Abstract
Algebraic Manipulation Detection (AMD) Codes detect adversarial noise that is added to a coded message which is stored in a storage that is opaque to the adversary. We study AMD codes when the storage can leak up to \(\rho \log |{\mathcal {G}}|\) bits of information about the stored codeword, where \({\mathcal {G}}\) is the group that contains the codeword and \(\rho \) is a constant. We propose \(\rho \)-AMD codes that provide protection in this new setting. We define weak and strong \(\rho \)-AMD codes that provide security for a random and an arbitrary message, respectively. We derive concrete and asymptotic bounds for the efficiency of these codes featuring a rate upper bound of \(1-\rho \) for the strong codes. We also define the class of \(\rho ^{LV}\)-AMD codes that provide protection when leakage is in the form of a number of codeword components, and give constructions featuring a family of strong \(\rho ^{LV}\)-AMD codes that asymptotically achieve the rate \(1-\rho \). We describe applications of \(\rho \)-AMD codes to, (i) robust ramp secret sharing scheme and, (ii) wiretap II channel when the adversary can eavesdrop a \(\rho \) fraction of codeword components and tamper with all components of the codeword.
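The following Python block is an added illustration and is not code from the paper (in particular it is not the paper's Construction 4, whose equation (9) is not reproduced on this page). It implements the basic AMD code of reference [1], Enc(s) = (s, x, f(x, s)) over a prime field with f(x, s) = x^(d+2) + Σ_{i=1}^{d} s_i x^i, and uses it to make two points of the abstract concrete: without leakage, every fixed nonzero offset goes undetected with probability at most (d+1)/q over the encoding randomness x, and once the storage leaks even the single component x (a ρ = 1/(d+2) fraction of the codeword, in the spirit of the ρ^{LV} model) the adversary can choose an offset that is never detected, which is the gap ρ-AMD codes are meant to close. The field size Q = 7 and message length D = 2 are constructed so the checks are exhaustive; all function names are my own.

```python
"""Added illustration (not the paper's code): the AMD code of reference [1],
Enc(s) = (s, x, f(x, s)) over F_Q with f(x, s) = x^(d+2) + sum_{i=1}^{d} s_i x^i.
"""
from itertools import product
import secrets

Q = 7  # prime field size; constructed small so the checks below are exhaustive
D = 2  # message length in field elements; the construction needs Q not dividing D + 2


def tag(x, s):
    """f(x, s) = x^(d+2) + sum_{i=1}^{d} s_i x^i computed in F_Q."""
    d = len(s)
    return (pow(x, d + 2, Q) + sum(si * pow(x, i, Q) for i, si in enumerate(s, 1))) % Q


def enc(s, x=None):
    """Codeword (s, x, f(x, s)); x is fresh encoding randomness unless fixed for analysis."""
    if x is None:
        x = secrets.randbelow(Q)
    return tuple(s) + (x, tag(x, s))


def dec(c):
    """Return the message, or None (the paper's bottom symbol) when the tag does not verify."""
    s, x, t = tuple(c[:D]), c[D], c[D + 1]
    return s if tag(x, s) == t else None


def add(c, delta):
    """Algebraic manipulation: componentwise addition of an offset in F_Q^(d+2)."""
    return tuple((a + b) % Q for a, b in zip(c, delta))


def undetected_fraction(s, delta):
    """Fraction of x in F_Q for which Dec(Enc(s) + delta) is a wrong message (neither s nor None)."""
    bad = sum(1 for x in range(Q) if dec(add(enc(s, x), delta)) not in (None, tuple(s)))
    return bad / Q


def worst_offset_fraction(s):
    """Maximum of undetected_fraction over all nonzero offsets; the code promises <= (D+1)/Q."""
    return max(undetected_fraction(s, delta)
               for delta in product(range(Q), repeat=D + 2) if any(delta))


def leaky_offset(leaked_x, delta_s):
    """Offset chosen by an adversary who learned only the component x of the stored codeword.

    f is linear in s, so f(x, s + delta_s) - f(x, s) = sum_i delta_s_i x^i: the tag
    correction needs x but no knowledge of the message s.
    """
    correction = sum(ds * pow(leaked_x, i, Q) for i, ds in enumerate(delta_s, 1)) % Q
    return tuple(delta_s) + (0, correction)


def leakage_breaks_code(s, delta_s):
    """True if leaking x alone lets the adversary change s to s + delta_s undetected for every x."""
    target = tuple((a + b) % Q for a, b in zip(s, delta_s))
    return all(dec(add(enc(s, x), leaky_offset(x, delta_s))) == target for x in range(Q))


if __name__ == "__main__":
    s = (3, 5)
    print("worst undetected fraction without leakage:", worst_offset_fraction(s),
          "bound (d+1)/q:", (D + 1) / Q)
    print("x leaked, message changed and never detected:", leakage_breaks_code(s, (1, 0)))
```

The exhaustive search in worst_offset_fraction is what makes the (d+1)/q bound visible rather than asserted: the undetected event is a root of a nonzero polynomial of degree at most d+1 in x, and the leakage demonstration shows that the whole guarantee rests on x staying hidden.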
Notes
1. The message distribution in this construction is not exactly uniform over \({\mathbb {F}}_q^k\) but over \(({\mathbb {F}}_q^{*})^k\). So this construction can achieve security even when the message distribution is not uniform.
2. This definition of leakage is seemingly different from [13], where a uniform distribution of the secret S is assumed and Shannon entropy is used instead of min-entropy.
References
1. Cramer, R., Dodis, Y., Fehr, S., Padró, C., Wichs, D.: Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 471–488. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_27
2. Ahmadi, H., Safavi-Naini, R.: Detection of algebraic manipulation in the presence of leakage. In: Lehmann, A., Wolf, S. (eds.) ICITS 2015. LNCS, vol. 9063, pp. 238–258. Springer, Heidelberg (2014). doi:10.1007/978-3-319-04268-8_14
3. Safavi-Naini, R., Wang, P.: Codes for limited view adversarial channels. In: IEEE International Symposium on Information Theory (ISIT), pp. 266–270 (2013)
4. Wyner, A.D.: The wire-tap channel. Bell Syst. Tech. J. 54, 1355–1367 (1975)
5. Ozarow, L.H., Wyner, A.D.: Wire-tap channel II. AT&T Bell Lab. Tech. J. 63(10), 2135–2157 (1984)
6. Standaert, F.-X., Pereira, O., Yu, Y., Quisquater, J.-J., Yung, M., Oswald, E.: Leakage Resilient Cryptography in Practice. https://eprint.iacr.org/2009/341.pdf
7. Blakley, G.R., Meadows, C.: Security of ramp schemes. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 242–268. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_20
8. Wang, P., Safavi-Naini, R.: A model for adversarial wiretap channels. IEEE Trans. Inf. Theor. 62(2), 970–983 (2016)
9. Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_31
10. Cheraghchi, M., Didier, F., Shokrollahi, A.: Invertible extractors and wiretap protocols. IEEE Trans. Inf. Theor. 58(2), 1254–1274 (2012)
11. Dziembowski, S., Pietrzak, K., Wichs, D.: Non-malleable codes. In: ICS, pp. 434–452 (2010)
12. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
13. Strongly secure ramp secret sharing schemes for general access structures
14. Aggarwal, V., Lai, L., Calderbank, A.R., Poor, H.V.: Wiretap channel type II with an active eavesdropper. In: IEEE International Symposium on Information Theory (ISIT) 2009, pp. 1944–1948 (2009)
15. Wang, P., Safavi-Naini, R., Lin, F.: Erasure adversarial wiretap channels. In: 53rd Annual Allerton Conference on Communication, Control and Computing (2015)
Appendices
A Proof of Lemma 4
Proof
Assume a regular encoder and consider a message \({\mathbf {m}}\).
The codeword \(\mathbf{X}= \text {Enc}({\mathbf {m}}, \mathbf{R})\) where the randomness of encoding \(\mathbf{R}\) is a uniformly distributed r-bit string. Now consider an adversary with leakage variable \(\mathbf{Z}\). Because of the one-to-one property of the regular encoder, we have
and
For a leakage variable \(\mathbf{Z}\), we consider two classes of adversaries denoted by \({\mathbb {A}}_Z\) and \({\mathbb {B}}_Z\), depending on the conditions that they must satisfy, as follows: \({\mathbb {A}}_Z()\) is an adversary whose leakage variable must satisfy a lower bound on \({\tilde{H}}_\infty (\mathbf{R}| \mathbf{Z})\) and, \({\mathbb {B}}_Z()\) is an adversary whose leakage variable must satisfy a lower bound on \({\tilde{H}}_\infty (\mathbf{X}| \mathbf{Z})\). Both adversaries, when applied to a vector x, use their leakage variables to select an offset vector to be added to a codeword. That is \({\mathbb {A}}_Z(x) = x+ \varDelta _z\) where \(\varDelta _z \in F_q^n \) is chosen dependent on the leakage \(\mathbf{Z}=z\). We have the same definition for \({\mathbb {B}}_Z(x) = x+ \varDelta _z\).
i. strong LLR-AMD code \(\Rightarrow \) strong \(\rho \)-AMD
Now consider a \((q^k,q^n,2^r,\alpha ,\delta )\)-strong LLR-AMD code \(\mathbf C\) with encoder and decoder pair, (Enc,Dec). For an adversary \({\mathbb {A}}_Z\) whose leakage variable satisfies \( {\tilde{H}}_\infty (\mathbf{R}|\mathbf{Z}) \ge (1-\alpha )r\), we have
where the probability is over the randomness of encoding, and is an expectation over \({\mathbf {z}}\in {\mathcal {Z}}\).
Note that using (10) and (11), the \({\mathbb {A}}_Z\) adversary is also a \({\mathbb {B}}_Z\) adversary satisfying,
Both these adversaries have the same leakage variable \(\mathbf{Z}\) and so any algorithm Offset(z) used by one, taking the value \(\mathbf{Z}=z\) as input and finding the offset \(\varDelta _z\), can be used by the other also (the two adversaries have the same information). This means that the success probabilities of the two adversaries are the same,
For \(\rho \)-AMD codes, security is defined against a \({\mathbb {B}}_Z\) adversary whose leakage variable \(\mathbf{Z}\) satisfies,
Comparing (13) and (12), we conclude that \(\mathbf C\) is a \(\rho \)-AMD code for \(\rho \) values that satisfy \(\alpha r \ge \rho n\log q\), namely \(\rho \le \frac{\alpha r}{n\log q}\).
ii. strong \(\rho \)-AMD \(\Rightarrow \) strong LLR-AMD code
An argument similar to i. immediately gives that the \((q^k,q^n,2^r,\alpha ,\delta )\)-strong LLR-AMD code obtained from a \(\rho \)-AMD code must satisfy \(\alpha \le \frac{\rho n\log q}{ r}\). Next we show that the bound on r follows from Proposition 1 together with (10). Indeed, by Proposition 1, \({\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge \log \frac{1}{\delta }\) must hold for any \({\mathbf {Z}}\) satisfying \({\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge H_\infty ( \mathbf{X}) -\rho n\log q\). In particular, we must have \(H_\infty ( \mathbf{X}) -\rho n\log q\ge \log \frac{1}{\delta }\). Now we can use (10) to conclude that \(r\ge \log \frac{1}{\delta }+\rho n\log q\). \(\square \)
B Proof of Lemma 5
Proof
The encoder Enc is a one-to-one correspondence between messages and codewords. Consider a message variable \({\mathbf {M}}\leftarrow {\mathcal {M}}\) (in particular, the uniform distribution is emphasized by \({\mathbf {M}}_u\mathop {\leftarrow }\limits ^{\$}{\mathcal {M}}\)). The codeword is a variable \(\mathbf{X}= \text {Enc}({\mathbf {M}})\). Now consider an adversary with leakage variable \(\mathbf{Z}\). Because of the one-to-one property of the encoder, we have
and
For a leakage variable \(\mathbf{Z}\), we consider two classes of adversaries denoted by \({\mathbb {A}}_Z\) and \({\mathbb {B}}_Z\), depending on the conditions that they must satisfy, as follows: \({\mathbb {A}}_Z()\) is an adversary whose leakage variable must satisfy a lower bound on \({\tilde{H}}_\infty (\mathbf{M}| \mathbf{Z})\) and, \({\mathbb {B}}_Z()\) is an adversary whose leakage variable must satisfy a lower bound on \({\tilde{H}}_\infty (\mathbf{X}| \mathbf{Z})\). Both adversaries, when applied to a vector x, use their leakage variables to select an offset vector to be added to a codeword. That is \({\mathbb {A}}_Z(x) = x+ \varDelta _z\) where \(\varDelta _z \in F_q^n \) is chosen dependent on the leakage \(\mathbf{Z}=z\). We have the same definition for \({\mathbb {B}}_Z(x) = x+ \varDelta _z\).
i. weak LLR-AMD code \(\Rightarrow \) weak \(\rho \)-AMD
Now consider a \((q^k,q^n,\alpha ,\delta )\)-weak LLR-AMD code \(\mathbf C\) with encoder and decoder pair, (Enc,Dec). For an adversary \({\mathbb {A}}_Z\) whose leakage variable satisfies \( {\tilde{H}}_\infty (\mathbf{M}|\mathbf{Z}) \ge (1-\alpha )k\log q\), we have
where the probability is over the randomness of encoding, and is an expectation over \({\mathbf {z}}\in {\mathcal {Z}}\).
Note that using (14) and (15), the \({\mathbb {A}}_Z\) adversary is also a \({\mathbb {B}}_Z\) adversary satisfying,
Both these adversaries have the same leakage variable \(\mathbf{Z}\) and so any algorithm Offset(z) used by one, taking the value \(\mathbf{Z}=z\) as input and finding the offset \(\varDelta _z\), can be used by the other also (the two adversaries have the same information). This means that the success probabilities of the two adversaries are the same,
For \(\rho \)-AMD codes, security is defined against a \({\mathbb {B}}_Z\) adversary whose leakage variable \(\mathbf{Z}\) satisfies,
Comparing (17) and (16), we conclude that \(\mathbf C\) is a \(\rho \)-AMD code for \(\rho \) values that satisfy \(\alpha k \ge \rho n\), namely \(\rho \le \frac{\alpha k}{n}\).
ii. weak \(\rho \)-AMD \(\Rightarrow \) weak LLR-AMD code
An argument similar to i. immediately gives that the \((q^k,q^n,\alpha ,\delta )\)-weak LLR-AMD code obtained from a \(\rho \)-AMD code must satisfy \(\alpha \le \frac{\rho n}{ k}\). \(\square \)
C Proof of Proposition 2
Proof
By Proposition 1, \({\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge \log \frac{1}{\delta }\) must hold for any \({\mathbf {Z}}\) satisfying \({\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge H_\infty ( \mathbf{X}) -\rho n\log q\). In particular, we must have \(H_\infty ( \mathbf{X}) -\rho n\log q\ge \log \frac{1}{\delta }\). Since the message \(\mathbf{M}\) of a weak \(\rho \)-AMD code is uniform and the encoder is a one-to-one correspondence, \(H_\infty ( \mathbf{X})=H_\infty ( \mathbf{M})=k\log q\). We conclude that \(k\log q-\rho n\log q\ge \log \frac{1}{\delta }\), namely,
Similar to the proof of Theorem 1, we also consider a random attack strategy. Then the total number of valid codewords that do not decode to \({\mathbf {M}}\) is at least \((q^{k}-1)\), which is the number of offsets that lead to undetected manipulations. A randomly chosen offset (\(\varDelta \ne 0^n\)) leads to undetected manipulation with probability at most
and we must have
\(\square \)
D Proof of Construction 4
Proof
Let \(\beta \) be a primitive element of \({\mathbb {F}}_q\). Then every element \(m_i\in {\mathbb {F}}_q^{*}\) can be written as a power of \(\beta \): \(m_i=\beta ^{m_i^{'}}\). (9) is rewritten as follows.
According to [2, Theorem 4] and the proof therein, (Enc, Dec) satisfies \(\text {Pr}[\text {Dec}(\text {Enc}({\mathbf {m}})+\varDelta ({\mathbf {Z}}_\rho ))\notin \{{\mathbf {m}},\perp \}]\le \frac{\psi k}{q-1}\) as long as the leakage parameter \(\rho \) satisfies \(k-(k+1)\rho \ge 1\). It remains to show that for any \(\rho <1\) and \(\delta >0\), there exists an N such that for all \(k+1\ge N\), both \(k-(k+1)\rho >0\) and \(\frac{\psi k}{q-1}\le \delta \) are satisfied. Indeed, \(k-(k+1)\rho =k(1-\rho )-\rho \), which is bigger than 1 if \(k>\frac{1+\rho }{1-\rho }\). So we can simply let \(N=\lceil \frac{1+\rho }{1-\rho }\rceil +1\). And \(\frac{\psi k}{q-1}\le \delta \) can be achieved by choosing q large enough, for example \(q=\omega (\psi k)\), and then choosing k large enough. \(\square \)
Copyright information
© 2016 Springer International Publishing AG
Cite this paper
Lin, F., Safavi-Naini, R., Wang, P. (2016). Detecting Algebraic Manipulation in Leaky Storage Systems. In: Nascimento, A., Barreto, P. (eds) Information Theoretic Security. ICITS 2016. Lecture Notes in Computer Science, vol 10015. Springer, Cham. https://doi.org/10.1007/978-3-319-49175-2_7
DOI: https://doi.org/10.1007/978-3-319-49175-2_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49174-5
Online ISBN: 978-3-319-49175-2