Continuously Non-malleable Codes in the Split-State Model

Non-malleable codes (Dziembowski et al., ICS’10 and J. ACM’18) are a natural relaxation of error correcting/detecting codes with useful applications in cryptography. Informally, a code is non-malleable if an adversary trying to tamper with an encoding of a message can only leave it unchanged or modify it to the encoding of an unrelated value. This paper introduces continuous non-malleability, a generalization of standard non-malleability where the adversary is allowed to tamper continuously with the same encoding. This is in contrast to the standard definition of non-malleable codes, where the adversary can only tamper a single time. The only restriction is that after the first invalid codeword is ever generated, a special self-destruct mechanism is triggered and no further tampering is allowed; this restriction can easily be shown to be necessary. We focus on the split-state model, where an encoding consists of two parts and the tampering functions can be arbitrary as long as they act independently on each part. Our main contributions are outlined below. We show that continuous non-malleability in the split-state model is impossible without relying on computational assumptions. We construct a computationally secure split-state code satisfying continuous non-malleability in the common reference string (CRS) model. Our scheme can be instantiated assuming the existence of collision-resistant hash functions and (doubly enhanced) trapdoor permutations, but we also give concrete instantiations based on standard number-theoretic assumptions. We revisit the application of non-malleable codes to protecting arbitrary cryptographic primitives against related-key attacks. Previous applications of non-malleable codes in this setting required perfect erasures and the adversary to be restricted in memory. We show that continuously non-malleable codes allow to avoid these restrictions. We show that continuous non-malleability in the split-state model is impossible without relying on computational assumptions. We construct a computationally secure split-state code satisfying continuous non-malleability in the common reference string (CRS) model. Our scheme can be instantiated assuming the existence of collision-resistant hash functions and (doubly enhanced) trapdoor permutations, but we also give concrete instantiations based on standard number-theoretic assumptions. We revisit the application of non-malleable codes to protecting arbitrary cryptographic primitives against related-key attacks. Previous applications of non-malleable codes in this setting required perfect erasures and the adversary to be restricted in memory. We show that continuously non-malleable codes allow to avoid these restrictions.


Introduction
Physical attacks targeting cryptographic implementations instead of breaking the blackbox security of the underlying algorithm are amongst the most severe threats for cryptographic systems. A particularly important attack on implementations is the so-called tampering attack, where the adversary changes the secret key to some related value and observes the effect of such changes at the output. Traditional black-box security notions do not incorporate adversaries that change the secret key to some related value; even worse, as shown in the celebrated work of Boneh et al. [22], already minor changes to the key suffice for complete security breaches. Unfortunately, tampering attacks are also rather easy to carry out: A virus corrupting a machine can gain partial control over the state, or an adversary that penetrates the cryptographic implementation with physical equipment may induce faults into keys stored in memory.
In recent years, a growing body of work (see [4,11,55,64,70,76,84]) developed new cryptographic techniques to tackle tampering attacks. Non-malleable codes introduced by Dziembowski, Pietrzak and Wichs [55,56] are an important approach to achieve this goal. Intuitively a code is non-malleable w.r.t. a family of tampering functions F if the message contained in a codeword modified via a function f ∈ F is either the original message, or a completely unrelated value. Non-malleable codes can be used to protect any cryptographic functionality against tampering with the memory. Instead of storing the key, we store its encoding and decode it each time the functionality wants to access the key. As long as the adversary can only apply tampering functions from the family F, the non-malleability property guarantees that the (possibly tampered) decoded value is not related to the original key.
The standard notion of non-malleability considers a one-shot game: the adversary is allowed to tamper a single time with the codeword, after which it obtains the decoded output. In this work we introduce continuously non-malleable codes, where non-malleability is guaranteed even if the adversary continuously applies functions from the family F to the same codeword. We show that our new security notion is not only a natural extension of the standard definition, but moreover allows to protect against tampering attacks in important settings where earlier constructions fall short to achieve security.

Continuous Non-malleability
A code consists of two polynomial-time algorithms = (Enc, Dec) satisfying the following correctness property: For all messages m ∈ M, it holds that Dec(Enc(m)) = m (with probability one over the randomness of the encoding). To define non-malleability for a function family F, consider the following experiment Tamper F A, (λ, b) with hidden bit b ∈ {0, 1} and featuring a (possibly unbounded) adversary A.
"boost" is achieved by re-encoding the secret state after each execution ofF. As one-time non-malleability suffices for the above cryptographic application, one may ask why we need continuously non-malleable codes. Besides being a natural generalization of the standard non-malleability notion, our new definition has several important advantages that we discuss in the next two paragraphs.
Tamper resilience without erasures The transformation described above necessarily requires that after each execution the entire content of the memory is erased. While such perfect erasures may be feasible in some settings, they are rather problematic in the presence of tampering. To illustrate this issue consider a setting where besides the encoding of a key, the memory also contains other non-encoded data. In the tampering setting, we cannot restrict the erasure to just the part that stores the encoding of the key as a tampering adversary may copy the encoding to some different part of the memory.
A simple solution to this problem is to erase the entire memory, but such an approach is not possible in most cases: for instance, think of the memory as being the hard-disk of your computer that besides the encoding of a key stores other important files that you don't want to be erased. Notice that this situation is quite different from the leakage setting, where we also require perfect erasures to achieve continuous leakage resilience.
In the leakage setting, however, the adversary cannot mess around with the state of the memory by, e.g., copying an encoding of a secret key to some free space, which makes erasures significantly easier to implement. One option to prevent the adversary from keeping permanent copies is to encode the entire state of the memory. Such an approach has, however, the following drawbacks.
• It is unnatural In many cases, secret data, e.g., a cryptographic key, are stored together with non-confidential data. Each time we want to read some small part of the memory, e.g., the key, we need to decode and re-encode the entire stateincluding also the non-confidential data. • It is inefficient Decoding and re-encoding the entire state of the memory for each access introduces additional overhead and would result in highly inefficient solutions. This gets even worse as most current constructions of non-malleable codes are rather inefficient.
The second issue may be solved employing locally decodable and updatable nonmalleable codes [42][43][44][45][46], which intuitively allow to access/update a portion of the message without reading/modifying the entire codeword. Using our new notion of continuously non-malleable codes we can avoid both issues in one go, and achieve continuous tamper resilience without using erasures or relying on inefficient solutions that encode the entire state.
Stateless tamper-resilient transformations To achieve tamper resistance from one-time non-malleability, we necessarily need to re-encode the state using fresh randomness. This not only reduces the efficiency of the proposed construction, but moreover makes the transformation stateful. Thanks to continuously non-malleable codes we get continuous security without the need to refresh the encoding after each usage. This is particularly useful when the underlying primitive that we want to protect is stateless itself (e.g., in the case of any standard block-cipher construction that typically keeps the same key).
Using continuously non-malleable codes, the tamper-resilient implementation of such stateless primitives does not need to keep any secret state. We discuss the protection of stateless primitives in further detail in Sect. 5.

Our Contribution
Our main contribution is the first construction of continuously non-malleable codes in the split-state model, first introduced in the leakage setting [50,54]. Various recent works study the split-state model for non-malleable codes [3,4,30,53,84] (see more details on related work in Sect. 1.3). In the split-state tampering model, the codeword consists of two halves c 0 and c 1 that are stored on two different parts of the memory. The adversary is assumed to tamper with both parts independently, but otherwise can apply any efficiently computable tampering function. That is, the adversary picks two polynomial-time computable functions f 0 and f 1 and replaces the codeword (c 0 , c 1 ) with ( f 0 (c 0 ), f 1 (c 1 )). Similar to the earlier work of Liu and Lysyanskaya [84], our construction assumes a public untamperable common reference string (CRS). Notice that this is a rather mild assumption, as the CRS can be hard-wired into the functionality and is independent of any secret data.
Continuous non-malleability of existing constructions The first construction of onetime split-state non-malleable codes (without random oracles) was given by Liu and Lysyanskaya [84]. At a high-level their construction encrypts the message m with a leakage-resilient encryption scheme, and generates a non-interactive zero-knowledge (NIZK) proof of knowledge showing that (i) the public/secret key of the PKE are valid, and (ii) the ciphertext is an encryption of m under the public key. Then, c 0 is set to the secret key while c 1 holds the corresponding public key, the ciphertext, and the NIZK proof. Unfortunately, it is rather easy to break the non-malleable code of Liu and Lysyanskaya in the continuous setting. Recall that our security notion of continuously non-malleable codes allows the adversary to interact in the following game. First, we sample an encoding (ĉ 0 ,ĉ 1 ) of m, and then we repeat the following process a polynomial number of times.
The main observation that enables the attack against the scheme of [84] is as follows: For a fixed (but adversarially chosen) part c 0 it is easy to come up with two corresponding parts c 1 and c 1 such that both (c 0 , c 1 ) and (c 0 , c 1 ) form a valid encoding (i.e., a codeword whose decoding does not yield ⊥). Suppose further that decoding (c 0 , c 1 ) yields a message m that is different from the message m obtained by decoding (c 0 , c 1 ). Then, under continuous tampering, the adversary may permanently replace the original encodingĉ 0 with c 0 , while depending on whether the i-th bit ofĉ 1 being 0 or 1 either replaceĉ 1 by c 1 or c 1 . This allows to recover the entireĉ 1 by just n tampering queries (where n is the size ofĉ 1 ). Onceĉ 1 is known to the adversary, it is easy 2 to tamper witĥ c 0 in a way that depends on the messagem corresponding to (ĉ 0 ,ĉ 1 ).
Somewhat surprisingly, our attack can be generalized to break any non-malleable code that is secure in the information-theoretic setting. Hence, also the recent breakthrough results on information theoretic non-malleability [3][4][5]53] fail to provide security under continuous attacks. Moreover, we emphasize that our attack does not only work for the code itself, but (in most cases) can be applied to the tamper-protection application of cryptographic functionalities.

Uniqueness
The attack above exploits that for a fixed known part c 0 it is easy to come up with two valid parts c 1 , c 1 . For the encoding of [84] this is indeed easy to achieve. If the secret key c 0 is known, it is easy to come up with two valid parts c 1 , c 1 : just encrypt two arbitrary messages m, m such that m = m , and generate the corresponding proofs. The above weakness motivates a new property that non-malleable codes shall satisfy in order to achieve continuous non-malleability. We call this property uniqueness, which informally guarantees that for any (adversarially chosen) valid encoding (c 0 , c 1 ) it be computationally hard to come up with c 1 = c 1 such that (c 0 , c 1 ) forms a valid encoding. 3 Clearly, the uniqueness property prevents the above described attack, and hence is a crucial requirement for continuous non-malleability in the split-state model.
A new construction In light of the above discussion, we need to build a non-malleable code that achieves our uniqueness property. Our construction uses as building blocks a leakage-resilient storage (LRS) scheme [50,52] for the split-state model (one may view this as a generalization of the leakage-resilient PKE used in [84]), a collision-resistant hash function, and (similar to [84]) an extractable NIZK. At a high-level we use the LRS to encode the secret message, hash the resulting shares using the hash function, and generate a NIZK proof of knowledge that indeed the resulting hash values are correctly computed from the shares. While it is easy to show that collision resistance of the hash function guarantees the uniqueness property, a careful analysis is required to prove continuous non-malleability. We refer the reader to Sect. 4.1 for the details of our construction, and to Sect. 4.2 for an outline of the proof.
Tamper resilience for stateless and stateful primitives We can use our new construction of continuously non-malleable codes to protect arbitrary computation against continuous tampering attacks. In contrast to earlier works, our construction does not need to reencode the secret state after each usage, which besides being more efficient avoids the use of erasures. As discussed above, erasures are problematic in the tampering setting as one would essentially need to encode the entire state (possibly including large nonconfidential data).
Additionally, our transformation does not need to keep any secret state. Hence, if our transformation is used to protect stateless primitives, then the resulting scheme remains stateless. This solves an open problem posed by Dziembowski, Pietrzak and Wichs [55,56]. Notice that while we do not need to keep any secret state, the transformed functionality requires one bit of state to activate the self-destruct mechanism. This bit can be public, but must be untamperable, and can, for instance, be implemented through a one-time writable memory. As shown in the work of Gennaro et al. [70], continuous tamper resilience is impossible to achieve without such a mechanism for self-destruction.
Of course, our construction can also be used for stateful primitives, in which case our functionality will re-encode the new state during execution. Note that in our setting, where data are never erased, an adversary can always reset the functionality to a previous valid state. To avoid this, our transformation uses an untamperable public counter 4 that helps us detecting whenever the attacker tries to reset the functionality to a previous state (in which case, a self-destruct is triggered). We notice that such an untamperable counter is necessary, as otherwise there is no way to protect against the above resetting attack. 5 Bounded leakage resilience As an additional contribution, we show that our code is also secure against bounded leakage attacks. This is similar to the works of [53,84] who also consider bounded leakage resilience of their encoding scheme. Furthermore, as we prove, bounded leakage resilience is also inherited by functionalities that are protected using our transformation.
Notice that without perfect erasures bounded leakage resilience is the best we can achieve, as there is no hope for security if an encoding that is produced at some point in time is gradually revealed to the adversary.

Related Work
Constructions of non-malleable codes Besides showing feasibility by a probabilistic argument, Dziembowski et al. [55,56] also built non-malleable codes for bit-wise tampering (later improved in [9,10,32,34,36]) and gave a construction in the split-state model using a random oracle. This result was followed by [33], which proposed nonmalleable codes that are secure against block-wise tampering. The first construction of non-malleable codes in the split-state model without random oracles was given by Liu and Lysyanskaya [84], in the computational setting, assuming an untamperable CRS. Several follow-up works focused on constructing split-state non-malleable codes in the information-theoretic setting [1,3,4,7,28,53].
Other works on tamper resilience A large body of work shows how to protect specific cryptographic schemes against tampering attacks (see [18,20,21,47,48,78,86] and many more). While these works consider a strong tampering model (e.g., they do not require the split-state assumption), they only offer security for specific schemes. In contrast non-malleable codes are generally applicable and can provide tamper resilience of any cryptographic scheme.
In all the above works, including ours, it is assumed that the circuitry that computes the cryptographic algorithm using the potentially tampered key runs correctly, and is not subject to tampering attacks. An important line of works analyze to what extent we can guarantee security when even the circuitry is prone to tampering attacks [39,40,66,69,76,83]. These works typically consider a restricted class of tampering attacks (e.g., individual bit tampering) and assume that large parts of the circuit (and memory) remain untampered.
Subsequent work A preliminary version of this paper appeared as [62]. Subsequent work showed that our impossibility result on information-theoretic continuous nonmalleability can be circumvented in weaker tampering models, such as bit-wise tampering [34][35][36], high-min-entropy and few-fixed points tampering [77], 8-split-state tampering [6], permutations and overwrites [49], and space-bounded tampering [29,61], or by assuming that the number of tampering queries is a priori fixed [26] and that tampering is persistent [8].
Continuously non-malleable codes have also been used to protect Random Access Machines against tampering attacks with the memory and the computation [63], and to obtain domain extension for non-malleable public-key encryption [34,36,49].
A recent work by Dachman-Soled and Kulkarni [41] shows that the strong flavor of continuous non-malleability in the split-state model considered in this paper (sometimes known as super non-malleability [64,65]) is impossible to achieve in the plain model (i.e., without assuming an untamperable CRS). On the other hand, Ostrovsky et al. [85] proved that continuous weak non-malleability in the split-state model (i.e., the standard flavor of non-malleability in which the attacker only learns the output of the decoding corresponding to each tampered codeword) is possible in the plain model (assuming oneto-one one-way functions). Faonio and Venturi [58,59] further consider continuously non-malleable split-state codes with a special refreshing procedure allowing to update codewords.
Finally, the concept of continuous non-malleability has also been recently studied in the more general setting of non-malleable secret sharing [23,60,71].

Notation
For a string x, we denote its length by |x|; if X is a set, |X | represents the number of elements in X . When x is chosen randomly in X , we write x ←$ X . When A is a randomized algorithm, we write y ←$ A(x) to denote a run of A on input x (and implicit random coins r ) and output y; the value y is a random variable, and A(x; r ) denotes a run of A on input x and randomness r . A randomized algorithm A is probabilistic polynomialtime (PPT) if for any input x, r ∈ {0, 1} * the computation of A(x; r ) terminates in a polynomial number of steps (in the size of the input). For a PPT algorithm A, we denote by A its description using poly-many bits.
Unless stated otherwise, throughout the paper, we implicitly assume that the security parameter is given as input (in unary) to all algorithms.
Random variables For a random variable X, we write P [X = x] for the probability that X takes on a particular value x ∈ X (with X being the set where X is defined). Given to denote that X and Y are statistically (resp. computationally) close, i.e., for all unbounded (resp. PPT) distinguishers D: If the above distance is zero, we say that X and Y are identically distributed, denoted X ≡ Y.
We extend the notion of computational indistinguishability to the case of interactive experiments (a.k.a. games) featuring an adversary A. In particular, let G A (λ) be the random variable corresponding to the output of A at the end of the experiment, where A outputs a decision bit. Given two experiments G A (λ, 0) and G A (λ, 1), we write The above naturally generalizes to statistical distance (in case of unbounded adversaries).

Collision-Resistant Hashing
A family of hash functions := (Gen, Hash) is a pair of efficient algorithms specified as follows: (i) The randomized algorithm Gen takes as input the security parameter and outputs a hash-key hk. (ii) The deterministic algorithm Hash takes as input the hash-key hk and a value x ∈ {0, 1} * , and outputs a value y ∈ {0, 1} λ .
We define two properties of a non-interactive argument system. The first property says that honestly computed arguments do not reveal anything beyond the fact that x ∈ L. Definition 2. (Adaptive multi-theorem zero-knowledge) A non-interactive argument system for a relation R satisfies adaptive multi-theorem zero-knowledge if there exists a PPT simulator S := (S 0 , S 1 ) such that the following holds: (i) S 0 outputs ω, a simulation trapdoor ζ and an extraction trapdoor ξ .
Groth [73] introduced the concept of simulation extractability, which informally states that knowledge soundness should hold even if the adversary can see simulated arguments for possibly false statements of its choice. For our purpose, it will suffice to consider the weaker notion of true-simulation extractability, as defined by Dodis et al. [51].

Definition 3. (True-simulation extractability) Let
be a non-interactive argument system for a relation R, that satisfies adaptive multi-theorem zero-knowledge w.r.t. a simulator S := (S 0 , S 1 ). We say that is true-simulation extractable (tSE) if there exists a PPT algorithm K such that for all PPT adversaries A, it holds that is negligible in λ, where the oracle O sim (ζ, ·, (·, ·)) takes as input a tuple (φ, (x, w)) and returns S 1 (ζ, φ, x) iff (x, w) ∈ R (and otherwise it returns ⊥), and the list Q contains all pairs (φ, x) queried by A to its oracle, along with the corresponding answer π .
Note that the above definition allows the attacker to win using a pair label/statement (φ * , x * ) for which it already obtained a simulated argument, as long as the value π * is different from the argument π obtained from the oracle. This flavor is sometimes known as strong tSE, and it can be obtained generically from non-strong tSE (i.e., the attacker needs to win using a fresh pair (φ * , x * )) using any strongly unforgeable one-time signature scheme [51].
Security of LRS demands that, for any choice of messages m 0 , m 1 ∈ {0, 1} k , it be hard for an attacker to distinguish bounded, independent, leakage from a target encoding of either m 0 or m 1 . Below, we state such a property in the information-theoretic setting, as this flavor is met by known constructions. In what follows, for a leakage parameter ∈ N, let O leak (s, ·) be a stateful oracle taking as input functions g : {0, 1} n → {0, 1} * , and returning g(s) for a maximum of at most bits.

Definition 4. (Leakage-resilient storage) We call (LREnc, LRDec) an -leakageresilient storage ( -LRS for short) if it holds that
where for A := (A 0 , A 1 ) and b ∈ {0, 1} we set: For our construction, we will need a slight variant of the above definition where at the end of the game the attacker is further allowed to obtain one of the two shares in full. Following [2], we refer to this variant as augmented LRS.
where for A = (A 0 , A 1 , A 2 ) and b ∈ {0, 1} we set: The lemma below 6 shows the equivalence between Definitions 5 and 4 up to a loss of a single bit in the leakage parameter.
Proof. We prove the lemma by contradiction. Assume that there exists some adver- able to distinguish with non-negligible probability between Leak + ,A + (λ, 0, σ ) and Leak + ,A + (λ, 1, σ ) for some fixed σ ∈ {0, 1} and using − 1 bits of leakage. We construct another adversary A = (A 0 , A 1 ) which can distinguish between Leak ,A (λ, 0) and Leak ,A (λ, 1) with the same distinguishing advantage, using bits of leakage. A description of A follows: Adversary A : by simply forwarding its leakage queries to its own target left/right leakage oracle.
• Denote by α 2 the output of A + 1 , and letĝ A + 2 ,α 2 σ be the leakage function that hard-wires (a description of) A + 2 and the auxiliary information α 2 , and upon input s σ returns the same as A + 2 (1 λ , α 2 , s σ ).
to the leakage oracle O leak (s σ , ·) obtaining a bit b , and finally outputs b as its guess.
It is clear that A leaks at most − 1 + 1 = bits. Moreover, A perfectly simulates the view of A + , and thus, it retains the same advantage. This finishes the proof.

Continuous Non-Malleability
In this section, we formalize the notion of continuous non-malleability against splitstate tampering in the common reference string (CRS) model. To that end, we start by describing the syntax of split-state codes in the CRS model.
Formally, a split-state code in the CRS model is a tuple of algorithms = (Init, Enc, Dec) specified as follows: (i) The randomized algorithm Init takes as input the security parameter and outputs a CRS ω ←$ Init(1 λ ). (ii) The randomized encoding algorithm Enc takes as input some message m ∈ {0, 1} k and the CRS, and outputs a codeword consisting of two parts c := (c 0 , c 1 ) ∈ {0, 1} 2n where c 0 , c 1 ∈ {0, 1} n . (iii) The deterministic algorithm Dec takes as input a codeword (c 0 , c 1 ) ∈ {0, 1} 2n and the CRS, and outputs either a message m ∈ {0, 1} k or a special symbol ⊥.
As usual, we say that is correct if for all λ ∈ N, for all ω ∈ Init(1 λ ), and for all m ∈ {0, 1} k , it holds that Dec(ω, Enc(ω, m)) = m (with probability 1 over the randomness of Enc).

The Definition
Intuitively, non-malleability captures a setting where an adversary A tampers a single time with a target encoding c := (c 0 , c 1 ) of some message m. The tampering attack is arbitrary, as long as it modifies the two parts c 0 and c 1 of the target codeword c independently, i.e., the attacker can choose any tampering function f : , and different flavors of non-malleability are possible depending on what information the attacker obtains about the decoding ofc: • Weak non-malleability In this case the attacker obtains the decoded messagem ∈ {0, 1} k ∪ {⊥} corresponding toc, unlessm = m (in which case the adversary gets a special "same" symbol ); • Strong non-malleability In this case the attacker obtains the decoded messagẽ m ∈ {0, 1} k ∪ {⊥} corresponding toc, unlessc = c (in which case the adversary gets a special "same" symbol ); • Super non-malleability In this case the attacker obtainsc, unlessc is invalid (in which case the adversary gets ⊥), orc = c (in which case the adversary gets a special "same" symbol ).
Super non-malleability is the strongest flavor, as it implies that not even the mauled codeword reveals information about the underlying message (as long as it is valid and different from the original codeword). Similarly, one can see that strong non-malleability is strictly stronger than weak non-malleability. For the rest of this paper, whenever we write "non-malleability" (without specifying the flavor weak/strong/super) we implicitly mean "super non-malleability". Continuous non-malleability generalizes the above setting to the case where the attacker tampers adaptively with the same target codeword c, and for each attempt obtains some information about the decoding of the modified codewordc (as above). The only restriction is that whenever a tampering attempt yields an invalid codeword, the system "self-destructs". Toward defining continuous non-malleability, consider the following oracle O maul ((c 0 , c 1 ), ·), which is parameterized by a codeword (c 0 , c 1 ) and takes as input If Dec(ω, (c 0 ,c 1 )) = ⊥, return ⊥ and "self-destruct" Else return (c 0 ,c 1 ).
By "self-destruct" we mean that once Dec(ω, (c 0 ,c 1 )) outputs ⊥, the oracle will answer ⊥ to any further query. We are now ready to define (leakage-resilient) continuous nonmalleability.

Definition 6.
(Continuous non-malleability) Let = (Init, Enc, Dec) be a split-state code in the CRS model. We say that is -leakage-resilient continuously super-nonmalleable ( -CNMLR for short), if it holds that where for A := (A 0 , A 1 ) and b ∈ {0, 1} we set:

Codewords Uniqueness
As we argue below, constructions that satisfy our new Definition 6 have to meet the following requirement: For any (possibly adversarially chosen) side of an encoding c 0 it is computationally hard to find two corresponding sides c 1 and c 1 such that both (c 0 , c 1 ) and (c 0 , c 1 ) form a valid encoding; moreover, a similar property holds if we fix the right side c 1 of a codeword.

Definition 7.
(Codewords uniqueness) Let = (Init, Enc, Dec) be a split-state code in the CRS model. We say that satisfies codewords uniqueness if for all PPT adversaries A we have: The following attack shows that codewords uniqueness is necessary to achieve Definition 6.
Proof. For the sake of contradiction, assume that there exists a PPT attacker A that outputs a triple (c 0 , c 1 , c 1 ) violating uniqueness of , i.e., such that (c 0 , c 1 ) and (c 0 , c 1 ) are both valid, with c 1 = c 1 . We show how to construct a PPT attacker A := (A 0 , A 1 ) breaking continuous non-malleability of . Attacker A 0 , given the CRS, outputs any two messages m 0 , m 1 ∈ {0, 1} k which differ, say, in the first bit; denote by (ĉ 0 ,ĉ 1 ) the target codeword corresponding to m b in the experiment Tamper ,A (λ, b). Attacker A 1 runs A , and then queries the tampering oracle O maul ((ĉ 0 ,ĉ 1 ), ·) with a sequence of n ∈ poly(λ) tampering queries, where the i-th query ( 1 reads the i-th bitĉ 1 [i] ofĉ 1 ; in caseĉ[i] = 0 it overwritesĉ 1 with c 1 , and else it overwritesĉ 1 with c 1 .
The above clearly allows to learn the first bit of the message in the target encoding, and hence contradicts the fact that is continuously non-malleable.
Attacking existing schemes The attack of Lemma 1 can be used to show that the code of [84] does not satisfy continuous non-malleability as per our definition. Recall that in [84] a message m is encoded as c 0 = (pk, γ := Encrypt(pk, m), π ) and c 1 = sk. Here, (pk, sk) is a valid public/secret key pair and π is an argument of knowledge of (m, sk) such that γ decrypts to m under sk and (pk, sk) is well formed. Clearly, for any fixed c 1 = sk it is easy to find two corresponding parts c 0 = c 0 such that both (c 0 , c 1 ) and (c 0 , c 1 ) are valid. 8 Let us mention two important extensions of the above attack, leading to even stronger security breaches.
1. In case the pair of valid codewords (c 0 , c 1 ), (c 0 , c 1 ) violating the uniqueness property are such that Dec(ω, (c 0 , c 1 )) = Dec(ω, (c 0 , c 1 )), one can show that Lemma 1 even rules out continuous weak non-malleability. 9 The latter flavor of uniqueness is sometimes referred to as message uniqueness [60,85]. 2. In case it is possible to find both (c 0 , c 1 , c 1 ) and (c 0 , c 0 , c 1 ) violating uniqueness, a simple variant of the attack from Lemma 1 allows to recover both halves of the target encoding, which is a total breach of security. However, it is not clear how to do that for the scheme of [84], as once we fix c 0 = (pk, γ, π), it shall be hard to find two valid secret keys c 1 = sk = sk = c 1 corresponding to pk.
A simple adaptation of the above attack shows that continuous non-malleability in the split-state model is impossible in the information-theoretic setting. 7 If not, A 1 obtains as answer to one of its tampering queries, and thus it can safely conclude thatĉ 0 = c 0 andĉ 1 ∈ {c 1 , c 1 }. Onceĉ 0 is known it is trivial to break non-malleability using an additional tampering query. 8 Namely, just have c 0 (resp. c 1 ) contain pk, the encryption γ (resp. γ ) of any message m (resp. m = m) under pk, and the corresponding argument π (resp. π ). 9 Note that this applies in particular to the encoding of [84].

Theorem 2.
There is no split-state code in the CRS model that is 0-leakage-resilient continuously super-non-malleable in the presence of a computationally unbounded adversary.
Note that by properties (i) and (ii) above, we know that for allĉ 1 =ĉ 1 , the decoding algorithm Dec(ω, (ĉ 0 ,ĉ 1 )) outputs ⊥. Thus, the above tampering query allows to learn the first bit of m with overwhelming probability, which is a clear breach of non-malleability.
Note that although the attack of Theorem 2 uses a single (inefficient) tampering query, it crucially relies on the assumption that the code be continuously non-malleable, in that it uses the fact that satisfies codewords uniqueness. This is consistent with the fact that all split-state codes that achieve one-time non-malleability in the information-theoretic setting do not satisfy uniqueness.

The Code
We describe our split-state code in Sect. 4.1. A detailed outline of the security proof can be found in Sect. 4.2, whereas the formal proof is given in Sect. 4.3-4.5 Finally, in Sect. 4.6, we explain how to instantiate our scheme both from generic and concrete assumptions.
The main idea behind the scheme is as follows: The CRS includes the CRS ω for the argument system and the hash key hk for the hash function. Given a message m ∈ {0, 1} k , the encoding procedure first encodes m using LREnc, obtaining shares (s 0 , s 1 ). Hence, it hashes both s 0 and s 1 , obtaining values h 0 and h 1 , and generates a non-interactive argument π 0 (resp. π 1 ) for the statement h 0 ∈ L hk hash (resp. h 1 ∈ L hk hash ) using h 1 (resp. h 0 ) as label. The left part c 0 (resp. right part c 1 ) of the codeword c * consists of s 0 (resp. s 1 ), along with the value h 1 (resp. h 0 ), and with the arguments π 0 , π 1 .
The decoding algorithm proceeds in the natural way. Namely, given a codeword c * = (c 0 , c 1 ) it first checks that the arguments contained in the left and right part are equal, and moreover that the hash values are consistent with the shares; further, it checks that the non-interactive arguments verify correctly w.r.t. the corresponding statement and label. If any of the above checks fails, the algorithm returns ⊥, and otherwise it outputs the same as LRDec(s 0 , s 1 ).
Correctness of the code * follows directly by the correctness properties of the LRS and of the non-interactive argument system. As for security, we establish the following result. Then, the split-state code * described in Fig. 1 is an * -leakage-resilient continuously super-non-malleable code in the CRS model, as long as * ≤ /2 − O(λ log(λ)). . For simplicity, we assume that the extractor K is deterministic (which is the case for known instantiations, e.g., [51]); a generalization is immediate.

Proof Outline
Our goal is to show that no PPT attacker A * can distinguish the experiments Tamper * ,A * (λ, 0) and Tamper * ,A * (λ, 1) (cf. Definition 6). Recall that A * , after seeing the CRS, can select two messages m 0 , m 1 ∈ {0, 1} k , and then adaptively tamper with, and leak from, a target encoding c * = (c 0 , c 1 ) of either m 0 or m 1 , where both the tampering and the leakage act independently on the two parts c 0 and c 1 .
In order to prove the theorem, we introduce two hybrid experiments, as outlined below.
In the first hybrid, we modify the distribution of the target codeword c * = (c 0 , c 1 ). In particular, we first use the simulator S 0 of the noninteractive argument system to program the CRS ω, yielding simulation trapdoor ζ and extraction trapdoor ξ , and then we compute the argument π 0 (resp. π 1 ) by running the simulator S 1 upon input ζ , statement h 0 (resp. h 1 ) and label h 1 (resp. h 0 ).
Finally, if 0 = 1 the oracle returns this value as answer to the tampering query ( f 0 , f 1 ); else, it returns ⊥ and self-destructs. (Of course, in case 0 = 1 = ⊥, the oracle also returns ⊥ and self-destructs.) As a first step, we argue that Tamper * ,A * (λ, b) and Hyb 1 * ,A * (λ, b) are computationally close. This follows readily from adaptive multi-theorem zero knowledge of the non-interactive argument system, as the only difference between the two experiments is the fact that in the latter the arguments π 0 , π 1 are simulated. As a second step, we prove that Hyb 1 * ,A * (λ, b) and Hyb 2 * ,A (λ, b) are also computationally indistinguishable. More in details, we show how to bound the probability that the output of the tampering oracle in the two experiments differs in the above described cases (a), (b), (c) and (d): (a) For Type-A queries, note that whenc β = c β , we must havec 1−β = c 1−β with overwhelming probability, as otherwise, say, (c 0 , c 1 ,c 1 ) would violate codewords uniqueness, which for our code readily follows from collision resistance of the hash function. (b) For Type-B queries, the decoding process in the previous hybrid would also return ⊥, so these queries always yield the same output in the two experiments. (c) For Type-C queries, we use the facts that (i) the underlying non-interactive argument system is true-simulation extractable, and (ii) the hash function is collision resistant, to show thatc β must be of the formc β = (s β , h 1−β ,π 0,β , π 1,β ) with π 0,β = π 1,β . As we show, the latter contradicts security of the underlying LRS. (d) For Type-D queries, note that whenever we run the extractor either the statement h 1−β , or the argumentπ 1−β,β , or the labelh β,β are fresh, which ensures the witness must be valid with overwhelming probability by (true-simulation) extractability of the non-interactive argument system.
Next, we show that no PPT attacker A * can distinguish between experiments Hyb 2 * ,A * (λ, 0) and Hyb 2 * ,A * (λ, 1) with better than negligible probability. To this end, we build a reduction A to the security of the underlying LRS. In order to keep the exposition simple, let us first assume that A * is not allowed to ask leakage queries. Roughly, the reduction works as follows: • Simulate the CRS: At the beginning, A samples a programmed CRS ω and the hash key hk exactly as defined in Hyb 2 * ,A * (λ, b), and runs A * upon ω * := (ω, hk) and fresh randomness r . Upon receiving (m 0 , m 1 ) from A * , then A forward the same pair of messages to the challenger.
• Learn the self-destruct index: Note that in the last hybrid, the tampering oracle answers A * 's tampering queries by computing both 0 (looking only at c 0 ) and 1 (looking only at c 1 ), and then 0 is returned as long as 0 = 1 (and otherwise a self-destruct is triggered). Since A can leak independently from s 0 and s 1 , it can compute all the values β by running A * with hard-wired 10 randomness r inside 11 each of its leakage oracles, and then use a pairwise independent hash function to determine using a binary search the first index i * corresponding to the tampering query where 0 = 1 . By pairwise independence, this yields the index of the query i * in which A * provokes a self-destruct with overwhelming probability, and by leaking at most O(λ log λ) bits from each block. • Play the game: Once the self-destruct index i * is known, A obtains 12 s σ and can thus restart A * outside the leakage oracle, using the same randomness r , and answer to the first i * − 1 tampering queries using c σ = (s σ , h 1−σ , π 0 , π 1 ), after which the answer to all remaining tampering queries is set to be ⊥. This yields a perfect simulation of how tampering queries are handled in the last hybrid, so that A keeps the advantage of A * .
Finally, let us explain how to remove the simplifying assumption that A * cannot leak from the target codeword. The difficulty when considering leakage is that we cannot run anymore the entire experiment with A * inside the leakage oracle, as the answer to A * 's leakage queries depends on the other half of the target codeword. However, note that in this case we can stop the execution and inform the reduction to leak from the other side whatever information is needed to continue the execution of each copy of A * inside the leakage oracle.
This allows to obtain the answers to all leakage queries of A * up to a self-destruct occurs. In order to obtain the answers to the remaining queries, we must re-run A inside the leakage oracle and adjust the simulation consistently with the self-destruct index being i * . In the worst case, this requires 2 * bits of leakage, yielding the final bound of 2 * + O(λ log λ). At the end, the reduction knows the answer to all leakage queries of A * with hard-wired randomness r , which allows to play the game with the challenger as explained above.

Hybrids
Let us start by recalling the definition of experiment Tamper * ,A * (λ, b) for our code from Fig. 1. 10 To be more precise, this also requires to leak the initial hash values, to simulate the non-interactive arguments as done in the last hybrid, and to hard-wire those values in each leakage query. 11 This makes the reduction non-black-box, as it needs to run A * inside the leakage oracles. 12 Recall that the underlying LRS satisfies augmented leakage resilience (cf. Definition 5).
Consider the following hybrid experiments.
We first prove, in Sect. 4.4, that Then, in Sect. 4.5, we show that the above hybrids are computationally close, i.e., for all b ∈ {0, 1}: thus proving continuous non-malleability:

The Main Reduction
Proof. The proof is down to the augmented leakage resilience (cf. Definition 5) of the underlying LRS (LREnc, LRDec). The reduction relies on a family of weakly universal 13 hash functions . By contradiction, assume that there exists a PPT adversary A * = (A * 0 , A * 1 ) that can tell apart Hyb 2 * ,A * (λ, 0) and Hyb 2 * ,A * (λ, 1) with nonnegligible probability. Consider the following PPT attacker A against leakage resilience of (LREnc, LRDec), which relies on the leakage functions defined in Fig. 3 on the following page.

3.
(Learn the self-destruct index.) Set (q min , q max ) = (0, q). Run the following loop: (a) If q min = q max , break the loop obtaining the self-destruct index i * := q min = q max ; else, set q med = q min +q max (e) Upon input a guess b from A * 1 , forward b to the challenger and terminate.
For the analysis, we must show that A does not leak too much information and that the reduction is correct (in the sense that the view of A * is simulated correctly). Note that A makes leakage queries in steps 1d, 2a, 3c, and 4a. The leakage amount in step 1d is equal to λ bits per share (i.e., the size of a hash value). The leakage amount in step 2a is bounded by * + O(log λ) bits per share (i.e., the maximum leakage asked by A * plus the indexes q 0 , q 1 ); by a similar argument, the leakage in step 4a consists of at most * bits per share. Finally, the leakage in step 3c is bounded by O(λ log(λ)) (as the loop for the binary search is run at most O(log λ) times, and each time the reduction leaks λ bits per share). Putting it all together, the overall leakage is bounded by where the inequality follows by the bound on * in the theorem statement.
Next, we argue that A perfectly simulates the view of A * except with negligible probability. Indeed: • The distribution of the CRS ω * = (ω, hk) is perfect.
• For each β ∈ {0, 1}, the distribution of the value c β assembled inside the leakage oracle O leak (s β , ·) is identical to that of the target codeword c * = (c 0 , c 1 ) in Hyb 2 * ,A * (λ, b), where b is the hidden bit in the security game for (LREnc, LRDec). • The simulation of A * 's leakage queries is perfect. Note that the simulated leakages 0 , 1 might be inconsistent after the loop of step 2 terminates. This is because there may exist an index i ∈ [q] such that ., the answer to the i-th tampering query should be ⊥, but a different value is passed to A * 1 inside the leakage oracle), which causes a wrong simulation of all leakage queries j ≥ i (if any). However, the reduction adjusts the leakages later in step 4, after the index i * corresponding to the self-destruct query is known.
• Except with negligible probability, the index i * coincides with the index corresponding to the self-destruct query, i.e. the minimum i * ∈ [q] such that in Hyb 2 * ,A * (λ, b). The latter follows readily from the weak universality of , as for each query g sd 0 (α, 0 , 1 , ψ t , q med , ·) and g sd 1 (α, 0 , 1 , ψ t , q med , ·) the probability that is at most 2 −λ (over the choice of t ←$ {0, 1} λ ), and thus, by the union bound, the simulation is wrong with probability at most q · 2 −λ . • In step 5, the reduction obtains c 0 , and thus can use the knowledge of the final corrected leakages 0 , 1 and of the self-destruct index i * to perfectly simulate all the queries of A * 1 . Hence, we have shown that there exists a polynomial p(λ) ∈ poly(λ) and a negligible function ν : N → [0, 1] such that This concludes the proof.

Indistinguishability of the Hybrids
We first establish some useful lemmas, and then analyze each of the two game hops individually. Proof. We show that Definition 7 is satisfied for β = 0. The proof for β = 1 is analogous, and therefore omitted.
For the analysis, note that the simulation done by D is perfect. In particular, depending on the game that D is playing, the CRS ω is either generated by running CRSGen(1 λ ) or S 0 (1 λ ); similarly, the arguments π 0 , π 1 are either obtained by running π β ←$ Prove(ω, h 1−β , (h β , s β )) or π β ←$ S 1 (ζ, h 1−β , h β ). Moreover, the reduction can perfectly emulate the oracles O maul and O * leak since it holds a simulated codeword c * that is either distributed according to Tamper * ,A * (λ, b) or Hyb 1 * , A  *  (λ, b). Thus, D has the same distinguishing advantage as that of A * . The lemma follows:

Second Game Hop
Proof. Fix b ∈ {0, 1}. We will prove that, with all but a negligible probability, the output of the tampering oracles O maul ((c 0 , c 1 ), ·) and O maul ((c 0 , c 1 ), ·) are identical up to the first tampering query that is answered with ⊥ in O maul ((c 0 , c 1 ), ·). (Afterward, both oracles self-destruct and thus always return ⊥.) Let q ∈ poly(λ) be an upper bound on the number of tampering queries in either of the hybrids. Consider the following events, defined over the probability space of both Hyb 1 * ,A (λ, b) and Hyb 2 * ,A (λ, b): • Event Bad same : There exists an index i ∈ [q], corresponding to a tampering query ( f • Event Bad ⊥ : There exists an index i ∈ [q], corresponding to a tampering query ( f • Event Bad cdw : There exists an index i ∈ [q], corresponding to a tampering query ( f Denote by Bad := Bad same ∪ Bad ⊥ ∪ Bad cdw . Since the two hybrids are identical conditioned on Bad not happening, by a standard argument, it suffices to prove that Bad happens with at most a negligible probability. In what follows, we always writẽ , andh β,β for the value Hash(hk,s β ).
However, for such a query, 1 )) would also return , and thus the event Bad same never happens.
The above means that the local check onc (i) β (as run by the original decoding algorithm) fails, and thus O maul ((c 0 , c 1 1 )) would also return ⊥. Type-C queries: Wlog. assume that f (i) 0 is of Type C (the proof in case f (i) 1 is of Type C being analogous). Recall that function f h 1 , h 0 , π 1 ).
We claim this implies that the tampered codeword (c (i) 0 ,c (i) 1 ) must be of the form π 1 )). First, collision resistance 14 of (Gen, Hash) implies thats 0 as otherwise the tampered codeword would not be valid. Next, we prove that the above contradicts security of the LRS. By contradiction, assume that there exists an adversary A * that with non-negligible probability outputs a tampering query ( f  15 Moreover, collision resistance of (Gen, Hash) implies that in this cases (i) 0 = s 0 with overwhelming probability. 16 Consider now the following attacker A. Attacker A against (LREnc, LRDec) :

would be of Type A). Sinceπ
• Run steps 1-4 as described in the reduction A in the proof of Lemma 2.
• Set c 1 = (s 1 , h 0 , π 0 , π 1 ), sample j * ←$ [i * ], and then start A * 1 (1 λ , α 1 ; r 1 ). • Upon input the j-th leakage query (g ( j) , 1} such that 14 Given an attacker A * that with non-negligible probability outputs a tampering query ( f we can build an attacker A breaking collision resistance of (Gen, Hash). The reduction is straightforward: Given hk, adversary A simply runs A * honestly after embedding hk in the CRS, until it outputs the query ( f , which yields the collision (s 0 ,s (i) 0 ). 15 The reduction is analogous to the one in Lemma 4, and therefore omitted. 16 The reduction is analogous to the one in Footnote 14.
LRDec(s (i) 0 ,s (i) 1 ) = m b , forward b to the challenger and terminate; else, abort the simulation and terminate.
An argument identical to that used in the proof of Lemma 2 shows that A leaks at most bits and perfectly simulates the view of A * . Since with probability 1/poly(λ) attacker A * outputs a tampering query ( f 0 , π 1 )), withπ (i) 0 = π 0 , and moreover with probability 1/i * this is the j * -th tampering query, it follows that b = b in experiment Leak + ,A (λ, b) with probability at least 1/poly(λ) − negl(λ).

Type-D queries:
Wlog. assume that f and moreover the argumentπ 1 )) does not output ⊥, the above implies that both (c 0 , c 1 ) and (c 0 ,c (i) 1 ) are valid codewords, which contradicts codewords uniqueness. More formally, given an efficient attacker A * that provokes the above event, it is straightforward 17 to construct an efficient attacker A that breaks uniqueness, which in turn contradicts 1 )), for all β ∈ {0, 1}, we can write: Claim 3. P [Bad cdw ] ∈ negl(λ). 17 Attacker A simply runs A * on a simulated codeword (c 0 , c 1 ) generated exactly as in the last hybrid, and answers to both leakage and tampering queries honestly until A * outputs the query ( f 1 )) cannot output . This is because the latter would imply thatc (i) ) cannot output ⊥ either. This is because the latter would imply that either (i) ∃β ∈ {0, 1} : Hash(hk,s However, both these conditions contradict the fact that (c (i) 0 ,c (i) 1 ) must be valid. It remains to consider the case where O maul ((c 0 , c 1 1 )), however, it must be the case thats The statement of the lemma now follows by the above claims, together with a union bound.

Concrete Instantiation
Below, we explain how to instantiate the building blocks required for our code, both from generic and concrete assumptions.
• Leakage-Resilient Storage As shown in [50,52], this primitive exists unconditionally. Let F = GF(2 k ) be the Galois field with 2 k elements, and t ∈ N be a parameter. Given m ∈ {0, 1} k , algorithm LREnc interprets m as an element of F and outputs random s 0 , s 1 ∈ F t subject to s 0 , where s = (s [1], . . . , s[t]) ∈ Z t q and Hash : Z t q → G. • True-Simulation Extractable NIZK It is well known that simulation extractable NIZKs (i.e., NIZKs that are extractable even in case the attacker observes simulated arguments of possibly false statements) can be obtained for all of NP assuming (doubly enhanced) trapdoor permutations [51,68,87]. More concretely, using the collision-resistant hash function from the previous bullet point, we need to consider the NP-relation: Following [51], an efficient tSE NIZK for the above relation can be obtained under the DLIN assumption by combining classical Groth-Sahai NIZKs [74,75] with Cramer-Shoup encryption [38]. We leave the count of the exact number of group elements as an exercise to the reader.

Application to Tamper-Resilient Security
In this section we revisit the classical application of non-malleable codes to protecting arbitrary cryptographic primitives against memory-tampering attacks [55,56,84], highlighting in particular the benefits that our new notion of continuous non-malleability brings to the picture.
In what follows, let F(κ, ·) be an efficiently computable functionality taking a secret key κ ∈ {0, 1} k and value x ∈ {0, 1} * as input, and producing some output y ∈ {0, 1} * . We are concerned about attackers changing the original key κ into a related keyκ, and observing the effect of such changes at the output. For concreteness, we will focus on the setting in which the key material is stored into two separate parts of the memory that can be tampered independently, but the results in this section can be easily extended to general tampering (parameterized by a tampering family supported by the non-malleable code). As explained below, we distinguish between stateless and stateful functionalities.

Stateless Functionalities
In the case of stateless functionalities, the key κ is fixed once and for all. The main idea is to transform the original functionality F into some kind of "hardened" functionalitŷ F using a non-malleable code to encode the key. Previous transformations aiming at protecting stateless functionalities [55,56,84] required to freshly re-encode the key κ each time the functionality is invoked. Our approach avoids the re-encoding of the key at each invocation, leading to a stateless transformation. This solves an open question from [55,56]. Moreover, we consider a setting where the encoded key is stored into a memory M := (M 0 , M 1 ) which is much larger than the size needed to store the encoding itself (say |M 0 | = |M 1 | = p(n) where p(n) is polynomial in the length n of the encoding). When (perfect) erasures are not possible, this feature naturally allows the adversary to make copies of the initial encoding and tamper continuously with it.
Let us formally define what it means to harden a stateless functionality.

Remark 1. (On δ)
The public value δ is just a way how to implement the self-destruct feature. An alternative approach would be to let the hardened functionality simply output a dummy value and overwrite (M 0 , M 1 ) with the all-zero string. As we do not want to assume perfect erasures, we use the first approach here. Note that we assume that δ is untamperable and one-time writable. The latter is necessary, as an adversary tampering with δ could always switch-off the self-destruct feature and apply a variant of the attack from [70] to recover the secret state.
Similarly to [55,56,84], security ofF is defined via the comparison of a real and an ideal experiment. The real experiment features an adversary A interacting withF; the adversary is allowed to honestly run the functionality on any chosen input, but also to modify the memory and retrieve a bounded amount of information from it. The ideal experiment features a simulator S that is given black-box access to the original functionality F and to the adversary A, but is not allowed any tampering or leakage query. The two experiments are formally described below.
At the end of the experiment, A outputs a bit that is an arbitrary function of its view (and this is also the output of the experiment).
Experiment Ideal F,A,S (λ, κ). The simulator sets up the CRSω = (ω, δ) and is given black-box access to the functionality F(κ, ·) and the adversary A. At the end of the experiment, A outputs a bit that is an arbitrary function of its view (and this is also the output of the experiment).
Intuitively, since the code is non-malleable, the adversary can either keep the encoding of the secret key unchanged or overwrite it with the encoding of an unrelated value. These two cases are captured in the above modes: The simulator starts in the normal mode and then, whenever the adversary modifies the initial encoding, it switches to the overwritten mode. However, note that the adversary can use the extra space to keep a copy of the original encoding and place it back at some later point in time. When this happens, the simulator switches back to the normal mode; this feature is important to maintain simulation.
By contradiction, assume that there exists a PPT attacker A, and some key κ ∈ {0, 1} k , such that the following holds for the above defined simulator S: where i is the index of the last tampering query. Then, forward the answer ( Else, proceed as follows: • If mode = normal, let y ( j) ←$ F(κ, x ( j) ) and return y ( j) to A.
6. Upon receiving a guess b from A, output b and terminate.
For the analysis, first note that A runs in polynomial time. Next, we claim that the simulation done by A is perfect. This is because: • The CRSω is distributed identically to the CRS in RealF ,A,κ (λ) and Ideal F,A,S,κ (λ).
• Depending on the target encoding (c 0 , c 1 ) being either an encoding of κ or an encoding of 0 k , the queries of A are answered exactly as in RealF ,A,κ (λ) or in Ideal F,A,S,κ (λ). More precisely: · Tampering queries are handled using the oracle O maul ((c 0 , c 1 ), ·). However, note that A cannot directly forward the tampering functions ( f maps p bits into p bits, whereas A 's tampering oracle expects functions mapping n bits into n bits; (ii) In both RealF ,A,κ (λ) and Ideal F,A,S,κ (λ) the tampering functions are applied to the current memory content (M 0 , M 1 ), whereas the tampering oracle always uses the target codeword (c 0 , c 1 ). However, the reduction can easily handle this mismatch by padding each part of the target codeword with zeroes, recover the current memory, and define the tampered codeword to be the first n bits of M 0 := f  2)). · Leakage queries are handled using the oracles O leak (c 0 , ·) and O leak (c 1 , ·). By a similar argument as above, the reduction perfectly emulates such queries by adjusting them as in Eq. (3). Furthermore, if A leaks at most bits from each side of the memory, A leaks at most bits from each side of the target codeword. · Evaluation queries are perfectly emulated. Indeed, whenever mode equals normal, the reduction answers evaluation queries by running F on key κ (this corresponds to the normal mode of simulator S). Similarly, whenever mode equals overwritten, the reduction answers evaluation queries by running F on the current tampered keyκ which results from applying the tampering functions to the initial memory (this corresponds to the overwritten mode of simulator S).

Stateful Functionalities
In the case of stateful functionalities, the function F has a secret state σ that is updated at each invocation, i.e., (σ , y) ←$ F(σ, x). As the state gets updated, in this setting we inherently need to re-encode the new state after each execution. Furthermore, since we do not assume erasures in our model, the following subtlety arises. An adversary can first copy some old (encoded) state to a different part of the memory, and later replace the current (encoded) state by the old one. This essentially corresponds to a reset attack, that cannot be simulated given only black-box access to the original functionality. To overcome this obstacle, our transformation leverages an untamperable public counter γ ∈ N that helps us detecting whenever the functionality is reset to a previous state, in which case a self-destruct is triggered; note that such a counter can be implemented using log(λ) bits (plus the additional bit to implement the self-destruct mechanism). 19 Below, we define what it means to harden a stateful functionality. Remark 2. (On (γ , δ)) As in the case of stateless functionalities, we require δ to be untamperable and one-time writable (cf. Remark 1). Moreover, the counter γ is assumed to be untamperable and poly-time writable. The latter is necessary, as otherwise the attacker can use the extra memory to reset the functionality to a previous valid state, which cannot be simulated with black-box access to the original functionality. 19 Without assuming an untamperable counter, one can still get continuous tamper simulatability if the simulator is allowed to reset the original functionality. This essentially allows to protect cryptographic primitives with so-called resettable security (see, e.g., [19,72,88]).  M 1 ), and, if Dec(ω, (c 0 ,c 1 )) ∈ {⊥,σ ||γ } for someγ = γ , update the CRS toω := (ω, γ , 1). · Eval, x ( j) : Upon input the j-th evaluation query, run (σ , y ( j) ) ←$ Exec(ω, F, M, x ( j) ) and reply with y ( j) . Compute (c 0 , c 1 ) ←$ Enc(ω, σ ||γ + 1), and update the first n bits of M β to c β for each β ∈ {0, 1}, and the CRS toω := (ω, γ + 1, δ).
The intuition behind the above simulation strategy is similar to that in the proof of Theorem 4. One important difference is the fact that, after the simulator switches to the overwritten mode, it never goes back to the normal mode. Intuitively, this is because the untamperable counter ensures that the attacker can never copy an old state back to the first part of the memory. A further difficulty in the analysis is that in the case of stateful functionalities the state is re-encoded after each invocation, and thus we cannot directly reduce to the security of the underlying continuously non-malleable code.

Experiment Hyb (i)
F,A,S (λ, σ ). In order to overcome the above difficulty, we consider a sequence of mental experiments. Let q ∈ poly(λ) be an upper bound on the total number of queries (and thus rounds). For all i ∈ [q], consider the following hybrid experiment where the simulator runs a modified normal mode and the same overwritten mode.
• For the first i rounds, A's commands are answered exactly as in experiment Ideal F,A,S (λ, σ ). • Starting from round i +1, if the simulator S is already in the overwritten mode, then continue simulating as in the ideal world. Otherwise, proceed with the following modified normal mode: where σ is the current state of the functionality and σ is the new state, and reply with y ( j) . Redefine σ := σ , and update the CRS toω := (ω, γ := γ + 1, δ).

Clearly, {Hyb
F,A,S (λ, σ )} λ∈N ≡ {RealF ,A (λ, σ )} λ∈N . This is because the modified normal mode of the simulator corresponds to answering A's commands exactly as in the real experiment. Hence, the theorem follows by the lemma below. Proof. Fix i ∈ [q]. By contradiction, assume that there exists a PPT attacker A, and some state σ ∈ {0, 1} k , such that the following holds for the above defined simulator S: We build a PPT attacker A breaking continuous non-malleability of the code . A description of A follows: Attacker A for (Init, Enc, Dec) : 1. Upon receiving the CRS ω, set (γ , δ) = (1, 0), and passω := (ω, γ, δ) to A. 2. For each round j ≤ i − 1, reply to A's commands as described in the ideal experiment. Let σ := σ (i) andω = (ω, i, δ) be, respectively, the current state 21 of the functionality and the CRS at the end of the (i −1)-th round. 3. Forward (m 0 := σ (i) ||i, m 1 := 0 k ||0 log λ ) to the challenger, and initializẽ σ ||γ := ε and mode to normal. In case the simulation of the first i − 1 tampering queries has already caused the simulator to enter the overwritten mode, output a random b and terminate; else, continue. 4. For each round j ≥ i, upon input a command Tamper, ( f 1 ) to A. 6. For each round j ≥ i, upon input a command Eval, x ( j) from A, if δ = 1 return ⊥ to A. Else, proceed as follows: • If mode = normal, let (σ , y ( j) ) ←$ F(σ, x ( j) ) and return y ( j) to A. • If mode = overwritten, let (σ , y ( j) ) ←$ F(σ , x ( j) ) and return y ( j) to A. • Update the CRS toω = (ω, γ + 1, δ), and re-define σ := σ . 7. Upon receiving a guess b from A, output b and terminate.
For the analysis, first note that A runs in polynomial time. Next, we claim that the simulation done by A is perfect. This is because: • The CRSω is distributed identically to the CRS in Hyb (i−1) F,A,S (λ, σ ) and Hyb (i) F,A,S (λ, σ ). • The first i − 1 leakage/tampering/execute queries are answered as in the ideal experiment, which corresponds to the way such queries are answered in both Hyb F,A,S (λ, σ ) and Hyb (i−1) F,A,S (λ, σ ). • Let W be the event that the simulation has already entered the overwritten mode while answering the first i − 1 tampering queries. Note that conditioning on W, the random variables Hyb (i−1) F,A,S (λ, σ ) and Hyb (i) F,A,S (λ, σ ) are identical, and thus Eq. (4) implies that P [¬W] ≥ 1/poly(λ).
• For each round j ≥ i, conditioning on ¬W and depending on the target encoding (c 0 , c 1 ) being either an encoding of σ (i) ||i or an encoding of 0 k ||0 log λ , the queries of A are answered exactly as in Hyb  ((c 0 , c 1 ), ·). As in the proof of Theorem 4, the reduction needs to adjust the leakage/tampering functions taking into account the initial padding of the memory and the previous tampering queries. This can be done using Eq. (2) and Eq. (3) as before. · The remaining evaluation queries are perfectly emulated. Indeed, whenever mode equals normal, the reduction answers evaluation queries by running F on the current state σ (this corresponds to the normal mode of simulator S). Similarly, whenever mode equals overwritten, the reduction answers evaluation queries by running F on the current tampered stateσ which results from applying the tampering functions to the initial memory (this corresponds to the overwritten mode of simulator S).
It follows that in case (c 0 , c 1 ) is an encoding of σ (i) ||i and conditioning on ¬W, the reduction perfectly emulates the view of A in Hyb (i−1) F,A,S (λ, σ ). Similarly, when (c 0 , c 1 ) is an encoding of 0 k ||0 log λ and conditioning on ¬W, the reduction perfectly emulates the view of A in Hyb (i) F,A,S (λ, σ ). Finally, P [¬W] ≥ 1/poly(λ), and additionally conditioning on W we have that P b = b = 1/2. Hence, we have obtained: