1 Introduction

Non-malleability is an important notion for cryptographic primitives which ensures some level of independence of outputs with respect to related inputs. This notion, first treated formally in the seminal work of Dolev, Dwork and Naor [25], has been studied extensively for many randomized primitives, such as commitments [22, 23, 29, 44], encryptions [12], zero-knowledge proofs [39, 42, 49], obfuscations [20], and codes [2628]. However, little attention has been paid on deterministic primitives. Particularly, the study dedicated to non-malleability for deterministic functions, which is arguably the most basic primitive, is still open. With the goal to fill this gap, we initiate the study of non-malleability for deterministic functions in this work.

1.1 Related Work

Non-Malleable One-Way and Hash Functions. Boldyreva et al. [16] initiated the foundational study of non-malleable one-way and hash functions (NMOWHFs).Footnote 1 They gave a simulation-based definition of non-malleability, basically saying that, for any adversary mauling a function value \(y^*\) into a related value y, there exists a simulator which does just well even without seeing \(y^*\). They provided a construction of NMOWHFs from perfectly one-way hash functions (POWHF) and simulation-sound non-interactive zero-knowledge proof of knowledge (NIZKPoK). However, they regarded this construction as a feasibility result due to its inefficiency. They also discussed applications of NMOWHFs to partially instantiating random oracles in the Bellare-Rogaway encryption scheme [11] and OAEP [17], as well as enhancing the security of cryptographic puzzles.

Being aware of several deficiencies in the simulation-based definition of non-malleability [16],Footnote 2 Baecher et al. [3] reverted the core idea behind non-malleability and proposed a game-based definition which is more handy to work with. Their definition avoids simulator completely and rather asks for the following: given a function value \(y^* \leftarrow f(x^*)\) of an unknown preimage \(x^*\), no probabilistic polynomial time (PPT) adversary is able to output a mauled image y together with a transformation \(\phi \) from a prefixed transformation class \(\varPhi \) such that \(y = f(\phi (x^*))\). To demonstrate the usefulness of their game-based definition, they proved that the strengthened Merkle-Damgård transformation satisfies their non-malleability notion w.r.t. bit flips, and their non-malleability notion suffices for improving security of the Bellare-Rogaway encryption scheme.

We identify the following gaps in the NMOWHFs literature [3, 16].

  • Both [16] and [3] considered non-malleability for a very general syntax of functions, comprising both classical one-way functions and collision resistant hash functions. In their cases, the underlying functions could be probabilistic and are assumed to be one-way.Footnote 3 Despite such treatment is of utmost generality, it is somewhat bulky and even inapplicable for some natural applications, e.g., when the functions are probabilistic, two independent parties computing with the same input will not necessarily get the same output [16]. Moreover, to some extent, it blurs the relations between non-malleability and one-wayness.

  • The game-based non-malleable notion [3] is not strong enough in the sense that the adversary is restricted to output \(\phi \in \varPhi \) such that \(\phi (x^*) \ne x^*\). Note that \(\varPhi \) is introduced to capture all admissible transformations chosen by the adversary, this restriction translates to the limit that \(\varPhi \) does not contain \(\phi \) that has fixed points, which is undesirable because many widely used transformations (e.g., affine functions and polynomials) are excluded.

  • Boldyreva et al.’s construction of NMOWHF is in the standard model, but the uses of POWHF and NIZKPoK render it probabilistic, and inefficient for practical applications [16] (e.g., cryptographic puzzles for network protocols). The strengthened Merkle-Damgård transformation does constitute an efficient NMOWHF construction [3], but its non-malleability inherently relies on modeling the compression function as a random oracle [3]. An efficient, deterministic solution in the standard model was left open [16].

  • Though NMOWHFs are powerful, their cryptographic applications are only known for partially instantiating random oracles for some public-key encryption schemes and enhancing the design of cryptographic puzzles. Further applications of NMOWHFs in other areas were expected [16].

(Adaptive) One-Way Functions. As a fundamental primitive, one-way functions [24] and their variants [19, 43] have been studied extensively. Roughly, one-way functions are a family of deterministic functions where each particular function is easy to compute, but most are hard to invert on average.

Kiltz et al. [38] introduced a strengthening of trapdoor one-way functions called adaptive one-way trapdoor functions (ATDFs), which remain one-way even when the adversary is given access to an inversion oracle. They gave a black-box construction of chosen-ciphertext secure public-key encryption (CCA-secure PKE) from ATDFs, and showed how to construct ATDFs from either lossy TDFs [45] or correlated-product TDFs [48]. Their work suggested a number of open problems; in particular, considering non-malleability for TDFs, exploring its relation to existing notions for TDFs and implications for PKE, and realizing them from standard assumptions.

1.2 Motivation

Based on the above discussion, we find that the state of the art of NMOWHFs is not entirely satisfactory. In particular, the study of non-malleability dedicated to deterministic functions and its relation to one-wayness are still open.

In this work, we continue the study of non-malleable primitive, but restrict our attention to deterministic functions, rather than probabilistic one-way/hash functions considered in prior works. Apart from being a natural question which deserves study in its own right, a direct treatment of deterministic functions (without imposing any other cryptographic property) provides three main benefits. First, it shares the same underlying object of “classical” one-way functions and hence allows us to explore the relations between non-malleability and one-wayness. Second, this may further lead to efficient constructions of deterministic NMFs in the standard model, by leveraging a vast body of works on one-way functions. Third, deterministic primitives are more versatile, making deterministic NMFs more attractive being used a building block for higher-level cryptographic protocols.

In summary, we are motivated to consider the following intriguing questions:

What is the strong yet handy non-malleable notion for deterministic functions? What are the relations between non-malleability and one-wayness? Can we construct efficient deterministic NMFs in the standard model? Are there new appealing applications of deterministic NMFs?

1.3 Our Contributions

We give positive answers to the above questions, which we summarize below.

Non-Malleable Functions. In Sect. 3, we introduce a new cryptographic primitive called deterministic NMFs,Footnote 4 which simplifies and relaxes NMOWHFs in that the underlying functions are deterministic and not required to have any cryptographic property. Informally, NMFs stipulate no PPT adversary is able to modify a function value into a meaningfully related one. We mainly follow the game-based approach [3] to define non-malleability for deterministic functions w.r.t. related-preimage deriving transformationFootnote 5 (RPDT) class \(\varPhi \), that is, given \(y^* \leftarrow f(x^*)\) for a randomly chosen \(x^*\), no PPT adversary is able to output a transformation \(\phi \in \varPhi \) and a function value y such that \(y = f(\phi (x^*))\).

In our definition, adversary’s power is neatly expressed through \(\varPhi \) and there is no other restriction. In particular, \(\phi (x^*) = x^*\) is always allowed even when \(y =~y^*\), whereas existing definition of NMOWHFs [3, Section3.1] demands \(\phi (x^*) \ne x^*\). As we will see in Sects. 7 and 8, this strengthening surfaces as an important property when applying to the area of RKA security. We also introduce adaptive NMFs, which remain non-malleable even the adversary has access to an inversion oracle. This stronger notion is desirable when NMFs are used in more adversarial environment, as we will show in Sect. 8.4.

Novel Properties of RPDTs. Our non-malleability notion is stronger if \(\varPhi \) is larger. To capture broad yet achievable RPDT class, in Sect. 4 we introduce two novel properties for RPDT class that we call bounded root space (BRS) and sampleable root space (SRS). Let \(\mathsf {id}\) and \(\phi _c\) represent identity transformation and any constant transformation respectively. The two properties demand that for each \(\phi \in \varPhi \), the root spaces of composite transformations \(\phi - \phi _c\) and \(\phi - \mathsf {id}\) are polynomially bounded and allow efficient uniform sampling.

BRS and SRS are general enough in that they are met by most algebra-induced transformations considered in the literature, including linear functions, affine functions, and low degree polynomials (with \(\mathsf {id}\) and \(\phi _c\) being punctured). We let \(\varPhi _{\text {brs}}^{\text {srs}}\) denote the general RPDT class satisfying the BRS & SRS properties.

Relations Among Non-Malleability and One-Wayness. In Sects. 5 and 6, we investigate the relations among non-malleability and one-wayness in depth. Figure 1 shows a (rough) pictorial summary.

Fig. 1.
figure 1

Let unhatched arrows represent implications, and hatched arrows represent separations. The left figure is a rough overview of relations among (adaptive) \(\varPhi \)-non-malleability and (adaptive) one-wayness for deterministic functions. See Sect. 5 for concrete requirements on \(\varPhi \) and the underlying functions. The right figure depicts the relation between standard one-wayness/non-malleability and hinted one-wayness/non-malleability. See Sect. 6 for details.

In the non-adaptive setting, we show that w.r.t. any achievable RPDT class \(\varPhi \), non-malleability (NM) implies one-wayness (OW) for poly-to-one functions (cf. Definition 1), but not vise versa. This rigorously confirms the intuition that in common cases NM is strictly stronger than OW. In the adaptive setting, we show that w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\), adaptive non-malleability (ANM) is equivalent to adaptive one-wayness (AOW) for injective functions. While the implication ANM \(\Rightarrow \) AOW is obvious, the converse is much more technically involved. In Sect. 5.3, we prove the implication AOW \(\Rightarrow \) ANM via a novel algebraic technique, leveraging the injectivity of the underlying functions and the BRS & SRS properties of \(\varPhi _{\text {brs}}^{\text {srs}}\). The rough idea is that: if an adversary breaks non-malleability (outputting a mauled image along with a transformation), the reduction can obtain a solvable equation about the preimage and thus contradicts the assumed one-wayness.

All these results indicate that the preimage size is a fundamental parameter of NMFs. We also note that all the above results apply equally well to trapdoor functions. Most importantly, the equivalence \(\text {AOW} \Leftrightarrow \text {ANM}\) answers the aforementioned open problems left by Kiltz et al. [38].

Both OW and NM can be considered with auxiliary information of preimage \(x^*\), which is modeled by a hint function \(\mathsf {hint}(x^*)\). We refer to the standard (default) notions without hint as hint-free notions, and refer to the ones with hint as hinted notions. Compared to hint-free notions, hinted ones are generally more useful for cryptographic applications, as we will demonstrate in Sect. 8. While hinted notions trivially implies hint-free ones, the converse becomes more subtle. In Sect. 6, we will show that w.r.t. statistically/computationally simulatable \(\mathsf {hint}(x^*)\), hinted notions are implied by hint-free ones.

Benefits of AOW \(\Rightarrow \) ANM. Given the fact that ATDFs are efficiently realizable from a variety of hardness assumptions, the implication AOW \(\Rightarrow \) ANM immediately gives rise to efficient deterministic NMFs w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\) in the standard model. This partiallyFootnote 6 resolves an open question raised in [16]. In the full version [21] of this work, by using the technique underlying AOW \(\Rightarrow \) ANM, we prove that the Merkle-Damgård transformation is actually \(\varPhi _{\text {brs}}^{\text {srs}}\)-non-malleable. This greatly improves prior result [3], and thus provides an efficient candidate of NMFs w.r.t. a large RPDT class, though in the random oracle model.

Apart from yielding efficient constructions of NMFs, we find that the implication AOW \(\Rightarrow \) ANM is also useful elsewhere. In Sect. 7, we discuss how the high-level idea underlying AOW \(\Rightarrow \) ANM provides a key insight in the RKA area, that is, resilience against non-trivial copy attacks w.r.t. most algebra-induced related-key deriving class is in fact a built-in security.

Applications of NMFs. Boldyreva et al. [16] showed how to design cryptographic puzzles using NMOWHFs. We note that poly-to-one NMFs can replace NMOWHFs in their design, making it more applicable for securing practical network protocols.

In Sect. 8, we revisit continuous non-malleable key derivation functions (KDFs) recently proposed by Qin et al. [47], which have proven to be useful in achieving RKA-security for numerous cryptographic primitives. The existing construction of continuous non-malleable KDFs is somewhat complicated, which employs one-time lossy filter, one-time signature, and pairwise-independent functions as ingredients. We propose an exquisitely simple and elegant construction of continuous non-malleable KDFs based solely on poly-to-one NMFs. Comparatively, our construction not only has potential advantages in efficiency, but also admits a direct and modular proof.

1.4 Additional Related Work

Non-Malleable Codes. Dziembowski, Pietrzak and Wichs [26] introduced the notion of “non-malleable codes” (NMCs) which relaxes the notion of error-correction and error-detection codes. Roughly, NMCs require that given a code \(c^* \leftarrow \mathsf {NMC}(m^*)\) for a source-message \(m^*\), the decoded message m of the tampered codeword \(c = \phi (c^*)\) is either equal or completely unrelated to \(m^*\). We note that NMFs are somehow dual to NMCs. The duality comes from the fact that NMFs stipulate given \(y^* \leftarrow \mathsf {NMF}(x^*)\), \(\mathsf {NMF}(\phi (x^*))\) is still hard to compute. Very informally, we can think of in NMCs the tampering takes place on code (which could be interpreted as image of message), whereas in NMFs the “tampering” takes place on preimage.

Correlated-Input Hash Functions. Goyal, O’Neill and Rao [35] undertook the study of correlated-input hash functions (CIHs), which maintain security when the adversary sees hash values \(h(c_i(r))\) of related inputs \(c_i(r)\) sharing the same random coins, where \(c_i\) is a sequence of circuits chosen by the adversary. In particular, unpredictable CIHs require that no PPT adversary is able to predicate \(h(c_{n+1}(r))\) after seeing \(h(c_i(r))\) for \(i \in [n]\). NMFs can be roughly viewed as a weakening of unpredictable CIHs by restricting \(n=1\) and \(c_1 = \mathsf {id}\). Yet, our motivation, definitional framework, as well as techniques are quite different from their work. Until now, instantiation of unpredictable CIHs is only known w.r.t. specific circuit class (tie to scheme algebra), and based on specific number-theoretic assumption.

2 Preliminaries

Basic Notations. For a distribution or random variable X, we write \(x \leftarrow X\) to denote the operation of sampling a random x according to X. For a set X, we use \(x \xleftarrow {\tiny R }X\) to denote the operation of sampling x uniformly at random from X, and use |X| to denote its size. We denote \(\lambda \in \mathbb {N}\) as the security parameter. Unless described otherwise, all quantities are implicit functions of \(\lambda \) (we reserve \(n(\lambda )\) and \(m(\lambda )\) to denote the input length and output length of a function respectively), and all cryptographic algorithms (including the adversary) take \(\lambda \) as an input.

We use standard asymptotic notation O, o, \(\varOmega \), and \(\omega \) to denote the growth of functions. We write \(\mathsf {poly}(\lambda )\) to denote an unspecified function \(f(\lambda ) = O(\lambda ^c)\) for some constant c. We write \(\mathsf {negl}(\lambda )\) to denote some unspecified function \(f(\lambda )\) such that \(f(\lambda ) = o(\lambda ^{-c})\) for every constant c. We say that a probability is overwhelming if it is \(1 - \mathsf {negl}(\lambda )\), and a probability is noticeable if it is \(\varOmega (1/\mathsf {poly}(\lambda ))\).

A probabilistic polynomial time (PPT) algorithm is a randomized algorithm that runs in time \(\mathsf {poly}(\lambda )\). If \(\mathcal {A}\) is a randomized algorithm, we write \(z \leftarrow \mathcal {A}(x_1, \dots , x_n;r)\) to indicate that \(\mathcal {A}\) outputs z on inputs \((x_1, \dots , x_n)\) and random coins r. We will omit r and write \(z \leftarrow \mathcal {A}(x_1, \dots , x_n)\).

Implications and Separations. Consider security notions A and B for a cryptographic primitive \(\varPi \), we say that

  • \(A \Rightarrow B\): if all constructions of \(\varPi \) meeting security notion A also meet security notion B.

  • \(A \nRightarrow B\): if there exists a construction of \(\varPi \) which meets security notion A but does not meet security notion B.

Following [7], we call a result of the first type an implication, and a result of the second type a separation. If \(A \Rightarrow B\), we say A is stronger than B. If we further have \(B \nRightarrow A\), we say that A is strictly stronger than B. If we further have \(B \Rightarrow A\), we say that A is equivalent to B.

3 One-Way and Non-Malleable Functions

We first recall the general syntax of a family of efficiently computable deterministic functions.

Definition 1

(Efficiently Computable Deterministic Functions). A family of efficiently computable functions \(\mathcal {F}\) consists of three polynomial time algorithms \((\mathsf {Gen}, \mathsf {Samp}, \mathsf {Eval})\) such that:

  • Sample a function: \(\mathsf {Gen}(\lambda )\) outputs a function index \(i \in I_\lambda \). Each value of i output by \(\mathsf {Gen}(\lambda )\) defines a deterministic function \(f_i: D_\lambda \rightarrow R_\lambda \).

  • Sample a preimage: \(\mathsf {Samp}(\lambda )\) samples a random preimage \(x \in D_\lambda \) according to some distribution \(\mathcal {C}_\lambda \) over \(D_\lambda \).Footnote 7 Typically \(\mathcal {C}_\lambda \) is a uniform distribution over \(D_\lambda \), and we simply write \(x \xleftarrow {\tiny R }D_\lambda \) in this case.

  • Evaluate a function: on input \((i, x) \in I_\lambda \times D_\lambda \), \(\mathsf {Eval}(i, x)\) outputs \(f_i(x)\).

In the rest of this work, we simply say \(\mathcal {F}\) is a family of functions when the context is clear. For an element \(y \in R_\lambda \) we denote its preimage set under \(f_i\) by \(f_i^{-1}(y) = \{x \in D_\lambda : f_i(x) = y\}\). We say \(\mathcal {F}\) is injective if each \(f_i \in \mathcal {F}\) is injective. Following [8], we measure the amount of “non-injectivity” by looking at the maximum preimage size. Specifically, we say that \(\mathcal {F}\) has polynomially bounded preimage size if \(|f_i^{-1}(y)| \le \mathsf {poly}(\lambda )\) for all \(f_i \in \mathcal {F}\), all \(y \in R_\lambda \) and all \(\lambda \in \mathbb {N}\). For brevity, we simply say \(\mathcal {F}\) is poly-to-one.

We say \(\mathcal {F}\) is a family of trapdoor functions if \(\mathsf {Gen}(\lambda )\) additionally outputs a trapdoor \(td_i\), and there is a PPT algorithm \(\mathsf {TdInv}(td_i, y)\) that computes a preimage \(x \in f_i^{-1}(y)\). If a value y is not in the image \(f_i(D_i)\), i.e., \(f_i^{-1}(y)\) is empty, then the behavior of \(\mathsf {TdInv}(td_i, y)\) is unspecified.

Remark 1

When things are clear from the context, we will slightly abuse the notation for simplicity and write: I for \(I_\lambda \), D for \(D_\lambda \), R for \(R_\lambda \), \(\mathcal {C}\) for \(\mathcal {C}_\lambda \), td for \(td_i\), \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\) for (\(i \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), f := \(f_i\)). The above definition considers the domains and ranges that depend only on \(\lambda \). It is easy to generalize the definition so that the domains and ranges also depend on the function index i.

Next, we recall the notion of one-wayness and formally define the notion of non-malleability for deterministic functions. We also define the corresponding adaptive notions, in which the adversary is given access to an inversion oracle \(\mathcal {O}_\mathsf {inv}(\cdot )\). For trapdoor functions, \(\mathcal {O}_\mathsf {inv}(y) := \mathsf {TdInv}(td, y)\). For functions without trapdoor, \(\mathcal {O}_\mathsf {inv}(y)\) returns a preimage \(x \in f^{-1}(y)\) if \(y \in f(D)\), while its behavior is unspecified otherwise. We emphasize that in the security experiments of adaptive notions the challenger is not necessarily to be efficient and could be unbounded for simulating \(\mathcal {O}_\mathsf {inv}(\cdot )\).

Definition 2

(One-Wayness and Adaptive One-Wayness). \(\mathcal {F}\) is one-way if for any PPT adversary \(\mathcal {A}\) its advantage \(\mathsf {Adv}_{\mathcal {A},\mathcal {F}}^\mathrm{{ow}}(\lambda )\) defined in the security experiment below is negligible in \(\lambda \):

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A},\mathcal {F}}^\mathrm{{ow}}(\lambda ) = \Pr \left[ x \in f^{-1}(y^*):~ \begin{array}{ll} &{} f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda );\\ &{} x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda ); y^* \leftarrow f(x^*);\\ &{} x \leftarrow \mathcal {A}(f, y^*); \end{array} \right] . \end{aligned}$$

\(\mathcal {F}\) is adaptively one-way if one-wayness maintains even when \(\mathcal {A}\) is allowed to query \(\mathcal {O}_\mathsf {inv}(\cdot )\) on any point other than \(y^*\).

Definition 3

(Hardcore Functions). Let \(\mathcal {H}\) be a family of functions that map \(D_\lambda \) to \(\{0,1\}^{m(\lambda )}\). \(\mathcal {H}\) is a hardcore of \(\mathcal {F}\) if for any PPT adversary \(\mathcal {A}\) its advantage \(\mathsf {Adv}_{\mathcal {A},\mathcal {H}}^\mathrm{{rand}}(\lambda )\) defined in the security experiment below is negligible in \(\lambda \):

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A},\mathcal {H}}^\mathrm{{rand}}(\lambda ) = \Pr \left[ b = b':~ \begin{array}{ll} &{} f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda ); h \leftarrow \mathcal {H}.\mathsf {Gen}(\lambda , f);\\ &{} x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda ); y^* \leftarrow f(x^*);\\ &{} r_0^* \leftarrow h(x^*); r_1^* \xleftarrow {\tiny R }\{0,1\}^m; \\ &{} b \xleftarrow {\tiny R }\{0,1\}; \\ &{} b' \leftarrow \mathcal {A}(f, h, y^*, r_b^*); \end{array} \right] - \frac{1}{2}. \end{aligned}$$

The well-known Goldreich-Levin theorem [34] says that if \(\mathcal {F}\) is one-way, then it has a hardcore \(\mathcal {H}\). More precisely, Goldreich and Levin [34] showed that the inner product of preimage x with a random string r (the latter could be viewed as part of the description of h) is a hardcore predicate (which is a special hardcore function with one-bit outputs) for any OWFs.

Definition 4

(Non-Malleability and Adaptive Non-Malleability). Let \(\varPhi \) be a RPDT class defined over the domain D. \(\mathcal {F}\) is \(\varPhi \)-non-malleable if for any PPT adversary \(\mathcal {A}\) its advantage \(\mathsf {Adv}_{\mathcal {A},\mathcal {F}}^\mathrm{{nm}}\) defined in the security experiment below is negligible in \(\lambda \):

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A},\mathcal {F}}^\mathrm{{nm}}(\lambda ) = \Pr \left[ \phi \in \varPhi \wedge y = f(\phi (x^*)):~ \begin{array}{ll} &{} f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda );\\ &{} x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda ); y^* \leftarrow f(x^*);\\ &{} (\phi , y) \leftarrow \mathcal {A}(f, y^*); \end{array} \right] . \end{aligned}$$

\(\mathcal {F}\) is adaptively \(\varPhi \)-non-malleable if \(\varPhi \)-non-malleability maintains even when \(\mathcal {A}\) is allowed to query \(\mathcal {O}_\mathsf {inv}(\cdot )\) on any point other than \(y^*\).

We give several technical remarks about the above notions.

Impossible Classes. Obviously, our non-malleable notion is impossible to realize w.r.t. RPDT class that contains “regular” transformations, namely, identity transformation \(\mathsf {id}\) and constant transformations \(\phi _c\). If \(\varPhi \) contains \(\mathsf {id}\), an adversary can simply win by outputting \((\mathsf {id}, y^*)\). If \(\varPhi \) contains \(\phi _c\), an adversary can win by outputting \((\phi _c, f(c))\). It is easy to see that inclusion of the transformations near to the regular onesFootnote 8 will also make \(\varPhi \)-non-malleability unachievable. In this regard, we call the regular transformations and the transformations near to the regular ones as “dangerous” transformations. So, a primary task is to distill the characterizations on \(\varPhi \) for excluding “dangerous” transformations yet maintaining its generality to the largest extent.

Parameterized Adaptivity. Let q be the maximum number of inversion queries that an PPT adversary is allowed to make in the experiments of adaptive one-wayness/non-malleability. Typically q is assumed to be polynomially bounded and omitted from the definitions. Nevertheless, explicitly parameterizing adaptive notions with q yields more refined notions, i.e., q-adaptive one-wayness/non-malleability. Clearly, adaptive notions degenerate to non-adaptive ones when \(q=0\). We will adopt the refined adaptive notions in Sect. 5.3 to give a dedicated relation between adaptive one-wayness and adaptive non-malleability.

Hinted Notions. In the non-malleability notions of one-way/hash functions considered in [3, 16], in addition to the challenge \(y^*\), the adversary is also given some hint of \(x^*\) to capture the auxiliary information that might has been collected from previous actions that involve \(x^*\). The hint of \(x^*\) is modeled by \(\mathsf {hint}(x^*)\), where \(\mathsf {hint}\) is a probabilistic function from \(D_\lambda \) to \(\{0,1\}^{m(\lambda )}\). Analogously, in the security experiments of both one-wayness and non-malleability for deterministic functions, we can also make the adversaries more powerful by giving them \(\mathsf {hint}(x^*)\).Footnote 9 We say that the resulting notions are hinted, and the original notions are hint-free. Hinted notions are very useful in cryptographic applications in which the adversaries may obtain some auxiliary information about \(x^*\) other than merely its image \(y^*\), as we demonstrate in Sect. 8.

Next, we first seek for an achievable yet large RPDT class in Sect. 4, then explore the connections among non-malleability and one-wayness in Sect. 5, working with hint-free notions for simplicity. We postpone the study of the relations between hint-free notions and hinted ones to Sect. 6, since we need some result in Sect. 5 as prerequisite.

4 Related-Preimage Deriving Transformation Class

Following [3], our notion of non-malleability for a family of deterministic functions is defined w.r.t. a RPDT class \(\varPhi \), in which \(\phi : D \rightarrow D\) maps a preimage to a related preimage. We require transformations in \(\varPhi \) should be efficiently recognizable and computable. Hereafter, we use \(\mathsf {id}\) to denote the identity transformation \(f(x) = x\) and use \(\mathsf {cf}\) to denote the set of all constant transformations \(\{\phi _c(x) = c\}_{x \in D}\). When D under addition forms a group, we use 0 to denote the identity. For \(\phi _1, \phi _2 \in \varPhi \), we define \(\phi := \phi _1 - \phi _2\) as \(\phi (x) = \phi _1(x) - \phi _2(x)\).

As remarked before, we cannot hope to achieve non-malleability for any RPDT class \(\varPhi \). We are thus motivated to distill some characterizations on \(\varPhi \) that make non-malleability achievable while keeping \(\varPhi \) still general enough. Towards this goal, we introduce two novel properties for RPDT classes as below.

Definition 5

(Bounded Root Space). Let \(r(\lambda )\) be a quantity of \(\lambda \). A transformation \(\phi \) has \(r(\lambda )\)-bounded root space if \(|\phi ^{-1}(0)| \le r(\lambda )\). A RPDT class \(\varPhi \) has \(r(\lambda )\)-bounded root space if for each \(\phi \in \varPhi \) and each \(\phi _c \in \mathsf {cf}\), the composite transformations \(\phi ' = \phi - \mathsf {id}\) and \(\phi ' = \phi - \phi _c\) both have \(r(\lambda )\)-bounded root space.

Definition 6

(Sampleable Root Space). A transformation \(\phi \) has sampleable root space if there exists a PPT algorithm \(\mathsf {SampRS}\) that takes \(\phi \) as input and outputs an element from \(\phi ^{-1}(0)\) uniformly at random.Footnote 10 A RPDT class \(\varPhi \) has sampleable root space if for each \(\phi \in \varPhi \) and each \(\phi _c \in \mathsf {cf}\), the composite transformations \(\phi ' = \phi - \mathsf {id}\) and \(\phi '' = \phi - \phi _c\) both have sampleable root spaces.

In this work, we restrict our attention to root spaces whose size is polynomially bounded,Footnote 11 i.e., \(r(\lambda ) \le \mathsf {poly}(\lambda )\). Hereafter, we let \(\varPhi _{\text {brs}}^{\text {srs}}\) denote the RPDT class satisfying the bounded root space (BRS) & sampleable root space (SRS) properties. The BRS property immediately rules out the regular transformations from \(\varPhi \) and stipulates that each \(\phi \in \varPhi \) is far away from regular ones, i.e., having at most polynomially many intersection points with them. As we will see shortly, with the confining of the BRS property, an adversary’s correct solution \((\phi , y)\) such that \(f(\phi (x^*)) = y\) provides enough information about \(x^*\) and thus reduces the min-entropy of \(x^*\) to \(O(\log (\lambda ))\). The SRS property further guarantees that a polynomial-time reduction can extract the right \(x^*\) with noticeable probability.

Remark 2

Recent works [36, 47] introduced two general properties called high output entropy (HOE) and input-output collision resistance (IOCR) for transformation class \(\varPhi \). The former states that for each \(\phi \in \varPhi \), the min-entropy of \(\phi (x)\) is sufficiently high when \(x \xleftarrow {\tiny R }D\), i.e., \(\mathsf {H}_\infty (\phi (x)) = \omega (\log \lambda )\). The latter states that for each \(\phi \in \varPhi \), \(\Pr [\phi (x) = x] = \mathsf {negl}(\lambda )\) when \(x \xleftarrow {\tiny R }D\). We observe here that BRS implies HOE & IOCR. To see this, notice that: (1) for each \(c \in D\) the equation \(\phi (x) - c = 0\) having at most polynomial number of roots implies that \(\max _{c \in D}\Pr [\phi (x) = c] \le \mathsf {poly}(\lambda )/|D| = \mathsf {negl}(\lambda )\) when \(x \xleftarrow {\tiny R }D\); (2) the equation \(\phi (x) - x = 0\) having at most polynomial number of roots implies that \(\Pr [\phi (x) = x] \le \mathsf {poly}(\lambda )/|D| = \mathsf {negl}(\lambda )\) when \(x \xleftarrow {\tiny R }D\). We can alternatively think of the BRS property captures the characterization that all \(\phi \in \varPhi \) are far from regular transformations in an algebraic view.

The notion of root sampleable RPDTs (RPDT class that meets the SRS property) is reminiscent of the notion of preimage sampleable functions introduced in [32]. The former one is weaker than the latter one in that it only insists two special forms of transformations are preimage sampleable at zero point obeying uniform distribution. We note that it suffices to relax uniform distribution to some appropriate distribution.

We conclude this section by showing that the BRS & SRS properties are met by most algebra-induced transformation classes (excluding \(\mathsf {id}\) and \(\mathsf {cf}\)) considered in the literature, which we recall as below.

Group-Induced Transformations. When D under \(\odot \) forms a group \(\mathbb {G}\), let \(\varPhi ^\text {lin} = \{\phi _a\}_{a \in \mathbb {G}}\) with \(\phi _a(x) = a \odot x\) be the class of linear transformations, which generalize several important classes, for example, “bit flips” (exclusive or, XOR) \(\phi _a(x) = a \oplus x\) and modular additions \(\phi _a(x) = a + x \mod 2^n\) when \(D = \{0,1\}^n\).

Ring-Induced Transformations. When D under addition \(+\) and multiplication \(\cdot \) forms a ring \(\mathbb {R}\), let \(\varPhi ^\text {aff} = \{\phi _{a,b}\}_{a,b \in \mathbb {R}}\) with \(\phi _{a,b}(x) = ax + b\) be the class of affine transformations.

Field-Induced Transformations. When D under addition \(+\) and multiplication \(\cdot \) forms a field \(\mathbb {F}\), let p be the characteristic of \(\mathbb {F}\) and \(d \ge 0\) be any fixed integer. Let \(\varPhi ^\text {poly(d)} = \{\phi _q\}_{q \in \mathbb {F}_d(x)}\) with \(\phi _q(x) = q(x)\) be the class of polynomial functions, where \(\mathbb {F}_d(x)\) denotes single variable polynomials over \(\mathbb {F}\) with degree bounded by d. When d and p are small (i.e., \(d = \mathsf {poly}(\lambda )\) and \(p = \mathsf {poly}(\lambda )\)), one can find all roots for any \(q \in \mathbb {F}_d(x)\) in polynomial time \(O(d^3p)\) using Berlekamp’s algorithm [14]. When d is small but p is large, one can find all roots for any \(q \in \mathbb {F}_d(x)\) in expected polynomial time \(O(d^{2+\varepsilon }+d^{1+\varepsilon } \log p)\) using Gathen and Shoup’s algorithm [31].

It is easy to verify that \(\varPhi ^\text {lin} \backslash \mathsf {id}\), \(\varPhi ^\text {aff} \backslash (\mathsf {id} \cup \mathsf {cf})\), and \(\varPhi ^{\text {poly}(d)} \backslash (\mathsf {id} \cup \mathsf {cf})\) for \(d = \mathsf {poly}(\lambda )\) all satisfy the BRS and SRS properties.

5 Relations Among Non-Malleability and One-Wayness

In this section, we explore the relations among (adaptive) non-malleability and (adaptive) one-wayness for deterministic functions. For simplicity, we work with hint-free notions. All the results obtained extend naturally among hinted notions.

5.1 Non-Malleability \(\Rightarrow \) One-Wayness

Lemma 1

For any achievable RPDT class \(\varPhi \), \(\varPhi \)-Non-Malleability \(\Rightarrow \) One-Wayness when \(\mathcal {F}\) is poly-to-one.


Suppose there is an adversary \(\mathcal {A}\) that breaks the one-wayness of \(\mathcal {F}\) with non-negligible probability, then we can build an algorithm \(\mathcal {B}\) that breaks non-malleability of \(\mathcal {F}\) also with non-negligible probability. \(\mathcal {B}\) works by simulating \(\mathcal {A}\)’s challenger in the one-wayness experiment as follows:

Setup: Given \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\) and a challenge \(y^* \leftarrow f(x^*)\) for \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), \(\mathcal {B}\) forwards \((f, y^*)\) to \(\mathcal {A}\).

Attack: When \(\mathcal {A}\) outputs its solution x against one-wayness, \(\mathcal {B}\) simply picks a random \(\phi \in \varPhi \), then outputs \((\phi , f(\phi (x))\) as its solution.

Since \(\mathcal {F}\) is poly-to-one, conditioned on \(\mathcal {A}\) succeeds (\(x \in f^{-1}(y^*)\)), we have \(\Pr [x = x^* |y^*] \ge 1/\mathsf {poly}(\lambda )\), where the probability is over the choice of \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\). This is because there are at most \(\mathsf {poly}(\lambda )\) values x such that \(f(x) =~y^*\), and they are all equally likely in \(\mathcal {A}\)’s view. Therefore, if \(\mathcal {A}\) breaks the one-wayness of \(\mathcal {F}\) with non-negligible probability, then \(\mathcal {B}\) breaks the non-malleability of \(\mathcal {F}\) also with non-negligible probability. This lemma follows.    \(\square \)

The above reduction loses a factor of \(1/\mathsf {poly}(\lambda )\). When \(\mathcal {F}\) is injective, the reduction becomes tight.

5.2 One-Wayness \(\nRightarrow \) Non-Malleability

Lemma 2

One-Wayness \(\nRightarrow \) \(\varPhi _\mathrm{{brs}}^\mathrm{{srs}}\)-Non-Malleability.


Let \(\mathcal {F}\) be a family of one-way functions. To prove this lemma, we show how to modify \(\mathcal {F}\) into \(\mathcal {F}'\) so that \(\mathcal {F}'\) is still one-way but malleable w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\). Suppose \(\mathcal {F}.\mathsf {Gen}(\lambda )\) outputs a function \(f: \{0,1\}^n \rightarrow \{0,1\}^m\), we construct \(\mathcal {F}'.\mathsf {Gen}(\lambda )\) as follows: run \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), output a function \(f': \{0,1\}^{n+1} \rightarrow \{0,1\}^{m+1}\) where \(f'(x||\beta ) := f(x)||\beta \) and \(\beta \) denotes the last bit of its input. We then proceed to prove the following two claims.

Claim 1

\(\mathcal {F}'\) is one-way.


It is easy to see that \(\mathcal {F}'\) inherits the one-wayness from \(\mathcal {F}\). We omit the proof here since it is straightforward.    \(\square \)

Claim 2

\(\mathcal {F}'\) is \((\varPhi ^\mathrm{{xor}} \backslash \mathsf {id})\)-malleable.


Given \(f'\) and a challenge \(y'^* = f'(x'^*)\) where \(x'^* = x^*||\beta ^*\) is randomly chosen from \(\{0,1\}^{n+1}\), we build an adversary \(\mathcal {A}'\) against the non-malleability of \(\mathcal {F}'\) as follows: parse \(y'^*\) as \(y^*||\beta ^*\), set \(a = 0^n||1\), then output \(\phi _a\) together with \(y' = y^* || (\beta ^* \oplus 1)\). It is easy to see that \(\phi _a \in \varPhi ^\text {xor} \backslash \mathsf {id}\) and \(y' = f'(x^*||(\beta ^* \oplus 1)) = f'(\phi _a(x'^*))\). This proves Claim 2.    \(\square \)

As shown in Sect. 4, \(\varPhi ^\text {xor}\) is a special case of group-induced class, and thus \(\varPhi ^\text {xor} \backslash \mathsf {id} \subseteq \varPhi _{\text {brs}}^{\text {srs}}\). The lemma immediately follows from the above two claims.    \(\square \)

While this is just a contrived counterexample for one particular attempt, there exist more natural counterexamples. For instance, a \(\varPhi \)-homomorphic one-way functionFootnote 12 f is also \(\varPhi \)-malleable since \(f(x^*) = y^*\) implies \(f(\phi (x^*)) = \phi (y^*)\). All these counterexamples indicate that functions with nice algebraic structure are unlikely to be non-malleable.

5.3 Adaptive Non-Malleability \(\Leftrightarrow \) Adaptive One-Wayness

Lemma 3

For any achievable RPDT class \(\varPhi \), q-Adaptive \(\varPhi \)-Non-Malleability \(\Rightarrow \) q-Adaptive One-Wayness when \(\mathcal {F}\) is poly-to-one.


The proof can be easily adapted from that of Lemma 1. We omit it here for since it is straightforward.    \(\square \)

Lemma 4

\((q+1)\)-Adaptive One-Wayness \(\Rightarrow \) q-Adaptive \(\varPhi _\mathrm{{brs}}^\mathrm{{srs}}\)-Non-Malleability when \(\mathcal {F}\) is injective.

We first outline the high-level idea of the proof. Since the task of finding the preimage \(x^*\) appears to be harder than that of mauling its image, the major technical difficulty is how to utilize the power of an adversary \(\mathcal {A}\) against adaptive non-malleability to break adaptive one-wayness.

It is instructive to see that a challenge instance of one-wayness has already provided an equation about \(x^*\), i.e., \(f(x^*) = y^*\). When \(\mathcal {A}\) outputs its solution \((\phi , y)\) against non-malleability, the reduction immediately obtains another equation about \(x^*\), that is, \(f(\phi (x^*)) = y\). However, these two equations are hard to solve on their own due to the involvement of f (which could be complex). Luckily, by utilizing either the injectivity of f or the inversion oracle, the reduction is able to obtain a new solvable equation about \(x^*\) without the presence of f: (1) for the case of \(y = y^*\), the reduction gets \(\phi (x^*) = x^*\) due to the injectivity of f; (2) for the case of \(y \ne y^*\), the reduction first queries the inversion oracle at point y, then gets \(\phi (x^*) = \mathcal {O}_\mathsf {inv}(y)\). In both cases, the reduction successfully confines \(x^*\) in a poly-bounded root space (due to the BRS property), then correctly extracts it with noticeable probability (due to the SRS property). This justifies the usefulness of BRS & SRS properties. See the formal proof as follows.


Suppose there is an adversary \(\mathcal {A}\) against the adaptive non-malleability of \(\mathcal {F}\), we can build an adversary \(\mathcal {B}\) against the adaptive one-wayness of \(\mathcal {F}\). \(\mathcal {B}\) simulates \(\mathcal {A}\)’s challenger in the adaptive non-malleability experiment as follows:

Setup: Given \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\) and a challenge \(y^* \leftarrow f(x^*)\) for \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), \(\mathcal {B}\) forwards \((f, y^*)\) to \(\mathcal {A}\).

Attack: When \(\mathcal {A}\) issues an query to the inversion oracle, \(\mathcal {B}\) forwards it to its own challenger and sends back the reply. When \(\mathcal {A}\) outputs its solution \((\phi , y)\) against adaptive non-malleability, \(\mathcal {B}\) proceeds as follows:

  1. 1.

    Case \(y = y^*\): \(\mathcal {B}\) runs \(\mathsf {SampRS}(\phi ')\) to output a random solution of \(\phi '(\alpha ) = 0\) where \(\phi '(\alpha ) = \phi (\alpha ) - \alpha \).

  2. 2.

    Case \(y \ne y^*\): \(\mathcal {B}\) queries the inversion oracle \(\mathcal {O}_\mathsf {inv}(\cdot )\) at point y and gets the response x, then runs \(\mathsf {SampRS}(\phi '')\) to output a random solution of \(\phi ''(\alpha ) = 0\) where \(\phi ''(\alpha ) = \phi (\alpha ) - x\).

We justify the correctness of \(\mathcal {B}\)’s strategy as follows. For case 1, conditioned on \(\mathcal {A}\) succeeds (\(f(\phi (x^*)) = y^*\)), due to the injectivity of \(\mathcal {F}\), we have \(\phi (x^*) =~x^*\), i.e., \(x^*\) is a solution of \(\phi '(\alpha ) = 0\). For case 2, conditioned on \(\mathcal {A}\) succeeds (\(f(\phi (x^*)) =~y\)), due to the injectivity of \(\mathcal {F}\), we have \(\phi (x^*) = x\), i.e., \(x^*\) is a solution of \(\phi ''(\alpha ) = 0\). Taking the two cases together, conditioned on \(\mathcal {A}\) succeeds by making at most q inversion queries, then according to the BRS & SRS properties of \(\varPhi _{\text {brs}}^{\text {srs}}\), \(\mathcal {B}\) will output the right \(x^*\) with probability \(1/\mathsf {poly}(\lambda )\) by making at most \((q+1)\) inversion queries. We stress that the probability here is taken over the randomness of \(\mathsf {SampRS}\), but not \(\mathcal {F}.\mathsf {Samp}\). Thereby, if \(\mathcal {A}\) breaks the q-adaptive non-malleability with non-negligible probability, \(\mathcal {B}\) breaks the \((q+1)\)-adaptive one-wayness also with non-negligible probability. This proves this lemma.    \(\square \)

Combining Lemmas 3 and 4 together, we conclude that for injective functions, adaptive \(\varPhi _{\text {brs}}^{\text {srs}}\)-non-malleability is equivalent to adaptive one-wayness.

Remark 3

Analogous to the RKA security notion, our non-malleability notion is of “unique” flavor, in which the adversary is only considered to be successful if its output is a related image of the preimage \(x^*\) exactly chosen by the challenger. Precis for this reason, the injectivity of \(\mathcal {F}\) is crucial for the reduction from adaptive non-malleability to adaptive one-wayness. If \(\mathcal {F}\) is non-injective, the reduction is not guaranteed to get the right equation about \(x^*\). For example, in case \(y = y^*\), if the adversary \(\mathcal {A}\) always outputs \(\phi \in \varPhi \) such that \(\phi (x) \ne x\) for any \(x \in D\), the reduction will never get a right solvable equation about \(x^*\).

5.4 Non-Malleability \(\nRightarrow \) Adaptive Non-Malleability

At first glance, one might think non-malleability does imply adaptive non-malleability based on the intuition that the inversion oracle does not help. Suppose \(\mathcal {A}\) is an adversary against adaptive non-malleability. Given \(y^* \leftarrow f(x^*)\) for randomly chosen \(x^*\) and an inversion oracle, \(\mathcal {A}\) is asked to output \((\phi , y)\) such that \(f(\phi (x^*)) = y\). Since \(\mathcal {A}\) is not allowed to query the inversion oracle on \(y^*\), it seems the only strategy is to firstly maul \(y^*\) to some related y, then query the inversion oracle on y, and use the answer x to help figuring out a transformation \(\phi \) s.t. \(\phi (x^*) = x\). As we showed in Lemma 1, if \(\mathcal {F}\) is non-malleable and poly-to-one, it is also one-way and thus \(x^*\) is computationally hidden from \(\mathcal {A}\). Thus, it seems impossible for \(\mathcal {A}\) to determine \(\phi \) without the knowledge of \(x^*\).

However, the above intuition is deceptive in thinking that the inversion algorithm always behave benignly, namely, returning the preimages of its inputs. Actually, contrived inversion algorithm may reveal critical information (e.g. trapdoor) when its inputs fall outside the image of f, and thus make f not adaptively non-malleable. This is similar in spirit to the separation NM-CPA \(\nRightarrow \) IND-CCA1 [7, Sect. 3.2] in the public-key encryption setting.

Lemma 5

For any achievable RPDT class \(\varPhi \), \(\varPhi \)-Non-Malleability \(\nRightarrow \) Adaptive \(\varPhi \)-Non-Malleability when \(\mathcal {F}\) is poly-to-one.

Due to page limit, we defer the proof of this lemma to the full version [21].

In the above, we work with hint-free (standard) non-malleability notion and one-wayness notion for simplicity. It is easy to see that all these relations apply equally well to the hinted non-malleability notion and the hinted one-wayness notion, with respect to the same hint function.

Construction of NMFs. Baecher et al. [3, Construction4.1] showed that the strengthened Merkle-Damgård (MD) transformation is non-malleable w.r.t. \(\varPhi ^\text {xor} \backslash \mathsf {id}\)), assuming the compression function is a random oracle. We improve over their result by showing that the strengthened MD transformation is essentially non-malleable w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\). This result gives us an efficient candidate of NMFs w.r.t. large RPDT class, though in the random oracle model. Due to page limit, we defer the details of this part to the full version [21].

As to the construction of NMFs in the standard model, Lemma 4 shows that any injective ATDFs are indeed \(\varPhi _{\text {brs}}^{\text {srs}}\)-non-malleable, while [38] demonstrates that injective ATDFs can be constructed from either a number of cryptographic primitives such as correlated-product TDFs [48], lossy TDFs [45] and CCA-secure deterministic encryption [4] (which in turn can be efficiently constructed from a variety of standard assumptions) or from some specific assumption, e.g. “instance-independent” RSA assumption. This indicates that deterministic NMFs are widely realizable in the standard model, and thus partially resolves an open question raised in [16].

Finally, we observe that for the purpose of constructing NMFs, 1-ATDFs (which only allows the adversary to query the inversion oracle once) are sufficient. Nevertheless, if 1-ATDFs are strictly weaker than q-ATDFs for \(q > 1\) and if it allows more efficient instantiations, are still unknown to us. Besides, we are only able to construct NMFs w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\) in this work. Though \(\varPhi _{\text {brs}}^{\text {srs}}\) is very general (comprising most algebra-induced transformations), it is still of great interest to know if it is possible to go beyond the algebraic barrier.

6 Relation Between Hint-Free and Hinted Notions

In this section, we investigate the relations between hint-free notions and hinted notions. While hinted notions obviously imply hint-free ones, if the reverse implication holds crucially depends on the hint functions. It is intriguing to know for what kind of hint functions, hint-free notions do imply hinted notions.

Let \(\mathcal {F}\) be a family of deterministic functions, \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\) and \(y^* \leftarrow f(x^*)\). Roughly, we say \(\mathsf {hint}(x^*)\) is \(p(\lambda )\)-statistically simulatable if there exists a PPT algorithm \(\mathcal {R}\) such that \((y^*, \mathcal {R}(y^*)) \approx _s (y^*, \mathsf {hint}(x^*))\) holds with probability \(p(\lambda )\); we say \(\mathsf {hint}(x^*)\) is \(p(\lambda )\)-computationally simulatable if there exists a PPT algorithm \(\mathcal {R}\) such that \((y^*, \mathcal {R}(y^*)) \approx _{c} (y^*, \mathsf {hint}(x^*))\) holds with probability \(p(\lambda )\) based on the hint-free hardness assumption. The probability is over the choice of \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\) and the random coins of \(\mathcal {R}\). It is easy to see that when \(\mathsf {hint}(x^*)\) is either statistically simulatable or computationally simulatable for some noticeable probability \(p(\lambda )\), a reduction algorithm is able to create a game with probability \(p(\lambda )\) such that it is indistinguishable to the real hinted game, and thus reduces hinted notions to hint-free ones. We exemplify these two cases in Lemmas 7 and  8, respectively.

Next, we formally study the relation between one-wayness and hinted one-wayness, then show the analogous result also holds between non-malleability and hinted non-malleability for poly-to-one functions.

Lemma 6

For a family of functions \(\mathcal {F}\), hinted one-wayness w.r.t. any achievable hint function implies one-wayness.


This direction is straightforward and hence the proof is omitted.    \(\square \)

We then turn to the inverse direction. We first show that regardless of the construction of \(\mathsf {hint}(\cdot )\), as long as its output length is short, i.e., bounded by \(\log (\mathsf {poly}(\lambda ))\), then \(\mathsf {hint}(x^*)\) is \(1/\mathsf {poly}(\lambda )\)-perfectly simulatable (a special case of statistically simulatable) and thus one-wayness implies hinted one-wayness.

Lemma 7

(Statistically Simulatable Case). For a family of functions \(\mathcal {F}\), one-wayness implies hinted one-wayness w.r.t. any hint function with output length bounded by \(\log (\mathsf {poly}(\lambda ))\).


Let \(\mathcal {A}\) be an adversary against hinted one-wayness of \(\mathcal {F}\) with advantage \(\mathsf {Adv}_{\mathcal {A}, \mathcal {F}}^\text {how}(\lambda )\). We build an adversary \(\mathcal {B}\) against one-wayness by using \(\mathcal {A}\)’s power. Given \((f, y^*)\) where \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), \(y^* \leftarrow f(x^*)\) for \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), \(\mathcal {B}\) simply makes a random guess of \(\mathsf {hint}(x^*)\), then sends \((f, y^*, \mathsf {hint}(x^*))\) to \(\mathcal {A}\). Finally, \(\mathcal {B}\) forwards \(\mathcal {A}\)’s solution as its solution. Since the output length is bounded by \(\log (\mathsf {poly}(\lambda ))\), \(\mathcal {B}\) guesses the right hint value and thus simulates perfectly with probability \(1/\mathsf {poly}(\lambda )\). Thereby, we conclude that \(\mathsf {Adv}_{\mathcal {B}, \mathcal {F}}^\text {ow}(\lambda ) \ge \mathsf {Adv}_{\mathcal {A}, \mathcal {F}}^\text {how}(\lambda )/\mathsf {poly}(\lambda )\). The lemma immediately follows.    \(\square \)

We then show that, for some specific hint functions with output length could possibly beyond \(\log (\mathsf {poly}(\lambda ))\), \(\mathsf {hint}(x^*)\) is computationally simulatable assuming the one-wayness of \(\mathcal {F}\), and thus hint-free one-wayness also implies hinted one-wayness in this case.

Lemma 8

(Computationally Simulatable Case). For a family of functions \(\mathcal {F}\), one-wayness implies hinted one-wayness w.r.t. the following specific hint function:

$$\begin{aligned} \mathsf {hint}(x; b) = \left\{ \begin{array}{ll} h(x) &{} \text {if b=0}\\ r \xleftarrow {\tiny R }\{0,1\}^{m(\lambda )} &{} \text {if b=1}\\ \end{array} \right. \end{aligned}$$

Here, \(h: D \rightarrow \{0,1\}^{m(\lambda )}\) denotes a hardcore function for \(f \in \mathcal {F}\). It is well-defined when \(\mathcal {F}\) is one-way.


The high-level idea of the proof is to show that, assuming the one-wayness of \(\mathcal {F}\), \(\mathsf {hint}(x^*; b)\) for \(x^* \xleftarrow {\tiny R }X\) and \(b \xleftarrow {\tiny R }\{0,1\}\) is 1-computationally simulatable. We prove this theorem via a sequence of games. Let \(\mathcal {A}\) be an adversary against the hinted one-wayness of \(\mathcal {F}\) w.r.t. the hint function defined as above. Let \(S_i\) be the event that \(\mathcal {A}\) wins in Game i.

Game 0 (The real experiment): \(\mathcal {CH}\) interacts with \(\mathcal {A}\) in the real hinted one-wayness experiment w.r.t. the hinted function defined as above. According to the definition, we have:

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A}, \mathcal {F}}^{\text {how}}(\lambda ) = \Pr [S_0]. \end{aligned}$$

Game 1 (Modify the hint function): The same as Game 0 except that the hint function \(\mathsf {hint}(x^*;b)\) is modified to \(\widetilde{\mathsf {hint}}(x^*; b)\), which ignores its input \((x^*, b)\) and always returns a random value \(r \xleftarrow {\tiny R }\{0,1\}^{m(\lambda )}\). Observe that in this case the hint value carries no information of \(x^*\).

We now state and prove two claims that establish the lemma.

Claim 3

Game 0 and Game 1 are computationally indistinguishable, assuming the hint-free one-wayness of \(\mathcal {F}\).


Since one-wayness of \(\mathcal {F}\) implies pseudorandomness of its hardcore \(\mathcal {H}\) (c.f. Definition 3), it suffices to show that Game 0 and Game 1 are computationally indistinguishable based on the pseudorandomness of \(\mathcal {H}\). We show how to turn a distinguisher \(\mathcal {A}\) into an algorithm \(\mathcal {B}\) against the pseudorandomness of \(\mathcal {H}\).

Given \((f, h, y^*, r_\beta ^*)\) where \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), h is a hardcore function for f, \(y^* \leftarrow f(x^*)\) for \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), and \(r_\beta ^*\) is \(h(x^*)\) if \(\beta =0\) or a random string from \(\{0,1\}^{m(\lambda )}\) if \(\beta =1\), \(\mathcal {B}\) is asked to determine the value of \(\beta \). \(\mathcal {B}\) picks a random bit b and computes the hint value as follows:

$$\begin{aligned} \mathsf {hint}'(x^*; b) = \left\{ \begin{array}{ll} r_\beta ^* &{} \text {if b=0}\\ r \xleftarrow {\tiny R }\{0,1\}^{m(\lambda )} &{} \text {if b=1}\\ \end{array} \right. \end{aligned}$$

\(\mathcal {B}\) then sends \((f, y^*, \mathsf {hint}'(x^*))\) to \(\mathcal {A}\). Finally, \(\mathcal {A}\) outputs a bit \(b'\) (\(b'=0\) indicates Game 0 and \(b'=1\) indicates Game 1), and \(\mathcal {B}\) forwards \(b'\) to its own challenger. It is easy to verify that if \(\beta =0\) then \(\mathsf {hint}(x^*;b)=\mathsf {hint}'(x^*;b)\) and thus \(\mathcal {B}\) perfectly simulates Game 0; if \(\beta =1\) then \(\widetilde{\mathsf {hint}}(x^*;b)=\mathsf {hint}'(x^*;b)\) and thus \(\mathcal {B}\) perfectly simulates Game 1. Therefore, \(\mathcal {B}\) breaks the pseudorandomness of \(\mathcal {H}\) with at least the same advantage as \(\mathcal {A}\) distinguishes Game 0 and Game 1. By assuming the one-wayness of \(\mathcal {F}\), Game 0 and Game 1 are computationally indistinguishable. This proves the Claim 3.    \(\square \)

Claim 4

No PPT adversary has non-negligible advantage in Game 2 assuming the one-wayness of \(\mathcal {F}\).


Suppose \(\mathcal {A}\) is a PPT adversary that has non-negligible advantage in Game 2. We show how to use \(\mathcal {A}\)’s power to break the one-wayness of \(\mathcal {F}\). Given the one-wayness challenge \((f, y^*)\) where \(y^* \leftarrow f(x^*)\) for randomly chosen \(x^*\), \(\mathcal {B}\) simply assigns \(\widetilde{\mathsf {hint}}(x^*;b)\) to be a random string from \(\{0,1\}^{m(\lambda )}\), then sends \((f, y^*, \widetilde{\mathsf {hint}}(x^*;b))\) to \(\mathcal {A}\) as the challenge. Finally, \(\mathcal {A}\) outputs its solution, and \(\mathcal {B}\) forwards it to its own challenger. Clearly, \(\mathcal {B}\) perfectly simulates Game 1. Therefore, \(\mathcal {B}\) breaks the one-wayness of \(\mathcal {F}\) with at least the same advantage as \(\mathcal {A}\) succeeds in Game 1. By assuming the one-wayness of \(\mathcal {F}\), \(\mathcal {A}\)’s advantage must be negligible in \(\lambda \). This proves the Claim 4.    \(\square \)

From Claims 3 and 4, we have \(\Pr [S_1]-\Pr [S_0] = \mathsf {negl}(\lambda )\) and \(\Pr [S_1] = \mathsf {negl}(\lambda )\). Putting all the above together, we have \(\mathsf {Adv}_{\mathcal {A}, \mathcal {F}}^{\text {how}}(\lambda ) = \mathsf {negl}(\lambda )\) assuming the one-wayness of \(\mathcal {F}\). In other words, one-wayness implies hinted one-wayness w.r.t. such specific hint function defined as above. The lemma follows.    \(\square \)

The above results apply naturally to the adaptive setting.

Remark 4

It is easy to see that the above results also hold between hinted non-malleability and hint-free non-malleability for poly-to-one \(\mathcal {F}\). Particularly, to see hinted NM w.r.t. the hint function defined in Eq.  (1) is implied by hint-free NM, just note that such hint function is 1-computationally simulatable assuming the one-wayness of \(\mathcal {F}\) (as we have shown in Lemma 8), which in turn implied by the non-malleability of \(\mathcal {F}\) when \(\mathcal {F}\) is poly-to-one (Lemma 1).

7 Built-In Resilience Against Non-trivial Copy Attacks

Here, we extend the idea underlying the implication AOW \(\Rightarrow \) ANM further still to address non-trivial copy attacks in the RKA area. We begin by briefly introducing the background of RKA security and defining what it means for “copy attacks” (including trivial ones and non-trivial ones).

7.1 RKA-security Model and Copy Attacks

Traditional security models assume that the internal states (e.g., secret keys and random coins) of cryptographic hardware device are completely protected from the adversary. However, practical fault injection techniques [15, 18] demonstrate that the adversaries are able to launch related-key attacks (RKAs), namely, to induce modifications to the keys stored in cryptographic hardware device and subsequently observe the outcome under the modified keys. Bellare and Kohno [9] initiated a theoretical study of RKA security. Their results mainly focused on pseudorandom function/permutation, and their constructions were subsequently improved by [1, 5]. So far, the study of RKA security has expands to other primitives, such as private-key encryption [2], public-key encryption [51], signature [10], and identity-based encryption [10].

In the RKA-security model, modifications to the secret keys are modeled by related-key deriving transformation (RKDT) class \(\varPhi \), and cryptographic hardware device is modeled by algorithm \(\mathsf {Func}(sk, x)\), where \(\mathsf {Func}(sk, \cdot )\) denotes some keyed-operations (e.g., signing, decryption) and x denotes its input (e.g., message, ciphertext). A primitive is said to be RKA-secure if it remains secure when the adversary can access to a RKA oracle \(\mathcal {O}_\mathsf {rka}(\phi , x): = \mathsf {Func}(\phi (sk), x)\).

Let \(x^*\) be the challenge in the security experiment. The RKA queries \(\langle \phi , x^* \rangle \) where \(\phi (sk) = sk\) essentially capture a category of attacks known as “copy attacks”. Among copy attacks, we refer to the ones with \(\phi = \mathsf {id}\) as trivial copy attacks and the rest as non-trivial copy attacks. While trivial copy attacks must be excluded to ensure the meaningfulness of the RKA-security notion, non-trivial copy attacks should be allowed since they are possible in practice (e.g., via fault injection attacks [15, 18]). However, attaining resilience against non-trivial copy attacks turns out to be difficult.

7.2 Known Techniques in Tackling Non-trivial Copy Attacks

Almost all the known constructions of RKA-secure primitives achieve RKA security by exploiting so called \(\varPhi \)-key-malleability as a vital property. Loosely speaking, this property provides a PPT algorithm \(\mathsf {T}\) such that \(\mathsf {Func}(\phi (sk), x) = \mathsf {Func}(sk, \mathsf {T}(\phi , x))\). Let \(\mathcal {O}(x) := \mathsf {Func}(sk, x)\) be the original oracle of the starting primitive. With such property, the reduction is able to reduce the RKA security to the original security of the starting primitive by simulating the RKA oracle via the original oracle, that is, answering \(\mathcal {O}_\mathsf {rka}(\phi , x)\) with \(\mathcal {O}(\mathsf {T}(\phi , x))\). However, a subtlety in the above strategy is that the original oracle \(\mathcal {O}(\cdot )\) will deny query \(\langle x^* \rangle \). As a consequence, the reduction is unable to handle non-trivial copy attacks, i.e., answering RKA queries \(\langle \phi , x^* \rangle \) where \(\phi \ne \mathsf {id}\) but \(\phi (sk) = sk\).

Prior works paid a lot of effort to address this problem. To date, there are three methods dealing with non-trivial copy attacks in the literature. The first method is assuming \(\varPhi \) is claw-free and contains \(\mathsf {id}\). Recall that claw-freeness requires that for all distinct \(\phi , \phi ' \in \varPhi \) and all \(x \in D\), \(\phi (x) \ne \phi '(x)\). With this assumption, such a \(\phi \) is not in \(\varPhi \) and non-trivial copy attacks are automatically ruled out. This is exactly the technical reason of why numerous constructions of \(\varPhi \)-RKA-secure-primitives [5, 9, 33, 41] are restricted to claw-free \(\varPhi \). However, as already pin-pointed by [1, 6], this assumption is undesirable because many natural and practical RKDT classes are not claw-free. The second method is directly modifying the RKA security experiment to disallow RKA queries \(\langle \phi , x^* \rangle \) where \(\phi \ne \mathsf {id}\) but \(\phi (sk) = sk\). Such method evades non-trivial copy attacks only in the conceptual sense by adopting a potentially weaker RKA notion. It also brings a new technical challenge, that is, checking if \(\phi (sk) = sk\) without knowing sk. To overcome this hurdle, existing works either require the starting primitives to meet extra properties like \(\varPhi \)-fingerprinting [37, 40, 51] in the context of public-key encryption or resort to ad-hoc transform like identity-renaming [10] in the context of identity-based encryption.Footnote 13 The third method in the context of pseudorandom functions is to rely on \(\varPhi \)-key-collision-security [1], which requires that for a random key k it is impossible to find two distinct \(\phi _1, \phi _2 \in \varPhi \) such that \(\phi _1(k) = \phi _2(k)\). However, such property is only known to hold w.r.t. specific \(\varPhi \) under concrete number-theoretic assumptions.

7.3 Our Insight in Addressing Non-trivial Copy Attacks

As discussed above, non-trivial copy attacks have not been well addressed at a general level. Being aware of the similarity between our non-malleability notion and the RKA security notion, we are curious to know if our strengthening of allowing \(\phi (x^*) = x^*\) can shed light on this problem. Recall that in the proof of Lemma 4 for the case of \(y = y^*\), we essentially proved that by assuming the one-wayness of f, no PPT adversary is able to find a \(\phi \in \varPhi _{\text {brs}}^{\text {srs}}\) such that \(\phi (x^*) = x^*\) with non-negligible probability. The high-level idea is that as long as the adversary is able to find such a \(\phi \in \varPhi _{\text {brs}}^{\text {srs}}\), then a reduction can obtain an efficiently solvable equation about \(x^*\). Somewhat surprisingly, this idea immediately indicates that w.r.t. RKDT class \(\varPhi = \varPhi _{\text {brs}}^{\text {srs}}\cup \mathsf {id} \cup \mathsf {cf}\), resilience against non-trivial copy attacks is in fact a built-in immunity guaranteed by the security of starting primitives.

We sketch the argument more formally as follows. Let \(\mathcal {A}\) be a RKA adversary and denote by E the event that non-trivial attack happens, i.e., \(\mathcal {A}\) makes at least one RKA query \(\langle \phi , x^* \rangle \) such that \(\phi \in \varPhi _{\text {brs}}^{\text {srs}}\) and \(\phi (sk) = sk\). Let \(l(\lambda )\) be the maximum number of RKA queries \(\mathcal {A}\) makes. Our aim is to prove \(\Pr [E] = \mathsf {negl}(\lambda )\) by only assuming the original security of the starting primitives. Conditioned on E happens, a reduction \(\mathcal {R}\) can pick out a non-trivial copy attack query say \(\langle \phi , x^* \rangle \) and hence obtains a right equation \(\phi (sk) = sk\) about sk, with probability at least \(1/l(\lambda )\). Conditioned on getting the right equation, \(\mathcal {R}\) can further compute the correct sk with probability \(1/\mathsf {poly}(\lambda )\) due to the BRS & SRS properties of \(\varPhi _{\text {brs}}^{\text {srs}}\). Overall, \(\mathcal {R}\) is able to recover sk with probability \(\Pr [E]/l(\lambda )\mathsf {poly}(\lambda )\). Since \(\mathcal {A}\) is a PPT adversary, \(l(\lambda )\) is poly-bounded. Therefore, if \(\Pr [E]\) is non-negligible, then \(\mathcal {R}\) can recover sk with non-negligible probability. This contradicts the security of the starting primitives, and therefore we must have \(\Pr [E] = \mathsf {negl}(\lambda )\).

Somewhat surprisingly, our result indicates that w.r.t. RKDT class \(\varPhi \subseteq \varPhi _{\text {brs}}^{\text {srs}}\cup \mathsf {id} \cup \mathsf {cf}\), resilience against non-trivial copy attacks is essentially a built-in security guaranteed by the starting primitives. Previous RKA-secure schemes w.r.t. algebra-induced RKDTs could benefit from this, that is, “weak” RKA security (disallowing non-trivial copy attacks) can be enhanced automatically without resorting to claw-free assumption or additional properties/transformations.

8 Application to RKA-secure Authenticated KDFs

8.1 Continuous Non-Malleable KDFs, Revisited

Qin et al. [47] extended non-malleable key derivation functions (KDFs) [28] to continuous non-malleable KDFs, and showed how to use it to compile numerous cryptographic primitives into RKA-secure ones. In what follows, we briefly recall the syntax, security notion, as well as construction of continuously non-malleable KDFs presented in [47].

Syntax. KDFs consist of three polynomial time algorithms: (1) \(\mathsf {Setup}(\lambda )\), on input \(\lambda \), outputs system-wide public parameters pp, which define the key space S, the public key space \(\varPi \), and the derived key space \(\{0,1\}^m\). (2) \(\mathsf {Sample}(pp)\), on input pp, samples a random key \(s \xleftarrow {\tiny R }S\) and computes public key \(\pi \in \varPi \). (3) \(\mathsf {Derive}(s, \pi )\), on input \((s, \pi )\), outputs a derived key \(r \in \{0,1\}^m\) or \(\bot \) indicating that \(\pi \) is not a valid proof of s.

Security. The continuous non-malleability of KDFs is defined w.r.t. a transformation class \(\varPhi \), which states that no PPT adversary can distinguish a real derived key \(r \leftarrow \mathsf {Derive}(s^*, \pi ^*)\) from a random one, even if it can continuously query a key derivation oracle \(\mathcal {O}_\mathsf {derive}^\varPhi (\cdot , \cdot )\), which on input \(\phi \in \varPhi \) and \(\pi \in \varPi \), returns a special symbol \(\mathsf {same}^*\) if , or \(\mathsf {Derive}(\phi (s^*), \pi )\) otherwise.

Construction. Let \(\text {LF} = (\mathsf {Gen}, \mathsf {Eval}, \mathsf {LTag})\) be a collection of one-time lossy filters [46] with domain S, range Y, and tag space \(T = \{0,1\}^* \times T_c\). Let \(\text {OTS} = (\mathsf {Gen}, \mathsf {Sign}, \mathsf {Vefy})\) be a strongly one-time signature. Let \(\mathcal {H}\) be a family of pairwise independent functions from S to \(\{0,1\}^m\). The construction is as below.

  • \(\text {KDF}.\mathsf {Setup}(\lambda )\): run \((ek, td) \leftarrow \text {LF}.\mathsf {Gen}(\lambda )\), pick \(h \xleftarrow {\tiny R }\mathcal {H}\), output \(pp = (ek, h)\). Precisely, pp also includes the public parameters of \(\text {LF}\) and \(\text {OTS}\).

  • \(\text {KDF}.\mathsf {Sample}(pp)\): run \((vk, sk) \leftarrow \text {OTS}.\mathsf {Gen}(\lambda )\), pick \(t_c \xleftarrow {\tiny R }T_c\), \(s \xleftarrow {\tiny R }S\); compute \(y \leftarrow \text {LF}.\mathsf {Eval}(ek, (vk, t_c), s)\) and \(\sigma \leftarrow \text {OTS}.\mathsf {Sign}(sk, t_c||y)\), then set \(t = (vk, t_c, y, \sigma )\), and finally output (st).

  • \(\text {KDF}.\mathsf {Derive}(s, t)\): parse \(t = (vk, t_c, y, \sigma )\), if \(\text {LF}.\mathsf {Eval}(ek, (vk, t_c), s) = y\) and \(\text {OTS}.\mathsf {Vefy}(vk, t_c||y, \sigma ) = 1\) hold simultaneously, output h(s), else output \(\bot \).

Qin et al.’s construction requires one-time lossy filter, one-time signature, and pairwise-independent functions as ingredients. Though ingenious, their construction is somewhat complicated and expensive. Its public parameters consist of those of three ingredients as well as an evaluation key; to compute a tag for a random key, its sampling procedure has to generate a fresh one-time signature key pair, pick a random tag, evaluate a function and also compute a signature; to derive a random key, its key derivation procedure has to verify a signature and a function value before deriving. Compared to standard KDFs, these do add noticeable storage and computation overhead, which could be critical in resource-constrained scenarios, e.g., embedded systems and low-end smart card.

More Accurate Naming. In standard KDFs, there is no the concept of “public key”, and the key derivation algorithm never fails. In contrast, in the KDFs introduced by Qin et al. [47], each key s is accompanied with an auxiliary “public key” \(\pi \), and the key derivation algorithm reports failure by outputting \(\bot \) if \(\pi \) does not match s. Thus, it is preferable to use the name authenticated KDFs to highlight this functional difference. In addition, \(\pi \) is interpreted as a proof of knowledge of s in [47] . However, in the context of KDFs, the key s is not necessarily belong to any \(\mathcal {NP}\) language. In this regard, it is more appropriate to simply view \(\pi \) as a tag of s, which we will denote by t.

We then reconsider its security notion. The continuous non-malleable notion considered in [47] is potentially weak in that key derivation queries of the form \(\langle \phi , \pi ^* \rangle \) with \(\phi (s^*) = s^*\) are implicitly rejected by returning \(\mathsf {same}^*\). As a consequence, this notion cannot guarantee the resilience against non-trivial copy attacks for its enabling RKA-secure schemes. Besides, non-malleability is conventionally used to capture the inability to maul the value of a cryptographic primitive in a controlled way, whereas RKA security ensures that a cryptographic primitive remains secure even an adversary may adaptively learn functions of a sequence of related keys. In light of this distinction, their “continuous non-malleability” is actually a form of related-key security and we use the term “RKA-secure authenticated KDFs” instead of continuous non-malleable KDFs in the rest of this work.

8.2 RKA-secure Authenticated KDFs

Based on the above discussions, we are motivated to enhance the security notion and propose a simple yet efficient construction for RKA-secure authenticated KDFs (AKDFs) w.r.t. general RKDT class. For completeness, we first present authenticated KDFs with the refined terminology and enhanced security notions.

Definition 7

(Authenticated KDFs). Authenticated KDFs are given by three polynomial time algorithms as follows:

  • \(\mathsf {Setup}(\lambda )\): on input \(\lambda \), output system parameters pp, which define the derivation key space S, the tag space T, and the derived key space \(\{0,1\}^m\).

  • \(\mathsf {Sample}(pp)\): on input pp, pick a random key \(s \xleftarrow {\tiny R }S\) computes it associated tag \(t \in T\), output (st).

  • \(\mathsf {Derive}(s, t)\): on input a key \(s \in S\) and a tag \(t \in T\), output a derived key \(r \in \{0,1\}^m\) or a rejecting symbol \(\bot \) indicating that t is not a valid tag of s.

Definition 8

(RKA-Security). AKDFs are said to be \(\varPhi \)-RKA-secure w.r.t. RKDT class \(\varPhi \) if for any PPT adversary \(\mathcal {A}\) its advantage \(\mathsf {Adv}_{\mathcal {A},{\text {AKDF}}}^\mathrm{{rka}}\) defined in the following experiment is negligible in \(\lambda \).

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A},{\text {AKDF}}}^\mathrm{{rka}}(\lambda ) = \Pr \left[ b'=b:~ \begin{array}{ll} &{} pp \leftarrow \mathsf {Setup}(\lambda );\\ &{} (s^*, t^*) \leftarrow \mathsf {Sample}(pp);\\ &{} r_0^* \leftarrow \mathsf {Derive}(s^*, t^*), r_1^* \xleftarrow {\tiny R }\{0,1\}^m; \\ &{} b \xleftarrow {\tiny R }\{0,1\};\\ &{} b' \leftarrow \mathcal {A}^{\mathcal {O}_\mathsf {derive}^\varPhi (\cdot , \cdot )}(pp, t^*, r_b^*); \end{array} \right] - \frac{1}{2}. \end{aligned}$$

Here \(\mathcal {O}_\mathsf {derive}^\varPhi (\phi , \pi )\) on input \(\phi \in \varPhi \) and \(t \in T\), returns a special symbol \(\mathsf {same}^*\) only if , and returns \(\mathsf {Derive}(\phi (s^*), t)\) otherwise.

Our RKA security notion is strong in the sense that only trivial query (underlined as above) is not allowed. By Qin et al.’s result [47], one can use RKA-secure AKDFs to transform a cryptographic primitive to a RKA-secure one in a modular way, as long as the key generation algorithm of the primitive takes uniform random coins to generate (public/secret) keys. Notably, this transform naturally transfers our strong RKA security of AKDFs to the resulting RKA-secure primitives.

8.3 RKA-secure AKDFs from Non-Malleable Functions

Before presenting our construction, we first sketch the high-level idea, which we think may be useful in other places. The main technical hurdle in constructing RKA-secure AKDFs is to answer related key derivation queries without knowing the secret key \(s^*\). As we recalled in Sect. 7, a common approach addressing this hurdle is exploiting key-malleable like property to simulate RKA oracle based on the standard oracle of the starting primitive. However, this approach does not fit for our purpose. On one hand, efficient construction of the starting primitive namely AKDFs is yet unknown to us. On the other hand, key-malleable like property (if exists) is usually tied to some specific algebraic structure and thus cannot yield RKA-security w.r.t. general RKDT class. Here we take a complementary approach, that is, acquiring RKA security from non-malleability. Instead of trying to answer RKA queries, we aim to reject all RKA queries. We do so by stipulating that even after seeing a valid tag \(t^*\) of \(s^*\), no PPT adversary is able to generate a legal related key derivation query \((\phi , \pi )\) (here legal means t is a valid tag of \(\phi (s^*)\)). In this way, the reduction can handle all related key derivation queries without knowing \(s^*\), by simply returning \(\bot \).

With this strategy, an incredibly simple construction of RKA-secure AKDFs comes out by twisting NMFs. Let \(\mathcal {F}\) be a family of poly-to-one NMFs. The \(\mathsf {Setup}\) algorithm randomly picks f from \(\mathcal {F}\). Let h be a hardcore function of f. To generate a tag for a random key, one simply computes \(t \leftarrow f(s)\). Intuitively, t serves as a deterministic non-malleable tag of s. To get a derived key from (st), one first checks if \(f(s) = t\) and then outputs \(r \leftarrow h(s)\) if so. On a high (and not entirely precise) level, due to the non-malleability of the underlying NMFs, all related-key derivation queries can be safely rejected, and thus the pseudorandomness of the derived key can be reduced to the one-wayness of f. A subtlety here is that, in addition to \(t^*\), the adversary can obtain some auxiliary information about \(s^*\), namely, the real or random derived key. In this regard, hinted non-malleability is required for \(\mathcal {F}\). We present our generic construction and formal security proof in details as below.

Our Construction. Let \(\mathcal {F} = (\mathsf {Gen}, \mathsf {Samp}, \mathsf {Eval})\) be a family of \(\varPhi \)-non-malleable poly-to-one functions and \(\mathcal {H}\) be its hardcore that maps D to \(\{0,1\}^{m}\). We show how to build \(\varPhi '\)-RKA-secure AKDFs from it, where \(\varPhi ' = \varPhi \cup \mathsf {id} \cup \mathsf {cf}\).Footnote 14

  • \(\text {AKDF}.\mathsf {Setup}(\lambda )\): run \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), \(h \leftarrow \mathcal {H}.\mathsf {Gen}(\lambda , f)\), output \(pp = (f, h)\).

  • \(\text {AKDF}.\mathsf {Sample}(pp)\): sample \(s \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), compute \(t \leftarrow f(s)\), output (st).

  • \(\text {AKDF}.\mathsf {Derive}(s, t)\): if \(t \ne f(s)\), output \(\bot \); otherwise output \(r \leftarrow h(s)\).

The RKA security of the above construction follows from the theorem below.

Theorem 1

The above construction of AKDFs is \(\varPhi '\)-RKA-secure if \(\mathcal {F}\) is \(\varPhi \)-non-malleable and poly-to-one, where \(\varPhi ' = \varPhi \cup \mathsf {id} \cup \mathsf {cf}\).


We prove this theorem via a sequence of games. Let \(S_i\) be the event that \(\mathcal {A}\) wins in Game i.

Game 0 (The real experiment): \(\mathcal {CH}\) interacts with \(\mathcal {A}\) as follows:

  1. 1.

    \(\mathcal {CH}\) picks \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), \(h \leftarrow \mathcal {H}.\mathsf {Gen}(\lambda , f)\), sets \(pp = (f,h)\); picks \(s^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), computes \(t^* \leftarrow f(s^*)\), \(r_0^* \leftarrow h(s^*)\), \(r_1^* \xleftarrow {\tiny R }\{0,1\}^m\). Finally, \(\mathcal {CH}\) picks \(b \xleftarrow {\tiny R }\{0,1\}\), sends \((pp, t^*, r_b^*)\) to \(\mathcal {A}\) as the challenge.

  2. 2.

    Upon receiving a RKA key derivation query \(\langle \phi , t \rangle \) from \(\mathcal {A}\), if \(\langle \phi , t \rangle = \langle \mathsf {id}, t^* \rangle \), \(\mathcal {CH}\) returns \(\mathsf {same}^*\); else \(\mathcal {CH}\) returns \(h(\phi (s^*))\) if \(\phi (s^*)=t\) or \(\bot \) otherwise.

  3. 3.

    \(\mathcal {A}\) outputs a guess \(b'\) for b and wins if \(b'=b\).

According to the definition of \(\mathcal {A}\), we have:

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A},{\text {AKDF}}}^{\text {rka}}(\lambda ) = |\Pr [S_0] - 1/2|. \end{aligned}$$

Game 1 (Handling trivial queries without \(s^*\)): The same as Game 0 except that in step 2 \(\mathcal {CH}\) handles trivial queries \(\langle \phi , t \rangle \) without \(s^*\). Here the term “trivial” means \(\phi \in \mathsf {id} \cup \mathsf {cf}\). We break trivial queries into three cases:

  • \(\phi = \mathsf {id}\) and \(t = t^*\): return \(\mathsf {same}^*\) indicating that the query is illegal.

  • \(\phi = \mathsf {id}\) and \(t \ne t^*\): return \(\bot \) indicating that the query is invalid. This is because f is a deterministic function and hence each s has an unique tag.

  • \(\phi \in \mathsf {cf}\) and all t: suppose \(\phi \) is a constant transform that maps all its inputs to a constant c, return h(c) if \(f(c) = t\) and \(\bot \) otherwise.

These modifications are purely conceptual and hence

$$\begin{aligned} \Pr [S_1] = \Pr [S_0]. \end{aligned}$$

Game 2 (Handling all queries without \(s^*\)): The same as Game 1 except \(\mathcal {CH}\) directly returns \(\bot \) for all non-trivial queries \(\langle \phi , t \rangle \). Here the term “non-trivial” means \(\phi \in \varPhi \). Let E be the event that \(\mathcal {A}\) issues a non-trivial query \(\langle \phi , t \rangle \) such that \(t = f(\phi (s^*))\). According to the definitions of Game 1 and Game 2, if this event happens, \(\mathcal {CH}\) returns \(\bot \) in Game 2, but not in Game 1. It is easy to see that unless event E occurs, Game 1 and Game 2 are identical from the view of the adversary. By the difference lemma, it follows that:

$$\begin{aligned} |\Pr [S_2] - \Pr [S_1]| \le \Pr [E]. \end{aligned}$$

We now state and prove two claims that establish the main theorem.

Lemma 9

\(\Pr [E]\) is negligible in \(\lambda \) assuming the \(\varPhi \)-non-malleability of \(\mathcal {F}\).

What we need to show is that, after seeing \(t^*\) and the auxiliary information \(r_b^*\) about \(s^*\), no PPT adversary is able to output a valid non-trivial RKA query \(\langle \phi , t \rangle \) such that \(\phi (s^*) = t\). Therefore, hint-free non-malleability is inadequate and hinted non-malleability is needed. Notice that here the auxiliary information \(r_b^*\) is exactly \(\mathsf {hint}(s^*; b)\), where \(\mathsf {hint}\) is the special hint function defined in Eq. (1). As we have shown Sect. 6, hinted non-malleability w.r.t. this hint function is implied by hint-free non-malleability.


Suppose \(\mathcal {B}\) is an adversary against hinted \(\varPhi \)-non-malleability of \(\mathcal {F}\) w.r.t. the hint function defined in Equation (1). Given \((f, y^*, \mathsf {hint}(x^*;b))\), where \(f \leftarrow \mathcal {F}.\mathsf {Gen}(\lambda )\), \(y^* \leftarrow f(x^*)\) for \(x^* \leftarrow \mathcal {F}.\mathsf {Samp}(\lambda )\), and \(b \xleftarrow {\tiny R }\{0,1\}\). \(\mathcal {B}\) simulates \(\mathcal {A}\)’s challenger in Game 2 as below: set \(pp = (f, h)\),Footnote 15 \(t^* = y^*\), \(r_b^* \leftarrow \mathsf {hint}(x^*;b)\), then send \((pp, t^*, r_b^*)\) to \(\mathcal {A}\). Here \(s^*\) is implicitly set to be \(x^*\), which is unknown to \(\mathcal {B}\). This is not a problem since according to the definition of Game 2, \(\mathcal {B}\) is able to handle all RKA queries correctly without \(s^*\). Let L be the list of all non-trivial queries issued by \(\mathcal {A}\). Since \(\mathcal {A}\) is a PPT adversary, we have \(|L| \le \mathsf {poly}(\lambda )\). At the end of the simulation, \(\mathcal {B}\) picks a random tuple \((\phi , t)\) from the L list as its answer against hinted \(\varPhi \)-non-malleability. Conditioned on E happens, \(\mathcal {B}\) succeeds with probability at least \(1/\mathsf {poly}(\lambda )\). Therefore, if \(\Pr [E]\) is non-negligible, \(\mathcal {B}\)’s advantage is at least \(\Pr [E]/\mathsf {poly}(\lambda )\), which is also non-negligible. This breaks the hinted \(\varPhi \)-non-malleability of \(\mathcal {F}\), which in turn contradicts the assumed hint-free \(\varPhi \)-non-malleability of \(\mathcal {F}\) in this case. The lemma immediately follows.    \(\square \)

Lemma 10

\(|\Pr [S_2] - 1/2| = \mathsf {negl}(\lambda )\) assuming the \(\varPhi \)-non-malleability of \(\mathcal {F}\).


Since \(\mathcal {F}\) is poly-to-one, according to Lemma 1 \(\varPhi \)-non-malleability implies one-wayness, and further implies pseudorandomness of its hardcore \(\mathcal {H}\). Thereby, it suffices to prove \(|\Pr [S_2] - 1/2| = \mathsf {negl}(\lambda )\) assuming the pseudorandomness of \(\mathcal {H}\). Suppose \(\mathcal {B}\) is an adversary against pseudorandomness of hardcore \(\mathcal {H}\) associated with \(\mathcal {F}\). Given \((f, h, y^*, r_b^*)\), where \(y^* \leftarrow f(x^*)\) for \(x^* \xleftarrow {\tiny R }D\) and \(r_b^*\) is either \(h(x^*)\) when \(b = 0\) or a random string from \(\{0,1\}^m\) when \(b=1\), \(\mathcal {B}\) simulates \(\mathcal {A}\)’s challenger in Game 2 as follows: set \(pp = (f, h)\), \(t^* = y^*\), send \((pp, t^*, r_b^*)\) to \(\mathcal {A}\). According to the definition of Game 2, \(\mathcal {B}\) can handle all the queries without the knowledge of \(s^* = x^*\). At the end of the game, \(\mathcal {B}\) simply forwards \(\mathcal {A}\)’s output as its guess. It is easy to see that if \(\mathcal {A}\) succeeds, so does \(\mathcal {B}\). Therefore, we have \(\mathsf {Adv}_{\mathcal {B},\mathcal {H}}^{\text {rand}}(\lambda ) \ge |\Pr [S_2] - 1/2|\). By the hypothesis that \(\mathcal {H}\) is pseudorandom, we have \(|\Pr [S_2] - 1/2| = \mathsf {negl}(\lambda )\). This proves the lemma.    \(\square \)

Putting it all together, the theorem immediately follows.    \(\square \)

By instantiating our generic construction with poly-to-one NMFs w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\) (which in turn can be constructed from ATDFs), we obtain RKA-secure AKDFs w.r.t. \(\varPhi _{\text {brs}}^{\text {srs}}\cup \mathsf {id} \cup \mathsf {cf}\).

Comparison to Qin et al.’s Construction. While both our construction and Qin et al.’s construction are generic, it is still instructive to make a rough comparison. For efficiency, our construction is built solely from deterministic NMFs, so its public parameters consist of merely the descriptions of a NMF f and a hardcore function h; and its tag generation and authentication procedures are both deterministic. In contrast, Qin et al.’s construction is built from three different cryptographic primitives, and thus its public parameters size is large and its tag generation procedure is randomized. In this regard, our construction has potential advantages over Qin et al.’s construction in terms of small footprint of cryptographic code, compact public parameters size, short tag size, as well as quick tag generation and authentication. For security, our construction is RKA-secure in the strong sense w.r.t. a general RKDT class with a direct and modular proof, whereas Qin et al.’s construction is RKA-secure w.r.t. specific RKDT class [30] with a bit involved proof.

8.4 Optimizations

Relaxation on NMFs. We observe that in the above construction, NMFs can be relaxed to non-malleable verifiable relations (NMVRs). In NMVRs, instead of requiring f to be efficiently computable, we only require that the distribution (xf(x)) for a random x is efficiently sampleable and the correctness of sampling is publicly verifiable.Footnote 16 It is easy to see that NMVRs are implied by adaptive trapdoor relations (ATDRs) [50] with publicly verifiability. As shown in [52], publicly verifiable ATDRs can be constructed from all-but-one verifiable lossy trapdoor relations, which permit efficient realizations from a variety of standard assumptions. Combining this result with our observation above, we are able to give more efficient constructions of RKA-secure AKDFs.

Stronger RKA Security. In the above RKA security notion for AKDFs, the adversary is only given access to a RKA oracle. In practice, it may also collect some tags and learn the corresponding derivation keys. To defend against such powerful adversaries, it is necessary to make the RKA security stronger by giving the adversary access to a reveal oracle \(\mathcal {O}_\mathsf {reveal}\) that on input a tag t outputs a corresponding key s.Footnote 17 AKDFs satisfying such strong RKA notion can be constructed from adaptive NMFs, which in turn can be constructed from ATDFs. This not only justifies the utility of the adaptive non-malleability notion, but also supports the view of Kiltz et al. [38] that “ATDFs may be useful in the general context of black-box constructions of cryptographic primitives secure against adaptive attacks.”

Increasing the Length of Derivation Key. We can always instantiate h via the Goldreich-Levin hardcore predicate [34]. Nevertheless, such general instantiation yields only one-bit derived key. We may also obtain a hardcore function with linearly-many hardcore bits either by iteration when \(\mathcal {F}\) is a family of one-way permutations or relying on stronger decisional assumptions. A recent work [13] provides us an appealing hardcore function with poly-many hardcore bits from any one-way functions, assuming the existence of differing-inputs/indistinguishability obfuscation. In applications of RKA-secure AKDFs where the length of the derived key is of great importance, one can further stretch it by applying a normal pseudorandom generator.

9 Conclusion

We formally study non-malleable functions with simplified syntax and strong game-based security definition. We establish connections between (adaptive) non-malleability and (adaptive) one-wayness, by exploiting our newly abstracted algebraic properties of transformation class. Notably, the implication AOW \(\Rightarrow \) ANM not only gives efficient construction of NMFs from adaptive trapdoor functions, but also provides insight in addressing non-trivial copy attacks in the RKA area. Using NMFs, we give a simple and efficient construction of RKA-secure authenticated KDFs.