.
After such a query, the functionality internally redefines \(\sigma := \sigma '\).
 21.
Note that the reduction can compute \(\sigma ^{(i)}\), as it receives the initial state \(\sigma \) as auxiliary input.
References
 1.
D. Aggarwal, Affine-evasive sets modulo a prime. Inf. Process. Lett. 115(2), 382–385 (2015).
 2.
D. Aggarwal, S. Agrawal, D. Gupta, H. K. Maji, O. Pandey, M. Prabhakaran, Optimal computational split-state non-malleable codes, in TCC (2016), pp. 393–417.
 3.
D. Aggarwal, Y. Dodis, T. Kazana, M. Obremski, Non-malleable reductions and applications, in STOC (2015), pp. 459–468.
 4.
D. Aggarwal, Y. Dodis, S. Lovett, Non-malleable codes from additive combinatorics, in STOC (2014), pp. 774–783.
 5.
D. Aggarwal, Y. Dodis, S. Lovett, Non-malleable codes from additive combinatorics. SIAM J. Comput. 47(2), 524–546 (2018).
 6.
D. Aggarwal, N. Döttling, J. B. Nielsen, M. Obremski, E. Purwanto, Continuous non-malleable codes in the 8-split-state model, in EUROCRYPT (2019), pp. 531–561.
 7.
D. Aggarwal, S. Dziembowski, T. Kazana, M. Obremski, Leakage-resilient non-malleable codes, in TCC (2015), pp. 398–426.
 8.
D. Aggarwal, T. Kazana, M. Obremski, Inception makes non-malleable codes stronger, in TCC (2017), pp. 319–343.
 9.
S. Agrawal, D. Gupta, H. K. Maji, O. Pandey, M. Prabhakaran, Explicit non-malleable codes against bit-wise tampering and permutations, in CRYPTO (2015), pp. 538–557.
 10.
S. Agrawal, D. Gupta, H. K. Maji, O. Pandey, M. Prabhakaran, A rate-optimizing compiler for non-malleable codes against bit-wise tampering and permutations, in TCC (2015), pp. 375–397.
 11.
P. Austrin, K.-M. Chung, M. Mahmoody, R. Pass, K. Seth, On the impossibility of cryptography with tamperable randomness, in CRYPTO (2014), pp. 462–479.
 12.
M. Ball, D. Dachman-Soled, S. Guo, T. Malkin, L.-Y. Tan, Non-malleable codes for small-depth circuits, in FOCS (2018), pp. 826–837.
 13.
M. Ball, D. Dachman-Soled, M. Kulkarni, H. Lin, T. Malkin, Non-malleable codes against bounded polynomial time tampering, in EUROCRYPT (2019), pp. 501–530.
 14.
M. Ball, D. Dachman-Soled, M. Kulkarni, T. Malkin, Non-malleable codes for bounded depth, bounded fan-in circuits, in EUROCRYPT (2016), pp. 881–908.
 15.
M. Ball, D. Dachman-Soled, M. Kulkarni, T. Malkin, Non-malleable codes from average-case hardness: \({{\sf AC}}^{0}\), decision trees, and streaming space-bounded tampering, in EUROCRYPT (2018), pp. 618–650.
 16.
M. Ball, D. Dachman-Soled, M. Kulkarni, T. Malkin, Limits to non-malleability, in ITCS (2020), pp. 80:1–80:32.
 17.
M. Ball, S. Guo, D. Wichs, Non-malleable codes for decision trees, in CRYPTO (2019), pp. 413–434.
 18.
M. Bellare, D. Cash, R. Miller, Cryptography secure against related-key attacks and tampering, in ASIACRYPT (2011), pp. 486–503.
 19.
M. Bellare, M. Fischlin, S. Goldwasser, S. Micali, Identification protocols secure against reset attacks, in EUROCRYPT (2001), pp. 495–511.
 20.
M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in EUROCRYPT (2003), pp. 491–506.
 21.
M. Bellare, K. G. Paterson, S. Thomson, RKA security beyond the linear barrier: IBE, encryption and signatures, in ASIACRYPT (2012), pp. 331–348.
 22.
D. Boneh, R. A. DeMillo, R. J. Lipton, On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001).
 23.
G. Brian, A. Faonio, D. Venturi, Continuously non-malleable secret sharing for general access structures, in TCC (2019), pp. 211–232.
 24.
N. Chandran, V. Goyal, P. Mukherjee, O. Pandey, J. Upadhyay, Block-wise non-malleable codes, in ICALP (2016), pp. 31:1–31:14.
 25.
N. Chandran, B. Kanukurthi, S. Raghuraman, Information-theoretic local non-malleable codes and their applications, in TCC (2016), pp. 367–392.
 26.
E. Chattopadhyay, V. Goyal, X. Li, Non-malleable extractors and codes, with their many tampered extensions, in STOC (2016), pp. 285–298.
 27.
E. Chattopadhyay, X. Li, Non-malleable codes and extractors for small-depth circuits, and affine functions, in STOC (2017), pp. 1171–1184.
 28.
E. Chattopadhyay, D. Zuckerman, Non-malleable codes against constant split-state tampering, in FOCS (2014), pp. 306–315.
 29.
B. Chen, Y. Chen, K. Hostáková, P. Mukherjee, Continuous space-bounded non-malleable codes from stronger proofs-of-space, in CRYPTO (2019), pp. 467–495.
 30.
M. Cheraghchi, V. Guruswami, Non-malleable coding against bit-wise and split-state tampering, in TCC (2014), pp. 440–464.
 31.
M. Cheraghchi, V. Guruswami, Capacity of non-malleable codes. IEEE Trans. Inf. Theory 62(3), 1097–1118 (2016).
 32.
M. Cheraghchi, V. Guruswami, Non-malleable coding against bit-wise and split-state tampering. J. Cryptol. 30(1), 191–241 (2017).
 33.
S. G. Choi, A. Kiayias, T. Malkin, BiTR: Built-in tamper resilience, in ASIACRYPT (2011), pp. 740–758.
 34.
S. Coretti, Y. Dodis, B. Tackmann, D. Venturi, Non-malleable encryption: simpler, shorter, stronger, in TCC (2016), pp. 306–335.
 35.
S. Coretti, A. Faonio, D. Venturi, Rate-optimizing compilers for continuously non-malleable codes, in ACNS (2019), pp. 3–23.
 36.
S. Coretti, U. Maurer, B. Tackmann, D. Venturi, From single-bit to multi-bit public-key encryption via non-malleable codes, in TCC (2015), pp. 532–560.
 37.
R. Cramer, I. Damgård, N. Döttling, I. Giacomelli, C. Xing, Linear-time non-malleable codes in the bit-wise independent tampering model, in ICITS (2017), pp. 1–25.
 38.
R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in CRYPTO (1998), pp. 13–25.
 39.
D. Dachman-Soled, Y. T. Kalai, Securing circuits against constant-rate tampering, in CRYPTO (2012), pp. 533–551.
 40.
D. Dachman-Soled, Y. T. Kalai, Securing circuits and protocols against 1/poly(k) tampering rate, in TCC (2014), pp. 540–565.
 41.
D. Dachman-Soled, M. Kulkarni, Upper and lower bounds for continuous non-malleable codes, in PKC (2019), pp. 519–548.
 42.
D. Dachman-Soled, M. Kulkarni, A. Shahverdi, Tight upper and lower bounds for leakage-resilient, locally decodable and updatable non-malleable codes, in PKC (2017), pp. 310–332.
 43.
D. Dachman-Soled, M. Kulkarni, A. Shahverdi, Local non-malleable codes in the bounded retrieval model, in PKC (2018), pp. 281–311.
 44.
D. Dachman-Soled, M. Kulkarni, A. Shahverdi, Tight upper and lower bounds for leakage-resilient, locally decodable and updatable non-malleable codes. Inf. Comput. 268 (2019).
 45.
D. Dachman-Soled, F.-H. Liu, E. Shi, H.-S. Zhou, Locally decodable and updatable non-malleable codes and their applications, in TCC (2015), pp. 427–450.
 46.
D. Dachman-Soled, F.-H. Liu, E. Shi, H.-S. Zhou, Locally decodable and updatable non-malleable codes and their applications. J. Cryptol. 33(1), 319–355 (2020).
 47.
I. Damgård, S. Faust, P. Mukherjee, D. Venturi, Bounded tamper resilience: How to go beyond the algebraic barrier, in ASIACRYPT (2013), pp. 140–160.
 48.
I. Damgård, S. Faust, P. Mukherjee, D. Venturi, The chaining lemma and its application, in ICITS (2015), pp. 181–196.
 49.
I. Damgård, T. Kazana, M. Obremski, V. Raj, L. Siniscalchi, Continuous NMC secure against permutations and overwrites, with applications to CCA secure commitments, in TCC (2018), pp. 225–254.
 50.
F. Davì, S. Dziembowski, D. Venturi, Leakage-resilient storage, in SCN (2010), pp. 121–137.
 51.
Y. Dodis, K. Haralambiev, A. López-Alt, D. Wichs, Efficient public-key cryptography in the presence of key leakage, in ASIACRYPT (2010), pp. 613–631.
 52.
S. Dziembowski, S. Faust, Leakage-resilient cryptography from the inner-product extractor, in ASIACRYPT (2011), pp. 702–721.
 53.
S. Dziembowski, T. Kazana, M. Obremski, Non-malleable codes from two-source extractors, in CRYPTO (2013), pp. 239–257.
 54.
S. Dziembowski, K. Pietrzak, Leakage-resilient cryptography, in FOCS (2008), pp. 293–302.
 55.
S. Dziembowski, K. Pietrzak, D. Wichs, Non-malleable codes, in ICS (2010), pp. 434–452.
 56.
S. Dziembowski, K. Pietrzak, D. Wichs, Non-malleable codes. J. ACM 65(4), 20:1–20:32 (2018).
 57.
A. Faonio, J. B. Nielsen, Non-malleable codes with split-state refresh, in PKC (2017), pp. 279–309.
 58.
A. Faonio, J. B. Nielsen, M. Simkin, D. Venturi, Continuously non-malleable codes with split-state refresh, in ACNS (2018), pp. 121–139.
 59.
A. Faonio, J. B. Nielsen, M. Simkin, D. Venturi, Continuously non-malleable codes with split-state refresh. Theor. Comput. Sci. 759, 98–132 (2019).
 60.
A. Faonio, D. Venturi, Non-malleable secret sharing in the computational setting: adaptive tampering, noisy-leakage resilience, and improved rate, in CRYPTO (2019), pp. 448–479.
 61.
S. Faust, K. Hostáková, P. Mukherjee, D. Venturi, Non-malleable codes for space-bounded tampering, in CRYPTO (2017), pp. 95–126.
 62.
S. Faust, P. Mukherjee, J. B. Nielsen, D. Venturi, Continuous non-malleable codes, in TCC (2014), pp. 465–488.
 63.
S. Faust, P. Mukherjee, J. B. Nielsen, D. Venturi, A tamper and leakage resilient von Neumann architecture, in PKC (2015), pp. 579–603.
 64.
S. Faust, P. Mukherjee, D. Venturi, D. Wichs, Efficient non-malleable codes and key-derivation for poly-size tampering circuits, in EUROCRYPT (2014), pp. 111–128.
 65.
S. Faust, P. Mukherjee, D. Venturi, D. Wichs, Efficient non-malleable codes and key derivation for poly-size tampering circuits. IEEE Trans. Inf. Theory 62(12), 7179–7194 (2016).
 66.
S. Faust, K. Pietrzak, D. Venturi, Tamper-proof circuits: How to trade leakage for tamper-resilience, in ICALP (2011), pp. 391–402.
 67.
S. Fehr, P. Karpman, B. Mennink, Short non-malleable codes from related-key secure block ciphers. IACR Trans. Symmetric Cryptol. 2018(1), 336–352 (2018).
 68.
U. Feige, D. Lapidot, A. Shamir, Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract), in FOCS (1990), pp. 308–317.
 69.
D. Genkin, Y. Ishai, M. Prabhakaran, A. Sahai, E. Tromer, Circuits resilient to additive attacks with applications to secure computation, in STOC (2014), pp. 495–504.
 70.
R. Gennaro, A. Lysyanskaya, T. Malkin, S. Micali, T. Rabin, Algorithmic tamper-proof (ATP) security: theoretical foundations for security against hardware tampering, in TCC (2004), pp. 258–277.
 71.
V. Goyal, A. Kumar, Non-malleable secret sharing, in STOC (2018), pp. 685–698.
 72.
V. Goyal, A. Sahai, Resettably secure computation, in EUROCRYPT (2009), pp. 54–71.
 73.
J. Groth, Simulation-sound NIZK proofs for a practical language and constant size group signatures, in ASIACRYPT (2006), pp. 444–459.
 74.
J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in EUROCRYPT (2008), pp. 415–432.
 75.
J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012).
 76.
Y. Ishai, M. Prabhakaran, A. Sahai, D. Wagner, Private circuits II: Keeping secrets in tamperable circuits, in EUROCRYPT (2006), pp. 308–327.
 77.
Z. Jafargholi, D. Wichs, Tamper detection and continuous non-malleable codes, in TCC (2015), pp. 451–480.
 78.
Y. T. Kalai, B. Kanukurthi, A. Sahai, Cryptography with tamperable and leaky memory, in CRYPTO (2011), pp. 373–390.
 79.
B. Kanukurthi, S. L. B. Obbattu, S. Sekar, Four-state non-malleable codes with explicit constant rate, in TCC (2017), pp. 344–375.
 80.
B. Kanukurthi, S. L. B. Obbattu, S. Sekar, Four-state non-malleable codes with explicit constant rate. J. Cryptol. 33(3), 1044–1079 (2020).
 81.
A. Kiayias, F.-H. Liu, Y. Tselekounis, Practical non-malleable codes from \(l\)-more extractable hash functions, in CCS (2016), pp. 1317–1328.
 82.
A. Kiayias, F.-H. Liu, Y. Tselekounis, Non-malleable codes for partial functions with manipulation detection, in CRYPTO (2018), pp. 577–607.
 83.
A. Kiayias, Y. Tselekounis, Tamper resilient circuits: The adversary at the gates, in ASIACRYPT (2013), pp. 161–180.
 84.
F.-H. Liu, A. Lysyanskaya, Tamper and leakage resilience in the split-state model, in CRYPTO (2012), pp. 517–532.
 85.
R. Ostrovsky, G. Persiano, D. Venturi, I. Visconti, Continuously non-malleable codes in the split-state model from minimal assumptions, in CRYPTO (2018), pp. 608–639.
 86.
K. Pietrzak, Subspace LWE, in TCC (2012), pp. 548–563.
 87.
A. De Santis, G. Di Crescenzo, R. Ostrovsky, G. Persiano, A. Sahai, Robust non-interactive zero knowledge, in CRYPTO (2001), pp. 566–598.
 88.
S. Yilek, Resettable public-key encryption: How to encrypt on a virtual machine, in CT-RSA (2010), pp. 41–56.
Acknowledgements
Open access funding provided by Università degli Studi di Roma La Sapienza within the CRUICARE Agreement.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Communicated by Jonathan Katz.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Cite this article
Faust, S., Mukherjee, P., Nielsen, J.B. et al. Continuously Non-malleable Codes in the Split-State Model. J Cryptol 33, 2034–2077 (2020). https://doi.org/10.1007/s00145-020-09362-z
Keywords
 Non-malleable codes
 Tamper resistance
 Split-state model