Non-Malleable Codes Against Bounded Polynomial Time Tampering

  • Marshall Ball
  • Dana Dachman-Soled
  • Mukul Kulkarni
  • Huijia Lin
  • Tal Malkin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11476)


We construct efficient non-malleable codes (NMC) that are (computationally) secure against tampering by functions computable in any fixed polynomial time. Our construction is in the plain (no-CRS) model and requires the assumptions that (1) \(\mathbf {E}\) is hard for \(\mathbf {NP}\) circuits of some exponential \(2^{\beta n}\) (\(\beta >0\)) size (widely used in the derandomization literature), (2) sub-exponential trapdoor permutations exist, and (3) \(\mathbf {P}\)-certificates with sub-exponential soundness exist.

While it is impossible to construct NMC secure against arbitrary polynomial-time tampering (Dziembowski, Pietrzak, Wichs, ICS ’10), the existence of NMC secure against \(O(n^c)\)-time tampering functions (for any fixed c), was shown (Cheraghchi and Guruswami, ITCS ’14) via a probabilistic construction. An explicit construction was given (Faust, Mukherjee, Venturi, Wichs, Eurocrypt ’14) assuming an untamperable CRS with length longer than the runtime of the tampering function. In this work, we show that under computational assumptions, we can bypass these limitations. Specifically, under the assumptions listed above, we obtain non-malleable codes in the plain model against \(O(n^c)\)-time tampering functions (for any fixed c), with codeword length independent of the tampering time bound.
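The following is an added toy harness, not code from the paper or its authors, that makes the tampering experiment behind the abstract concrete. It implements the exact (zero-error) form of the simulator condition from Dziembowski, Pietrzak and Wichs for deterministic schemes, and runs two constructed codes (an identity code and a message-plus-SHA-256-digest code) against two constructed tampering functions; every name in it (`enc_digest`, `flip_and_recompute`, `admits_simulator`, `SAMPLE_MSGS`) is an assumption of this example. It shows the point the abstract turns on: non-malleability is relative to the tampering class. The digest code holds up against a blind bit flip, but fails as soon as the tamperer can spend the polynomial-time work of recomputing the tag, which mirrors the abstract's requirement that the tamperer's running time be bounded while honest parties may run longer.

```python
"""Toy harness for the non-malleable code (NMC) tampering experiment.

Added illustration, not code from the paper.  Informally (Dziembowski,
Pietrzak, Wichs, ICS '10): a code (Enc, Dec) is non-malleable against a
class F if for every f in F there is a distribution D_f, fixed without
knowledge of the message m, such that Dec(f(Enc(m))) is distributed like
"draw m' from D_f; output m if m' = same*, otherwise m'".  Because every
Enc, Dec and f below is deterministic, D_f must be a single outcome and the
check reduces to a combinatorial condition (see admits_simulator).
"""
import hashlib
from typing import Callable, List, Optional

Msg = bytes
Code = bytes
BOTTOM: Optional[bytes] = None   # Dec's rejection symbol, the NMC "bottom"
TAG_LEN = 32                     # SHA-256 digest length used by the toy digest code


# Toy code 1 (constructed): the identity code, no redundancy at all.
def enc_identity(m: Msg) -> Code:
    return bytes(m)


def dec_identity(c: Code) -> Optional[Msg]:
    return bytes(c)


# Toy code 2 (constructed): message followed by its SHA-256 digest.  This is
# a plain error-detecting code, not the paper's construction.
def enc_digest(m: Msg) -> Code:
    return bytes(m) + hashlib.sha256(m).digest()


def dec_digest(c: Code) -> Optional[Msg]:
    m, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    if len(c) < TAG_LEN or hashlib.sha256(m).digest() != tag:
        return BOTTOM
    return m


# Tampering function 1 (constructed): flip one bit of the first codeword byte,
# without looking at anything else.
def flip_low_bit(c: Code) -> Code:
    b = bytearray(c)
    b[0] ^= 1
    return bytes(b)


# Tampering function 2 (constructed): a polynomial-time tamperer that knows the
# digest code's layout, flips a message bit and recomputes the tag.
def flip_and_recompute(c: Code) -> Code:
    m = bytearray(c[:-TAG_LEN])
    m[0] ^= 1
    return enc_digest(bytes(m))


def tamper_experiment(enc: Callable[[Msg], Code],
                      dec: Callable[[Code], Optional[Msg]],
                      f: Callable[[Code], Code], m: Msg) -> Optional[Msg]:
    """Tamper_f(m): c <- Enc(m); c' <- f(c); output Dec(c')."""
    return dec(f(enc(m)))


def admits_simulator(enc, dec, f, msgs: List[Msg]) -> bool:
    """Exact (zero-error) simulator check for deterministic Enc, Dec, f.

    D_f is one fixed outcome: either same*, in which case every experiment
    must return its own message, or a constant value v (possibly BOTTOM),
    in which case every experiment must return v.  Any other pattern means
    the tampered decoding depends on m, i.e. the code is malleable under f.
    """
    outs = [tamper_experiment(enc, dec, f, m) for m in msgs]
    explained_by_same = all(o == m for o, m in zip(outs, msgs))
    explained_by_constant = len(set(outs)) <= 1
    return explained_by_same or explained_by_constant


# Constructed sample messages with distinct first bytes.
SAMPLE_MSGS: List[Msg] = [b"alpha", b"beta!", b"gamma", b"delta"]


def demo(msgs: List[Msg] = SAMPLE_MSGS) -> dict:
    """Which (code, tamperer) pairs pass the simulator check on msgs."""
    return {
        "identity/flip_low_bit": admits_simulator(enc_identity, dec_identity, flip_low_bit, msgs),
        "digest/flip_low_bit": admits_simulator(enc_digest, dec_digest, flip_low_bit, msgs),
        "digest/flip_and_recompute": admits_simulator(enc_digest, dec_digest, flip_and_recompute, msgs),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'simulatable' if ok else 'malleable'}")
```

Running the file prints one verdict per pair: the identity code is malleable even under a blind bit flip (the decoded output is a message-dependent value that is not the message), the digest code passes against the blind flip because every tampered codeword decodes to the same message-independent bottom, and the digest code is malleable again once the tamperer recomputes the tag.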

Our new construction of NMC draws a connection with non-interactive non-malleable commitments. In fact, we show that in the NMC setting, it suffices to have a much weaker notion called quasi non-malleable commitments—these are non-interactive, non-malleable commitments in the plain model, in which the adversary runs in \(O(n^c)\)-time, whereas the honest parties may run in longer (polynomial) time. We then construct a 4-tag quasi non-malleable commitment from any sub-exponential OWF and the assumption that \(\mathbf {E}\) is hard for some exponential size \(\mathbf {NP}\)-circuits, and use tag amplification techniques to support an exponential number of tags.



The first and fifth authors are supported in part by NSF grant #CCF1423306 and the Leona M. & Harry B. Helmsley Charitable Trust. The first author is additionally supported in part by an IBM Research PhD Fellowship. The second and third authors are supported in part by NSF grants #CNS-1840893, #CNS-1453045 (CAREER), by a research partnership award from Cisco and by financial assistance award 70NANB15H328 from the U.S. Department of Commerce, National Institute of Standards and Technology. The fourth author is supported by NSF grants #CNS-1528178, #CNS-1514526, #CNS-1652849 (CAREER), a Hellman Fellowship, the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236, and a subcontract No. 2017-002 through Galois. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government. This work was performed, in part, while the first author was visiting IDC Herzliya's FACT center and supported in part by ISF grant no. 1790/13 and the Check Point Institute for Information Security.


  1. Applebaum, B., Artemenko, S., Shaltiel, R., Yang, G.: Incompressible functions, relative-error extractors, and the power of nondeterministic reductions. Comput. Complex. 25(2), 349–418 (2016)
  2. Babai, L., Fortnow, L., Nisan, N., Wigderson, A.: BPP has subexponential time simulations unless EXPTIME has publishable proofs. Comput. Complex. 3(4), 307–318 (1993)
  3. Ball, M., Dachman-Soled, D., Guo, S., Malkin, T., Tan, L.Y.: Non-malleable codes for small-depth circuits. FOCS, IEEE Computer Society Press, October 2018 (to appear)
  4. Ball, M., Dachman-Soled, D., Kulkarni, M., Lin, H., Malkin, T.: Non-malleable codes against bounded polynomial time tampering. Cryptology ePrint Archive, Report 2018/1015 (2018)
  5. Ball, M., Dachman-Soled, D., Kulkarni, M., Malkin, T.: Non-malleable codes for bounded depth, bounded fan-in circuits. In: Fischlin and Coron [30], pp. 881–908
  6. Ball, M., Dachman-Soled, D., Kulkarni, M., Malkin, T.: Non-malleable codes from average-case hardness: \(\mathsf{AC}^0\), decision trees, and streaming space-bounded tampering. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 618–650. Springer, Cham (2018)
  7. Barak, B.: Constant-round coin-tossing with a man in the middle or realizing the shared random string model. In: 43rd FOCS, pp. 345–355. IEEE Computer Society Press, November 2002
  8. Barak, B., Ong, S.J., Vadhan, S.: Derandomization in cryptography. SIAM J. Comput. 37(2), 380–400 (2007)
  9. Barak, B., Pass, R.: On the possibility of one-message weak zero-knowledge. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 121–132. Springer, Heidelberg (2004)
  10. Bitansky, N., Lin, H.: One-message zero knowledge and non-malleable commitments. Cryptology ePrint Archive, Report 2018/613 (2018)
  11. Chandran, N., Goyal, V., Mukherjee, P., Pandey, O., Upadhyay, J.: Block-wise non-malleable codes. In: Chatzigiannakis, I., Mitzenmacher, M., Rabani, Y., Sangiorgi, D. (eds.) ICALP 2016. LIPIcs, vol. 55, pp. 31:1–31:14. Schloss Dagstuhl (2016)
  12. Chattopadhyay, E., Goyal, V., Li, X.: Non-malleable extractors and codes, with their many tampered extensions. In: Wichs and Mansour [69], pp. 285–298
  13. Chattopadhyay, E., Li, X.: Non-malleable codes and extractors for small-depth circuits, and affine functions. In: Hatami, H., McKenzie, P., King, V. (eds.) 49th ACM STOC, pp. 1171–1184. ACM Press, June 2017
  14. Cheraghchi, M., Guruswami, V.: Capacity of non-malleable codes. In: Naor, M. (ed.) ITCS 2014, pp. 155–168. ACM, January 2014
  15. Chung, K.M., Lin, H., Pass, R.: Constant-round concurrent zero knowledge from P-certificates. In: FOCS 2013 [32], pp. 50–59
  16. Ciampi, M., Ostrovsky, R., Siniscalchi, L., Visconti, I.: Concurrent non-malleable commitments (and more) in 3 rounds. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 270–299. Springer, Heidelberg (2016)
  17. Ciampi, M., Ostrovsky, R., Siniscalchi, L., Visconti, I.: Four-round concurrent non-malleable commitments from one-way functions. In: Katz and Shacham [44], pp. 127–157
  18. Coron, J.S., Holenstein, T., Künzler, R., Patarin, J., Seurin, Y., Tessaro, S.: How to build an ideal cipher: the indifferentiability of the Feistel construction. J. Cryptol. 29(1), 61–114 (2016)
  19. Dachman-Soled, D., Katz, J., Thiruvengadam, A.: 10-round Feistel is indifferentiable from an ideal cipher. In: Fischlin and Coron [30], pp. 649–678
  20. Dai, Y., Steinberger, J.: Indifferentiability of 8-round Feistel networks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 95–120. Springer, Heidelberg (2016)
  21. Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM Rev. 45(4), 727–784 (2003)
  22. Drucker, A.: Nondeterministic direct product reductions and the success probability of SAT solvers. In: FOCS 2013 [32], pp. 736–745
  23. Dubrov, B., Ishai, Y.: On the randomness complexity of efficient sampling. In: Kleinberg, J.M. (ed.) 38th ACM STOC, pp. 711–720. ACM Press, May 2006
  24. Dwork, C., Naor, M.: Zaps and their applications. In: FOCS 2000 [31], pp. 283–293
  25. Dziembowski, S., Pietrzak, K., Wichs, D.: Non-malleable codes. In: Yao, A.C.C. (ed.) ICS 2010, pp. 434–452. Tsinghua University Press, January 2010
  26. Faust, S., Hostáková, K., Mukherjee, P., Venturi, D.: Non-malleable codes for space-bounded tampering. In: Katz and Shacham [44], pp. 95–126
  27. Faust, S., Mukherjee, P., Venturi, D., Wichs, D.: Efficient non-malleable codes and key-derivation for poly-size tampering circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 111–128. Springer, Heidelberg (2014)
  28. Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)
  29. Feige, U., Lund, C.: On the hardness of computing the permanent of random matrices. Comput. Complex. 6(2), 101–132 (1997)
  30. Fischlin, M., Coron, J.-S. (eds.): EUROCRYPT 2016, Part II. LNCS, vol. 9666. Springer, Heidelberg (2016)
  31. 41st FOCS. IEEE Computer Society Press, November 2000
  32. 54th FOCS. IEEE Computer Society Press, October 2013
  33. 58th FOCS. IEEE Computer Society Press (2017)
  34. Fortnow, L., Vadhan, S.P. (eds.): 43rd ACM STOC. ACM Press, June 2011
  35. Goldreich, O., Wigderson, A.: Derandomization that is rarely wrong from short advice that is typically good. In: Rolim, J.D.P., Vadhan, S. (eds.) RANDOM 2002. LNCS, vol. 2483, pp. 209–223. Springer, Heidelberg (2002)
  36. Goyal, V.: Constant round non-malleable protocols using one way functions. In: Fortnow and Vadhan [34], pp. 695–704
  37. Goyal, V., Pandey, O., Richelson, S.: Textbook non-malleable commitments. In: Wichs and Mansour [69], pp. 1128–1141
  38. Goyal, V., Richelson, S., Rosen, A., Vald, M.: An algebraic approach to non-malleability. In: 55th FOCS, pp. 41–50. IEEE Computer Society Press, October 2014
  39. Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006)
  40. Gutfreund, D., Shaltiel, R., Ta-Shma, A.: Uniform hardness versus randomness tradeoffs for Arthur-Merlin games. Comput. Complex. 12(3–4), 85–130 (2003)
  41. Harnik, D., Naor, M.: On the compressibility of \(\mathcal{NP}\) instances and cryptographic applications. SIAM J. Comput. 39(5), 1667–1713 (2010)
  42. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
  43. Impagliazzo, R., Wigderson, A.: P = BPP if E requires exponential circuits: derandomizing the XOR lemma. In: 29th ACM STOC, pp. 220–229. ACM Press, May 1997
  44. Katz, J., Shacham, H. (eds.): CRYPTO 2017, Part II. LNCS, vol. 10402. Springer, Cham (2017)
  45. Khurana, D.: Round optimal concurrent non-malleability from polynomial hardness. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part II. LNCS, vol. 10678, pp. 139–171. Springer, Cham (2017)
  46. Khurana, D., Sahai, A.: How to achieve non-malleability in one or two rounds. In: FOCS 2017 [33], pp. 564–575
  47. Klivans, A.R., Van Melkebeek, D.: Graph nonisomorphism has subexponential size proofs unless the polynomial-time hierarchy collapses. SIAM J. Comput. 31(5), 1501–1526 (2002)
  48. Lin, H., Pass, R.: Non-malleability amplification. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 189–198. ACM Press, May/June 2009
  49. Lin, H., Pass, R.: Constant-round non-malleable commitments from any one-way function. In: Fortnow and Vadhan [34], pp. 705–714
  50. Lin, H., Pass, R., Soni, P.: Two-round and non-interactive concurrent non-malleable commitments from time-lock puzzles. In: FOCS 2017 [33], pp. 576–587
  51. Lin, H., Pass, R., Venkitasubramaniam, M.: Concurrent non-malleable commitments from any one-way function. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 571–588. Springer, Heidelberg (2008)
  52. Lindell, Y.: A simpler construction of CCA2-secure public-key encryption under general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 241–254. Springer, Heidelberg (2003)
  53. Lipton, R.J.: New directions in testing. In: Feigenbaum, J., Merritt, M. (eds.) Distributed Computing and Cryptography, Proceedings of a DIMACS Workshop, Princeton, New Jersey, USA, 4–6 October 1989, pp. 191–202 (1989)
  54. Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)
  55. Miltersen, P.B., Vinodchandran, N.V.: Derandomizing Arthur-Merlin games using hitting sets. Comput. Complex. 14(3), 256–279 (2005)
  56. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: 22nd ACM STOC, pp. 427–437. ACM Press, May 1990
  57. Nisan, N., Wigderson, A.: Hardness vs randomness. J. Comput. Syst. Sci. 49(2), 149–167 (1994)
  58. Ostrovsky, R., Persiano, G., Venturi, D., Visconti, I.: Continuously non-malleable codes in the split-state model from minimal assumptions. Cryptology ePrint Archive, Report 2018/542 (2018)
  59. Pass, R., Rosen, A.: Concurrent non-malleable commitments. In: 46th FOCS, pp. 563–572. IEEE Computer Society Press, October 2005
  60. Pass, R., Rosen, A.: New and improved constructions of non-malleable cryptographic protocols. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 533–542. ACM Press, May 2005
  61. Pass, R., Wee, H.: Constant-round non-malleable commitments from sub-exponential one-way functions. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 638–655. Springer, Heidelberg (2010)
  62. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto (1996)
  63. Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: 40th FOCS, pp. 543–553. IEEE Computer Society Press, October 1999
  64. Shaltiel, R., Umans, C.: Simple extractors for all min-entropies and a new pseudorandom generator. J. ACM 52(2), 172–216 (2005)
  65. Shaltiel, R., Umans, C.: Pseudorandomness for approximate counting and sampling. Comput. Complex. 15(4), 298–341 (2006)
  66. Shaltiel, R., Umans, C.: Low-end uniform hardness versus randomness tradeoffs for AM. SIAM J. Comput. 39(3), 1006–1037 (2009)
  67. Sudan, M., Trevisan, L., Vadhan, S.: Pseudorandom generators without the XOR Lemma. J. Comput. Syst. Sci. 62(2), 236–266 (2001)
  68. Trevisan, L., Vadhan, S.P.: Extracting randomness from samplable distributions. In: FOCS 2000 [31], pp. 32–42
  69. Wichs, D., Mansour, Y. (eds.): 48th ACM STOC. ACM Press, June 2016
  70. Yao, A.C.: Theory and applications of trapdoor functions (extended abstract). In: 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 3–5 November 1982, pp. 80–91. IEEE Computer Society (1982)

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Marshall Ball (1)
  • Dana Dachman-Soled (2)
  • Mukul Kulkarni (2)
  • Huijia Lin (3)
  • Tal Malkin (1)
  1. Columbia University, New York, USA
  2. University of Maryland, College Park, USA
  3. University of Washington, Seattle, USA
