(Continuous) Non-malleable Codes for Partial Functions with Manipulation Detection and Light Updates

. Non-malleable codes were introduced by Dziembowski et al. (in: Yao (ed) ICS2010, Tsinghua University Press, 2010), and its main application is the protection of cryptographic devices against tampering attacks on memory. In this work, we initiate a comprehensive study on non-malleable codes for the class of partial functions, that read/write on an arbitrary subset of codeword bits with speciﬁc cardinality. We present two constructions: the ﬁrst one is in the CRS model and allows the adversary to selectively choose the subset of codeword bits, while the latter is in the standard model and adaptively secure. Our constructions are efﬁcient in terms of information rate, while allowing the attacker to access asymptotically almost the entire codeword. In addition, they satisfy a notion which is stronger than non-malleability, that we call non-malleability with manipulation detection, guaranteeing that any modiﬁed code-word decodes to either the original message or to ⊥ . We show that our primitive implies All-Or-Nothing Transforms (AONTs), and as a result our constructions yield efﬁcient AONTs under standard assumptions (only one-way functions), which, to the best of our knowledge, was an open question until now. Furthermore, we construct a notion of continuous non-malleable codes (CNMC), namely CNMC with light updates, that avoids the full re-encoding process and only uses shufﬂing and refreshing operations. Finally, we present a number of additional applications of our primitive in tamper resilience.


Introduction
Non-malleable codes (NMC) were introduced by Dziembowski, Pietrzak and Wichs [39] as a relaxation of error correction and error detection codes, aiming to provide strong privacy but relaxed correctness.Informally, non-malleability guarantees that any modified codeword decodes either to the original message or to a completely unrelated one, with overwhelming probability.The definition of non-malleability is simulationbased, stating that for any tampering function f , there exists a simulator that simulates the tampering effect by only accessing f , i.e., without making any assumptions on the distribution of the encoded message.
The main application of non-malleable codes that motivated the seminal work by Dziembowski et al. [39] is the protection of cryptographic implementations from active physical attacks against memory, known as tampering attacks.In this setting, the adversary modifies the memory of the cryptographic device, receives the output of the computation, and tries to extract sensitive information related to the private memory.Security against such types of attacks can be achieved by encoding the private memory of the device using non-malleable codes.Besides that, various applications of non-malleable codes have been proposed in subsequent works, such as CCA secure encryption schemes [29] and non-malleable commitments [4].
Due to their important applications, constructing non-malleable codes has received a lot of attention over recent years.As non-malleability against general functions is impossible [39], various subclasses of tampering functions have been considered, such as split-state functions [1][2][3]38,39,51,55], bit-wise tampering and permutations [4,5,39], bounded-size function classes [45], bounded depth/fan-in circuits [14], space-bounded tampering [42], and others (cf.Sect.1.4).One characteristic shared by those function classes is that they allow full access to the codeword, while imposing structural or computational restrictions to the way the function computes over the input.In this work, we initiate a comprehensive study on non-malleability for functions that receive partial access over the codeword, which is an important yet overlooked class, as we elaborate below.
The class of partial functions.The class of partial functions contains all functions that read/write on an arbitrary subset of codeword bits with specific cardinality.The elements of the subset can be chosen selectively or adaptively.Concretely, let c be a codeword with length ν.For α ∈ [0, 1), the function class F αν (or F α for brevity) consists of all functions that operate over any subset of bits of c with cardinality at most αν, while leaving the remaining bits unseen and intact.The work of Cheraghchi and Guruswami [27] explicitly defines this class and uses a subclass (the one containing functions that always touch the first αν bits of the codeword) in a negative way, namely as the tool for deriving capacity lower bounds for information-theoretic non-malleable codes against split-state functions.Partial functions were also studied implicitly by Faust et al. [45], while aiming for non-malleability against bounded-size circuits. 1  1 Specifically, in [45], the authors consider a model where a common reference string (CRS) is available, with length roughly logarithmic in the size of the tampering function class; as a consequence, the tampering function is allowed to read/write the whole codeword while having only partial information over the CRS.
Even though capacity lower bounds for partial functions have been derived (cf.[27]), our understanding about explicit constructions is still limited.Existential results can be derived by the probabilistic method, as shown in prior works [27,39],2 but they do not yield explicit constructions.On the other hand, the capacity bounds do not apply to the computational setting, which could potentially allow more practical solutions.We believe that this is a direction that needs to be explored, as besides the theoretical interest, partial functions is a natural model that complies with existing attacks that require partial access to the registers of the cryptographic implementation [16,[19][20][21]63]. 3Besides the importance of partial functions in the active setting, i.e., when the function is allowed to partially read/write the codeword, the passive analogue of the class, i.e., when the function is only given read access over the codeword, matches the model considered by All-Or-Nothing Transforms (AONTs), which is a notion originally introduced by Rivest [60], providing security guarantees similar to those of leakage resilience: reading an arbitrary subset (up to some bounded cardinality) of locations of the codeword does not reveal the underlying message.As non-malleable codes provide privacy, nonmalleability for partial functions is the active analogue of (and in fact implies) AONTs, that find numerous applications [22,23,59,60,62].
Plausibility.At a first glance, one might think that partial functions better comply with the framework of error-correction/detection codes (ECC/EDC), as they do not touch the whole codeword.However, if we allow the adversary to access asymptotically almost the entire codeword (which can be more than the minimum distance that an ECC can achieve), it is conceivable it can use this generous access rate, i.e., the fraction of the codeword that can be accessed (see below), to create correlated encodings; thus, we believe solving non-malleability in this setting is a natural question.Additionally, ECC/EDC cannot guarantee security against selective failure attack for high access rate tampering adversaries and thus provide weaker security compared with the simulationbased non-malleable codes.Below we elaborate.
We illustrate the separation between the notions using the following example.Consider the set of partial functions that operate either on the right or on the left half of the codeword (the function chooses if it is going to be left or right), and the trivial encoding scheme that on input message s outputs (s, s).The decoder, on input (s, s ), checks if s = s , in which case it outputs s, otherwise it outputs ⊥.This scheme is clearly an EDC against the aforementioned function class, 4 as the output of the decoder is in {s, ⊥}, with probability 1; however, it is considered malleable since the tampering function can create encodings whose validity depends on the message.On the other hand, an ECC would provide a trivial solution in this setting; however, it requires restriction of the adversarial access fraction to 1/2 (of the codeword); by accessing more than this fraction, the attacker can possibly create invalid encodings depending on the message, as general ECCs do not provide privacy.Thus, the ECC/EDC setting is inapt against this type of selective failure tampering in the presence of attackers that access almost the entire codeword.Later in this section, we provide an extensive discussion on challenges of non-malleability for partial functions.
Besides the plausibility and the lack of a comprehensive study, partial functions can potentially allow stronger primitives, as constant functions are excluded from the class.This is similar to the path followed by Jafargholi and Wichs [49], aiming to achieve tamper detection (cf.Sect.1.4) against a class of functions that implicitly excludes constant functions and the identity function.In this work, we prove that this intuition holds, by showing that partial functions allow a stronger primitive that we define as non-malleability with manipulation detection (MD-NMC), which guarantees that any tampered codeword will either decode to the original message or to ⊥, and additionally, the outcome can be simulated without knowing the underlying message.This implies that the notion can defend against the selective failure tampering attacks, as the decoding of the tampered outcome would not only be either the original message or ⊥, but also independent of the underlying message.Thus, MD-NMC is not subject to the selective failure attacks, providing stronger security than what ECC/EDC can provide as we argued above.
Given the above, we believe that partial functions is an interesting and well-motivated model.The goal of this work is to answer the following (informally stated) question:

Is it possible to construct efficient (high information rate) non-malleable codes for partial functions, while allowing the attacker to access almost the entire codeword?
We answer the above question in the affirmative.Before presenting our results (cf.Sect.1.1) and the high level ideas behind our techniques (cf.Sect.1.2), we identify the several challenges that are involved in tackling the problem.
Challenges.We first define some useful notions used throughout the paper.
• Information rate: the ratio of message to codeword length, as the message length goes to infinity.• Access rate: the fraction of the number of bits that the attacker is allowed to access over the total codeword length, as the message length goes to infinity.
The access rate measures the effectiveness of a non-malleable code in the partial function setting and reflects the level of adversarial access to the codeword.In this work, we aim at constructing non-malleable codes for partial functions with high information rate and high access rate, i.e., both rates should approach 1 simultaneously.Before discussing the challenges posed by this requirement, we first review some known impossibility results.First, non-malleability for partial functions with concrete access rate 1 is impossible, as the function can fully decode the codeword and then re-encode a related message [39].Second, information-theoretic non-malleable codes with constant information rate (e.g., 0.5) are not possible against partial functions with constant access rate [27], 5 and consequently, solutions in the information-theoretic settings such as ECC and Robust Secret Sharing (RSS) do not solve our problem.Based on these facts, in order to achieve our goal, the only path is to explore the computational setting, aiming for access rate at most 1 − , for some > 0. At a first glance, one might think that non-malleability for partial functions is easier to achieve, compared to other function classes, as partial functions cannot touch the whole codeword.Having that in mind, it would be tempting to conclude that existing designs/techniques with minor modifications are sufficient to achieve our goal.However, we will show that this intuition is misleading, by pointing out why prior approaches fail to provide security against partial functions with high access rate.
The current state of the art in the computational setting considers tools such as (Authenticated) Encryption [1,35,36,41,51,55], non-interactive zero-knowledge (NIZK) proofs [35,41,43,55], and -more extractable collision resistant hashes (ECRH) [51], where others use KEM/DEM techniques [1,36].Those constructions share a common structure, incorporating a short secret key sk (or a short encoding of it), as well as a long ciphertext, e, and a proof π (or a hash value).Now, consider the partial function f that gets full access to the secret key sk and a constant number of bits of the ciphertext e, partially decrypts e and modifies the codeword depending on those bits.Then, it is not hard to see that non-malleability falls apart as the security of the encryption no longer holds.The attack requires access rate only O((|sk|)/(|sk| + |e| + |π |)), for [35,41,55] and O(poly(k)/|s|) for [1,36,51].A similar attack applies to [43], which is in the continual setting.
One possible route to tackle the above challenges is to use an encoding scheme over the ciphertext, such that partial access over it does not reveal the underlying message. 6he guarantees that we need from such a primitive resemble the properties of AONTs; however, this primitive does not provide security against active, i.e., tampering, attacks.Another approach would be to use Reconstructable Probabilistic Encodings [14] which provide error-correcting guarantees, yet still it is unknown whether we can achieve information rate 1 for such a primitive.In addition, the techniques and tools for protecting the secret key can be used to achieve optimal information rate as they are independent of the underlying message, yet at the same time, they become the weakest point against partial functions with high access rate.Thus, the question is how to overcome the above challenges, allowing access to almost the entire codeword.
In this paper, we solve the challenges presented above based on the following observation: in existing solutions the structure of the codeword is fixed and known to the attacker, and independently of the primitives that we use, the only way to resolve the above issues is by hiding the structure via randomization.This requires a structure recovering mechanism that can either be implemented by an "external" source, or otherwise the structure needs to be reflected in the codeword in some way that the attacker cannot exploit.In the present work, we implement this mechanism in both ways, by first proposing a construction in the common reference string (CRS) model, and then we show how to remove the CRS using slightly bigger alphabets.Refer to Sect.1.2 for a technical overview.

Our Results
We initiate the study of non-malleable codes with manipulation detection (MD-NMC), and we present the first (to our knowledge) construction for this type of codes.We focus on achieving simultaneously high information rate and high access rate, in the partial functions setting, which by the results of [27], it can be achieved only in the computational setting.
Our contribution is threefold.First, we construct an information rate 1 non-malleable code in the CRS model, with access rate 1 − 1/Ω(log k), where k denotes the security parameter.Our construction combines Authenticated Encryption together with an inner code that protects the key of the encryption scheme (cf.Sect.1.2).The result is informally summarized in the following theorem.
Theorem 1.1.(Informal) Assuming one-way functions, there exists an explicit computationally secure MD-NMC over the binary alphabet in the CRS model, against selective selection of codeword locations, achieving information rate 1 and access rate 1 − 1/Ω(log k), where k is the security parameter.
Our scheme, in order to achieve security with error 2 −Ω(k) , produces codewords of length |s| + O(k 2 log k), where |s| denotes the length of the message and uses a CRS of length O(k 2 log k log(|s| + k)).We note that our construction does not require the CRS to be fully tamper-proof, and we refer the reader to Sect.1.2 for a discussion on the topic.
In our second result, we show how to remove the CRS by slightly increasing the size of the alphabet.Our result is a computationally secure MD-NMC in the standard model, achieving information and access rate 1−1/Ω(log k).Our construction is proven secure by a reduction to the security of the scheme presented in Theorem 1.1.Below, we informally state our result.Theorem 1.2.(Informal) Assuming one-way functions, there exists an explicit, computationally secure MD-NMC in the standard model against adaptive selection of codeword locations, with alphabet length O(log k), information rate 1 − 1/Ω(log k) and access rate 1 − 1/Ω(log k), where k is the security parameter.

Our scheme produces codewords of length
In Sect.1.2, we consider security against continuous attacks.We show how to achieve a weaker notion of continuous security, while avoiding the use of a self-destruct mechanism, which was originally achieved by [41].Our notion is weaker than full continuous security [43], since the codewords need to be updated with a mechanism that is heavier than self-destruct, still it is deterministic and more efficient than the re-encoding process of [39,55]; it uses only shuffling and refreshing operations, i.e., we avoid cryptographic computations such as group operations and NIZKs.We call such an update mechanism a "light update."Informally, we prove the following result.As we have already stated, non-malleable codes against partial functions imply AONTs [60].The first AONT was presented by Boyko [22] in the random oracle model, and then, Canetti et al. [23] consider AONTs with public/private parts as well as a secretonly part, which is the full notion.Canetti et al. [23] provide efficient constructions for both settings, yet the fully secure AONT (called "secret-only" in that paper) is based on non-standard assumptions. 7ssuming one-way functions, our results yield efficient, fully secure AONTs, in the standard model.This resolves, the open question left in [23], where the problem of constructing AONT under standard assumptions was posed.Our result is presented in the following theorem.The above theorem is derived by the Informal Theorem 1.1, yielding an AONT whose output consists of both the CRS and the codeword produced by the NMC scheme in the CRS model.A similar theorem can be derived with respect to the Informal Theorem 1.2.Finally, and in connection to AONTs that provide leakage resilience, our results imply leakage-resilient codes [55] for partial functions.In Sect.2.3, we present the connection between MD-NMC and AONT with a formal description.
We provide concrete instantiations of our constructions, using textbook instantiations [50] for the underlying authenticated encryption scheme.For completeness, we also provide information theoretic variants of our constructions that maintain high access rate and thus necessarily sacrifice information rate.

Technical Overview
On the manipulation detection property.In the present work, we exploit the fact that the class of partial functions does not include constant functions and we achieve a notion that is stronger than non-malleability, which we call non-malleability with manipulation detection.We formalize this notion as a strengthening of non-malleability, and we show that our constructions achieve this stronger notion.Informally, manipulation detection ensures that any tampered codeword will either decode to the original message or to ⊥.A MD-NMC in the CRS model.For the exposition of our ideas, we start with a naive scheme (which does not work) and then show how we resolve all the challenges.Let (KGen, E, D) be a (symmetric) authenticated encryption scheme and consider the following encoding scheme: to encode a message s, the encoder computes (sk||e), where e ← E sk (s) is the ciphertext and sk ← KGen(1 k ), is the secret key.We observe that the scheme is secure if the tampering function can only read/write on the ciphertext, e, assuming the authenticity property of the encryption scheme, however, restricting access to sk, which is short, is unnatural and makes the problem trivial.On the other hand, even partial access to sk, compromises the authenticity property of the scheme, and even if there is no explicit attack against the non-malleability property, there is no hope for proving security based on the properties of (KGen, E, D), in black-box way.
A solution to the above problems would be to protect the secret key using an inner encoding, yet the amount of tampering is now restricted by the capabilities of the inner scheme, as the attacker knows the exact locations of the "sensitive" codeword bits, i.e., the non-ciphertext bits.In our construction, we manage to protect the secret key while avoiding the bottleneck on the access rate by designing an inner encoding scheme that provides limited security guarantees when used standalone, still when it is used in conjunction with a shuffling technique that permutes the inner encoding and ciphertext bit locations, it guarantees that any attack against the secret key will create an invalid encoding with overwhelming probability, even when allowing access to almost the entire codeword (Figs. 1, 2).
Our scheme is depicted in Fig. 3 and works as follows: on input message s, the encoder (i) encrypts the message by computing sk ← KGen(1 k ) and e ← E sk (s), (ii) computes an m-out-of-m secret sharing z of (sk||sk 3 ) (interpreting both sk and sk 3 as elements in some finite field), 8 and outputs a random shuffling of (z||e), denoted as P Σ (z||e), according to the common reference string Σ. Decoding proceeds as follows: on input c, the decoder (i) inverts the shuffling operation by computing (z||e) ← P −1 Σ (c), (ii) reconstructs (sk||sk ), and (iii) if sk 3 = sk , outputs D sk (e), otherwise, it outputs ⊥.
Intuitively, the properties that we require from the inner encoding scheme, i.e., the secret sharing and shuffling of (sk||sk 3 ), are similar to those provided by a robust secret sharing scheme [58], which guarantees tamper detection during the reconstruction phase.In our work, we additionally require simulatability of whether the reconstructed message will be the same or ⊥.In Sect.3, we present the intuition behind our construction and a formal security analysis.Our instantiation yields a rate 1 computationally secure MD-NMC in the CRS model, with access rate 1 − 1/Ω(log k) and codewords of length |s| + O(k 2 log k), under mild assumptions (e.g., one-way functions).
On the CRS.In our work, the tampering function, and consequently the codeword locations that the function is given access to, are fixed before sampling the CRS and this is critical for achieving security.However, proving security in this setting is non-trivial.In addition, the tampering function receives full access to the CRS when tampering with the codeword.This is in contrast to the work by Faust et al. [45] in the informationtheoretic setting, where the (internal) tampering function receives partial information over the CRS.
In addition, our results tolerate adaptive selection of the codeword locations, with respect to the CRS, in the following way: each time the attacker requests access to a location, he also learns if it corresponds to a bit of z or e, together with the index of that bit in the original string.In this way, the CRS is gradually disclosed to the adversary while picking codeword locations.
Finally, our CRS sustains a substantial amount of tampering that depends on the codeword locations chosen by the attacker: an attacker that gets access to a sensitive codeword bit is allowed to modify the part of the CRS that defines the location of that bit in the codeword.The attacker is allowed to modify all but O(k log(|s| + k)) bits of the CRS, that is of length O(k 2 log k log(|s| + k)).To our knowledge, this is the first construction that tolerates, even partial modification of the CRS.In contrast, existing constructions in the CRS model are either using NIZKs [35,41,43,55], or they are based on the knowledge of exponent assumption [51], thus tampering access to the CRS might compromise security.Removing the CRS.A first approach would be to store the CRS inside the codeword together with P Σ (z||e) and give to the attacker read/write access to it.However, the tampering function, besides getting direct (partial) access to the encoding of sk, it also gets indirect access to it by (partially) controlling the CRS.Then, it can modify the CRS in way such that, during decoding, ciphertext locations of its choice will be treated as bits of the inner encoding, z, increasing the tampering rate against z significantly.This makes the task of protecting sk hard, if not impossible (unless we restrict the access rate significantly).
To handle this challenge, we embed the structure recovering mechanism inside the codeword and we emulate the CRS effect by increasing the size of the alphabet, giving rise to a block-wise structure. 9Notice that, non-malleable codes with large alphabet size (i.e., poly(k) + |s| bits) might be easy to construct, as we can embed in each codeword block the verification key of a signature scheme together with a secret share of the message, as well as a signature over the share.In this way, partial access over the codeword does not compromise the security of the signature scheme while the message remains private, and the simulation is straightforward.This approach, however, comes with a large overhead, decreasing the information rate and access rate of the scheme significantly.In general, and similar to error correcting codes, we prefer smaller alphabet sizes-the larger the size is, the more coarse access structure is required, i.e., in order to access individual bits we need to access the blocks that contain them.In this work, we aim at minimizing this restriction by using small alphabets as below.Our approach on the problem is the following.We increase the alphabet size to O(log k) bits, and we consider two types of blocks: (i) sensitive blocks, in which we store the inner encoding, z, of the secret key, sk, and (ii) non-sensitive blocks, in which we store the ciphertext, e, that is fragmented into blocks of size O(log k).The first bit of each block indicates whether it is a sensitive block, i.e., we set it to 1 for sensitive blocks and to 0, otherwise.Our encoder works as follows: on input message s, it computes z, e, as in the previous scheme and then uses sampling without replacement to generate the indices, ρ 1 , . . ., ρ |z| , for the sensitive blocks.Then, for every i ∈ {1, . . ., |z|}, ρ i is a sensitive block, with contents (1||i||z[i]), while the remaining blocks keep ciphertext pieces of size O(log k).Decoding proceeds as follows: on input codeword C = (C 1 , . . ., C bn ), for each i ∈ [bn], if C i is a non-sensitive block, its data will be part of e, otherwise, the last bit of C i will be part of z, as it is dictated by the index stored in C i .If the number of sensitive blocks is not the expected, the decoder outputs ⊥, otherwise, z, e, have been fully recovered and decoding proceeds as in the previous scheme.Our scheme is depicted in Fig. 5.
The security of our construction is based on the fact that, due to our shuffling technique, the position mapping will not be completely overwritten by the attacker, and as we prove in Sect.4, this suffices for protecting the inner encoding over sk.We prove security of the current scheme (cf.Theorem 4.8) by a reduction to the security of the scheme in the CRS model.Our instantiation yields a rate 1 − 1/Ω(log k) MD-NMC in the standard model, with access rate 1 − 1/Ω(log k) and codewords of length |s|(1 + 1/O(log k)) + O(k 2 log 2 k), assuming one-way functions.
It is worth pointing out that the idea of permuting blocks containing sensitive and non-sensitive data was also considered by [61] in the context of list-decodable codes; however, the similarity is only in the fact that a permutation is being used at some point in the encoding process, and our objective, construction and proof are different.Continuously non-malleable codes with light updates.We observe that the codewords of the block-wise scheme can be updated efficiently, using shuffling and refreshing operations.Based on this observation, we prove that our code is secure against continuous attacks, for a notion of security that is weaker than the original one [43], as we need to update our codeword.However, our update mechanism is using cheap operations, avoiding the full decoding and re-encoding of the message, which is the standard way to achieve continuous security [39,55].In addition, our solution avoids the usage of a self-destruction mechanism that produces ⊥ in all subsequent rounds after the first round in which the attacker creates an invalid codeword, which was originally achieved by [41], and makes an important step toward practicality.
The update mechanism works as follows: in each round, it randomly shuffles the blocks and refreshes the randomness of the inner encoding of sk.The idea here is that, due to the continual shuffling and refreshing of the inner encoding scheme, in each round the attacker learns nothing about the secret key, and every attempt to modify the inner encoding, results to an invalid key, with overwhelming probability.Our update mechanism can be made deterministic if we further encode a seed of a PRG together with the secret key, which is similar to the technique presented in [55].
Our results are presented in Sect. 5 (cf.Theorem 5.3), and the rates for the current scheme match those of the one-time secure, block-wise code.

Applications
Security against passive attackers -AONTs.Regarding the passive setting, our model and constructions find useful application in all settings where AONTs are useful (cf.[22,23,59,60]), e.g., for increasing the security of encryption without increasing the key-size, for improving the efficiency of block ciphers and constructing remotely keyed encryption [22,60], and also for constructing computationally secure secret sharing [59].Other uses of AONTs are related to optimal asymmetric encryption padding [22].

Security against memory tampering -(Binary alphabets, Logarithmic length CRS).
As with every NMC, the most notable application of the proposed model and constructions is when aiming for protecting cryptographic devices against memory tampering.Using our CRS based construction, we can protect a large tamperable memory with a small (logarithmic in the message length) tamperproof memory, that holds the CRS.
The construction is as follows.Consider any device performing cryptographic operations, e.g., a smart card, whose memory is initialized when the card is being issued.Each card is initialized with an independent CRS, which is stored in a tamper-proof memory, while the codeword is stored in a tamperable memory.Due to the independency of the CRS values, it is plausible to assume that the adversary is not given access to the CRS prior to tampering with the card; the full CRS is given to the tampering function while it tampers with the codeword during computation.This idea is along the lines of the only computation leaks information model [56], where data can only be leaked during computation, i.e., the attacker learns the CRS when the devices perform computations that depend on it.We note that in this work we allow the tampering function to read the full CRS, in contrast to [45], in which the tampering function receives partial information over it (our CRS can also be tampered, cf. the above discussion).In subsequent rounds, the CRS and the codeword are being updated by the device, which is the standard way to achieve security in multiple rounds while using a one-time NMC [39].

Security against memory tampering -(Logarithmic length alphabets, no CRS).
In modern architectures, data are stored and transmitted in chunks; thus, our blockwise encoding scheme can provide tamper resilience in all these settings.For instance, consider the case of arithmetic circuits, having memory consisting of consecutive blocks storing integers.Considering adversaries that access the memory of such circuits in a block-wise manner, is a plausible scenario.In terms of modeling, this is similar to tamper resilience for arithmetic circuits [47], in which the attacker, instead of accessing individual circuit wires carrying bits, accesses wires carrying integers.The case is similar for RAM computation where the CPU operates over 32 or 64 bit registers (securing RAM programs using NMC was also considered by [34][35][36]44]).We note that the memory segments in which the codeword blocks are stored do not have to be physically separated, as partial functions output values that depend on the whole input in which they receive access to.This is in contrast to the split-state setting in which the tampering function tampers with each state independently, and thus, the states need to be physically separated.Security against adversarial channels.In Wiretap Channels [17,57,64] the goal is to communicate data privately against eavesdroppers, under the assumption that the channel between the sender and the adversary is "noisier" than the channel between the sender and the receiver.The model that we propose and our block-wise construction can be applied in this setting to provide privacy against a wiretap adversary under the assumption that due to the gap of noise there is a small (of rate o(1)) fraction of symbols that are delivered intact to the receiver and dropped from the transmission to the adversary.This enables private, key-less communication between the parties, guaranteeing that the receiver will either receive the original message, or ⊥.In this way, the communication will be nonmalleable in the sense that the receiver cannot be lead to output ⊥ depending on any property of the plaintext.Our model allows the noise in the receiver side to depend on the transmission to the wiretap adversary, that tampers with a large (of rate 1 − o( 1)) fraction of symbols, leading to an "active" variant of the wiretap model.

Related Work
Manipulation detection has been considered independently of the notion of non-malleability, in the seminal paper by Cramer et.al. [30], who introduced the notion of algebraic manipulation detection (AMD) codes, providing security against additive attacks over the codeword.A similar notion was considered by Jafargholi and Wichs [49], called tamper detection, aiming to detect malicious modifications over the codeword, independently of how those affect the output of the decoder.Tamper detection ensures that the application of any (admissible) function to the codeword leads to an invalid decoding.
Non-malleable codes for other function classes have been extensively studied, such as constant split-state functions [26,37], block-wise tampering [24,28], while the work of [2] develops beautiful connections among various function classes.There has been even richer classes studied in recent years, such as small depth circuits [12], bounded-degree polynomials over finite fields [11], and bounded polynomial time/depth functions [13,33,40].The results [11,12] are information-theoretic, and the others [13,33,40] require stronger complexity/cryptographic assumptions.On the other hand, the constructions of this work only rely on the minimal cryptographic assumption-the existence of one-way functions.
A related line of work in tamper resilience aims to protect circuit computation against tampering attacks on circuit wires [31,32,46,48] or gates [54], [9,10] aim at protecting circuits against hardware Trojans, while [18] relies on trusted hardware.In this setting, using non-malleable codes for protecting the circuit's private memory is an option, still in order to achieve security the encoding and decoding procedures should be protected against fault injection attacks using the techniques from [31,32,46,48,54].The work of [52] is the first that constructs (one-time) NMCs for the class of partial functions that tamper with almost the entire codeword.Whether NMCs could be useful in secure messaging remains an interesting open question [6][7][8].

Preliminaries
In this section, we present basic definitions and notation that will be used throughout the paper.Definition 2.1.(Notation) Let t, i, j, be nonnegative integers.Then, [t] is the set {1, . . ., t}.For bit strings x, y, x||y, is the concatenation of x, y, |x| denotes the length of x, For a distribution D over a set X , x ← D denotes sampling an element x ∈ X , according to D, x ← X denotes sampling a uniform element x from X , U X denotes the uniform distribution over X and x 1 , . . ., x t rs ← X denotes sampling a uniform subset of X with t distinct elements, using rejection sampling.The statistical distance between two random variables X, Y , is denoted by Δ(X, Y ), "≈" and "≈ c ", denote statistical and computational indistinguishability, respectively, and negl(k) denotes an unspecified, negligible function, in k.

Definition 2.3. (Coding scheme in the Common Reference String (CRS) Model
For brevity, 1 k will be omitted from the inputs of Enc and Dec. Below we define non-malleable codes with manipulation detection, which is a stronger notion than the one presented in [39], in the sense that the tampered codeword will always decode to the original message or to ⊥.Our definition is with respect to alphabets, as in Sect. 4 we consider alphabets of size O(log k).Definition 2.4.(Non-Malleability with Manipulation Detection (MD-NMC)) Let Γ be an alphabet, let (Init, Enc, Dec) be a (κ, ν)-coding scheme in the common reference string model, and F be a family of functions f : Γ ν → Γ ν .For any f ∈ F and s ∈ {0, 1} κ , define the tampering experiment which is a random variable over the randomness of Enc, Dec and Init.The coding scheme (Init, Enc, Dec) is non-malleable with manipulation detection with respect to the function family F, if for all, sufficiently large k and for all f ∈ F, there exists a distribution D (Σ, f ) over {0, 1} κ ∪ {⊥, same * }, such that for all s ∈ {0, 1} κ , we have:
In the above definition, f is parameterized by Σ to differentiate tamper-proof input, i.e., Σ, from tamperable input, i.e., c.

Partial Functions
Below we define the tampering function class that will be used throughout the paper.

Definition 2.5. (The class of partial functions
For simplicity, in the rest of the text we will use the notation f (x) and f (x | I ) (instead of f x | I ).Also, the length of the codeword, ν, according to Γ , will be omitted from the notation, and whenever Γ is omitted we assume that Γ = {0, 1}.In Sect.3, we consider Γ = {0, 1}, while in Sect.4, Γ = {0, 1} O(log k) , i.e., the tampering function operates over blocks of size O(log k).When considering the CRS model, the functions are parameterized by the common reference string.
The following lemma is useful for proving security throughout the paper.
-Output: if s = 0, set s ← same * , else, s ← ⊥.Output s.From the above, we have that for any s, where the first relation follows by the definition of D f , the second one follows from the main assumption which states that for any pair of messages s 0 , s 1 , Tamper f s 0 ≈ Tamper f s 1 , and the third one follows from the assumption that Pr Tamper f s / ∈ {⊥, s} ≤ negl(k).This concludes our proof since for any f ∈ F and any message s, Relation 1 is satisfied.
For coding schemes in the CRS model the above lemma is similar, and Tamper f s internally samples Σ ← Init(1 k ).

All-Or-Nothing-Transform
Here we present the definition of all-or-nothing-transform (AONT), by adopting the notion of [23] and presenting it with respect to coding schemes against partial codeword leakage.
Definition 2.7.Let Γ be an alphabet, and (Enc, Dec) be a (κ, ν) coding scheme over the alphabet Γ .The encoding is an AONT for parameter α ∈ (0, 1) if for any pair of messages (s 0 , s 1 ) and every subset I ⊂ [ν] with cardinality αν, we have where the indistinguishability may be information-theoretic or computational.
Next, we present a simple theorem, showing that MD-NMC against partial functions (with a sufficiently large access rate) implies AONT.
Theorem 2.8.Let Γ be an alphabet, and (Enc, Dec) be a (κ, ν) coding scheme over the alpha bet Γ .Suppose the coding scheme is MD-NMC with respect to the partial function class F α for some α > 0.5, then the coding scheme is an AONT with parameter α.
Proof.We first note that by Lemma 2.6, an equivalent formulation of MD-NMC against an f ∈ F α can be stated as: (1) for any messages s 0 , s 1 , we have Tamper , and (2) for any s, Pr Tamper f s / ∈ {⊥, s} ≤ negl(k).
We prove the theorem via a reduction.Assume that there exist a subset I with |I | = αν, messages s 0 , s 1 , and a distinguisher D that breaks the AONTsecurity; then, we construct a reduction A that uses a carefully chosen function f ∈ F α to break the MD-NMCsecurity.Without loss of generality, we assume that s 0 and s 1 are both nonzero messages.
First we define the function f : the function has hardcoded (s 0 , s 1 ) and receives as input a partial codeword C * .f first runs the distinguisher, i.e., computes b * = D(s 0 , s 1 , C * ).If b * = 1, then f outputs Enc(0 κ ) | I ; otherwise, f acts as the identity function, i.e., just outputting the input C * .Now, we prove that the coding scheme is not an MD-NMC.
First, we assume that Pr Tamper f s / ∈ {⊥, s} = negl(k) for any message s.Otherwise, the manipulation detection property is broken, implying a contradiction.Then, we claim that in either case of s = s 0 or s = s 1 , we have Tamper f s = ⊥, with an overwhelming probability.We observe that f has changed an α > 0.5 fraction of the codeword into Enc(0 κ ) | I .This effect is the same as another related tampering function g ∈ F α who changes a (1 − α) < 0. By the above theorem, we derive that any MD-NMC code against partial functions with sufficiently large access rate, i.e., for F α for α > 0.5, is also an AONT with the same parameter α.On the other hand, we notice that α > 0.5 is necessary for the theorem, as otherwise we can construct a simple counter example-first we observe that the repetition code with majority decoding 10 is an MD-NMC against F β for any β < 0.5, as any tampering function in this class cannot change the outcome of the decoding.However, this is certainly not an AONT, as reading one bit is sufficient to recover the underlying message.

One-Time Authenticated Encryption
Below, we define the security notion of authenticated encryption required by our construction of non-malleable codes.Definition 2.9.(Authenticated encryption) Let k be the security parameter and (KGen, E, D) be a symmetric encryption scheme.Then, (KGen, E, D) is authenticated, semantically secure against (1-query) key recovery attacks, if it satisfies the following properties: 1. (Correctness): For every message s, Pr[D sk (E sk (s)) = s] = 1, where sk ← KGen(1 k ). 2. (Semantic security): for any pair of messages s 0 , s 1 , E sk (s 0 ) ≈ E sk (s 1 ) , where sk ← KGen(1 k ).

(1-query key recovery security): for any message s and any adversary A, we have
≤ negl(k).

(Unforgeability): For any algorithm
10 That is, to encode a bit b, the codeword is simply outputting b k (concatenation of k b's).To decode, the algorithm just outputs the majority.
When the scheme is computationally secure, we consider computational indistinguishability instead of statistical, and A is PPT .
We notice that the notions of semantic security and key-recovery are not compatible just from the definitions, i.e., key-recovery security clearly does not imply semantic security, and the other way implication does not hold in general, i.e., if the key space is small (e.g., one-time pad with bit messages and keys), there is always a 1/2 probability guessing the key correctly.Nevertheless, below we instantiate two simple schemes which satisfy the key-recovery security.
It is not hard to see that the scheme defined above is a rate 1, computationally secure authenticated encryption scheme [50].The semantic security follows from the security of PRF/PRG.From the security of the pseudo-random function, the scheme is also secure against 1-query key recovery attack.Particularly, from any adversary who can break the 1-query key recovery security, we can easily derive a reduction who can invert the PRF, i.e., recovering the key r given (F r (τ ), τ ).The reduction can then be used to distinguish F r (•) from the truly random function given oracle access, as the truly random function cannot be compressed into a short key r , following the compression argument.
Next we describe a simple one-time information theoretic construction.It is easy to verify that the security (i.e., semantic, unforgeability) of the above scheme comes from the pair-wise independence of H, H.As long as |h| > |s| + k, then the conditional entropy of sk given e is still greater to k, meaning that the informationtheoretic adversary has at most 2 −k probability to predict sk successfully.

Secret Sharing
In this section, we present the definition and a concrete instantiation of the m-out-of-m secret sharing scheme later used in this work.Definition 2.13.An m-out-of-m secret sharing scheme has the following two algorithms (SS m , Rec m ) that works as follow: -SS m : on input x outputs shares (z 1 , . . ., z m ).Denote z = m i=1 z i , where denotes concatenation.
-Rec m : on input shares (z 1 , . . ., z m ) (denoted as z as above) outputs the message x.
The correctness requires that Rec m (SS m (x)) = x holds with probability 1.The security requires that the message x is information-theoretically hidden given any proper subset of shares (z 1 , . . ., z m ).
Instantiation.Given any finite field GF( p e ) where p is some prime and e is some non-negative integer, there is a simple additive m-out-of-m secret sharing scheme that works as follow.SS m takes input x ∈ GF( p e ) and samples uniformly random shares (z 1 , . . ., z m ) where each z i ∈ GF( p e ) and x = i∈[m] z i .Similarly, Rec m takes input (z 1 , . . ., z m ) and just outputs i∈[m] z i .It is easy to verify that both the correctness and security hold.Remark.In this work, we always refer the particular instantiation above as (SS m , Rec m ).Moreover, to simplify the presentation, we use SS m (x y) to denote SS m (x) SS m (y) for sharing multiple inputs.For this case, the reconstruction works analogously.

An MD-NMC for Partial Functions, in the CRS Model
In this section, we consider Γ = {0, 1} and we construct a rate 1 MD-NMC for F α , with access rate α = 1 − 1/Ω(log k).
Before presenting the encoding scheme for F α , we provide the intuition behind the construction.As a staring point, we consider a naive scheme (which does not work) and then show how we resolve all the challenges.Let (KGen, E, D) be a (symmetric) authenticated encryption scheme and consider the following encoding scheme: to encode a message s, the encoder computes (sk||e), where e ← E sk (s) is the ciphertext and sk ← KGen(1 k ), is the secret key.We observe that the scheme is secure if the tampering function can only read/write on the ciphertext, e, assuming the authenticity property of the encryption scheme, however, restricting access to sk, which is short, is unnatural and makes the problem trivial.On the other hand, even partial access to sk, compromises the authenticity property of the scheme, and even if there is no explicit attack against the non-malleability property of the code, there is no hope for proving security based on the properties of (KGen, E, D), in a black-box way.
A solution to the above problems would be to protect the secret key using an inner encoding, yet the amount of tampering is now restricted by the capabilities of the inner scheme, as the attacker knows the exact locations of the "sensitive" codeword bits, i.e., the non-ciphertext bits.In the proposed construction, we manage to protect the secret key while avoiding the bottleneck on the access rate, by designing an inner encoding scheme that provides limited security guarantees when used standalone, still when it is used in conjunction with a shuffling technique that permutes the inner encoding and ciphertext bit locations, it guarantees that any attack against the secret key will create an invalid encoding with overwhelming probability, even when allowing access to almost the entire codeword.
The proposed scheme is depicted in Fig. 3 and works as follows: on input message s, the encoder (i) encrypts the message by computing sk ← KGen(1 k ) and e ← E sk (s), (ii) computes an m-out-of-m secret sharing, z, of (sk||sk 3 ) (interpreting both sk and sk 3 as elements in some finite field), 11 and outputs a random shuffling of (z||e), denoted as P Σ (z||e), according to the common reference string, Σ. Decoding proceeds as follows: on input c, the decoder (i) inverts the shuffling operation by computing (z||e) ← P −1 Σ (c), (ii) reconstructs (sk||sk ), and (iii) if sk 3 = sk , it outputs D sk (e), otherwise, it outputs ⊥.The proposed instantiation yields a rate 1 computationally secure MD-NMC in the CRS model, with access rate 1 − 1/Ω(log k) and codewords of length |s| + O(k 2 log k), under mild assumptions, e.g., one-way functions.
Below, we formally define our construction.
The set of indices of z i in the codeword will be denoted by Z i .
In the above, we consider sk, sk 3 , as elements over GF(2 poly(k) ).In a high level, the construction presented above combines authenticated encryption with an inner encoding that works as follows.It interprets sk as an element in the finite field GF(2 |sk| ) and computes sk 3 as a field element.Then, for each bit of (sk||sk 3 ), it computes an m-out-of-m secret sharing of the bit, for some parameter m (we note that elements in GF(2 |sk| ) can be interpreted as bit strings).Then, by combining the inner encoding with the shuffling technique, we get an encoding scheme whose security follows from the observations that we briefly present below: -For any tampering function which does not have access to all m shares of a single bit of (sk||sk 3 ), the tampering effect on the secret key can be expressed essentially as a linear shift, i.e., as ((sk + δ)||(sk 3 + η)) for some (δ, η) ∈ GF(2 |sk| ) × GF(2 |sk| ), independent of sk.-By permuting the locations of the inner encoding and the ciphertext bits, we have that with overwhelming probability any tampering function who reads/writes on a (1 − o( 1)) fraction of codeword bits, will not learn any single bit of (sk||sk 3 ).-With overwhelming probability over the randomness of sk and the CRS, for nonzero η and δ, (sk+δ) 3 = sk 3 +η, and this property enables us to design a consistency check mechanism whose output is simulatable, without accessing sk.
-The security of the final encoding scheme follows by composing the security of the inner encoding scheme with the authenticity property of the encryption scheme.
Intuitively, the properties that we require from the inner encoding scheme (after the shuffling operation) employed by our construction are similar to those provided by a robust secret sharing scheme [58], which guarantees tamper detection during the reconstruction phase.In our work, we additionally require simulatability of whether the reconstructed message will be the same or ⊥.
Below we present the formal security proof of the above ideas.Proof.Let I be the set of indices chosen by the attacker and I c = [ν]\I , where ν = 2 m|sk| + |e|.The tampered components of the codeword will be denoted using the symbol "~" on top of the original symbol, i.e., we have c ← f (c), the tampered secret key sk (resp.sk 3 ) that we get after executing Rec m (z) will be denoted by sk (resp.sk ).Also the tampered ciphertext will be ẽ.We prove the needed using a series of hybrid experiments that are depicted in Fig. 4. Below, we describe the hybrids.
- : In the second experiment we define Z i , i ∈ [2|sk|], to be the set of codeword indices in which the secret sharing z i is stored, |Z i | = m.The main difference from the previous experiment is that the current one outputs ⊥, if there exists a bit of sk or sk 3 for which the tampering function reads all the shares of it, while accessing at most αν bits of the codeword.Intuitively, and as we prove in Claim 3.3, by permuting the location indices of z||e, this event happens with probability negligible in k, and the attacker does not learn any bit of sk and sk 3 , even if it is given access to (1 − o( 1))ν bits of the codeword.-Exp Σ, f,s 2 : By the previous hybrid, we have that for all i ∈ [2|sk|], the tampering function will not access all bits of z i , with overwhelming probability.In the third experiment, we unfold the encoding procedure, and in addition, we substitute the secret sharing procedure SS m with SS f m that computes shares z * i that reveal no information about sk||sk 3 ; for each i, SS f m simply "drops" the bit of z i with the largest index that is not being accessed by f .We formally define SS f m below.
Output same * if s = s and s otherwise.
Output same * if s = s and s otherwise.
Output same * if s = s and s otherwise., z = 2|sk| i=1 z i , and each z i is an m-out-of-m secret sharing for a bit of sk or sk 3 .From Claim 3.3, we have that for all i, |I ∩ Z i | < m with overwhelming probability, and we can observe that the current experiment is identical to the previous one up to the point of computing f (c | I ), as c | I and f (c | I ) depend only on z * , that carries no information about sk and sk 3 .Another difference between the two experiments is in the external "Else" branch: Exp Σ, f,s 1 makes a call to the decoder while Exp Σ, f,s 2 , before calling D sk ( ẽ), checks if the tampering function has modified the shares in a way such that the reconstruction procedure (( sk, sk ) ← Rec m (z)) will give sk = sk or sk = sk .This check is done by the statement "If ∃i : , without touching sk or sk 3 . 13In case modification is detected the current experiments outputs ⊥.The intuition is that an attacker that partially modifies the shares of sk and sk 3 , creates shares of sk and sk , such that sk 3 = sk , with negligible probability in k.We prove this by a reduction to the 1-IND-CPA security of the encryption scheme: any valid modification over the inner encoding of the secret key gives us method to compute the original secret key sk, with non-negligible probability.The ideas are presented formally in Claim 3.4.-Exp Σ, f,s 3 : The difference between the current experiment and the previous one is that instead of executing the decryption, D sk ( ẽ), we first check if the attacker has modified the ciphertext, in which case the current experiment outputs ⊥, otherwise it outputs same * .By the previous hybrid, we reach this newly introduced "Else" branch of Exp Σ, f,s 3 , only if the tampering function didn't modify the secret key.Thus, the indistinguishability between the two experiments follows from the authenticity property of the encryption scheme in the presence of z * : given that sk = sk and sk = sk , we have that if the attacker modifies the ciphertext, then with overwhelming probability D sk ( ẽ) = ⊥, otherwise, D sk ( ẽ) = s, and the current experiment correctly outputs ⊥ or same * (cf.Claim 3.5).
-Finally, we prove that for any f ∈ F α , and message s, Exp In what follows, we prove indistinguishability between the hybrids using a series of claims.
Then, for any f ∈ F α and any message s, we have Exp , where the probability runs over the randomness used by Init, Enc.

Proof. The difference between the two experiments is that Exp
Σ, f,s 1 outputs ⊥ when the attacker learns all shares of some bit of sk or sk 3 , otherwise it produces output as Exp Σ, f,s 0 does.Let E be the event "∃i : conditioned on ¬E, thus the statistical distance between the two experiments is bounded by Pr[E].In the following, we show that Pr[E] ≤ negl(k).We define by E i the event in which f learns the entire z i .Assuming the attacker reads n bits of the codeword, we have that for all i ∈ [2|sk|], We have n = αν and assuming α = 1 − for ∈ (0, 1], we have and which is negligible when (1 − α)m = ω(log(k)), and the proof of the claim is complete.
Claim 3.4.Assuming (KGen, E, D) is secure against the 1-query key recovery attack as Definition 2.9, then for any f ∈ F α and any message s, Exp , where the probability runs over the randomness used by Init, Enc. , with overwhelming probability, as z * is indistinguishable from z in the eyes of f .Another difference between the two experiments is in the external "Else" branch: Exp Σ, f,s 1 makes a call on the decoder while Exp Σ, f,s 2 , before calling D sk ( ẽ), checks if the tampering function has modified the shares in a way such that the reconstruction procedure will give sk = sk or sk = sk .This check is done by the statement "If ∃i :

Proof. In Exp
, without touching sk or sk 3 (cf.Claim 3.3). 14We define the events E, E as follows Clearly, conditioned on ¬E the two experiments are identical, since we have sk = sk and sk = sk , and the decoding process will output D sk ( ẽ) in both experiments.Thus, the statistical distance is bounded by Pr , and uses f , s to break the 1-query key recovery security of (KGen, E, D) in the presence of z * , with probability at least p/2.
First we prove that any secure (against 1-query key recovery attacks) encryption scheme, remains secure even if the attacker receives z * ← SS f m (Σ, sk).This is because that z * can be simulated without knowing sk, by using random shares on positions that the tampering function can see and * 's otherwise.Then this fact follows by a simple reduction argument.Now we prove our claim.Assuming Pr[E ∧ E ] > p, for p = 1/poly(k), we define an attacker A that breaks the 1-query key recovery security of (KGen, E, D) in the presence of z * , with non-negligible probability.A receives the encryption of s, which corresponds to the oracle query right before receiving the challenge ciphertext, the challenge ciphertext e ← E sk (s b ), for uniform b ∈ {0, 1} and uniform messages s 0 , s 1 , as well as z * .A is defined below.
(Define the shares that will be accessed by f ): be the tampered shares resulting after the application of f to c | I .

(Searching the secret key)
, U , V denote the sum of the shares that are being accessed by the attacker (maybe partially), and Di , are the corresponding tampered values after applying f on U , V .Define and compute the set of roots of p(X ), denoted as X , which are at most two.Then set (2) 4. (Output) Just output a random element in ŜK.
In the first step, A removes the dummy symbol " * " and computes the shares that will be partially accessed by f , denoted as C i for sk and as D i for sk 3 .In the second step, it simulates the codeword partially, applies the tampering function on it, and defines the tampered shares, Ci , Di .Conditioned on E , it is not hard to see that A simulates perfectly Exp Σ, f,s 2 . In particular, it simulates perfectly the input to f as it receives e ← E sk (s) and all but 2|sk| of the actual bit-shares of sk, sk 3 .Part of those shares will be accessed by f .Since for all i, |I ∩ Z i | < m, the attacker is not accessing any single bit of sk, sk 3 .Let C m , D m , be the shares (not provided by the encryption oracle) that completely define sk and sk 3 , respectively.By the definition of the encoding scheme and the fact that sk, sk 3 ∈ GF(2 poly(k) ), we have m i=1 C i = sk, m i=1 D i = sk 3 , and In order for the decoder to output a non-bottom value, the shares created by the attacker must decode to sk, sk , such that sk 3 = sk , or in other words, if From 3 and 4 we receive ≤ Pr sk ∈ ŜK , (6) and A manages to recover C m , and thus the set ŜK that contains sk, with non-negligible probability at least p.As ŜK is derived from solving a quadratic equation, the cardinality, i.e., | ŜK| is at most 2. Thus, a random guess would hit the sk with probability at least p/2.This is a contradiction to the 1-query key recovery security of (KGen, E, D).Thus, we have Pr[E ∧ E ] ≤ negl(k), and both experiments output ⊥ with overwhelming probability., where the probability runs over the randomness used by Init, KGen and E.
Proof.Before proving the claim, recall that the authenticity property of the encryption scheme is preserved under the presence of z * (cf.Claim 3.4).Let E be the event sk = sk ∧ sk = sk 3 and E be the event ẽ = e.Conditioned on ¬E, the two experiments are identical, as they both output ⊥.Also, conditioned on E ∧ ¬E , both experiments output same * .Thus, the statistical distance between the two experiments is bounded by Pr Assuming there exist s, f , for which Pr[E ∧ E ∧ B] > p, where p = 1/poly(k), we define an attacker A = (A 1 , A 2 ) that simulates Exp Σ, f,s 3 and breaks the authenticity property of the encryption scheme in the presence of z * , with non-negligible probability.A is defined as follows: sample (s, st) ← A 1 (1 k ), and then, on input (z * , e, st), where , where the probability runs over the randomness used by Init, KGen, E. "≈" may refer to statistical or computational indistinguishability, and 0 denotes the zero message.
Proof.Recall that (KGen, E, D) is semantically secure even in the presence of z * ← SS f m (Σ, sk) (cf.3.4), and toward contradiction, assume there exist f ∈ F α , message s, and PPT distinguisher D such that for p = 1/poly(k).We are going to define an attacker A that breaks the semantic security of (KGen, E, D) in the presence of z * , using s 0 := s, s 1 := 0. A, given z * , e, executes Program.; thus, the advantage of A against the semantic security of (KGen, E, D) is the same with the advantage of D in distinguishing between Exp

It is not hard to see that A simulates Exp
, which by assumption is non-negligible.We have reached a contradiction, and the proof of the claim is complete.
From the above claims, we have that for any f ∈ F α and any s, On the CRS.In the above, the tampering function, and consequently the codeword locations that the function is given access to, are fixed before sampling the CRS and this is critical for achieving security.However, by the proof of Theorem 3.2, we observe that proving security in this setting is highly non-trivial.In addition, the tampering function receives full access to the CRS when tampering with the codeword, which is in contrast to the work by Faust et.al. [45] in the information-theoretic setting, where the (internal) tampering function receives partial information over the CRS.
In addition, the proposed scheme tolerates adaptive selection of the codeword locations, with respect to the CRS, in the following way: each time the attacker requests access to a location, he also learns if it corresponds to a bit of z or e, together with the index of that bit in the original string.In this way, the CRS is gradually disclosed to the adversary while picking codeword locations.
Finally, our CRS sustains a substantial amount of tampering that depends on the codeword locations chosen by the attacker: an attacker that gets access to a sensitive codeword bit is allowed to modify the part of the CRS that defines the location of that bit in the codeword.The attacker is allowed to modify all but O(k log(|s| + k)) bits of the CRS, that is of length O(k 2 log k log(|s| + k)).To our knowledge, this is the first construction that tolerates, even partial modification of the CRS.In contrast, existing constructions in the CRS model are either using NIZKs [35,41,43,55], or they are based on the knowledge of exponent assumption [51], thus tampering access to the CRS would compromise security.

Removing the CRS
In the present section, we show how to construct an MD-NMC for partial functions, in the standard model.
A first approach would be to store the CRS of Construction 3.1, inside the codeword together with P Σ (z||e), and give to the attacker read/write access to it.However, the tampering function, besides getting direct (partial) access to the encoding of sk, it also gets indirect access to it by (partially) controlling the CRS.Then, it can modify the CRS in a way such that, during decoding, ciphertext locations of its choice will be treated as bits of the inner encoding, z, increasing the tampering rate against z significantly.This makes the task of protecting sk hard, if not impossible (unless we restrict the access rate significantly).
To handle this challenge, we embed a structure recovering mechanism inside the codeword and we emulate the CRS effect by increasing the size of the alphabet, giving rise to a block-wise structure. 15Notice that, non-malleable codes with large alphabet size (i.e., poly(k) + |s| bits) might be easy to construct, as we can embed in each codeword block the verification key of a signature scheme together with a secret share of the message, as well as a signature over the share.In this way, partial access over the codeword does not compromise the security of the signature scheme while the message remains private, and the simulation is straightforward.This approach, however, comes with a large overhead, decreasing the information rate and access rate of the scheme significantly.In general, and similar to error correcting codes, we prefer smaller alphabet sizes-the larger the size is, the more coarse access structure is required, i.e., in order to access individual bits we need to access the blocks that contain them.The present work aims at minimizing this restriction by using small alphabets, as described below.
Our approach on the problem is the following.We increase the alphabet size to O(log k) bits, and we consider two types of blocks: (i) sensitive blocks, in which we store the inner encoding, z, of the secret key, sk, and (ii) non-sensitive blocks, in which we store the ciphertext, e, that is fragmented into blocks of size O(log k).The first bit of each block indicates whether it is a sensitive block, i.e., we set it to 1 for sensitive blocks and to 0, otherwise.Our encoder works as follows: on input message s, it computes z, e, as in the previous scheme and then uses rejection sampling to sample the indices, ρ 1 , . . ., ρ |z| , for the sensitive blocks.Then, for every i ∈ {1, . . ., |z|}, C ρ i is a sensitive block, with contents (1||i||z[i]), while the remaining blocks keep ciphertext pieces of size O(log k).Decoding proceeds as follows: on input codeword C = (C 1 , . . ., C bn ), for each i ∈ [bn], if C i is a non-sensitive block, its data will be part of e, otherwise, the last bit of C i will be part of z, as it is dictated by the index stored in C i .If the number of sensitive blocks is not the expected, the decoder outputs ⊥, otherwise, z, e, have been fully recovered and decoding proceeds as in the previous scheme.The proposed scheme is depicted in Fig. 5.
The security of our construction is based on the fact that, due to our shuffling technique, the position mapping will not be completely overwritten by the attacker, and we prove later in this section, this suffices for protecting the inner encoding over sk.We prove security of the current scheme (cf.Theorem 4.8) by a reduction to the security of the scheme in the CRS model.Our instantiation yields a rate 1 − 1/Ω(log k) MD-NMC in the standard model, with access rate 1 − 1/Ω(log k) and codewords of length |s|(1 + 1/O(log k)) + O(k 2 log 2 k), assuming one-way functions.
It is worth pointing out that the idea of permuting blocks containing sensitive and non-sensitive data was also considered by [61] in the context of list-decodable codes; however, the similarity is only in the fact that a permutation is being used at some point in the encoding process, and our objective, construction and proof are different.
In what follows, we consider alphabets of size O(log(k)) and we provide a computationally secure, rate 1 − 1/Ω(log k) encoding scheme in the standard model, tolerating modification of (1−o( 1))ν blocks, where ν is the total number of blocks in the codeword.
The projection operation will be also used with respect to bigger alphabets, enabling the projection of blocks.
Our construction is defined below.
The set of indices of the blocks in which z i is stored will be denoted by Z i .
We prove security for the above construction by a reduction to the security of Construction 3.1.We note that our reduction is non-black box with respect to the coding scheme in which security is reduced to; a generic reduction, i.e., non-malleable reduction [2], from the standard model to the CRS model is an interesting open problem and thus out of the scope of the present work.
In the following, we consider Γ = {0, 1} O(log(k)) . 17The straightforward way to prove that (Enc * , Dec * ) is secure against F α Γ by a reduction to the security of the bit-wise code of Sect.3, would be as follows: for any α ∈ [0, 1), f ∈ F α Γ and any message s, we have to define α , g ∈ F α , such that the output of the tampered execution with respect to (Enc * , Dec * ), f , s, is indistinguishable from the tampered execution with respect to (Init, Enc, Dec), g, s, and g is an admissible function for (Init, Enc, Dec).However, this approach might be tricky as it requires the establishment of a relation between α and α such that the sensitive blocks that f will receive access to, will be simulated using the sensitive bits accessed by g.Our approach is cleaner: for the needs of the current proof we leverage the power of Construction 3.1, by allowing the attacker to choose adaptively the codeword locations, as long as it does not request to read all shares of the secret key.Then, for every block that is accessed by the block-wise attacker f , the bit-wise attacker g requests access to the locations of the bit-wise code that enable him to fully simulate the input to f .We formally present our ideas in the following sections.In Sect.4.1 we introduce the function class F ad that considers adaptive adversaries with respect to the CRS and we prove security of Construction 3.1 in Corollary 4.3 against a subclass of F ad , and then, we reduce the security of the block-wise code (Enc * , Dec * ) against F α Γ to the security of Construction 3.1 against F ad (cf.Sect.4.2).

Security Against Adaptive Adversaries
In the current section, we prove that Construction 4.1 is secure against the class of functions that request access to the codeword adaptively, i.e., depending on the CRS, as long as they access a bounded number of sensitive bits.Below, we formally define the function class F ad , in which the tampering function picks up the codeword locations depending on the CRS, and we consider Γ = {0, 1}.
Definition 4.2.(The function class F ν ad (or F ad )) Let (Init, Enc, Dec) be an (κ, ν)coding scheme and let Σ be the range of Init(1 k ).For any g = (g 1 , g 2 ) ∈ F ν ad , we have g 1 : Σ → P ([ν]), g Σ 2 : {0, 1} |range(g 1 )| → {0, 1} |range(g 1 )| ∪ {⊥}, and for any c ∈ {0, 1} ν , g Σ (c) = g 2 c | g 1 (Σ) .For brevity, the function class will be denoted as F ad .Construction 3.1 remains secure against functions that receive full access to the ciphertext, as long as they request to read all but one shares for each bit of sk and sk 3 .The result is formally presented in the following corollary.Proof.Let g = (g 1 , g 2 ) be as stated above.For any message s, the tampered execution with respect to g and (Init, Enc, Dec), is defined as follows.
The proof is along the lines of the proof of Theorem 3.2, i.e., we prove that for any g having the properties stated above, and any pair of messages s 0 , s 1 , Tamper g s 0 ≈ Tamper g s 1 , and the output of the tampered execution is either the original message, or ⊥, with overwhelming probability.Below, we revisit the hybrids of Theorem 3.2 and we prove that the indistinguishability between adjacent hybrids, holds with respect to g.

-Exp
Σ,g,s 0 : For any f , s, the first experiment, Exp Σ,g,s 0 , is identical to the experiment Tamper g s .-Exp Σ,g,s 1 : In the second experiment, we have Z i , i ∈ [2|sk|], to be the set of indices in which z i is stored, |Z i | = m.The main difference from the previous experiment is that the current one outputs ⊥, if there exists a bit of sk or sk 3 for which the tampering function reads all shares of it.However, by the definition of g we know that this happens with zero probability; thus, we have that the following claim holds, Claim 4.4.Let k, m ∈ N.For any g = (g 1 , g 2 ) ∈ F ad , assuming that for all i ∈ [2|sk|], (Z i ∩ g 1 (Σ)) < m and any message s, we have Exp , where -Exp Σ,g,s 2 : In the current experiment, we unfold the encoding procedure, and in addition, we substitute the secret sharing procedure SS m with SS g m , where SS g m is defined as SS f m does with respect to f , in Claim 3.4 of Theorem 3.2.From the above claim, we have that for all i, |I ∩ Z i | < m, and we observe that the current experiment is identical to the previous one up to the point of computing g(c | I ), as c | I carries no information about sk and sk 3 .Thus, the transition between the current experiment and the previous one is identical to that of Theorem 3.2: an attacker that partially modifies the shares of sk and sk 3 , creates shares of sk and sk , such that sk 3 = sk , with negligible probability in k, which is proved by a reduction to the 1-IND-CPA security of the encryption scheme in the presence of z * .Thus, we have the following claim., where the probability runs over the randomness used by Init, Enc.
-Exp Σ,g,s 3 : As in Theorem 3.2, the indistinguishability between the two experiments follows from the authenticity property of the encryption scheme in the presence of z * .Thus, the following holds., where the probability runs over the randomness used by Init, KGen and E.
-Finally, since g learns nothing about sk, we have that for any g ∈ F ad , and message s, Exp This follows by the semantic security of the encryption scheme (Definition 2.9).Formally, we prove the following claim., where the probability runs over the randomness used by Init, KGen, E, "≈" may refer to statistical or computational indistinguishability, and 0 is the zero message.
From the above claims we have that for any g ∈ F ad and any s 0 , s 1 , assuming that for all i ∈ [2|sk|], , the second property of Lemma 2.6 has been proven as the output of Exp Σ,g,s 3 is in {s, ⊥}, with overwhelming probability.

MD-NMC Security of the Block-Wise Code
In the current section, we prove security of Construction 4.1 against F α Γ , for Γ = {0, 1} O(log(k)) .Proof.Following Lemma 2.6, we prove that for any f ∈ F α Γ , and any pair of messages s 0 , s 1 , Tamper f s 0 ≈ Tamper f s 1 , and for any s, Pr Tamper f s / ∈ {⊥, s} ≤ negl(k), where Tamper denotes the experiment defined in Lemma 2.6 with respect to the encoding scheme of Construction 4.1, (Enc * , Dec * ).Our proof is given by a series of hybrids depicted in Fig. 9.We reduce the security (Enc * , Dec * ), to the security of Construction 3. is that in the latter one, we introduce the tampering function (g 1 , g 2 ), that operates over codewords of (Init, Enc, Dec) and we modify the encoding steps so that the experiment creates codewords of the bit-wise code (Init, Enc, Dec).(g 1 , g 2 ) simulates partially the block-wise codeword C, while given partial access to the bit-wise codeword c ← Enc(s).As we prove in Claim 4.9, it simulates perfectly the tampering effect of f against C ← Enc * (s).g 1 operates as follows (cf. Figure 6): it simulates perfectly the randomness for the permutation of the block-wise code, denoted as ρ, and constructs a set of indices I , such that g 2 will receive access to, and tamper with, c | I .The set I is constructed with respect to the set of blocks I b , that f chooses to access, as well as Σ, that reveals the original bit positions, i.e., the ones before permuting (z||e).g 2 receives c | I , reconstructs I , simulates partially the blocks of the block-wise codeword, C, and applies f on the simulated codeword.The program of g 2 is given in Fig. 7.In Claim 4.9, we show that g 2 , given c | I , simulates perfectly , and the two executions are identical.-Exp (g 1 ,g 3 ),s 2 : In the current experiment, we substitute the function g 2 with g 3 , and Dec * with Dec, respectively.By inspecting the code of g 2 and g 3 (cf.Figures 7,8, respectively), we observe that latter function executes the code of the former, plus the "Check labels and simulate c[I ]" step.Thus, the two experiments are identical up to the point of computing The main idea here is that we want the current execution to be with respect to (Init, Enc, Dec) against (g 1 , g 3 ).Thus, we substitute Dec * with Dec, and we expand the function g 2 with some extra instructions/checks that are missing from Dec. We name the resulting function as g 3 and we prove that the two executions are identical.
-Finally, we prove that for any f and any s, We do so by proving that (g 1 , g 3 ) is admissible for (Init, Enc, Dec, ), i.e., (g 1 , g 3 ) ∈ F ad , and g 3 will not request to access more that m − 1 shares for each bit of sk, sk 3 (cf.Corollary 4.3).This implies security according to Lemma 2. 6.
In what follows, we prove indistinguishability between the hybrids.Claim 4.9.For any f ∈ F α Γ and any s, Exp . 18 18 For random variables X , Y , X = Y denotes that the random variables are identical.
). Proof.The main difference between Exp 0 and Exp 1 is that in Exp 1 , we introduce the tampering function g = (g 1 , g 2 ) that operates over codewords of (Init, Enc, Dec), and simulates partially the block-wise code.We observe that g 1 simulates perfectly the randomness of the permutation for the block-wise code, denoted as ρ.Thus, the computation C ← Π ρ (z||e) does not induce any statistical difference between the two experiments.By the definition of g 1 , we have that c | I consists of all ciphertext bits, as well as the indices r i , for which ρ i ∈ I b , i ∈ [l], i.e., if f requests access to the sensitive block with index ρ i , containing z[i], g 1 will request access to the r i -th bit of c, which is z[i].Thus, g 2 will receive as input the entire ciphertext and all the sensitive bits that f will request access to, with respect to I b , thus it can fully simulate C | I b while being consistent with the distribution of blocks in C | I c b , as ρ is generated by g 1 .Thus, we have

* *
, and the proof of the claim is complete.
Claim 4.10.For any f ∈ F α Γ and any s, Exp Proof.In Exp 2 we substitute the function g 2 with g 3 , and Dec * with Dec, respectively.By inspecting the code of g 2 and g 3 , we observe that latter function executes the code of the former, plus the "Check labels and simulate c[I ]" step.Thus, the two experiments are identical up to the point of computing f (C | I b ).We unfold the code of the two experiments from that point of the computation and on (cf. Figure 10).The idea is that the consistency check on the labels of the block-wise code is transferred from Dec * in Exp 1 to g 3 in Output same * if s = s and s otherwise.
Output same * if s = s and s otherwise.
Output same * if s = s and s otherwise.Exp 2 , and Dec * is substituted by Dec, so that Exp is the tampering experiment of Lemma 2.6 with respect to (Init, Enc, Dec) and (g 1 , g 3 ).
In order to show that Exp , is suffices to prove that Dec * ( C) = Dec( c).By inspecting Exp  . . .
where the last equality follows from the fact that is independent of the blocks of C that Exp 2 does not have access to.Moreover, where the last equality follows from the fact that c| I c is not being accessed by the tampering function.From the above relations, we have that c = P Σ Π −1 ( C) , thus Proof.Assuming (1 − α)m = ω(log(k)), it suffices to prove that for any f ∈ F α Γ , the function (g 1 , g 3 ) ∈ F ad is admissible for (Init, Enc, Dec, ), i.e., g 1 will not request to access more that m −1 shares for each bit of sk, sk 3 , and the proof of the claim will follow by Corollary 4.3 and Lemma 2.6.We prove that for any f ∈ F α Γ , the corresponding (g 1 , g 3 ) will not access the entire z i , for all i ∈ [|2sk|], with overwhelming probability.Such an event takes place if and only if ∃i : |(I b ∩ Z i )| = m.We define by E i the event in which f request access to all blocks in which z i is stored.Assuming f reads n blocks, we have that for all i ∈ [2|sk|], We have n = αν and assuming α = 1 − for ∈ (0, 1], we have Pr The security of the block-wise code follows from the above claims and the MD-NMC security of (Init, Enc, Dec).

Continuous MD-NMC with light Updates
In this section, we enhance the block-wise scheme of Sect. 4 with an update mechanism, that uses only shuffling and refreshing operations.The resulting code is secure against continuous attacks, for a notion of security that is weaker than the original one [45], as we need to update the codeword after each round of execution.However, our update mechanism is using cheap operations, avoiding the full decoding and re-encoding of the message, which is the standard way to achieve continuous security [39,55] using a onetime NMC.In addition, our solution avoids the usage of a self-destruction mechanism that produces ⊥ in all subsequent rounds after the first round in which the attacker creates an invalid codeword, which was originally proposed by [41].Avoiding the self-destruction mechanism was originally proposed by [41], and it is an important step toward practicality, as (i) the mechanism is subjective to denial of service attacks, and (ii) it renders the device useless in the presence of non-adversarial hardware faults.Our solution enables normal use of the device in the presence of such faults and provides security against malicious attacks. 19 The update mechanism of the proposed scheme works as follows: in each round, it randomly shuffles the blocks and refreshes the randomness of the inner encoding of sk.The idea here is that, due to the continual shuffling and refreshing of the inner encoding scheme, in each round the attacker learns nothing about the secret key, and every attempt to modify the inner encoding, results to an invalid key, with overwhelming probability.Our update mechanism can be made deterministic if we further encode the seed of a PRG together with the secret key, which is similar to the technique presented in [55].
Below we define the update mechanism, which is denoted as Update * .The following definition of security is along the lines of the one given in [45], adapted to the notion of non-malleability with manipulation detection.Also, after each invocation the codewords are updated, where in our case the update mechanism is only using shuffling and refreshing operations.In addition, there is no need for self-destruct after detecting an invalid codeword [41].Definition 5.2.(Continuous MD-NMC with light updates) Let CS = (Enc, Dec) be an encoding scheme, F be a function class and k, q ∈ N.Then, CS is a q-continuously non-malleable code with manipulation detection (q-MD-CNMC) with light updates, if for every, sufficiently large k ∈ N, any pair of messages s 0 , s 1 ∈ {0, 1} poly(k) , and any algorithm A, Below we prove that the scheme of Construction 5.1 is continuously non-malleable with manipulation detection and light updates.Proof.Let A be any adversary playing against Tamper A s , for any s.Let I b be the set of indices chosen by the attacker in each round and I c = [ν]\I .The tampered components of the codeword will be denoted using the symbol "~" on top of the original symbol.Our proof follows the strategy of the one given in Theorem 3.2, using a series of hybrid experiments that are depicted in Fig. 11.Below, we describe the hybrids.
-Exp A,s,q 0 : For any A, s, q, the experiment Exp A,s,q 0 is the experiment Tamper A s , of Definition 5.2.
-Exp A,s,q 1 : In the second experiment and for each round of the execution, we define Z i , i ∈ [2|sk|], to be the set of indices in which z i is stored, |Z i | = m.Intuitively, in each round, by calling the Update * procedure that permutes the blocks using a fresh permutation key and updates the shares of sk and sk 3 , we achieve the following: in each round, the attacker finds all shares for a bit of sk, and sk 3 , with negligible probability in k, thus the tampering function is not accessing any bit of sk and sk 3 , even if it is given access to (1 − o(1))ν blocks of the codeword.Thus, the indistinguishability between the current experiment and the previous one comes from a claim analogous to Claim 3.3, made in the proof of Theorem 3.2.In particular, we have the following claim., where the probability runs over the randomness used by Enc * , Update * .
-Exp A,s,q 2 : In the third experiment, we define by Zi to be the set of indices in which zi is stored, | Zi | = m.The main difference with the previous experiment is that we unfold the encoding procedure, and in addition, we substitute the secret sharing procedure SS m with SS , checks if the tampering function has modified the shares in a way such that the reconstruction procedure will give sk = sk or sk = sk .In case modification is detected the current experiments sends ⊥ to the attacker.The main idea here is that, a tampering function that modifies the shares of sk and sk 3 , creates shares of sk and sk , such that sk 3 = sk , with negligible probability in k.We prove this by a reduction to the 1-IND-CPA security of the encryption scheme in the presence of z * , that as we have already stated, it gives no information about the secret key.The indistinguishability between the two experiments comes from the following claim, whose proof is similar to the one given in Claim 3.4., where the probability runs over the randomness used by Enc * , Update * .
-Exp A,s,q 3 : In the final experiment, in each round of the execution, instead of calling the decryption D sk ( ẽ), we first check if the attacker has modified the ciphertext, in which case the current experiment outputs ⊥, otherwise it outputs same * .This part of the program is reached only if the tampering function does not modify the secret key.Thus, the indistinguishability between the two experiments follows from Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material.If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Theorem 1 . 3 .
(Informal) One-way functions imply continuous non-malleable codes with deterministic light updates and without self-destruct against adaptive selection of codeword locations, in the standard model, with alphabet length O(log k), information rate 1 − 1/Ω(log k) and access rate 1 − 1/Ω(log k), where k is the security parameter.

Theorem 1 . 4 .
(Informal) Assuming one-way functions, there exists an explicit secretonly AONT in the standard model, with information rate 1 and access rate 1−1/Ω(log k), where k is the security parameter.

Fig. 1 .
Fig. 1.Description of the scheme in the CRS model.

Fig. 2 .
Fig. 2. Description of the scheme in the standard model.
For a set I , |I |, P(I ), are the cardinality and power set of I , respectively, and for I ⊆ [|x|], x | I is the projection of the bits of x with respect to I .For a string variable c and value v, c ← v denotes the assignment of v to c, and c[I ] ← v, denotes an assignment such that c | I equals v.
5 fraction of Enc(0 κ ) into Enc(s) on the set [ν] \ I , meaning that Tamper f s ≈ Tamper g 0 κ .By assumption, we have Pr Tamper f s ∈ {⊥, s} = Pr Tamper g 0 κ ∈ {⊥, 0 κ } = 1 − negl(k), implying that Tamper f s = Tamper g 0 κ = ⊥, with overwhelming probability.Next, we show that Tamper f s 0 k∈N ≈ Tamper f s 1 k∈N .We notice that for b ∈ {0, 1}, Tamper f s b outputs ⊥ with probability the same as that of D(s 0 , s 1 , Enc(s b ) | I ) outputting 1.As the distinguisher D has a non-negligible gap outputting 1 between b = 0 and b = 1, the two tampering experiments can be distinguished with non-negligible probability.This breaks the non-malleability property of the coding scheme, reaching a contradiction.

Definition 2 . 10 .
(One-time MAC[50]) Let k be the security parameter.A message authentication code Π = (Gen, Mac, Vrfy) is one-time -secure, if for all algorithms

Fig. 4 .
Fig. 4. The hybrid experiments for the proof of Theorem 3.2.The gray part signifies the portion of the code of an experiment that differs from the previous one.
0 denotes the zero message.This follows by the semantic security of the encryption scheme, and gives us the indistinguishability property required by Lemma 2.6.The manipulation detection property is derived by the indistinguishability between the hybrids and the fact that the output of Exp Σ, f,s 3 is in the set {same * , ⊥}.

Σ, f,s 2 ,
we unfold the encoding procedure; however, instead of calling SS m , we make a call to SS f m .As we have already stated above, this modification does not induce any difference between the output of Exp Σ, f,s 2 and Exp Σ, f,s 1 [E ].Now, conditioned on E ∧ ¬E, both experiments output ⊥.Thus, we need to bound Pr[E ∧ E ].Assuming Pr[E ∧ E ] > p, for p = 1/poly(k), we define an attacker A that simulates Exp Σ, f,s 2

Claim 4 . 6 . 2 ≈
Assuming the authenticity property of (KGen, E, D), for any g ∈ F ad and any message s, Exp Σ, f,s Exp Σ, f,s 3

g,s 3
is indistinguishable from Exp g,0 3 , where 0 denotes the zero message.

Claim 4 . 7 .
Assuming (KGen, E, D) is semantically secure, for any g ∈ F ad and any message s, Exp

Fig. 6 .
Fig. 6.The function g 1 that appears in the hybrid experiments of Fig. 9 .

Fig. 7 .
Fig. 7.The function g 2 that appears in the hybrid experiments of Fig. 9 . g

Fig. 8 .
Fig. 8.The function g 3 that appears in the hybrid experiments of Fig. 9 .

Fig. 9 .
Fig. 9.The hybrid experiments for the proof of Theorem 4.8 .

(g 1
,g 3 ),s 2 , we have that c = ⊥ if and only if Π −1 ( C * ) = ⊥.By the definition of Π −1 (cf.Construction 4.1), Π −1 ( C * ) = ⊥, if and only if the tampering function creates an inconsistent set of labels, an effect that can be decided by g 3 by only partially accessing C, since it fully simulates the labels for the block-wise code.By Claim 4.9, C | I b = C * | I b and thus C| I b = C * | I b , which implies that Π −1 ( C * ) = ⊥ if and only if Π −1 ( C) = ⊥.We conclude that c = ⊥ if and only if Π −1 ( C) = ⊥.Let
: C ← Enc(1 k , s), s ← 0 For τ ∈ [q] : f ← A(s), C ← f (C), s ← Dec( C) If s = s : s ← same * C ← Update * (1 k , C) out ← A(s)Return : out and for each round the output of the decoder is not in {s, ⊥} with negligible probability in k, over the randomness of Tamper A s .

Fig. 11 .Claim 5 . 4 .
Fig. 11.Hybrids for the proof of Theorem 5.3.The gray part signifies the portion of the code of an experiment that differs from the previous one.

1 . 1 ,
Sample z * 1 , . . ., z * 2|sk| ← SS m sk||sk 3 .2. For i ∈ [2|sk|]:l i := max d {d ∈ [m] ∧ Ind (z i [d]) / ∈ I b )} ,where Ind returns the index ofz i [d] in C, i.e., l i is the largest index in [m] such that the codeword block containing z i [l i ], is not accessed by f .3. (Output): For all i set z * i [l i ] = * ,and output z * := 2|sk| we have z = 2|sk| i=1 z i , and each z i is an m-out-of-m secret sharing for a bit of sk or sk 3 .From the first transition we have that for all i, |I b ∩ Z i | < m with overwhelming probability, and the current experiment is identical to the previous one up to the point of computing f (C | I b ), as C | I b and f (C | I b ) depend only on z * , that gives no information about sk and sk 3 .Another difference between the two experiments is that, after applying the tampering function, Exp A,s,q 1 makes a call on the decoder while Exp A,s,q 2
1, (Init, Enc, Dec), against F ad (cf.Corollary 4.3).The idea is to move from the tampered execution with respect to (Enc * , Dec * ), f , to a tampered execution with respect to (Init, Enc, Dec), g, such that the two executions are indistinguishable and (Init, Enc, Dec) is secure against g.Let I b be the set of indices of the blocks that f chooses to tamper with, where |I b | ≤ αν, and let l ← 2 m|sk|, bs ← log l + 2, bn ← l + |e|/bs.Below we describe the hybrids of Fig.9.
and the two executions are identical conditioned on E.