NonMalleable Functions and Their Applications
 8 Citations
 1.5k Downloads
Abstract
We formally study “nonmalleable functions” (NMFs), a general cryptographic primitive which simplifies and relaxes “nonmalleable oneway/hash functions” (NMOWHFs) introduced by Boldyreva et al. (ASIACRYPT 2009) and refined by Baecher et al. (CTRSA 2010). NMFs focus on deterministic functions, rather than probabilistic oneway/hash functions considered in the literature of NMOWHFs.
We mainly follow Baecher et al. to formalize a gamebased definition. Roughly, a function f is nonmalleable if, given an image \(y^* \leftarrow f(x^*)\) for a randomly chosen \(x^*\), it is hard to output a mauled image y with a \(\phi \) from some transformation class s.t. \(y = f(\phi (x^*))\). A distinctive strengthening of our nonmalleable notion is that \(\phi (x^*) = x^*\) is always allowed. We also consider adaptive nonmalleability which stipulates nonmalleability maintains even when an inversion oracle is available.
We investigate the relations between nonmalleability and onewayness in depth. In the nonadaptive setting, we show that for any achievable transformation class, nonmalleability implies onewayness for polytoone functions but not vise versa. In the adaptive setting, we show that for most algebrainduced transformation class, adaptive nonmalleability (ANM) is equivalent to adaptive onewayness (AOW) for injective functions. These two results establish interesting theoretical connections between nonmalleability and onewayness for functions, which extend to trapdoor functions as well, and thus resolve some open problems left by Kiltz et al. (EUROCRYPT 2010). Notably, the implication AOW \(\Rightarrow \) ANM not only yields constructions of NMFs from adaptive trapdoor functions, which partially solves an open problem posed by Boldyreva et al. (ASIACRYPT 2009), but also provides key insight into addressing nontrivial copy attacks in the area of relatedkey attacks (RKA).
Finally, we show that NMFs lead to a simple blackbox construction of continuous nonmalleable key derivation functions recently proposed by Qin et al. (PKC 2015), which have proven to be very useful in achieving RKAsecurity for numerous cryptographic primitives.
Keywords
Nonmalleable functions Oneway functions Algebrainduced transformations Relatedkey attacks Copy attacks Key derivation1 Introduction
Nonmalleability is an important notion for cryptographic primitives which ensures some level of independence of outputs with respect to related inputs. This notion, first treated formally in the seminal work of Dolev, Dwork and Naor [25], has been studied extensively for many randomized primitives, such as commitments [22, 23, 29, 44], encryptions [12], zeroknowledge proofs [39, 42, 49], obfuscations [20], and codes [26, 27, 28]. However, little attention has been paid on deterministic primitives. Particularly, the study dedicated to nonmalleability for deterministic functions, which is arguably the most basic primitive, is still open. With the goal to fill this gap, we initiate the study of nonmalleability for deterministic functions in this work.
1.1 Related Work
NonMalleable OneWay and Hash Functions. Boldyreva et al. [16] initiated the foundational study of nonmalleable oneway and hash functions (NMOWHFs).^{1} They gave a simulationbased definition of nonmalleability, basically saying that, for any adversary mauling a function value \(y^*\) into a related value y, there exists a simulator which does just well even without seeing \(y^*\). They provided a construction of NMOWHFs from perfectly oneway hash functions (POWHF) and simulationsound noninteractive zeroknowledge proof of knowledge (NIZKPoK). However, they regarded this construction as a feasibility result due to its inefficiency. They also discussed applications of NMOWHFs to partially instantiating random oracles in the BellareRogaway encryption scheme [11] and OAEP [17], as well as enhancing the security of cryptographic puzzles.
Being aware of several deficiencies in the simulationbased definition of nonmalleability [16],^{2} Baecher et al. [3] reverted the core idea behind nonmalleability and proposed a gamebased definition which is more handy to work with. Their definition avoids simulator completely and rather asks for the following: given a function value \(y^* \leftarrow f(x^*)\) of an unknown preimage \(x^*\), no probabilistic polynomial time (PPT) adversary is able to output a mauled image y together with a transformation \(\phi \) from a prefixed transformation class \(\varPhi \) such that \(y = f(\phi (x^*))\). To demonstrate the usefulness of their gamebased definition, they proved that the strengthened MerkleDamgård transformation satisfies their nonmalleability notion w.r.t. bit flips, and their nonmalleability notion suffices for improving security of the BellareRogaway encryption scheme.
We identify the following gaps in the NMOWHFs literature [3, 16].

Both [16] and [3] considered nonmalleability for a very general syntax of functions, comprising both classical oneway functions and collision resistant hash functions. In their cases, the underlying functions could be probabilistic and are assumed to be oneway.^{3} Despite such treatment is of utmost generality, it is somewhat bulky and even inapplicable for some natural applications, e.g., when the functions are probabilistic, two independent parties computing with the same input will not necessarily get the same output [16]. Moreover, to some extent, it blurs the relations between nonmalleability and onewayness.

The gamebased nonmalleable notion [3] is not strong enough in the sense that the adversary is restricted to output \(\phi \in \varPhi \) such that \(\phi (x^*) \ne x^*\). Note that \(\varPhi \) is introduced to capture all admissible transformations chosen by the adversary, this restriction translates to the limit that \(\varPhi \) does not contain \(\phi \) that has fixed points, which is undesirable because many widely used transformations (e.g., affine functions and polynomials) are excluded.

Boldyreva et al.’s construction of NMOWHF is in the standard model, but the uses of POWHF and NIZKPoK render it probabilistic, and inefficient for practical applications [16] (e.g., cryptographic puzzles for network protocols). The strengthened MerkleDamgård transformation does constitute an efficient NMOWHF construction [3], but its nonmalleability inherently relies on modeling the compression function as a random oracle [3]. An efficient, deterministic solution in the standard model was left open [16].

Though NMOWHFs are powerful, their cryptographic applications are only known for partially instantiating random oracles for some publickey encryption schemes and enhancing the design of cryptographic puzzles. Further applications of NMOWHFs in other areas were expected [16].
Kiltz et al. [38] introduced a strengthening of trapdoor oneway functions called adaptive oneway trapdoor functions (ATDFs), which remain oneway even when the adversary is given access to an inversion oracle. They gave a blackbox construction of chosenciphertext secure publickey encryption (CCAsecure PKE) from ATDFs, and showed how to construct ATDFs from either lossy TDFs [45] or correlatedproduct TDFs [48]. Their work suggested a number of open problems; in particular, considering nonmalleability for TDFs, exploring its relation to existing notions for TDFs and implications for PKE, and realizing them from standard assumptions.
1.2 Motivation
Based on the above discussion, we find that the state of the art of NMOWHFs is not entirely satisfactory. In particular, the study of nonmalleability dedicated to deterministic functions and its relation to onewayness are still open.
In this work, we continue the study of nonmalleable primitive, but restrict our attention to deterministic functions, rather than probabilistic oneway/hash functions considered in prior works. Apart from being a natural question which deserves study in its own right, a direct treatment of deterministic functions (without imposing any other cryptographic property) provides three main benefits. First, it shares the same underlying object of “classical” oneway functions and hence allows us to explore the relations between nonmalleability and onewayness. Second, this may further lead to efficient constructions of deterministic NMFs in the standard model, by leveraging a vast body of works on oneway functions. Third, deterministic primitives are more versatile, making deterministic NMFs more attractive being used a building block for higherlevel cryptographic protocols.
In summary, we are motivated to consider the following intriguing questions:
What is the strong yet handy nonmalleable notion for deterministic functions? What are the relations between nonmalleability and onewayness? Can we construct efficient deterministic NMFs in the standard model? Are there new appealing applications of deterministic NMFs?
1.3 Our Contributions
We give positive answers to the above questions, which we summarize below.
NonMalleable Functions. In Sect. 3, we introduce a new cryptographic primitive called deterministic NMFs,^{4} which simplifies and relaxes NMOWHFs in that the underlying functions are deterministic and not required to have any cryptographic property. Informally, NMFs stipulate no PPT adversary is able to modify a function value into a meaningfully related one. We mainly follow the gamebased approach [3] to define nonmalleability for deterministic functions w.r.t. relatedpreimage deriving transformation^{5} (RPDT) class \(\varPhi \), that is, given \(y^* \leftarrow f(x^*)\) for a randomly chosen \(x^*\), no PPT adversary is able to output a transformation \(\phi \in \varPhi \) and a function value y such that \(y = f(\phi (x^*))\).
In our definition, adversary’s power is neatly expressed through \(\varPhi \) and there is no other restriction. In particular, \(\phi (x^*) = x^*\) is always allowed even when \(y =~y^*\), whereas existing definition of NMOWHFs [3, Section3.1] demands \(\phi (x^*) \ne x^*\). As we will see in Sects. 7 and 8, this strengthening surfaces as an important property when applying to the area of RKA security. We also introduce adaptive NMFs, which remain nonmalleable even the adversary has access to an inversion oracle. This stronger notion is desirable when NMFs are used in more adversarial environment, as we will show in Sect. 8.4.
Novel Properties of RPDTs. Our nonmalleability notion is stronger if \(\varPhi \) is larger. To capture broad yet achievable RPDT class, in Sect. 4 we introduce two novel properties for RPDT class that we call bounded root space (BRS) and sampleable root space (SRS). Let \(\mathsf {id}\) and \(\phi _c\) represent identity transformation and any constant transformation respectively. The two properties demand that for each \(\phi \in \varPhi \), the root spaces of composite transformations \(\phi  \phi _c\) and \(\phi  \mathsf {id}\) are polynomially bounded and allow efficient uniform sampling.
BRS and SRS are general enough in that they are met by most algebrainduced transformations considered in the literature, including linear functions, affine functions, and low degree polynomials (with \(\mathsf {id}\) and \(\phi _c\) being punctured). We let \(\varPhi _{\text {brs}}^{\text {srs}}\) denote the general RPDT class satisfying the BRS & SRS properties.
In the nonadaptive setting, we show that w.r.t. any achievable RPDT class \(\varPhi \), nonmalleability (NM) implies onewayness (OW) for polytoone functions (cf. Definition 1), but not vise versa. This rigorously confirms the intuition that in common cases NM is strictly stronger than OW. In the adaptive setting, we show that w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\), adaptive nonmalleability (ANM) is equivalent to adaptive onewayness (AOW) for injective functions. While the implication ANM \(\Rightarrow \) AOW is obvious, the converse is much more technically involved. In Sect. 5.3, we prove the implication AOW \(\Rightarrow \) ANM via a novel algebraic technique, leveraging the injectivity of the underlying functions and the BRS & SRS properties of \(\varPhi _{\text {brs}}^{\text {srs}}\). The rough idea is that: if an adversary breaks nonmalleability (outputting a mauled image along with a transformation), the reduction can obtain a solvable equation about the preimage and thus contradicts the assumed onewayness.
All these results indicate that the preimage size is a fundamental parameter of NMFs. We also note that all the above results apply equally well to trapdoor functions. Most importantly, the equivalence \(\text {AOW} \Leftrightarrow \text {ANM}\) answers the aforementioned open problems left by Kiltz et al. [38].
Both OW and NM can be considered with auxiliary information of preimage \(x^*\), which is modeled by a hint function \(\mathsf {hint}(x^*)\). We refer to the standard (default) notions without hint as hintfree notions, and refer to the ones with hint as hinted notions. Compared to hintfree notions, hinted ones are generally more useful for cryptographic applications, as we will demonstrate in Sect. 8. While hinted notions trivially implies hintfree ones, the converse becomes more subtle. In Sect. 6, we will show that w.r.t. statistically/computationally simulatable \(\mathsf {hint}(x^*)\), hinted notions are implied by hintfree ones.
Benefits of AOW \(\Rightarrow \)ANM. Given the fact that ATDFs are efficiently realizable from a variety of hardness assumptions, the implication AOW \(\Rightarrow \) ANM immediately gives rise to efficient deterministic NMFs w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\) in the standard model. This partially^{6} resolves an open question raised in [16]. In the full version [21] of this work, by using the technique underlying AOW \(\Rightarrow \) ANM, we prove that the MerkleDamgård transformation is actually \(\varPhi _{\text {brs}}^{\text {srs}}\)nonmalleable. This greatly improves prior result [3], and thus provides an efficient candidate of NMFs w.r.t. a large RPDT class, though in the random oracle model.
Apart from yielding efficient constructions of NMFs, we find that the implication AOW \(\Rightarrow \) ANM is also useful elsewhere. In Sect. 7, we discuss how the highlevel idea underlying AOW \(\Rightarrow \) ANM provides a key insight in the RKA area, that is, resilience against nontrivial copy attacks w.r.t. most algebrainduced relatedkey deriving class is in fact a builtin security.
Applications of NMFs. Boldyreva et al. [16] showed how to design cryptographic puzzles using NMOWHFs. We note that polytoone NMFs can replace NMOWHFs in their design, making it more applicable for securing practical network protocols.
In Sect. 8, we revisit continuous nonmalleable key derivation functions (KDFs) recently proposed by Qin et al. [47], which have proven to be useful in achieving RKAsecurity for numerous cryptographic primitives. The existing construction of continuous nonmalleable KDFs is somewhat complicated, which employs onetime lossy filter, onetime signature, and pairwiseindependent functions as ingredients. We propose an exquisitely simple and elegant construction of continuous nonmalleable KDFs based solely on polytoone NMFs. Comparatively, our construction not only has potential advantages in efficiency, but also admits a direct and modular proof.
1.4 Additional Related Work
NonMalleable Codes. Dziembowski, Pietrzak and Wichs [26] introduced the notion of “nonmalleable codes” (NMCs) which relaxes the notion of errorcorrection and errordetection codes. Roughly, NMCs require that given a code \(c^* \leftarrow \mathsf {NMC}(m^*)\) for a sourcemessage \(m^*\), the decoded message m of the tampered codeword \(c = \phi (c^*)\) is either equal or completely unrelated to \(m^*\). We note that NMFs are somehow dual to NMCs. The duality comes from the fact that NMFs stipulate given \(y^* \leftarrow \mathsf {NMF}(x^*)\), \(\mathsf {NMF}(\phi (x^*))\) is still hard to compute. Very informally, we can think of in NMCs the tampering takes place on code (which could be interpreted as image of message), whereas in NMFs the “tampering” takes place on preimage.
CorrelatedInput Hash Functions. Goyal, O’Neill and Rao [35] undertook the study of correlatedinput hash functions (CIHs), which maintain security when the adversary sees hash values \(h(c_i(r))\) of related inputs \(c_i(r)\) sharing the same random coins, where \(c_i\) is a sequence of circuits chosen by the adversary. In particular, unpredictable CIHs require that no PPT adversary is able to predicate \(h(c_{n+1}(r))\) after seeing \(h(c_i(r))\) for \(i \in [n]\). NMFs can be roughly viewed as a weakening of unpredictable CIHs by restricting \(n=1\) and \(c_1 = \mathsf {id}\). Yet, our motivation, definitional framework, as well as techniques are quite different from their work. Until now, instantiation of unpredictable CIHs is only known w.r.t. specific circuit class (tie to scheme algebra), and based on specific numbertheoretic assumption.
2 Preliminaries
Basic Notations. For a distribution or random variable X, we write \(x \leftarrow X\) to denote the operation of sampling a random x according to X. For a set X, we use \(x \xleftarrow {\tiny R }X\) to denote the operation of sampling x uniformly at random from X, and use X to denote its size. We denote \(\lambda \in \mathbb {N}\) as the security parameter. Unless described otherwise, all quantities are implicit functions of \(\lambda \) (we reserve \(n(\lambda )\) and \(m(\lambda )\) to denote the input length and output length of a function respectively), and all cryptographic algorithms (including the adversary) take \(\lambda \) as an input.
We use standard asymptotic notation O, o, \(\varOmega \), and \(\omega \) to denote the growth of functions. We write \(\mathsf {poly}(\lambda )\) to denote an unspecified function \(f(\lambda ) = O(\lambda ^c)\) for some constant c. We write \(\mathsf {negl}(\lambda )\) to denote some unspecified function \(f(\lambda )\) such that \(f(\lambda ) = o(\lambda ^{c})\) for every constant c. We say that a probability is overwhelming if it is \(1  \mathsf {negl}(\lambda )\), and a probability is noticeable if it is \(\varOmega (1/\mathsf {poly}(\lambda ))\).
A probabilistic polynomial time (PPT) algorithm is a randomized algorithm that runs in time \(\mathsf {poly}(\lambda )\). If \(\mathcal {A}\) is a randomized algorithm, we write \(z \leftarrow \mathcal {A}(x_1, \dots , x_n;r)\) to indicate that \(\mathcal {A}\) outputs z on inputs \((x_1, \dots , x_n)\) and random coins r. We will omit r and write \(z \leftarrow \mathcal {A}(x_1, \dots , x_n)\).

\(A \Rightarrow B\): if all constructions of \(\varPi \) meeting security notion A also meet security notion B.

\(A \nRightarrow B\): if there exists a construction of \(\varPi \) which meets security notion A but does not meet security notion B.
Following [7], we call a result of the first type an implication, and a result of the second type a separation. If \(A \Rightarrow B\), we say A is stronger than B. If we further have \(B \nRightarrow A\), we say that A is strictly stronger than B. If we further have \(B \Rightarrow A\), we say that A is equivalent to B.
3 OneWay and NonMalleable Functions
We first recall the general syntax of a family of efficiently computable deterministic functions.
Definition 1

Sample a function: \(\mathsf {Gen}(\lambda )\) outputs a function index \(i \in I_\lambda \). Each value of i output by \(\mathsf {Gen}(\lambda )\) defines a deterministic function \(f_i: D_\lambda \rightarrow R_\lambda \).

Sample a preimage: \(\mathsf {Samp}(\lambda )\) samples a random preimage \(x \in D_\lambda \) according to some distribution \(\mathcal {C}_\lambda \) over \(D_\lambda \).^{7} Typically \(\mathcal {C}_\lambda \) is a uniform distribution over \(D_\lambda \), and we simply write \(x \xleftarrow {\tiny R }D_\lambda \) in this case.

Evaluate a function: on input \((i, x) \in I_\lambda \times D_\lambda \), \(\mathsf {Eval}(i, x)\) outputs \(f_i(x)\).
In the rest of this work, we simply say \(\mathcal {F}\) is a family of functions when the context is clear. For an element \(y \in R_\lambda \) we denote its preimage set under \(f_i\) by \(f_i^{1}(y) = \{x \in D_\lambda : f_i(x) = y\}\). We say \(\mathcal {F}\) is injective if each \(f_i \in \mathcal {F}\) is injective. Following [8], we measure the amount of “noninjectivity” by looking at the maximum preimage size. Specifically, we say that \(\mathcal {F}\) has polynomially bounded preimage size if \(f_i^{1}(y) \le \mathsf {poly}(\lambda )\) for all \(f_i \in \mathcal {F}\), all \(y \in R_\lambda \) and all \(\lambda \in \mathbb {N}\). For brevity, we simply say \(\mathcal {F}\) is polytoone.
We say \(\mathcal {F}\) is a family of trapdoor functions if \(\mathsf {Gen}(\lambda )\) additionally outputs a trapdoor \(td_i\), and there is a PPT algorithm \(\mathsf {TdInv}(td_i, y)\) that computes a preimage \(x \in f_i^{1}(y)\). If a value y is not in the image \(f_i(D_i)\), i.e., \(f_i^{1}(y)\) is empty, then the behavior of \(\mathsf {TdInv}(td_i, y)\) is unspecified.
Remark 1
When things are clear from the context, we will slightly abuse the notation for simplicity and write: I for \(I_\lambda \), D for \(D_\lambda \), R for \(R_\lambda \), \(\mathcal {C}\) for \(\mathcal {C}_\lambda \), td for \(td_i\), \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\) for (\(i \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), f := \(f_i\)). The above definition considers the domains and ranges that depend only on \(\lambda \). It is easy to generalize the definition so that the domains and ranges also depend on the function index i.
Next, we recall the notion of onewayness and formally define the notion of nonmalleability for deterministic functions. We also define the corresponding adaptive notions, in which the adversary is given access to an inversion oracle \(\mathcal {O}_\mathsf {inv}(\cdot )\). For trapdoor functions, \(\mathcal {O}_\mathsf {inv}(y) := \mathsf {TdInv}(td, y)\). For functions without trapdoor, \(\mathcal {O}_\mathsf {inv}(y)\) returns a preimage \(x \in f^{1}(y)\) if \(y \in f(D)\), while its behavior is unspecified otherwise. We emphasize that in the security experiments of adaptive notions the challenger is not necessarily to be efficient and could be unbounded for simulating \(\mathcal {O}_\mathsf {inv}(\cdot )\).
Definition 2
Definition 3
The wellknown GoldreichLevin theorem [34] says that if \(\mathcal {F}\) is oneway, then it has a hardcore \(\mathcal {H}\). More precisely, Goldreich and Levin [34] showed that the inner product of preimage x with a random string r (the latter could be viewed as part of the description of h) is a hardcore predicate (which is a special hardcore function with onebit outputs) for any OWFs.
Definition 4
We give several technical remarks about the above notions.
Impossible Classes. Obviously, our nonmalleable notion is impossible to realize w.r.t. RPDT class that contains “regular” transformations, namely, identity transformation \(\mathsf {id}\) and constant transformations \(\phi _c\). If \(\varPhi \) contains \(\mathsf {id}\), an adversary can simply win by outputting \((\mathsf {id}, y^*)\). If \(\varPhi \) contains \(\phi _c\), an adversary can win by outputting \((\phi _c, f(c))\). It is easy to see that inclusion of the transformations near to the regular ones^{8} will also make \(\varPhi \)nonmalleability unachievable. In this regard, we call the regular transformations and the transformations near to the regular ones as “dangerous” transformations. So, a primary task is to distill the characterizations on \(\varPhi \) for excluding “dangerous” transformations yet maintaining its generality to the largest extent.
Parameterized Adaptivity. Let q be the maximum number of inversion queries that an PPT adversary is allowed to make in the experiments of adaptive onewayness/nonmalleability. Typically q is assumed to be polynomially bounded and omitted from the definitions. Nevertheless, explicitly parameterizing adaptive notions with q yields more refined notions, i.e., qadaptive onewayness/nonmalleability. Clearly, adaptive notions degenerate to nonadaptive ones when \(q=0\). We will adopt the refined adaptive notions in Sect. 5.3 to give a dedicated relation between adaptive onewayness and adaptive nonmalleability.
Hinted Notions. In the nonmalleability notions of oneway/hash functions considered in [3, 16], in addition to the challenge \(y^*\), the adversary is also given some hint of \(x^*\) to capture the auxiliary information that might has been collected from previous actions that involve \(x^*\). The hint of \(x^*\) is modeled by \(\mathsf {hint}(x^*)\), where \(\mathsf {hint}\) is a probabilistic function from \(D_\lambda \) to \(\{0,1\}^{m(\lambda )}\). Analogously, in the security experiments of both onewayness and nonmalleability for deterministic functions, we can also make the adversaries more powerful by giving them \(\mathsf {hint}(x^*)\).^{9} We say that the resulting notions are hinted, and the original notions are hintfree. Hinted notions are very useful in cryptographic applications in which the adversaries may obtain some auxiliary information about \(x^*\) other than merely its image \(y^*\), as we demonstrate in Sect. 8.
Next, we first seek for an achievable yet large RPDT class in Sect. 4, then explore the connections among nonmalleability and onewayness in Sect. 5, working with hintfree notions for simplicity. We postpone the study of the relations between hintfree notions and hinted ones to Sect. 6, since we need some result in Sect. 5 as prerequisite.
4 RelatedPreimage Deriving Transformation Class
Following [3], our notion of nonmalleability for a family of deterministic functions is defined w.r.t. a RPDT class \(\varPhi \), in which \(\phi : D \rightarrow D\) maps a preimage to a related preimage. We require transformations in \(\varPhi \) should be efficiently recognizable and computable. Hereafter, we use \(\mathsf {id}\) to denote the identity transformation \(f(x) = x\) and use \(\mathsf {cf}\) to denote the set of all constant transformations \(\{\phi _c(x) = c\}_{x \in D}\). When D under addition forms a group, we use 0 to denote the identity. For \(\phi _1, \phi _2 \in \varPhi \), we define \(\phi := \phi _1  \phi _2\) as \(\phi (x) = \phi _1(x)  \phi _2(x)\).
As remarked before, we cannot hope to achieve nonmalleability for any RPDT class \(\varPhi \). We are thus motivated to distill some characterizations on \(\varPhi \) that make nonmalleability achievable while keeping \(\varPhi \) still general enough. Towards this goal, we introduce two novel properties for RPDT classes as below.
Definition 5
(Bounded Root Space). Let \(r(\lambda )\) be a quantity of \(\lambda \). A transformation \(\phi \) has \(r(\lambda )\)bounded root space if \(\phi ^{1}(0) \le r(\lambda )\). A RPDT class \(\varPhi \) has \(r(\lambda )\)bounded root space if for each \(\phi \in \varPhi \) and each \(\phi _c \in \mathsf {cf}\), the composite transformations \(\phi ' = \phi  \mathsf {id}\) and \(\phi ' = \phi  \phi _c\) both have \(r(\lambda )\)bounded root space.
Definition 6
(Sampleable Root Space). A transformation \(\phi \) has sampleable root space if there exists a PPT algorithm \(\mathsf {SampRS}\) that takes \(\phi \) as input and outputs an element from \(\phi ^{1}(0)\) uniformly at random.^{10} A RPDT class \(\varPhi \) has sampleable root space if for each \(\phi \in \varPhi \) and each \(\phi _c \in \mathsf {cf}\), the composite transformations \(\phi ' = \phi  \mathsf {id}\) and \(\phi '' = \phi  \phi _c\) both have sampleable root spaces.
In this work, we restrict our attention to root spaces whose size is polynomially bounded,^{11} i.e., \(r(\lambda ) \le \mathsf {poly}(\lambda )\). Hereafter, we let \(\varPhi _{\text {brs}}^{\text {srs}}\) denote the RPDT class satisfying the bounded root space (BRS) & sampleable root space (SRS) properties. The BRS property immediately rules out the regular transformations from \(\varPhi \) and stipulates that each \(\phi \in \varPhi \) is far away from regular ones, i.e., having at most polynomially many intersection points with them. As we will see shortly, with the confining of the BRS property, an adversary’s correct solution \((\phi , y)\) such that \(f(\phi (x^*)) = y\) provides enough information about \(x^*\) and thus reduces the minentropy of \(x^*\) to \(O(\log (\lambda ))\). The SRS property further guarantees that a polynomialtime reduction can extract the right \(x^*\) with noticeable probability.
Remark 2
Recent works [36, 47] introduced two general properties called high output entropy (HOE) and inputoutput collision resistance (IOCR) for transformation class \(\varPhi \). The former states that for each \(\phi \in \varPhi \), the minentropy of \(\phi (x)\) is sufficiently high when \(x \xleftarrow {\tiny R }D\), i.e., \(\mathsf {H}_\infty (\phi (x)) = \omega (\log \lambda )\). The latter states that for each \(\phi \in \varPhi \), \(\Pr [\phi (x) = x] = \mathsf {negl}(\lambda )\) when \(x \xleftarrow {\tiny R }D\). We observe here that BRS implies HOE & IOCR. To see this, notice that: (1) for each \(c \in D\) the equation \(\phi (x)  c = 0\) having at most polynomial number of roots implies that \(\max _{c \in D}\Pr [\phi (x) = c] \le \mathsf {poly}(\lambda )/D = \mathsf {negl}(\lambda )\) when \(x \xleftarrow {\tiny R }D\); (2) the equation \(\phi (x)  x = 0\) having at most polynomial number of roots implies that \(\Pr [\phi (x) = x] \le \mathsf {poly}(\lambda )/D = \mathsf {negl}(\lambda )\) when \(x \xleftarrow {\tiny R }D\). We can alternatively think of the BRS property captures the characterization that all \(\phi \in \varPhi \) are far from regular transformations in an algebraic view.
The notion of root sampleable RPDTs (RPDT class that meets the SRS property) is reminiscent of the notion of preimage sampleable functions introduced in [32]. The former one is weaker than the latter one in that it only insists two special forms of transformations are preimage sampleable at zero point obeying uniform distribution. We note that it suffices to relax uniform distribution to some appropriate distribution.
We conclude this section by showing that the BRS & SRS properties are met by most algebrainduced transformation classes (excluding \(\mathsf {id}\) and \(\mathsf {cf}\)) considered in the literature, which we recall as below.
GroupInduced Transformations. When D under \(\odot \) forms a group \(\mathbb {G}\), let \(\varPhi ^\text {lin} = \{\phi _a\}_{a \in \mathbb {G}}\) with \(\phi _a(x) = a \odot x\) be the class of linear transformations, which generalize several important classes, for example, “bit flips” (exclusive or, XOR) \(\phi _a(x) = a \oplus x\) and modular additions \(\phi _a(x) = a + x \mod 2^n\) when \(D = \{0,1\}^n\).
RingInduced Transformations. When D under addition \(+\) and multiplication \(\cdot \) forms a ring \(\mathbb {R}\), let \(\varPhi ^\text {aff} = \{\phi _{a,b}\}_{a,b \in \mathbb {R}}\) with \(\phi _{a,b}(x) = ax + b\) be the class of affine transformations.
FieldInduced Transformations. When D under addition \(+\) and multiplication \(\cdot \) forms a field \(\mathbb {F}\), let p be the characteristic of \(\mathbb {F}\) and \(d \ge 0\) be any fixed integer. Let \(\varPhi ^\text {poly(d)} = \{\phi _q\}_{q \in \mathbb {F}_d(x)}\) with \(\phi _q(x) = q(x)\) be the class of polynomial functions, where \(\mathbb {F}_d(x)\) denotes single variable polynomials over \(\mathbb {F}\) with degree bounded by d. When d and p are small (i.e., \(d = \mathsf {poly}(\lambda )\) and \(p = \mathsf {poly}(\lambda )\)), one can find all roots for any \(q \in \mathbb {F}_d(x)\) in polynomial time \(O(d^3p)\) using Berlekamp’s algorithm [14]. When d is small but p is large, one can find all roots for any \(q \in \mathbb {F}_d(x)\) in expected polynomial time \(O(d^{2+\varepsilon }+d^{1+\varepsilon } \log p)\) using Gathen and Shoup’s algorithm [31].
It is easy to verify that \(\varPhi ^\text {lin} \backslash \mathsf {id}\), \(\varPhi ^\text {aff} \backslash (\mathsf {id} \cup \mathsf {cf})\), and \(\varPhi ^{\text {poly}(d)} \backslash (\mathsf {id} \cup \mathsf {cf})\) for \(d = \mathsf {poly}(\lambda )\) all satisfy the BRS and SRS properties.
5 Relations Among NonMalleability and OneWayness
In this section, we explore the relations among (adaptive) nonmalleability and (adaptive) onewayness for deterministic functions. For simplicity, we work with hintfree notions. All the results obtained extend naturally among hinted notions.
5.1 NonMalleability \(\Rightarrow \) OneWayness
Lemma 1
For any achievable RPDT class \(\varPhi \), \(\varPhi \)NonMalleability \(\Rightarrow \) OneWayness when \(\mathcal {F}\) is polytoone.
Proof
Suppose there is an adversary \(\mathcal {A}\) that breaks the onewayness of \(\mathcal {F}\) with nonnegligible probability, then we can build an algorithm \(\mathcal {B}\) that breaks nonmalleability of \(\mathcal {F}\) also with nonnegligible probability. \(\mathcal {B}\) works by simulating \(\mathcal {A}\)’s challenger in the onewayness experiment as follows:
Setup: Given \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\) and a challenge \(y^* \leftarrow f(x^*)\) for \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), \(\mathcal {B}\) forwards \((f, y^*)\) to \(\mathcal {A}\).
Attack: When \(\mathcal {A}\) outputs its solution x against onewayness, \(\mathcal {B}\) simply picks a random \(\phi \in \varPhi \), then outputs \((\phi , f(\phi (x))\) as its solution.
Since \(\mathcal {F}\) is polytoone, conditioned on \(\mathcal {A}\) succeeds (\(x \in f^{1}(y^*)\)), we have \(\Pr [x = x^* y^*] \ge 1/\mathsf {poly}(\lambda )\), where the probability is over the choice of \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\). This is because there are at most \(\mathsf {poly}(\lambda )\) values x such that \(f(x) =~y^*\), and they are all equally likely in \(\mathcal {A}\)’s view. Therefore, if \(\mathcal {A}\) breaks the onewayness of \(\mathcal {F}\) with nonnegligible probability, then \(\mathcal {B}\) breaks the nonmalleability of \(\mathcal {F}\) also with nonnegligible probability. This lemma follows. \(\square \)
The above reduction loses a factor of \(1/\mathsf {poly}(\lambda )\). When \(\mathcal {F}\) is injective, the reduction becomes tight.
5.2 OneWayness \(\nRightarrow \) NonMalleability
Lemma 2
OneWayness \(\nRightarrow \)\(\varPhi _\mathrm{{brs}}^\mathrm{{srs}}\)NonMalleability.
Proof
Let \(\mathcal {F}\) be a family of oneway functions. To prove this lemma, we show how to modify \(\mathcal {F}\) into \(\mathcal {F}'\) so that \(\mathcal {F}'\) is still oneway but malleable w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\). Suppose \(\mathcal {F}.\mathsf {Gen}(\lambda )\) outputs a function \(f: \{0,1\}^n \rightarrow \{0,1\}^m\), we construct \(\mathcal {F}'.\mathsf {Gen}(\lambda )\) as follows: run \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), output a function \(f': \{0,1\}^{n+1} \rightarrow \{0,1\}^{m+1}\) where \(f'(x\beta ) := f(x)\beta \) and \(\beta \) denotes the last bit of its input. We then proceed to prove the following two claims.
Claim 1
\(\mathcal {F}'\) is oneway.
Proof
It is easy to see that \(\mathcal {F}'\) inherits the onewayness from \(\mathcal {F}\). We omit the proof here since it is straightforward. \(\square \)
Claim 2
\(\mathcal {F}'\) is \((\varPhi ^\mathrm{{xor}} \backslash \mathsf {id})\)malleable.
Proof
Given \(f'\) and a challenge \(y'^* = f'(x'^*)\) where \(x'^* = x^*\beta ^*\) is randomly chosen from \(\{0,1\}^{n+1}\), we build an adversary \(\mathcal {A}'\) against the nonmalleability of \(\mathcal {F}'\) as follows: parse \(y'^*\) as \(y^*\beta ^*\), set \(a = 0^n1\), then output \(\phi _a\) together with \(y' = y^*  (\beta ^* \oplus 1)\). It is easy to see that \(\phi _a \in \varPhi ^\text {xor} \backslash \mathsf {id}\) and \(y' = f'(x^*(\beta ^* \oplus 1)) = f'(\phi _a(x'^*))\). This proves Claim 2. \(\square \)
As shown in Sect. 4, \(\varPhi ^\text {xor}\) is a special case of groupinduced class, and thus \(\varPhi ^\text {xor} \backslash \mathsf {id} \subseteq \varPhi _{\text {brs}}^{\text {srs}}\). The lemma immediately follows from the above two claims. \(\square \)
While this is just a contrived counterexample for one particular attempt, there exist more natural counterexamples. For instance, a \(\varPhi \)homomorphic oneway function^{12}f is also \(\varPhi \)malleable since \(f(x^*) = y^*\) implies \(f(\phi (x^*)) = \phi (y^*)\). All these counterexamples indicate that functions with nice algebraic structure are unlikely to be nonmalleable.
5.3 Adaptive NonMalleability \(\Leftrightarrow \) Adaptive OneWayness
Lemma 3
For any achievable RPDT class \(\varPhi \), qAdaptive \(\varPhi \)NonMalleability \(\Rightarrow \)qAdaptive OneWayness when \(\mathcal {F}\) is polytoone.
Proof
The proof can be easily adapted from that of Lemma 1. We omit it here for since it is straightforward. \(\square \)
Lemma 4
\((q+1)\)Adaptive OneWayness \(\Rightarrow \)qAdaptive \(\varPhi _\mathrm{{brs}}^\mathrm{{srs}}\)NonMalleability when \(\mathcal {F}\) is injective.
We first outline the highlevel idea of the proof. Since the task of finding the preimage \(x^*\) appears to be harder than that of mauling its image, the major technical difficulty is how to utilize the power of an adversary \(\mathcal {A}\) against adaptive nonmalleability to break adaptive onewayness.
It is instructive to see that a challenge instance of onewayness has already provided an equation about \(x^*\), i.e., \(f(x^*) = y^*\). When \(\mathcal {A}\) outputs its solution \((\phi , y)\) against nonmalleability, the reduction immediately obtains another equation about \(x^*\), that is, \(f(\phi (x^*)) = y\). However, these two equations are hard to solve on their own due to the involvement of f (which could be complex). Luckily, by utilizing either the injectivity of f or the inversion oracle, the reduction is able to obtain a new solvable equation about \(x^*\) without the presence of f: (1) for the case of \(y = y^*\), the reduction gets \(\phi (x^*) = x^*\) due to the injectivity of f; (2) for the case of \(y \ne y^*\), the reduction first queries the inversion oracle at point y, then gets \(\phi (x^*) = \mathcal {O}_\mathsf {inv}(y)\). In both cases, the reduction successfully confines \(x^*\) in a polybounded root space (due to the BRS property), then correctly extracts it with noticeable probability (due to the SRS property). This justifies the usefulness of BRS & SRS properties. See the formal proof as follows.
Proof
Suppose there is an adversary \(\mathcal {A}\) against the adaptive nonmalleability of \(\mathcal {F}\), we can build an adversary \(\mathcal {B}\) against the adaptive onewayness of \(\mathcal {F}\). \(\mathcal {B}\) simulates \(\mathcal {A}\)’s challenger in the adaptive nonmalleability experiment as follows:
Setup: Given \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\) and a challenge \(y^* \leftarrow f(x^*)\) for \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), \(\mathcal {B}\) forwards \((f, y^*)\) to \(\mathcal {A}\).
 1.
Case \(y = y^*\): \(\mathcal {B}\) runs \(\mathsf {SampRS}(\phi ')\) to output a random solution of \(\phi '(\alpha ) = 0\) where \(\phi '(\alpha ) = \phi (\alpha )  \alpha \).
 2.
Case \(y \ne y^*\): \(\mathcal {B}\) queries the inversion oracle \(\mathcal {O}_\mathsf {inv}(\cdot )\) at point y and gets the response x, then runs \(\mathsf {SampRS}(\phi '')\) to output a random solution of \(\phi ''(\alpha ) = 0\) where \(\phi ''(\alpha ) = \phi (\alpha )  x\).
We justify the correctness of \(\mathcal {B}\)’s strategy as follows. For case 1, conditioned on \(\mathcal {A}\) succeeds (\(f(\phi (x^*)) = y^*\)), due to the injectivity of \(\mathcal {F}\), we have \(\phi (x^*) =~x^*\), i.e., \(x^*\) is a solution of \(\phi '(\alpha ) = 0\). For case 2, conditioned on \(\mathcal {A}\) succeeds (\(f(\phi (x^*)) =~y\)), due to the injectivity of \(\mathcal {F}\), we have \(\phi (x^*) = x\), i.e., \(x^*\) is a solution of \(\phi ''(\alpha ) = 0\). Taking the two cases together, conditioned on \(\mathcal {A}\) succeeds by making at most q inversion queries, then according to the BRS & SRS properties of \(\varPhi _{\text {brs}}^{\text {srs}}\), \(\mathcal {B}\) will output the right \(x^*\) with probability \(1/\mathsf {poly}(\lambda )\) by making at most \((q+1)\) inversion queries. We stress that the probability here is taken over the randomness of \(\mathsf {SampRS}\), but not \(\mathcal {F}.\mathsf {Samp}\). Thereby, if \(\mathcal {A}\) breaks the qadaptive nonmalleability with nonnegligible probability, \(\mathcal {B}\) breaks the \((q+1)\)adaptive onewayness also with nonnegligible probability. This proves this lemma. \(\square \)
Combining Lemmas 3 and 4 together, we conclude that for injective functions, adaptive \(\varPhi _{\text {brs}}^{\text {srs}}\)nonmalleability is equivalent to adaptive onewayness.
Remark 3
Analogous to the RKA security notion, our nonmalleability notion is of “unique” flavor, in which the adversary is only considered to be successful if its output is a related image of the preimage \(x^*\) exactly chosen by the challenger. Precis for this reason, the injectivity of \(\mathcal {F}\) is crucial for the reduction from adaptive nonmalleability to adaptive onewayness. If \(\mathcal {F}\) is noninjective, the reduction is not guaranteed to get the right equation about \(x^*\). For example, in case \(y = y^*\), if the adversary \(\mathcal {A}\) always outputs \(\phi \in \varPhi \) such that \(\phi (x) \ne x\) for any \(x \in D\), the reduction will never get a right solvable equation about \(x^*\).
5.4 NonMalleability \(\nRightarrow \) Adaptive NonMalleability
At first glance, one might think nonmalleability does imply adaptive nonmalleability based on the intuition that the inversion oracle does not help. Suppose \(\mathcal {A}\) is an adversary against adaptive nonmalleability. Given \(y^* \leftarrow f(x^*)\) for randomly chosen \(x^*\) and an inversion oracle, \(\mathcal {A}\) is asked to output \((\phi , y)\) such that \(f(\phi (x^*)) = y\). Since \(\mathcal {A}\) is not allowed to query the inversion oracle on \(y^*\), it seems the only strategy is to firstly maul \(y^*\) to some related y, then query the inversion oracle on y, and use the answer x to help figuring out a transformation \(\phi \) s.t. \(\phi (x^*) = x\). As we showed in Lemma 1, if \(\mathcal {F}\) is nonmalleable and polytoone, it is also oneway and thus \(x^*\) is computationally hidden from \(\mathcal {A}\). Thus, it seems impossible for \(\mathcal {A}\) to determine \(\phi \) without the knowledge of \(x^*\).
However, the above intuition is deceptive in thinking that the inversion algorithm always behave benignly, namely, returning the preimages of its inputs. Actually, contrived inversion algorithm may reveal critical information (e.g. trapdoor) when its inputs fall outside the image of f, and thus make f not adaptively nonmalleable. This is similar in spirit to the separation NMCPA \(\nRightarrow \) INDCCA1 [7, Sect. 3.2] in the publickey encryption setting.
Lemma 5
For any achievable RPDT class \(\varPhi \), \(\varPhi \)NonMalleability \(\nRightarrow \) Adaptive \(\varPhi \)NonMalleability when \(\mathcal {F}\) is polytoone.
Due to page limit, we defer the proof of this lemma to the full version [21].
In the above, we work with hintfree (standard) nonmalleability notion and onewayness notion for simplicity. It is easy to see that all these relations apply equally well to the hinted nonmalleability notion and the hinted onewayness notion, with respect to the same hint function.
Construction of NMFs. Baecher et al. [3, Construction4.1] showed that the strengthened MerkleDamgård (MD) transformation is nonmalleable w.r.t. \(\varPhi ^\text {xor} \backslash \mathsf {id}\)), assuming the compression function is a random oracle. We improve over their result by showing that the strengthened MD transformation is essentially nonmalleable w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\). This result gives us an efficient candidate of NMFs w.r.t. large RPDT class, though in the random oracle model. Due to page limit, we defer the details of this part to the full version [21].
As to the construction of NMFs in the standard model, Lemma 4 shows that any injective ATDFs are indeed \(\varPhi _{\text {brs}}^{\text {srs}}\)nonmalleable, while [38] demonstrates that injective ATDFs can be constructed from either a number of cryptographic primitives such as correlatedproduct TDFs [48], lossy TDFs [45] and CCAsecure deterministic encryption [4] (which in turn can be efficiently constructed from a variety of standard assumptions) or from some specific assumption, e.g. “instanceindependent” RSA assumption. This indicates that deterministic NMFs are widely realizable in the standard model, and thus partially resolves an open question raised in [16].
Finally, we observe that for the purpose of constructing NMFs, 1ATDFs (which only allows the adversary to query the inversion oracle once) are sufficient. Nevertheless, if 1ATDFs are strictly weaker than qATDFs for \(q > 1\) and if it allows more efficient instantiations, are still unknown to us. Besides, we are only able to construct NMFs w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\) in this work. Though \(\varPhi _{\text {brs}}^{\text {srs}}\) is very general (comprising most algebrainduced transformations), it is still of great interest to know if it is possible to go beyond the algebraic barrier.
6 Relation Between HintFree and Hinted Notions
In this section, we investigate the relations between hintfree notions and hinted notions. While hinted notions obviously imply hintfree ones, if the reverse implication holds crucially depends on the hint functions. It is intriguing to know for what kind of hint functions, hintfree notions do imply hinted notions.
Let \(\mathcal {F}\) be a family of deterministic functions, \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\) and \(y^* \leftarrow f(x^*)\). Roughly, we say \(\mathsf {hint}(x^*)\) is \(p(\lambda )\)statistically simulatable if there exists a PPT algorithm \(\mathcal {R}\) such that \((y^*, \mathcal {R}(y^*)) \approx _s (y^*, \mathsf {hint}(x^*))\) holds with probability \(p(\lambda )\); we say \(\mathsf {hint}(x^*)\) is \(p(\lambda )\)computationally simulatable if there exists a PPT algorithm \(\mathcal {R}\) such that \((y^*, \mathcal {R}(y^*)) \approx _{c} (y^*, \mathsf {hint}(x^*))\) holds with probability \(p(\lambda )\) based on the hintfree hardness assumption. The probability is over the choice of \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\) and the random coins of \(\mathcal {R}\). It is easy to see that when \(\mathsf {hint}(x^*)\) is either statistically simulatable or computationally simulatable for some noticeable probability \(p(\lambda )\), a reduction algorithm is able to create a game with probability \(p(\lambda )\) such that it is indistinguishable to the real hinted game, and thus reduces hinted notions to hintfree ones. We exemplify these two cases in Lemmas 7 and 8, respectively.
Next, we formally study the relation between onewayness and hinted onewayness, then show the analogous result also holds between nonmalleability and hinted nonmalleability for polytoone functions.
Lemma 6
For a family of functions \(\mathcal {F}\), hinted onewayness w.r.t. any achievable hint function implies onewayness.
Proof
This direction is straightforward and hence the proof is omitted. \(\square \)
We then turn to the inverse direction. We first show that regardless of the construction of \(\mathsf {hint}(\cdot )\), as long as its output length is short, i.e., bounded by \(\log (\mathsf {poly}(\lambda ))\), then \(\mathsf {hint}(x^*)\) is \(1/\mathsf {poly}(\lambda )\)perfectly simulatable (a special case of statistically simulatable) and thus onewayness implies hinted onewayness.
Lemma 7
(Statistically Simulatable Case). For a family of functions \(\mathcal {F}\), onewayness implies hinted onewayness w.r.t. any hint function with output length bounded by \(\log (\mathsf {poly}(\lambda ))\).
Proof
Let \(\mathcal {A}\) be an adversary against hinted onewayness of \(\mathcal {F}\) with advantage \(\mathsf {Adv}_{\mathcal {A}, \mathcal {F}}^\text {how}(\lambda )\). We build an adversary \(\mathcal {B}\) against onewayness by using \(\mathcal {A}\)’s power. Given \((f, y^*)\) where \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), \(y^* \leftarrow f(x^*)\) for \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), \(\mathcal {B}\) simply makes a random guess of \(\mathsf {hint}(x^*)\), then sends \((f, y^*, \mathsf {hint}(x^*))\) to \(\mathcal {A}\). Finally, \(\mathcal {B}\) forwards \(\mathcal {A}\)’s solution as its solution. Since the output length is bounded by \(\log (\mathsf {poly}(\lambda ))\), \(\mathcal {B}\) guesses the right hint value and thus simulates perfectly with probability \(1/\mathsf {poly}(\lambda )\). Thereby, we conclude that \(\mathsf {Adv}_{\mathcal {B}, \mathcal {F}}^\text {ow}(\lambda ) \ge \mathsf {Adv}_{\mathcal {A}, \mathcal {F}}^\text {how}(\lambda )/\mathsf {poly}(\lambda )\). The lemma immediately follows. \(\square \)
We then show that, for some specific hint functions with output length could possibly beyond \(\log (\mathsf {poly}(\lambda ))\), \(\mathsf {hint}(x^*)\) is computationally simulatable assuming the onewayness of \(\mathcal {F}\), and thus hintfree onewayness also implies hinted onewayness in this case.
Lemma 8
Proof
The highlevel idea of the proof is to show that, assuming the onewayness of \(\mathcal {F}\), \(\mathsf {hint}(x^*; b)\) for \(x^* \xleftarrow {\tiny R }X\) and \(b \xleftarrow {\tiny R }\{0,1\}\) is 1computationally simulatable. We prove this theorem via a sequence of games. Let \(\mathcal {A}\) be an adversary against the hinted onewayness of \(\mathcal {F}\) w.r.t. the hint function defined as above. Let \(S_i\) be the event that \(\mathcal {A}\) wins in Game i.
We now state and prove two claims that establish the lemma.
Claim 3
Game 0 and Game 1 are computationally indistinguishable, assuming the hintfree onewayness of \(\mathcal {F}\).
Proof
Since onewayness of \(\mathcal {F}\) implies pseudorandomness of its hardcore \(\mathcal {H}\) (c.f. Definition 3), it suffices to show that Game 0 and Game 1 are computationally indistinguishable based on the pseudorandomness of \(\mathcal {H}\). We show how to turn a distinguisher \(\mathcal {A}\) into an algorithm \(\mathcal {B}\) against the pseudorandomness of \(\mathcal {H}\).
Claim 4
No PPT adversary has nonnegligible advantage in Game 2 assuming the onewayness of \(\mathcal {F}\).
Proof
Suppose \(\mathcal {A}\) is a PPT adversary that has nonnegligible advantage in Game 2. We show how to use \(\mathcal {A}\)’s power to break the onewayness of \(\mathcal {F}\). Given the onewayness challenge \((f, y^*)\) where \(y^* \leftarrow f(x^*)\) for randomly chosen \(x^*\), \(\mathcal {B}\) simply assigns \(\widetilde{\mathsf {hint}}(x^*;b)\) to be a random string from \(\{0,1\}^{m(\lambda )}\), then sends \((f, y^*, \widetilde{\mathsf {hint}}(x^*;b))\) to \(\mathcal {A}\) as the challenge. Finally, \(\mathcal {A}\) outputs its solution, and \(\mathcal {B}\) forwards it to its own challenger. Clearly, \(\mathcal {B}\) perfectly simulates Game 1. Therefore, \(\mathcal {B}\) breaks the onewayness of \(\mathcal {F}\) with at least the same advantage as \(\mathcal {A}\) succeeds in Game 1. By assuming the onewayness of \(\mathcal {F}\), \(\mathcal {A}\)’s advantage must be negligible in \(\lambda \). This proves the Claim 4. \(\square \)
From Claims 3 and 4, we have \(\Pr [S_1]\Pr [S_0] = \mathsf {negl}(\lambda )\) and \(\Pr [S_1] = \mathsf {negl}(\lambda )\). Putting all the above together, we have \(\mathsf {Adv}_{\mathcal {A}, \mathcal {F}}^{\text {how}}(\lambda ) = \mathsf {negl}(\lambda )\) assuming the onewayness of \(\mathcal {F}\). In other words, onewayness implies hinted onewayness w.r.t. such specific hint function defined as above. The lemma follows. \(\square \)
The above results apply naturally to the adaptive setting.
Remark 4
It is easy to see that the above results also hold between hinted nonmalleability and hintfree nonmalleability for polytoone \(\mathcal {F}\). Particularly, to see hinted NM w.r.t. the hint function defined in Eq. (1) is implied by hintfree NM, just note that such hint function is 1computationally simulatable assuming the onewayness of \(\mathcal {F}\) (as we have shown in Lemma 8), which in turn implied by the nonmalleability of \(\mathcal {F}\) when \(\mathcal {F}\) is polytoone (Lemma 1).
7 BuiltIn Resilience Against Nontrivial Copy Attacks
Here, we extend the idea underlying the implication AOW \(\Rightarrow \) ANM further still to address nontrivial copy attacks in the RKA area. We begin by briefly introducing the background of RKA security and defining what it means for “copy attacks” (including trivial ones and nontrivial ones).
7.1 RKAsecurity Model and Copy Attacks
Traditional security models assume that the internal states (e.g., secret keys and random coins) of cryptographic hardware device are completely protected from the adversary. However, practical fault injection techniques [15, 18] demonstrate that the adversaries are able to launch relatedkey attacks (RKAs), namely, to induce modifications to the keys stored in cryptographic hardware device and subsequently observe the outcome under the modified keys. Bellare and Kohno [9] initiated a theoretical study of RKA security. Their results mainly focused on pseudorandom function/permutation, and their constructions were subsequently improved by [1, 5]. So far, the study of RKA security has expands to other primitives, such as privatekey encryption [2], publickey encryption [51], signature [10], and identitybased encryption [10].
In the RKAsecurity model, modifications to the secret keys are modeled by relatedkey deriving transformation (RKDT) class \(\varPhi \), and cryptographic hardware device is modeled by algorithm \(\mathsf {Func}(sk, x)\), where \(\mathsf {Func}(sk, \cdot )\) denotes some keyedoperations (e.g., signing, decryption) and x denotes its input (e.g., message, ciphertext). A primitive is said to be RKAsecure if it remains secure when the adversary can access to a RKA oracle \(\mathcal {O}_\mathsf {rka}(\phi , x): = \mathsf {Func}(\phi (sk), x)\).
Let \(x^*\) be the challenge in the security experiment. The RKA queries \(\langle \phi , x^* \rangle \) where \(\phi (sk) = sk\) essentially capture a category of attacks known as “copy attacks”. Among copy attacks, we refer to the ones with \(\phi = \mathsf {id}\) as trivial copy attacks and the rest as nontrivial copy attacks. While trivial copy attacks must be excluded to ensure the meaningfulness of the RKAsecurity notion, nontrivial copy attacks should be allowed since they are possible in practice (e.g., via fault injection attacks [15, 18]). However, attaining resilience against nontrivial copy attacks turns out to be difficult.
7.2 Known Techniques in Tackling Nontrivial Copy Attacks
Almost all the known constructions of RKAsecure primitives achieve RKA security by exploiting so called \(\varPhi \)keymalleability as a vital property. Loosely speaking, this property provides a PPT algorithm \(\mathsf {T}\) such that \(\mathsf {Func}(\phi (sk), x) = \mathsf {Func}(sk, \mathsf {T}(\phi , x))\). Let \(\mathcal {O}(x) := \mathsf {Func}(sk, x)\) be the original oracle of the starting primitive. With such property, the reduction is able to reduce the RKA security to the original security of the starting primitive by simulating the RKA oracle via the original oracle, that is, answering \(\mathcal {O}_\mathsf {rka}(\phi , x)\) with \(\mathcal {O}(\mathsf {T}(\phi , x))\). However, a subtlety in the above strategy is that the original oracle \(\mathcal {O}(\cdot )\) will deny query \(\langle x^* \rangle \). As a consequence, the reduction is unable to handle nontrivial copy attacks, i.e., answering RKA queries \(\langle \phi , x^* \rangle \) where \(\phi \ne \mathsf {id}\) but \(\phi (sk) = sk\).
Prior works paid a lot of effort to address this problem. To date, there are three methods dealing with nontrivial copy attacks in the literature. The first method is assuming \(\varPhi \) is clawfree and contains \(\mathsf {id}\). Recall that clawfreeness requires that for all distinct \(\phi , \phi ' \in \varPhi \) and all \(x \in D\), \(\phi (x) \ne \phi '(x)\). With this assumption, such a \(\phi \) is not in \(\varPhi \) and nontrivial copy attacks are automatically ruled out. This is exactly the technical reason of why numerous constructions of \(\varPhi \)RKAsecureprimitives [5, 9, 33, 41] are restricted to clawfree \(\varPhi \). However, as already pinpointed by [1, 6], this assumption is undesirable because many natural and practical RKDT classes are not clawfree. The second method is directly modifying the RKA security experiment to disallow RKA queries \(\langle \phi , x^* \rangle \) where \(\phi \ne \mathsf {id}\) but \(\phi (sk) = sk\). Such method evades nontrivial copy attacks only in the conceptual sense by adopting a potentially weaker RKA notion. It also brings a new technical challenge, that is, checking if \(\phi (sk) = sk\) without knowing sk. To overcome this hurdle, existing works either require the starting primitives to meet extra properties like \(\varPhi \)fingerprinting [37, 40, 51] in the context of publickey encryption or resort to adhoc transform like identityrenaming [10] in the context of identitybased encryption.^{13} The third method in the context of pseudorandom functions is to rely on \(\varPhi \)keycollisionsecurity [1], which requires that for a random key k it is impossible to find two distinct \(\phi _1, \phi _2 \in \varPhi \) such that \(\phi _1(k) = \phi _2(k)\). However, such property is only known to hold w.r.t. specific \(\varPhi \) under concrete numbertheoretic assumptions.
7.3 Our Insight in Addressing Nontrivial Copy Attacks
As discussed above, nontrivial copy attacks have not been well addressed at a general level. Being aware of the similarity between our nonmalleability notion and the RKA security notion, we are curious to know if our strengthening of allowing \(\phi (x^*) = x^*\) can shed light on this problem. Recall that in the proof of Lemma 4 for the case of \(y = y^*\), we essentially proved that by assuming the onewayness of f, no PPT adversary is able to find a \(\phi \in \varPhi _{\text {brs}}^{\text {srs}}\) such that \(\phi (x^*) = x^*\) with nonnegligible probability. The highlevel idea is that as long as the adversary is able to find such a \(\phi \in \varPhi _{\text {brs}}^{\text {srs}}\), then a reduction can obtain an efficiently solvable equation about \(x^*\). Somewhat surprisingly, this idea immediately indicates that w.r.t. RKDT class \(\varPhi = \varPhi _{\text {brs}}^{\text {srs}}\cup \mathsf {id} \cup \mathsf {cf}\), resilience against nontrivial copy attacks is in fact a builtin immunity guaranteed by the security of starting primitives.
We sketch the argument more formally as follows. Let \(\mathcal {A}\) be a RKA adversary and denote by E the event that nontrivial attack happens, i.e., \(\mathcal {A}\) makes at least one RKA query \(\langle \phi , x^* \rangle \) such that \(\phi \in \varPhi _{\text {brs}}^{\text {srs}}\) and \(\phi (sk) = sk\). Let \(l(\lambda )\) be the maximum number of RKA queries \(\mathcal {A}\) makes. Our aim is to prove \(\Pr [E] = \mathsf {negl}(\lambda )\) by only assuming the original security of the starting primitives. Conditioned on E happens, a reduction \(\mathcal {R}\) can pick out a nontrivial copy attack query say \(\langle \phi , x^* \rangle \) and hence obtains a right equation \(\phi (sk) = sk\) about sk, with probability at least \(1/l(\lambda )\). Conditioned on getting the right equation, \(\mathcal {R}\) can further compute the correct sk with probability \(1/\mathsf {poly}(\lambda )\) due to the BRS & SRS properties of \(\varPhi _{\text {brs}}^{\text {srs}}\). Overall, \(\mathcal {R}\) is able to recover sk with probability \(\Pr [E]/l(\lambda )\mathsf {poly}(\lambda )\). Since \(\mathcal {A}\) is a PPT adversary, \(l(\lambda )\) is polybounded. Therefore, if \(\Pr [E]\) is nonnegligible, then \(\mathcal {R}\) can recover sk with nonnegligible probability. This contradicts the security of the starting primitives, and therefore we must have \(\Pr [E] = \mathsf {negl}(\lambda )\).
Somewhat surprisingly, our result indicates that w.r.t. RKDT class \(\varPhi \subseteq \varPhi _{\text {brs}}^{\text {srs}}\cup \mathsf {id} \cup \mathsf {cf}\), resilience against nontrivial copy attacks is essentially a builtin security guaranteed by the starting primitives. Previous RKAsecure schemes w.r.t. algebrainduced RKDTs could benefit from this, that is, “weak” RKA security (disallowing nontrivial copy attacks) can be enhanced automatically without resorting to clawfree assumption or additional properties/transformations.
8 Application to RKAsecure Authenticated KDFs
8.1 Continuous NonMalleable KDFs, Revisited
Qin et al. [47] extended nonmalleable key derivation functions (KDFs) [28] to continuous nonmalleable KDFs, and showed how to use it to compile numerous cryptographic primitives into RKAsecure ones. In what follows, we briefly recall the syntax, security notion, as well as construction of continuously nonmalleable KDFs presented in [47].
Syntax. KDFs consist of three polynomial time algorithms: (1) \(\mathsf {Setup}(\lambda )\), on input \(\lambda \), outputs systemwide public parameters pp, which define the key space S, the public key space \(\varPi \), and the derived key space \(\{0,1\}^m\). (2) \(\mathsf {Sample}(pp)\), on input pp, samples a random key \(s \xleftarrow {\tiny R }S\) and computes public key \(\pi \in \varPi \). (3) \(\mathsf {Derive}(s, \pi )\), on input \((s, \pi )\), outputs a derived key \(r \in \{0,1\}^m\) or \(\bot \) indicating that \(\pi \) is not a valid proof of s.
Security. The continuous nonmalleability of KDFs is defined w.r.t. a transformation class \(\varPhi \), which states that no PPT adversary can distinguish a real derived key \(r \leftarrow \mathsf {Derive}(s^*, \pi ^*)\) from a random one, even if it can continuously query a key derivation oracle \(\mathcal {O}_\mathsf {derive}^\varPhi (\cdot , \cdot )\), which on input \(\phi \in \varPhi \) and \(\pi \in \varPi \), returns a special symbol \(\mathsf {same}^*\) if Open image in new window , or \(\mathsf {Derive}(\phi (s^*), \pi )\) otherwise.
Construction. Let \(\text {LF} = (\mathsf {Gen}, \mathsf {Eval}, \mathsf {LTag})\) be a collection of onetime lossy filters [46] with domain S, range Y, and tag space \(T = \{0,1\}^* \times T_c\). Let \(\text {OTS} = (\mathsf {Gen}, \mathsf {Sign}, \mathsf {Vefy})\) be a strongly onetime signature. Let \(\mathcal {H}\) be a family of pairwise independent functions from S to \(\{0,1\}^m\). The construction is as below.

\(\text {KDF}.\mathsf {Setup}(\lambda )\): run \((ek, td) \leftarrow \text {LF}.\mathsf {Gen}(\lambda )\), pick \(h \xleftarrow {\tiny R }\mathcal {H}\), output \(pp = (ek, h)\). Precisely, pp also includes the public parameters of \(\text {LF}\) and \(\text {OTS}\).

\(\text {KDF}.\mathsf {Sample}(pp)\): run \((vk, sk) \leftarrow \text {OTS}.\mathsf {Gen}(\lambda )\), pick \(t_c \xleftarrow {\tiny R }T_c\), \(s \xleftarrow {\tiny R }S\); compute \(y \leftarrow \text {LF}.\mathsf {Eval}(ek, (vk, t_c), s)\) and \(\sigma \leftarrow \text {OTS}.\mathsf {Sign}(sk, t_cy)\), then set \(t = (vk, t_c, y, \sigma )\), and finally output (s, t).

\(\text {KDF}.\mathsf {Derive}(s, t)\): parse \(t = (vk, t_c, y, \sigma )\), if \(\text {LF}.\mathsf {Eval}(ek, (vk, t_c), s) = y\) and \(\text {OTS}.\mathsf {Vefy}(vk, t_cy, \sigma ) = 1\) hold simultaneously, output h(s), else output \(\bot \).
Qin et al.’s construction requires onetime lossy filter, onetime signature, and pairwiseindependent functions as ingredients. Though ingenious, their construction is somewhat complicated and expensive. Its public parameters consist of those of three ingredients as well as an evaluation key; to compute a tag for a random key, its sampling procedure has to generate a fresh onetime signature key pair, pick a random tag, evaluate a function and also compute a signature; to derive a random key, its key derivation procedure has to verify a signature and a function value before deriving. Compared to standard KDFs, these do add noticeable storage and computation overhead, which could be critical in resourceconstrained scenarios, e.g., embedded systems and lowend smart card.
More Accurate Naming. In standard KDFs, there is no the concept of “public key”, and the key derivation algorithm never fails. In contrast, in the KDFs introduced by Qin et al. [47], each key s is accompanied with an auxiliary “public key” \(\pi \), and the key derivation algorithm reports failure by outputting \(\bot \) if \(\pi \) does not match s. Thus, it is preferable to use the name authenticated KDFs to highlight this functional difference. In addition, \(\pi \) is interpreted as a proof of knowledge of s in [47] . However, in the context of KDFs, the key s is not necessarily belong to any \(\mathcal {NP}\) language. In this regard, it is more appropriate to simply view \(\pi \) as a tag of s, which we will denote by t.
We then reconsider its security notion. The continuous nonmalleable notion considered in [47] is potentially weak in that key derivation queries of the form \(\langle \phi , \pi ^* \rangle \) with \(\phi (s^*) = s^*\) are implicitly rejected by returning \(\mathsf {same}^*\). As a consequence, this notion cannot guarantee the resilience against nontrivial copy attacks for its enabling RKAsecure schemes. Besides, nonmalleability is conventionally used to capture the inability to maul the value of a cryptographic primitive in a controlled way, whereas RKA security ensures that a cryptographic primitive remains secure even an adversary may adaptively learn functions of a sequence of related keys. In light of this distinction, their “continuous nonmalleability” is actually a form of relatedkey security and we use the term “RKAsecure authenticated KDFs” instead of continuous nonmalleable KDFs in the rest of this work.
8.2 RKAsecure Authenticated KDFs
Based on the above discussions, we are motivated to enhance the security notion and propose a simple yet efficient construction for RKAsecure authenticated KDFs (AKDFs) w.r.t. general RKDT class. For completeness, we first present authenticated KDFs with the refined terminology and enhanced security notions.
Definition 7

\(\mathsf {Setup}(\lambda )\): on input \(\lambda \), output system parameters pp, which define the derivation key space S, the tag space T, and the derived key space \(\{0,1\}^m\).

\(\mathsf {Sample}(pp)\): on input pp, pick a random key \(s \xleftarrow {\tiny R }S\) computes it associated tag \(t \in T\), output (s, t).

\(\mathsf {Derive}(s, t)\): on input a key \(s \in S\) and a tag \(t \in T\), output a derived key \(r \in \{0,1\}^m\) or a rejecting symbol \(\bot \) indicating that t is not a valid tag of s.
Definition 8
Our RKA security notion is strong in the sense that only trivial query (underlined as above) is not allowed. By Qin et al.’s result [47], one can use RKAsecure AKDFs to transform a cryptographic primitive to a RKAsecure one in a modular way, as long as the key generation algorithm of the primitive takes uniform random coins to generate (public/secret) keys. Notably, this transform naturally transfers our strong RKA security of AKDFs to the resulting RKAsecure primitives.
8.3 RKAsecure AKDFs from NonMalleable Functions
Before presenting our construction, we first sketch the highlevel idea, which we think may be useful in other places. The main technical hurdle in constructing RKAsecure AKDFs is to answer related key derivation queries without knowing the secret key \(s^*\). As we recalled in Sect. 7, a common approach addressing this hurdle is exploiting keymalleable like property to simulate RKA oracle based on the standard oracle of the starting primitive. However, this approach does not fit for our purpose. On one hand, efficient construction of the starting primitive namely AKDFs is yet unknown to us. On the other hand, keymalleable like property (if exists) is usually tied to some specific algebraic structure and thus cannot yield RKAsecurity w.r.t. general RKDT class. Here we take a complementary approach, that is, acquiring RKA security from nonmalleability. Instead of trying to answer RKA queries, we aim to reject all RKA queries. We do so by stipulating that even after seeing a valid tag \(t^*\) of \(s^*\), no PPT adversary is able to generate a legal related key derivation query \((\phi , \pi )\) (here legal means t is a valid tag of \(\phi (s^*)\)). In this way, the reduction can handle all related key derivation queries without knowing \(s^*\), by simply returning \(\bot \).
With this strategy, an incredibly simple construction of RKAsecure AKDFs comes out by twisting NMFs. Let \(\mathcal {F}\) be a family of polytoone NMFs. The \(\mathsf {Setup}\) algorithm randomly picks f from \(\mathcal {F}\). Let h be a hardcore function of f. To generate a tag for a random key, one simply computes \(t \leftarrow f(s)\). Intuitively, t serves as a deterministic nonmalleable tag of s. To get a derived key from (s, t), one first checks if \(f(s) = t\) and then outputs \(r \leftarrow h(s)\) if so. On a high (and not entirely precise) level, due to the nonmalleability of the underlying NMFs, all relatedkey derivation queries can be safely rejected, and thus the pseudorandomness of the derived key can be reduced to the onewayness of f. A subtlety here is that, in addition to \(t^*\), the adversary can obtain some auxiliary information about \(s^*\), namely, the real or random derived key. In this regard, hinted nonmalleability is required for \(\mathcal {F}\). We present our generic construction and formal security proof in details as below.

\(\text {AKDF}.\mathsf {Setup}(\lambda )\): run \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), \(h \leftarrow \mathcal {H}.\mathsf {Gen}(\lambda , f)\), output \(pp = (f, h)\).

\(\text {AKDF}.\mathsf {Sample}(pp)\): sample \(s \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), compute \(t \leftarrow f(s)\), output (s, t).

\(\text {AKDF}.\mathsf {Derive}(s, t)\): if \(t \ne f(s)\), output \(\bot \); otherwise output \(r \leftarrow h(s)\).
The RKA security of the above construction follows from the theorem below.
Theorem 1
The above construction of AKDFs is \(\varPhi '\)RKAsecure if \(\mathcal {F}\) is \(\varPhi \)nonmalleable and polytoone, where \(\varPhi ' = \varPhi \cup \mathsf {id} \cup \mathsf {cf}\).
Proof
We prove this theorem via a sequence of games. Let \(S_i\) be the event that \(\mathcal {A}\) wins in Game i.
 1.
\(\mathcal {CH}\) picks \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), \(h \leftarrow \mathcal {H}.\mathsf {Gen}(\lambda , f)\), sets \(pp = (f,h)\); picks \(s^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), computes \(t^* \leftarrow f(s^*)\), \(r_0^* \leftarrow h(s^*)\), \(r_1^* \xleftarrow {\tiny R }\{0,1\}^m\). Finally, \(\mathcal {CH}\) picks \(b \xleftarrow {\tiny R }\{0,1\}\), sends \((pp, t^*, r_b^*)\) to \(\mathcal {A}\) as the challenge.
 2.
Upon receiving a RKA key derivation query \(\langle \phi , t \rangle \) from \(\mathcal {A}\), if \(\langle \phi , t \rangle = \langle \mathsf {id}, t^* \rangle \), \(\mathcal {CH}\) returns \(\mathsf {same}^*\); else \(\mathcal {CH}\) returns \(h(\phi (s^*))\) if \(\phi (s^*)=t\) or \(\bot \) otherwise.
 3.
\(\mathcal {A}\) outputs a guess \(b'\) for b and wins if \(b'=b\).

\(\phi = \mathsf {id}\) and \(t = t^*\): return \(\mathsf {same}^*\) indicating that the query is illegal.

\(\phi = \mathsf {id}\) and \(t \ne t^*\): return \(\bot \) indicating that the query is invalid. This is because f is a deterministic function and hence each s has an unique tag.

\(\phi \in \mathsf {cf}\) and all t: suppose \(\phi \) is a constant transform that maps all its inputs to a constant c, return h(c) if \(f(c) = t\) and \(\bot \) otherwise.
Lemma 9
\(\Pr [E]\) is negligible in \(\lambda \) assuming the \(\varPhi \)nonmalleability of \(\mathcal {F}\).
What we need to show is that, after seeing \(t^*\) and the auxiliary information \(r_b^*\) about \(s^*\), no PPT adversary is able to output a valid nontrivial RKA query \(\langle \phi , t \rangle \) such that \(\phi (s^*) = t\). Therefore, hintfree nonmalleability is inadequate and hinted nonmalleability is needed. Notice that here the auxiliary information \(r_b^*\) is exactly \(\mathsf {hint}(s^*; b)\), where \(\mathsf {hint}\) is the special hint function defined in Eq. (1). As we have shown Sect. 6, hinted nonmalleability w.r.t. this hint function is implied by hintfree nonmalleability.
Proof
Suppose \(\mathcal {B}\) is an adversary against hinted \(\varPhi \)nonmalleability of \(\mathcal {F}\) w.r.t. the hint function defined in Equation (1). Given \((f, y^*, \mathsf {hint}(x^*;b))\), where \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), \(y^* \leftarrow f(x^*)\) for \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), and \(b \xleftarrow {\tiny R }\{0,1\}\). \(\mathcal {B}\) simulates \(\mathcal {A}\)’s challenger in Game 2 as below: set \(pp = (f, h)\),^{15}\(t^* = y^*\), \(r_b^* \leftarrow \mathsf {hint}(x^*;b)\), then send \((pp, t^*, r_b^*)\) to \(\mathcal {A}\). Here \(s^*\) is implicitly set to be \(x^*\), which is unknown to \(\mathcal {B}\). This is not a problem since according to the definition of Game 2, \(\mathcal {B}\) is able to handle all RKA queries correctly without \(s^*\). Let L be the list of all nontrivial queries issued by \(\mathcal {A}\). Since \(\mathcal {A}\) is a PPT adversary, we have \(L \le \mathsf {poly}(\lambda )\). At the end of the simulation, \(\mathcal {B}\) picks a random tuple \((\phi , t)\) from the L list as its answer against hinted \(\varPhi \)nonmalleability. Conditioned on E happens, \(\mathcal {B}\) succeeds with probability at least \(1/\mathsf {poly}(\lambda )\). Therefore, if \(\Pr [E]\) is nonnegligible, \(\mathcal {B}\)’s advantage is at least \(\Pr [E]/\mathsf {poly}(\lambda )\), which is also nonnegligible. This breaks the hinted \(\varPhi \)nonmalleability of \(\mathcal {F}\), which in turn contradicts the assumed hintfree \(\varPhi \)nonmalleability of \(\mathcal {F}\) in this case. The lemma immediately follows. \(\square \)
Lemma 10
\(\Pr [S_2]  1/2 = \mathsf {negl}(\lambda )\) assuming the \(\varPhi \)nonmalleability of \(\mathcal {F}\).
Proof
Since \(\mathcal {F}\) is polytoone, according to Lemma 1 \(\varPhi \)nonmalleability implies onewayness, and further implies pseudorandomness of its hardcore \(\mathcal {H}\). Thereby, it suffices to prove \(\Pr [S_2]  1/2 = \mathsf {negl}(\lambda )\) assuming the pseudorandomness of \(\mathcal {H}\). Suppose \(\mathcal {B}\) is an adversary against pseudorandomness of hardcore \(\mathcal {H}\) associated with \(\mathcal {F}\). Given \((f, h, y^*, r_b^*)\), where \(y^* \leftarrow f(x^*)\) for \(x^* \xleftarrow {\tiny R }D\) and \(r_b^*\) is either \(h(x^*)\) when \(b = 0\) or a random string from \(\{0,1\}^m\) when \(b=1\), \(\mathcal {B}\) simulates \(\mathcal {A}\)’s challenger in Game 2 as follows: set \(pp = (f, h)\), \(t^* = y^*\), send \((pp, t^*, r_b^*)\) to \(\mathcal {A}\). According to the definition of Game 2, \(\mathcal {B}\) can handle all the queries without the knowledge of \(s^* = x^*\). At the end of the game, \(\mathcal {B}\) simply forwards \(\mathcal {A}\)’s output as its guess. It is easy to see that if \(\mathcal {A}\) succeeds, so does \(\mathcal {B}\). Therefore, we have \(\mathsf {Adv}_{\mathcal {B},\mathcal {H}}^{\text {rand}}(\lambda ) \ge \Pr [S_2]  1/2\). By the hypothesis that \(\mathcal {H}\) is pseudorandom, we have \(\Pr [S_2]  1/2 = \mathsf {negl}(\lambda )\). This proves the lemma. \(\square \)
Putting it all together, the theorem immediately follows. \(\square \)
By instantiating our generic construction with polytoone NMFs w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\) (which in turn can be constructed from ATDFs), we obtain RKAsecure AKDFs w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\cup \mathsf {id} \cup \mathsf {cf}\).
Comparison to Qin et al.’s Construction. While both our construction and Qin et al.’s construction are generic, it is still instructive to make a rough comparison. For efficiency, our construction is built solely from deterministic NMFs, so its public parameters consist of merely the descriptions of a NMF f and a hardcore function h; and its tag generation and authentication procedures are both deterministic. In contrast, Qin et al.’s construction is built from three different cryptographic primitives, and thus its public parameters size is large and its tag generation procedure is randomized. In this regard, our construction has potential advantages over Qin et al.’s construction in terms of small footprint of cryptographic code, compact public parameters size, short tag size, as well as quick tag generation and authentication. For security, our construction is RKAsecure in the strong sense w.r.t. a general RKDT class with a direct and modular proof, whereas Qin et al.’s construction is RKAsecure w.r.t. specific RKDT class [30] with a bit involved proof.
8.4 Optimizations
Relaxation on NMFs. We observe that in the above construction, NMFs can be relaxed to nonmalleable verifiable relations (NMVRs). In NMVRs, instead of requiring f to be efficiently computable, we only require that the distribution (x, f(x)) for a random x is efficiently sampleable and the correctness of sampling is publicly verifiable.^{16} It is easy to see that NMVRs are implied by adaptive trapdoor relations (ATDRs) [50] with publicly verifiability. As shown in [52], publicly verifiable ATDRs can be constructed from allbutone verifiable lossy trapdoor relations, which permit efficient realizations from a variety of standard assumptions. Combining this result with our observation above, we are able to give more efficient constructions of RKAsecure AKDFs.
Stronger RKA Security. In the above RKA security notion for AKDFs, the adversary is only given access to a RKA oracle. In practice, it may also collect some tags and learn the corresponding derivation keys. To defend against such powerful adversaries, it is necessary to make the RKA security stronger by giving the adversary access to a reveal oracle \(\mathcal {O}_\mathsf {reveal}\) that on input a tag t outputs a corresponding key s.^{17} AKDFs satisfying such strong RKA notion can be constructed from adaptive NMFs, which in turn can be constructed from ATDFs. This not only justifies the utility of the adaptive nonmalleability notion, but also supports the view of Kiltz et al. [38] that “ATDFs may be useful in the general context of blackbox constructions of cryptographic primitives secure against adaptive attacks.”
Increasing the Length of Derivation Key. We can always instantiate h via the GoldreichLevin hardcore predicate [34]. Nevertheless, such general instantiation yields only onebit derived key. We may also obtain a hardcore function with linearlymany hardcore bits either by iteration when \(\mathcal {F}\) is a family of oneway permutations or relying on stronger decisional assumptions. A recent work [13] provides us an appealing hardcore function with polymany hardcore bits from any oneway functions, assuming the existence of differinginputs/indistinguishability obfuscation. In applications of RKAsecure AKDFs where the length of the derived key is of great importance, one can further stretch it by applying a normal pseudorandom generator.
9 Conclusion
We formally study nonmalleable functions with simplified syntax and strong gamebased security definition. We establish connections between (adaptive) nonmalleability and (adaptive) onewayness, by exploiting our newly abstracted algebraic properties of transformation class. Notably, the implication AOW \(\Rightarrow \) ANM not only gives efficient construction of NMFs from adaptive trapdoor functions, but also provides insight in addressing nontrivial copy attacks in the RKA area. Using NMFs, we give a simple and efficient construction of RKAsecure authenticated KDFs.
Footnotes
 1.
Historically, Boldyreva et al. [16] aggregated both oneway functions and hash functions under the term hash functions for simplicity.
 2.
See [3] for a detailed discussion on simulationbased nonmalleable notion.
 3.
The basic design principle for cryptographic hash functions is onewayness.
 4.
We will omit “deterministic” and simply say NMFs when the context is clear.
 5.
We use the term transformation to highlight that \(\phi \) has the same domain and range. RPDT was refereed to as admissible transformation in [3].
 6.
We say “partially” since the posed question in [16] is to construct efficient deterministic NMFs in the context of their simulationbased definition.
 7.
Virtually all “interesting” security notions are achievable only for wellspread distributions \(\mathcal {C}_\lambda \) (i.e., with superlogarithmic minentropy). Therefore, we will stick to this requirement in our work.
 8.
Roughly, we say f is near to g if they outputs agree on most inputs.
 9.
Clearly, to make the hinted notions achievable, \(\mathsf {hint}\) must meets some necessary condition. For instance of hinted nonmalleability, \(\mathsf {hint}\) should be at least uninvertible (finding the exact preimage is infeasible). We prefer to keep the definition as general as possible, so we do not explicitly impose concrete restriction to \(\mathsf {hint}\) in definition.
 10.
If \(\phi ^{1}(0)\) is empty, this algorithm simply outputs a distinguished symbol \(\bot \).
 11.
We will continue to use BRS to denote polybounded root space for simplicity.
 12.
\(\varPhi \)homomorphism means that for any \(\phi \in \varPhi \) and any \(x \in D\), \(f(\phi (x)) = \phi (f(x))\).
 13.
Briefly, \(\varPhi \)fingerprinting for requires that \(\phi (sk) \ne sk\) always invalidates the challenge ciphertext \(c^*\). Notice that queries \(\langle \phi , c^* \rangle \) such that \(\phi (sk) = sk\) are already forbidden by the definition, the reduction can thus safely reject all RKA queries of the form \(\langle \phi , c^*\rangle \) without even looking at \(\phi \), since either case \(\phi (sk) = sk\) or case \(\phi (sk) \ne sk\) yields the same output \(\bot \) with respect to \(c^*\).
 14.
As we discussed in Sect. 3, nonmalleability is impossible to achieve if \(\varPhi \) contains \(\mathsf {id}\) or constant transformations. Thus, we assume \(\varPhi \cap (\mathsf {id} \cup \mathsf {cf}) = \emptyset \).
 15.
The description of h is implicit in \(\mathsf {hint}\).
 16.
Here the publicly verifiable property means verification can be done without knowing the secret random coins used in sampling.
 17.
Query on the challenge tag \(t^*\) is not allowed to avoid trivial attack.
Notes
Acknowledgments
We particularly thank Zongyang Zhang for bringing up the work [3] to our attention. We are grateful to Qiong Huang, Marc Fischlin, Jinyong Chang and Fei Tang for helpful discussions and advice. We also thank the anonymous reviewers of PKC 2016 for their useful comments.
Yu Chen is supported by the National Natural Science Foundation of China (Grant No. 61303257), the IIE’s Cryptography Research Project (Grant No. Y4Z0061B02), and the Strategic Priority Research Program of CAS (Grant No. XDA06010701).
Baodong Qin is supported by the National Natural Science Foundation of China (Grant No. 61502400, 61373153 and 61572318).
Jiang Zhang is supported by the National Basic Research Program of China (Grant No. 2013CB338003).
Yi Deng is supported by the National Natural Science Foundation of China (Grant No. 61379141), the IIE’s Cryptography Research Project (Grant No. Y4Z0061802), and the State Key Laboratory of Cryptology’s Open Project (Grant No. MMKFKT201511).
Sherman S.M. Chow is supported by the Early Career Scheme and the Early Career Award of the Research Grants Council, Hong Kong SAR (CUHK 439713).
References
 1.Abdalla, M., Benhamouda, F., Passelègue, A., Paterson, K.G.: Relatedkey security for pseudorandom functions beyond the linear barrier. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 77–94. Springer, Heidelberg (2014)Google Scholar
 2.Applebaum, B., Harnik, D., Ishai, Y.: Semantic security under relatedkey attacksand applications. In: ICS, pp. 45–60 (2010)Google Scholar
 3.Baecher, P., Fischlin, M., Schröder, D.: Expedient nonmalleability notions for hash functions. In: Kiayias, A. (ed.) CTRSA 2011. LNCS, vol. 6558, pp. 268–283. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 4.Bellare, M., Boldyreva, A., O’Neill, A.: Deterministic and efficiently searchable encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 535–552. Springer, Heidelberg (2007)CrossRefGoogle Scholar
 5.Bellare, M., Cash, D.: Pseudorandom functions and permutations provably secure against relatedkey attacks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 666–684. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 6.Bellare, M., Cash, D., Miller, R.: Cryptography secure against relatedkey attacks and tampering. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 486–503. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 7.Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for publickey encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)CrossRefGoogle Scholar
 8.Bellare, M., Halevi, S., Sahai, A., Vadhan, S.P.: Manytoone trapdoor functions and their relation to publickey cryptosystems. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 283. Springer, Heidelberg (1998)CrossRefGoogle Scholar
 9.Bellare, M., Kohno, T.: A theoretical treatment of relatedkey attacks: RKAPRPs, RKAPRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 10.Bellare, M., Paterson, K.G., Thomson, S.: RKA security beyond the linear barrier: ibe, encryption and signatures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 331–348. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 11.Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM CCS, pp. 62–73 (1993)Google Scholar
 12.Bellare, M., Sahai, A.: Nonmalleable encryption: equivalence between two notions, and an indistinguishabilitybased characterization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 519–536. Springer, Heidelberg (1999)CrossRefGoogle Scholar
 13.Bellare, M., Stepanovs, I., Tessaro, S.: Polymany hardcore bits for any oneway function and a framework for differinginputs obfuscation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 102–121. Springer, Heidelberg (2014)Google Scholar
 14.Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24, 713–735 (1970)CrossRefMathSciNetGoogle Scholar
 15.Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)CrossRefGoogle Scholar
 16.Boldyreva, A., Cash, D., Fischlin, M., Warinschi, B.: Foundations of nonmalleable hash and oneway functions. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 524–541. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 17.Boldyreva, A., Fischlin, M.: On the security of OAEP. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 210–225. Springer, Heidelberg (2006)CrossRefGoogle Scholar
 18.Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)CrossRefGoogle Scholar
 19.Canetti, R., Dakdouk, R.R.: Extractable perfectly oneway functions. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 449–460. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 20.Canetti, R., Varia, M.: Nonmalleable obfuscation. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 73–90. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 21.Chen, Y., Qin, B., Zhang, J., Deng, Y., Chow, S.S.: Nonmalleable functions and their applications. Cryptology ePrint Archive, Report 2015/1253 (2015)Google Scholar
 22.Di Crescenzo, G., Ishai, Y., Ostrovsky, R.: Noninteractive and nonmalleable commitment. In: STOC, pp. 141–150 (1998)Google Scholar
 23.Di Crescenzo, G., Katz, J., Ostrovsky, R., Smith, A.: Efficient and noninteractive nonmalleable commitment. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 40–59. Springer, Heidelberg (2001)CrossRefGoogle Scholar
 24.Diffie, W., Hellman, M.E.: New directions in cryptograpgy. IEEE Trans. Inf. Theor. 22(6), 644–654 (1976)CrossRefMathSciNetzbMATHGoogle Scholar
 25.Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)CrossRefMathSciNetzbMATHGoogle Scholar
 26.Dziembowski, S., Pietrzak, K., Wichs, D.: Nonmalleable codes. In: ICS, pp. 434–452 (2010)Google Scholar
 27.Faust, S., Mukherjee, P., Nielsen, J.B., Venturi, D.: Continuous nonmalleable codes. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 465–488. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 28.Faust, S., Mukherjee, P., Venturi, D., Wichs, D.: Efficient nonmalleable codes and keyderivation for polysize tampering circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 111–128. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 29.Fischlin, M., Fischlin, R.: Efficient nonmalleable commitment schemes. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 413–431. Springer, Heidelberg (2000)CrossRefGoogle Scholar
 30.Fujisaki, E., Xagawa, K.: Note on the rka security of continuously nonmalleable keyderivation function from pkc 2015. Cryptology ePrint Archive, Report 2015/1088 (2015)Google Scholar
 31.von zur Gathen, J., Shoup, V.: Computing frobenius maps and factoring polynomials. In: STOC, pp. 97–105 (1992)Google Scholar
 32.Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)Google Scholar
 33.Goldenberg, D., Liskov, M.: On relatedsecret pseudorandomness. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 255–272. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 34.Goldreich, O., Levin, L.A.: A hardcore predicate for all oneway functions. In: STOC, pp. 25–32 (1989)Google Scholar
 35.Goyal, V., O’Neill, A., Rao, V.: Correlatedinput secure hash functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 182–200. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 36.Jafargholi, Z., Wichs, D.: Tamper detection and continuous nonmalleable codes. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 451–480. Springer, Heidelberg (2015)Google Scholar
 37.Jia, D., Lu, X., Li, B., Mei, Q.: RKA secure PKE based on the DDH and HR assumptions. In: Susilo, W., Reyhanitabar, R. (eds.) ProvSec 2013. LNCS, vol. 8209, pp. 271–287. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 38.Kiltz, E., Mohassel, P., O’Neill, A.: Adaptive trapdoor functions and chosenciphertext security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 673–692. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 39.Lin, H., Pass, R., Tseng, W.L.D., Venkitasubramaniam, M.: Concurrent nonmalleable zero knowledge proofs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 429–446. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 40.Lu, X., Li, B., Jia, D.: Relatedkey security for hybrid encryption. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 19–32. Springer, Heidelberg (2014)Google Scholar
 41.Lucks, S.: Ciphers secure against relatedkey attacks. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 359–370. Springer, Heidelberg (2004)CrossRefGoogle Scholar
 42.Ostrovsky, R., Persiano, G., Visconti, I.: Constantround concurrent nonmalleable zero knowledge in the bare publickey model. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 548–559. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 43.Pandey, O., Pass, R., Vaikuntanathan, V.: Adaptive oneway functions and applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 57–74. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 44.Pass, R., Rosen, A.: Concurrent nonmalleable commitments. In: FOCS, pp. 563–572 (2005)Google Scholar
 45.Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC, pp. 187–196 (2008)Google Scholar
 46.Qin, B., Liu, S.: Leakageresilient chosenciphertext secure publickey encryption from hash proof system and onetime lossy filter. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 381–400. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 47.Qin, B., Liu, S., Yuen, T.H., Deng, R.H., Chen, K.: Continuous nonmalleable key derivation and its application to relatedkey security. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 557–578. Springer, Heidelberg (2015)Google Scholar
 48.Rosen, A., Segev, G.: Chosenciphertext security via correlated products. SIAM J. Comput. 39(7), 3058–3088 (2010)CrossRefMathSciNetzbMATHGoogle Scholar
 49.Sahai, A.: Nonmalleable noninteractive zero knowledge and adaptive chosenciphertext security. In: FOCS, pp. 543–553 (1999)Google Scholar
 50.Wee, H.: Efficient chosenciphertext security via extractable hash proofs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 314–332. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 51.Wee, H.: Public key encryption against related key attacks. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 262–279. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 52.Xue, H., Lu, X., Li, B., Liu, Y.: Lossy trapdoor relation and its applications to lossy encryption and adaptive trapdoor relation. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 162–177. Springer, Heidelberg (2014)Google Scholar