Non-malleable Codes for Decision Trees

Abstract

We construct efficient, unconditional non-malleable codes that are secure against tampering functions computed by decision trees of depth \(d= n^{1/4-o(1)}\). In particular, each bit of the tampered codeword is set arbitrarily after adaptively reading up to d arbitrary locations within the original codeword. Prior to this work, no efficient unconditional non-malleable codes were known for decision trees beyond depth \(O(\log ^2 n)\).

Our result also yields efficient, unconditional non-malleable codes that are \(\exp (-n^{\varOmega (1)})\)-secure against constant-depth circuits of \(\exp (n^{\varOmega (1)})\)-size. Prior work of Chattopadhyay and Li (STOC 2017) and Ball et al. (FOCS 2018) only provide protection against \(\exp (O(\log ^2n))\)-size circuits with \(\exp (-O(\log ^2n))\)-security.

We achieve our result through simple non-malleable reductions of decision tree tampering to split-state tampering. As an intermediary, we give a simple and generic reduction of leakage-resilient split-state tampering to split-state tampering with improved parameters. Prior work of Aggarwal et al. (TCC 2015) only provides a reduction to split-state non-malleable codes with decoders that exhibit particular properties.

A Leaky Function Classes

Ball et al. [BDG+18] considered a leaky variant of a given tampering class \(\mathcal {C}\).

Definition 12

(Leaky Function Families). [BDG+18] Let \(\mathrm {LL}^{i,m,N}[\mathcal {C}]\) denote tampering functions generated via the following game:

1. 1.

   The adversary first commits to N functions from a class \(\mathcal {C}\), \(F_1,\ldots ,F_N = \varvec{F}\).

   (Note: \(F_j:\{0,1\}^N\rightarrow \{0,1\}\) for all \(j\in [N]\).)

2. 2.

   The adversary then has i-adaptive rounds of leakage. In each round \(j\in [i]\),

   • the adversary selects s indices from [N], denoted \(S_j\),

   • the adversary receives \(\varvec{F}(x)_{S_j}\).

   Formally, we take \(h_j:\{0,1\}^{m(j-1)}\rightarrow [N]^m\) to be the selection function such that

   $$\begin{aligned} h_j(F(X)_{S_1},\ldots ,F(X)_{S_{j-1}})=S_{j}. \end{aligned}$$

   Let \(h_1\) be the constant function that outputs \(S_1\).

3. 3.

   Finally, selects a sequence of n functions \((F_{t_1},\ldots ,F_{t_n})\) (\(T=\{t_1,\ldots ,t_n\}\subseteq [N]\) such that \(t_1<t_2<\cdots <t_n\)) to tamper with.

   Formally, we take \(h:\{0,1\}^{mi}\rightarrow [N]^n\) such that \(h(F(X)_{S_1},\ldots ,F(X)_{S_i})=T\).

Thus, any \(\tau \in \mathrm {LL}^{i,m,N}[\mathcal {C}]\) can be described as \((\varvec{F},h_1,\cdots ,h_i,h)\) and denote the tampering function described above via \(\tau = \mathrm {Eval}(\varvec{F},h_1,\cdots ,h_i,h)\).