
Detecting Algebraic Manipulation in Leaky Storage Systems

  • Conference paper
Information Theoretic Security (ICITS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10015)


Abstract

Algebraic Manipulation Detection (AMD) codes detect adversarial noise that is added to a coded message stored in a storage that is opaque to the adversary. We study AMD codes when the storage can leak up to \(\rho \log |{\mathcal {G}}|\) bits of information about the stored codeword, where \({\mathcal {G}}\) is the group that contains the codeword and \(\rho \) is a constant. We propose \(\rho \)-AMD codes that provide protection in this new setting. We define weak and strong \(\rho \)-AMD codes that provide security for a random and an arbitrary message, respectively. We derive concrete and asymptotic bounds for the efficiency of these codes, featuring a rate upper bound of \(1-\rho \) for the strong codes. We also define the class of \(\rho ^{LV}\)-AMD codes that provide protection when leakage is in the form of a number of codeword components, and give constructions featuring a family of strong \(\rho ^{LV}\)-AMD codes that asymptotically achieve the rate \(1-\rho \). We describe applications of \(\rho \)-AMD codes to (i) robust ramp secret sharing schemes and (ii) the wiretap II channel when the adversary can eavesdrop on a \(\rho \) fraction of codeword components and tamper with all components of the codeword.


Notes

  1. The message distribution in this construction is not exactly uniform over \({\mathbb {F}}_q^k\) but over \(({\mathbb {F}}_q^{*})^k\). So this construction can achieve security even when the message distribution is not uniform.

  2. This definition of leakage is seemingly different from [13], where a uniform distribution of the secret S is assumed and Shannon entropy is used instead of min-entropy.

References

  1. Cramer, R., Dodis, Y., Fehr, S., Padró, C., Wichs, D.: Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 471–488. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_27

  2. Ahmadi, H., Safavi-Naini, R.: Detection of algebraic manipulation in the presence of leakage. In: Lehmann, A., Wolf, S. (eds.) ICITS 2015. LNCS, vol. 9063, pp. 238–258. Springer, Heidelberg (2014). doi:10.1007/978-3-319-04268-8_14

  3. Safavi-Naini, R., Wang, P.: Codes for limited view adversarial channels. In: IEEE International Symposium on Information Theory (ISIT), pp. 266–270 (2013)

  4. Wyner, A.D.: The wire-tap channel. Bell Syst. Tech. J. 54, 1355–1367 (1975)

  5. Ozarow, L.H., Wyner, A.D.: Wire-tap channel II. AT&T Bell Lab. Tech. J. 63(10), 2135–2157 (1984)

  6. Standaert, F.-X., Pereira, O., Yu, Y., Quisquater, J.-J., Yung, M., Oswald, E.: Leakage Resilient Cryptography in Practice. https://eprint.iacr.org/2009/341.pdf

  7. Blakley, G.R., Meadows, C.: Security of ramp schemes. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 242–268. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_20

  8. Wang, P., Safavi-Naini, R.: A model for adversarial wiretap channels. IEEE Trans. Inf. Theor. 62(2), 970–983 (2016)

  9. Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_31

  10. Cheraghchi, M., Didier, F., Shokrollahi, A.: Invertible extractors and wiretap protocols. IEEE Trans. Inf. Theor. 58(2), 1254–1274 (2012)

  11. Dziembowski, S., Pietrzak, K., Wichs, D.: Non-malleable codes. In: ICS, pp. 434–452 (2010)

  12. Shamir, A.: How to share a secret. Commun. Assoc. Comput. Mach. 22(11), 612–613 (1979)

  13. Strongly secure ramp secret sharing schemes for general access structures

  14. Aggarwal, V., Lai, L., Calderbank, A.R., Poor, H.V.: Wiretap channel type II with an active eavesdropper. In: IEEE International Symposium on Information Theory (ISIT) 2009, pp. 1944–1948 (2009)

  15. Wang, P., Safavi-Naini, R., Lin, F.: Erasure adversarial wiretap channels. In: 53rd Annual Allerton Conference on Communication, Control and Computing (2015)

Author information

Correspondence to Fuchun Lin.


Appendices

A Proof of Lemma 4

Proof

Assume a regular encoder and consider a message \({\mathbf {m}}\).

The codeword \(\mathbf{X}= \text {Enc}({\mathbf {m}}, \mathbf{R})\) where the randomness of encoding \(\mathbf{R}\) is a uniformly distributed r-bit string. Now consider an adversary with leakage variable \(\mathbf{Z}\). Because of the one-to-one property of the regular encoder, we have

$$\begin{aligned} H_\infty ( \mathbf{X}) = H_\infty (\mathbf{R})=r, \end{aligned}$$
(10)

and

$$\begin{aligned} {\tilde{H}}_\infty ( \mathbf{X}| \mathbf{Z}) &=-\log {\mathbb {E}}_{\mathbf {z}}\left( \max _{{\mathbf {x}}}\text {Pr}[{\mathbf {X}}={\mathbf {x}}|{\mathbf {Z}}={\mathbf {z}}]\right) \\ &=-\log {\mathbb {E}}_{\mathbf {z}}\left( \max _{{\mathbf {r}}}\text {Pr}[{\mathbf {R}}={\mathbf {r}}|{\mathbf {Z}}={\mathbf {z}}]\right) \\ &={\tilde{H}}_\infty ( \mathbf{R}| \mathbf{Z}). \end{aligned}$$
(11)

For a leakage variable \(\mathbf{Z}\), we consider two classes of adversaries, denoted by \({\mathbb {A}}_Z\) and \({\mathbb {B}}_Z\), which differ in the condition their leakage variable must satisfy: \({\mathbb {A}}_Z()\) is an adversary whose leakage variable must satisfy a lower bound on \({\tilde{H}}_\infty (\mathbf{R}| \mathbf{Z})\), and \({\mathbb {B}}_Z()\) is an adversary whose leakage variable must satisfy a lower bound on \({\tilde{H}}_\infty (\mathbf{X}| \mathbf{Z})\). Both adversaries, when applied to a vector \(x\), use their leakage variables to select an offset vector to be added to the codeword. That is, \({\mathbb {A}}_Z(x) = x+ \varDelta _z\), where \(\varDelta _z \in F_q^n \) is chosen depending on the leakage \(\mathbf{Z}=z\). We have the same definition for \({\mathbb {B}}_Z(x) = x+ \varDelta _z\).

i. strong LLR-AMD code \(\Rightarrow \) strong \(\rho \)-AMD

Now consider a \((q^k,q^n,2^r,\alpha ,\delta )\)-strong LLR-AMD code \(\mathbf C\) with encoder and decoder pair (Enc, Dec). For an adversary \({\mathbb {A}}_Z\) whose leakage variable satisfies \( {\tilde{H}}_\infty (\mathbf{R}|\mathbf{Z}) \ge (1-\alpha )r\), we have

$$\begin{aligned} \text {Pr}[ \text {Dec} ( {\mathbb {A}}_Z ( \text {Enc} ( {\mathbf {m}},{\mathbf {R}} ) ) ) \notin \{{\mathbf {m}},\perp \}] \le \delta , \end{aligned}$$

where the probability is over the randomness of encoding, and is an expectation over \({\mathbf {z}}\in {\mathcal {Z}}\).

Note that, using (10) and (11), the \({\mathbb {A}}_Z\) adversary is also a \({\mathbb {B}}_Z\) adversary satisfying

$$\begin{aligned} {\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge {\tilde{H}}_\infty ( \mathbf{X}) -\alpha r \end{aligned}$$
(12)

Both these adversaries have the same leakage variable \(\mathbf{Z}\) and so any algorithm Offset(z) used by one, taking the value \(\mathbf{Z}=z\) as input and finding the offset \(\varDelta _z\), can be used by the other also (the two adversaries have the same information). This means that the success probabilities of the two adversaries are the same,

$$\begin{aligned} \text {Pr}[\text {Dec} ({\mathbb {A}}_Z (\text {Enc} ({\mathbf {m}},{\mathbf {R}}) ) ) \notin \{{\mathbf {m}},\perp \}]= \text {Pr}[\text {Dec}({\mathbb {B}}_Z (\text {Enc}({\mathbf {m}},{\mathbf {R}}) )) \notin \{{\mathbf {m}},\perp \}] \le \delta . \end{aligned}$$

For \(\rho \)-AMD codes, security is defined against a \({\mathbb {B}}_Z\) adversary whose leakage variable \(\mathbf{Z}\) satisfies

$$\begin{aligned} {\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge H_\infty ( \mathbf{X}) -\rho n\log q \end{aligned}$$
(13)

Comparing (13) and (12), we conclude that \(\mathbf C\) is a \(\rho \)-AMD code for \(\rho \) values that satisfy \(\alpha r \ge \rho n\log q\), namely \(\rho \le \frac{\alpha r}{n\log q}\).

ii. strong \(\rho \)-AMD \(\Rightarrow \) strong LLR-AMD code

An argument similar to i. immediately gives that the \((q^k,q^n,2^r,\alpha ,\delta )\)-strong LLR-AMD code obtained from a \(\rho \)-AMD code must satisfy \(\alpha \le \frac{\rho n\log q}{ r}\). Next we show that the bound on r follows from Proposition 1 together with (10). Indeed, by Proposition 1, \({\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge \log \frac{1}{\delta }\) must hold for any \({\mathbf {Z}}\) satisfying \({\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge H_\infty ( \mathbf{X}) -\rho n\log q\). In particular, we must have \(H_\infty ( \mathbf{X}) -\rho n\log q\ge \log \frac{1}{\delta }\). Now we can use (10) to conclude that \(r\ge \log \frac{1}{\delta }+\rho n\log q\). \(\square \)

B Proof of Lemma 5

Proof

The encoder Enc is a one-to-one correspondence between messages and codewords. Consider a message variable \({\mathbf {M}}\leftarrow {\mathcal {M}}\) (in particular, the uniform distribution is emphasized by \({\mathbf {M}}_u\mathop {\leftarrow }\limits ^{\$}{\mathcal {M}}\)). The codeword is a variable \(\mathbf{X}= \text {Enc}({\mathbf {M}})\). Now consider an adversary with leakage variable \(\mathbf{Z}\). Because of the one-to-one property of the encoder, we have

$$\begin{aligned} H_\infty ( \mathbf{X}) = H_\infty (\mathbf{M}), \end{aligned}$$
(14)

and

$$\begin{aligned} {\tilde{H}}_\infty ( \mathbf{X}| \mathbf{Z}) &=-\log {\mathbb {E}}_{\mathbf {z}}\left( \max _{{\mathbf {x}}}\text {Pr}[{\mathbf {X}}={\mathbf {x}}|{\mathbf {Z}}={\mathbf {z}}]\right) \\ &=-\log {\mathbb {E}}_{\mathbf {z}}\left( \max _{{\mathbf {m}}}\text {Pr}[{\mathbf {M}}={\mathbf {m}}|{\mathbf {Z}}={\mathbf {z}}]\right) \\ &={\tilde{H}}_\infty ( \mathbf{M}| \mathbf{Z}). \end{aligned}$$
(15)

For a leakage variable \(\mathbf{Z}\), we consider two classes of adversaries, denoted by \({\mathbb {A}}_Z\) and \({\mathbb {B}}_Z\), which differ in the condition their leakage variable must satisfy: \({\mathbb {A}}_Z()\) is an adversary whose leakage variable must satisfy a lower bound on \({\tilde{H}}_\infty (\mathbf{M}| \mathbf{Z})\), and \({\mathbb {B}}_Z()\) is an adversary whose leakage variable must satisfy a lower bound on \({\tilde{H}}_\infty (\mathbf{X}| \mathbf{Z})\). Both adversaries, when applied to a vector \(x\), use their leakage variables to select an offset vector to be added to the codeword. That is, \({\mathbb {A}}_Z(x) = x+ \varDelta _z\), where \(\varDelta _z \in F_q^n \) is chosen depending on the leakage \(\mathbf{Z}=z\). We have the same definition for \({\mathbb {B}}_Z(x) = x+ \varDelta _z\).

i. weak LLR-AMD code \(\Rightarrow \) weak \(\rho \)-AMD

Now consider a \((q^k,q^n,\alpha ,\delta )\)-weak LLR-AMD code \(\mathbf C\) with encoder and decoder pair (Enc, Dec). For an adversary \({\mathbb {A}}_Z\) whose leakage variable satisfies \( {\tilde{H}}_\infty (\mathbf{M}|\mathbf{Z}) \ge (1-\alpha )k\log q\), we have

$$\begin{aligned} \text {Pr}[ \text {Dec} ( {\mathbb {A}}_Z ( \text {Enc} ( {\mathbf {M}}) ) ) \notin \{{\mathbf {M}},\perp \}] \le \delta , \end{aligned}$$

where the probability is over the randomness of encoding, and is an expectation over \({\mathbf {z}}\in {\mathcal {Z}}\).

Note that, using (14) and (15), the \({\mathbb {A}}_Z\) adversary is also a \({\mathbb {B}}_Z\) adversary satisfying

$$\begin{aligned} {\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge (1-\alpha )k\log q \end{aligned}$$
(16)

Both these adversaries have the same leakage variable \(\mathbf{Z}\) and so any algorithm Offset(z) used by one, taking the value \(\mathbf{Z}=z\) as input and finding the offset \(\varDelta _z\), can be used by the other also (the two adversaries have the same information). This means that the success probabilities of the two adversaries are the same,

$$\begin{aligned} \text {Pr}[\text {Dec} ({\mathbb {A}}_Z (\text {Enc} ({\mathbf {M}}) ) ) \notin \{{\mathbf {M}},\perp \}]= \text {Pr}[\text {Dec}({\mathbb {B}}_Z (\text {Enc}({\mathbf {M}}_u) )) \notin \{{\mathbf {M}}_u,\perp \}] \le \delta . \end{aligned}$$

For \(\rho \)-AMD codes, security is defined against a \({\mathbb {B}}_Z\) adversary whose leakage variable \(\mathbf{Z}\) satisfies

$$\begin{aligned} {\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge H_\infty ( \mathbf{X}) -\rho n\log q,\text { where } \mathbf{X}=\text {Enc}(\mathbf{M}_u). \end{aligned}$$
(17)

Comparing (17) and (16), we conclude that \(\mathbf C\) is a \(\rho \)-AMD code for \(\rho \) values that satisfy \(\alpha k \ge \rho n\), namely \(\rho \le \frac{\alpha k}{n}\).

ii. weak \(\rho \)-AMD \(\Rightarrow \) weak LLR-AMD code

An argument similar to i. immediately gives that the \((q^k,q^n,\alpha ,\delta )\)-weak LLR-AMD code obtained from a \(\rho \)-AMD code must satisfy \(\alpha \le \frac{\rho n}{ k}\). \(\square \)

C Proof of Proposition 2

Proof

By Proposition 1, \({\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge \log \frac{1}{\delta }\) must hold for any \({\mathbf {Z}}\) satisfying \({\tilde{H}}_\infty (\mathbf{X}|\mathbf{Z})\ge H_\infty ( \mathbf{X}) -\rho n\log q\). In particular, we must have \(H_\infty ( \mathbf{X}) -\rho n\log q\ge \log \frac{1}{\delta }\). Since the message \(\mathbf{M}\) of a weak \(\rho \)-AMD code is uniform and the encoder is a one-to-one correspondence, \(H_\infty ( \mathbf{X})=H_\infty ( \mathbf{M})=k\log q\). We conclude that \(k\log q-\rho n\log q\ge \log \frac{1}{\delta }\), namely,

$$\begin{aligned} q^{\rho n-k}\le \delta . \end{aligned}$$
(18)

As in the proof of Theorem 1, we also consider a random attack strategy. The total number of valid codewords that do not decode to \({\mathbf {M}}\) is at least \((q^{k}-1)\), which is the number of offsets that lead to undetected manipulations. A randomly chosen offset (\(\varDelta \ne 0^n\)) therefore leads to undetected manipulation with probability at most

$$\begin{aligned} \frac{q^{k}-1}{q^{n}-1} \end{aligned}$$

and we must have

$$\begin{aligned} \frac{q^{k}-1}{q^{n}-1}\le \delta . \end{aligned}$$
(19)

\(\square \)
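The counting argument behind (19) can be checked exhaustively on a toy code. The following is an added example, not code from the paper: it builds a constructed random one-to-one encoder \(F_q^k \to F_q^n\) (q prime), counts for every message the nonzero offsets whose sum with the codeword decodes to a different message, and compares the resulting success probability of a random offset with the lower bounds (18) and (19). The function names and the parameter choices are the example's own.

```python
import itertools
import random
from fractions import Fraction


def random_injective_encoder(q, k, n, seed=0):
    """Constructed toy stand-in for the deterministic one-to-one encoder of a
    weak rho-AMD code: a random injection F_q^k -> F_q^n (q prime, n > k).
    Decoding maps a valid codeword back to its message; anything else is bottom."""
    rng = random.Random(seed)
    messages = list(itertools.product(range(q), repeat=k))
    words = list(itertools.product(range(q), repeat=n))
    enc = dict(zip(messages, rng.sample(words, len(messages))))
    dec = {c: m for m, c in enc.items()}
    return enc, dec


def undetected_offsets(enc, dec, q, n, m):
    """Number of nonzero offsets Delta with Dec(Enc(m) + Delta) not in {m, bottom}."""
    x = enc[m]
    count = 0
    for delta in itertools.product(range(q), repeat=n):
        if not any(delta):
            continue  # Delta = 0^n is not a manipulation
        y = tuple((a + b) % q for a, b in zip(x, delta))
        m2 = dec.get(y)  # None plays the role of bottom
        if m2 is not None and m2 != m:
            count += 1
    return count


def random_attack_success(q, k, n, seed=0):
    """Exact success probability of a uniformly random nonzero offset against
    the worst-case message. The counting argument predicts (q^k - 1)/(q^n - 1):
    each of the other q^k - 1 valid codewords is reached by exactly one offset."""
    enc, dec = random_injective_encoder(q, k, n, seed)
    worst = max(undetected_offsets(enc, dec, q, n, m) for m in enc)
    return Fraction(worst, q ** n - 1)


def proposition2_bounds(q, k, n, rho):
    """Lower bounds on delta from (18) and (19):
    delta >= q^(rho n - k) and delta >= (q^k - 1)/(q^n - 1)."""
    return q ** (rho * n - k), Fraction(q ** k - 1, q ** n - 1)


if __name__ == "__main__":
    q, k, n, rho = 3, 2, 4, 0.5  # constructed parameters
    print("random attack success:", random_attack_success(q, k, n))
    print("bounds (18), (19):", proposition2_bounds(q, k, n, rho))
```

For q = 3, k = 2, n = 4 the exhaustive count gives exactly 8 undetected offsets out of 80 for every message, matching (19), while (18) at rho = 0.5 only forces delta >= 1 and is vacuous.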

D Proof of Construction 4

Proof

Let \(\beta \) be a primitive element of \({\mathbb {F}}_q\). Then every element \(m_i\in {\mathbb {F}}_q^{*}\) can be written as a power of \(\beta \): \(m_i=\beta ^{m_i^{'}}\). Equation (9) is rewritten as follows.

$$\begin{aligned} f({\mathbf {m}},G)=\sum _{j=1}^k\beta ^{\sum _{i=1}^km_i^{'}g_{i,j}\text { mod }(q-1)}. \end{aligned}$$

According to [2, Theorem 4] and the proof therein, (Enc, Dec) satisfies \(\text {Pr}[\text {Dec}(\text {Enc}({\mathbf {m}})+\varDelta ({\mathbf {Z}}_\rho ))\notin \{{\mathbf {m}},\perp \}]\le \frac{\psi k}{q-1}\) as long as the leakage parameter \(\rho \) satisfies \(k-(k+1)\rho \ge 1\). What is left to show is that for any \(\rho <1\) and \(\delta >0\), there exists an N such that for all \(k+1\ge N\), \(k-(k+1)\rho >0\) and \(\frac{\psi k}{q-1}\le \delta \) are both satisfied. Indeed, \(k-(k+1)\rho =k(1-\rho )-\rho \), which is bigger than 1 if \(k>\frac{1+\rho }{1-\rho }\). So we can simply let \(N=\lceil \frac{1+\rho }{1-\rho }\rceil +1\). And \(\frac{\psi k}{q-1}\le \delta \) can be achieved by choosing a big enough q, for example \(q=\omega (\psi k)\), and then choosing a big enough k. \(\square \)


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Lin, F., Safavi-Naini, R., Wang, P. (2016). Detecting Algebraic Manipulation in Leaky Storage Systems. In: Nascimento, A., Barreto, P. (eds) Information Theoretic Security. ICITS 2016. Lecture Notes in Computer Science(), vol 10015. Springer, Cham. https://doi.org/10.1007/978-3-319-49175-2_7


  • DOI: https://doi.org/10.1007/978-3-319-49175-2_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49174-5

  • Online ISBN: 978-3-319-49175-2
