Non-Malleable Functions and their Applications

Abstract

We formally study “non-malleable functions” (NMFs), a general cryptographic primitive which simplifies and relaxes “non-malleable one-way/hash functions” (NMOWHFs) introduced by Boldyreva et al. (in: Advances in cryptology—ASIACRYPT 2009, pp 524–541, 2009) and refined by Baecher et al. (in: CT-RSA 2011, pp 268–283, 2011). NMFs focus on basic functions, rather than one-way/hash functions considered in the literature of NMOWHFs. We formalize a game-based definition for NMFs. Roughly, a function f is non-malleable if given an image \(y^* \leftarrow f(x^*)\) for a randomly chosen \(x^*\), it is hard to output a value y together with a transformation \(\phi \) from some prefixed transformation class such that y is an image of \(\phi (x^*)\) under f. Our non-malleable notion is strong in the sense that only trivial copy solution \((\mathsf {id}, y^*)\) is forbidden, where \(\mathsf {id}\) is the identity transformation. We also consider the adaptive notion, which stipulates that non-malleability holds even when an inversion oracle is available. We investigate the relations between non-malleability and one-wayness in depth. In the non-adaptive setting, we show that non-malleability generally implies one-wayness for poly-to-one functions but not vice versa. In the adaptive setting, we show that for most algebra-induced transformation classes, adaptive non-malleability (ANM) is equivalent to adaptive one-wayness (AOW) for injective functions. These results establish theoretical connections between non-malleability and one-wayness for functions and extend to trapdoor functions as well, resolving the open problems left by Kiltz et al. (in: Advances in cryptology—EUROCRYPT 2010, pp 673–692, 2010). We also study the relations between standard OW/NM and hinting OW/NM, where the latter notions are typically more useful in practice. Toward efficient realizations of NMFs, we give a deterministic construction from adaptive trapdoor functions as well as a randomized construction from all-but-one lossy functions and one-time signature. This partially solves an open problem posed by Boldyreva et al. (in: Advances in cryptology—ASIACRYPT 2009, pp 524–541, 2009). Finally, we explore applications of NMFs in security against related-key attacks (RKA). We first show that, somewhat surprisingly, the implication AOW \(\Rightarrow \) ANM sheds light on addressing non-trivial copy attacks in RKA security. We then show that NMFs give rise to a generic construction of RKA-secure authenticated key derivation functions, which have proven to be very useful in achieving RKA security for numerous cryptographic primitives. Particularly, our construction simplifies and unifies the result due to Qin et al. (in: Public-key cryptography—PKC 2015, volume 9020 of LNCS. Springer, Berlin, pp 557–578, 2015).

Appendices

A An Improved Proof for the Non-malleability of the Strengthened Merkle–Damgård Transformation

Strengthened Merkle–Damgård Transformation  Let h be a fixed-length hash function with input length \(2\ell (\lambda )\) and output length \(\ell (\lambda )\), \(iv \in \{0,1\}^{\ell (\lambda )}\) be an initialization vector, \(\mathsf {pad}\) be a padding function which maps a message \(x \in \{0,1\}^*\) of length at most \(2^{\ell (\lambda )}-1\) to multiples of the block length \(\ell (\lambda )\) such that the final block contains the message length.¹⁵ The strengthened Merkle–Damgård transformation \(\mathsf {MD}\) is defined as:

$$\begin{aligned} \mathsf {MD}_{iv}^h(x): = h_{iv}^*(x_1||\dots ||x_k) = h(\cdots h(h(iv, x_1), x_2) \cdots ) \end{aligned}$$

where \(x_1||\dots ||x_k = \mathsf {pad}(x)\). In the following, let \(y_i\) denote the i-th intermediate value when iterating h, i.e., \(h_{iv}^*(x_1||\dots ||x_i)\).

Baecher et al. [11, Proposition 4.2] proved that \(\mathsf {MD}\) is \(\Phi ^{\text {xor}}\)-non-malleable (for fixed-length message) if the compression function h is modeled as random oracle. In the following lemma, we show that \(\mathsf {MD}\) is essentially \(\Phi _{\text {brs}}^{\text {srs}}\cup \mathsf {id}\)-non-malleable.

Lemma A.1

For a random oracle \(h: \{0,1\}^{2\ell (\lambda )} \rightarrow \{0,1\}^{\ell (\lambda )}\) where \(\ell (\lambda ) = \mathsf {poly}(\lambda )\), the hash function \(\mathsf {MD}_{iv}^h: \{0,1\}^{n(\lambda )} \rightarrow \{0,1\}^{\ell (\lambda )}\) is \(\Phi _{\text {brs}}^{\text {srs}}\cup \mathsf {id}\)-non-malleable w.r.t. arbitrary \(\mathsf {hint}\) as long as \(\tilde{{\mathsf {H}}}_\infty (x^*|(\mathsf {hint}(x^*), y^*)) \ge \omega (\log \lambda )\) where \(x^* \xleftarrow {\text { R}}\{0,1\}^{n(\lambda )}\) and \(y^* = \mathsf {MD}_{iv}^h(x^*)\).

Proof

We prove this lemma by showing that if there exists a PPT adversary \({\mathcal {A}}\) that has non-negligible advantage against \(\Phi _{\text {brs}}^{\text {srs}}\cup \mathsf {id}\)-non-malleability of \(\mathsf {MD}_{iv}^h\) where h is a random oracle, then we can build a PPT adversary \({\mathcal {B}}\) that contradicts to the hypothesis \(\tilde{{\mathsf {H}}}_\infty (x^*|(\mathsf {hint}(x^*), y^*)) \ge \omega (\log \lambda )\). Here, \(h(\cdot )\) is implemented via an external random oracle \({\mathcal {O}}_\mathsf {ro}^h(\cdot )\), which maintains a list L to track random oracle queries. For each fresh random oracle query on point \((a, b) \in \{0,1\}^{2\ell (\lambda )}\), a random value \(c \xleftarrow {\text { R}}\{0,1\}^{\ell (\lambda )}\) is chosen and the tuple \(\langle (a, b), c \rangle \) is added into L. At the very beginning, \({\mathcal {B}}\) is given \(y^* = \mathsf {MD}_{iv}^h(x^*)\) and \(\mathsf {hint}(x^*)\) for a randomly chosen \(x^* \xleftarrow {\text { R}}\{0,1\}^{n(\lambda )}\) from its challenger. With the aim to recover \(x^*\), \({\mathcal {B}}\) invokes \({\mathcal {A}}\) with \(\mathsf {hint}(x^*)\) and \(y^*\) and simulates its challenger in the non-malleable security experiment. Let \(L_A\) be the subset of L which containing all the tuples indexed by \({\mathcal {A}}\)’s random oracle queries. When \({\mathcal {A}}\) outputs its solution \((\phi , y)\), \({\mathcal {B}}\) recovers \(x^*\) via the following steps:

1. 1.

   Let \(x_1 ||\dots || x_k = \mathsf {pad}(\phi (x^*))\), \(y_0 = iv\), \(y_k = y\) and \(y_i = {\mathcal {O}}_\mathsf {ro}^h(y_{i-1}, x_i)\) for \(1 \le i \le k\). \({\mathcal {B}}\) initiates a counter \(j = k\), sets \(y_j' = y\). \({\mathcal {B}}\) then randomly picks a tuple in \(L_A\) whose image is \(y_j'\), sets the left part of the preimage as \(y_{j-1}'\), sets the right part of the preimage as \(x_j'\). \({\mathcal {B}}\) then sets the counter \(j = j-1\) and continues the above operation until \(j=0\). Finally, \({\mathcal {B}}\) obtains \(x_{k}', \dots , x_1'\). We claim that if \({\mathcal {A}}\) succeeds (i.e., \(\mathsf {MD}_{iv}^h(\phi (x^*)) = y\)) with some probability \(\epsilon (\lambda )\), then \(\Pr [\wedge _{i=1}^k x_i = x_i'] \ge \epsilon (\lambda )\). Let Q be the event that during the game \({\mathcal {A}}\) explicitly queries \({\mathcal {O}}_\mathsf {ro}^f(\cdot )\) at all intermediate points \((y_0, x_1)\), \((y_1, x_2), \dots , (y_{k-1}, x_k)\), and S be the event that \({\mathcal {A}}\) succeeds. Then, we have:

   $$\begin{aligned} \Pr [S] = \Pr [S \wedge {\overline{Q}}] + \Pr [S \wedge Q] \le \Pr [S \wedge {\overline{Q}}] + \Pr [Q] \end{aligned}$$

   Note that the output length \(\ell (\lambda ) = \mathsf {poly}(\lambda )\), the output of \({\mathcal {O}}_\mathsf {ro}^h(\cdot )\) is unpredictable, and \({\mathcal {O}}_\mathsf {ro}^h(\cdot )\) acts like a collision-resistant hash function. The first fact indicates that \(\Pr [S \wedge {\overline{Q}}] = \mathsf {negl}(\lambda )\). The second fact indicates that for each \(1 \le i \le k\), there is one and only one tuple \(\langle (y_{i-1}, x_i), y_i \rangle \) (whose image is \(y_i\)) in \(L_A\). Therefore, we must have \(y_j' = y_j\) and \(x_j' = x_j\) for each \(j \in [k]\). This proves the above claim.

2. 2.

   \({\mathcal {B}}\) then recovers \(x' \in \{0,1\}^{n(\lambda )}\) from \((x_1', \dots , x_k')\). Conditioned on \({\mathcal {A}}\) succeeds, we must have \(\phi \ne \mathsf {id}\) because \(\mathsf {MD}_{iv}^h(\cdot )\) is deterministic. According to the above claim, if \({\mathcal {A}}\) succeeds with some non-negligible probability \(\epsilon (\lambda )\), then \(\Pr [\wedge _{i=1}^k x_i' = x_i] \ge \epsilon (\lambda )\) and thus \(\Pr [x' = \phi (x^*)] \ge \epsilon (\lambda )\). \({\mathcal {B}}\) then runs \(\mathsf {SampRS}\) to output a random solution of equation \(\phi (\alpha ) - x' = 0\) as its answer. Combining the fact \(\Pr [x' = \phi (x^*)] \ge \epsilon \) and the BRS and SRS properties of \(\Phi _{\text {brs}}^{\text {srs}}\), we conclude that \({\mathcal {B}}\) outputs \(x^*\) probability \(\epsilon (\lambda )/\mathsf {poly}(\lambda )\), which is still non-negligible in \(\lambda \).

During the recovering procedure, \({\mathcal {B}}\) only uses the information from \({\mathcal {A}}\)’s random oracle queries. The existence of \({\mathcal {B}}\) contradicts the hypothesis that \(\tilde{{\mathsf {H}}}_\infty (x^*|(\mathsf {hint}(x^*), y^*)) \ge \omega (\log \lambda )\). This proves Lemma A.1. \(\square \)

B Missing Cryptographic Primitives

1.1 B. 1 Universal Hash Functions

A family of functions \({\mathcal {H}} = \{h_i: X \rightarrow Y\}\) from domain X to range Y is said to be universal if, for every distinct \(x, x' \in X\), \(\Pr _{h \leftarrow {\mathcal {H}}}[h(x) = h(x')] = 1/|X|\).

1.2 B.2 Strongly Unforgeable One-Time Signatures

A signature scheme consists of three polynomial time algorithms as follows:

• \(\mathsf {Gen}(1^\lambda )\): on input a security parameter \(\lambda \), outputs a verification key vk and a signing key sk.

• \(\mathsf {Sign}(sk,m)\): on input a signing key sk and a message m from some message space M (M may depend on \(\lambda \) and vk), outputs a signature \(\sigma \).

• \(\mathsf {Vefy}(vk, m, \sigma )\): on input a verification key vk, a message \(m \in M\) and a signature \(\sigma \), outputs a bit b, with \(b=1\) meaning “valid” and \(b=0\) meaning “invalid.”

Correctness For any \((vk, sk) \leftarrow \mathsf {Gen}(1^\lambda )\) and any \(m \in M\), \(\mathsf {Vefy}(vk, m, \mathsf {Sign}(sk,m)) = 1\). We can relax the standard correctness to require that \(\mathsf {Vefy}\) accepts with overwhelming probability over all the randomness of the experiment.

Strong unforgeability Let \({\mathcal {A}}\) be an adversary against signature and define its advantage in the following experiment:

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A}}(\lambda ) = \Pr \left[ \begin{array}{c} \mathsf {Vefy}(vk, m, \sigma ) = 1 \\ \wedge (m, \sigma ) \notin {\mathcal {Q}} \end{array}: \begin{array}{l} (vk, sk) \leftarrow \mathsf {Gen}(1^\lambda );\\ (m, \sigma ) \leftarrow {\mathcal {A}}^{{\mathcal {O}}_\mathsf {sign}}(vk); \end{array} \right] \end{aligned}$$

Here, \({\mathcal {O}}_\mathsf {sign}\) is the signing oracle that on input m returns \(\sigma \leftarrow \mathsf {Sign}(sk, m)\). The set \({\mathcal {Q}}\) contains pairs of queries to \({\mathcal {O}}_\mathsf {sign}\) and their associated responses. A signature is said to be strongly unforgeable under one-time chosen message attack if no PPT adversary has non-negligible advantage in above experiment by accessing \({\mathcal {O}}_\mathsf {sign}\) once.

1.3 B.3 All-But-One Lossy Functions

Qin and Liu [52] introduced the notion of all-but-one lossy functions (ABOLFs), which could be viewed as the trapdoor-free version of all-but-one lossy trapdoor functions [50]. Formally, a collection of \((X, Y, \tau )\)-ABOLFs with branch set B consists of two polynomial time algorithms satisfying the following properties:

• \(\mathsf {Gen}(1^\lambda , b^*)\): on input a security parameter \(\lambda \) and a branch \(b^* \in B\), outputs a function index s. For any \(b \ne b^*\), \(g_{s,b}(\cdot )\) is an injective function from X to Y, while \(g_{s, b^*}(\cdot )\) is a lossy function from X to Y whose image has size at most \(2^{\tau }\). In both cases, \(g_{s,b}(\cdot )\) is deterministic.

• \(\mathsf {Eval}(s, b, x)\): on input a function index s, a branch \(b \in B\), and an element \(x \in X\), outputs \(y \leftarrow g_{s,b}(x)\).

Hidden lossy branch For any \(b_0^*, b_1^* \in B \times B\), the output \(s_0\) of \(\mathsf {Gen}(1^\lambda , b_0^*)\) and the output \(s_1\) of \(\mathsf {Gen}(1^\lambda , b_1^*)\) are computationally indistinguishable.

1.4 B.4 One-Time Lossy Filters

Qin and Liu [51] introduced the notion of one-time lossy filters (OTLFs), in which a lossy branch could be generated on-the-fly in a somewhat semi-customized (or adversary-dependent) manner. A collection of \((X, Y, \tau )\)-OTLFs with branch set \(B = B_c \times B_a\) (where \(B_c\) is the core branch set and \(B_a\) is the auxiliary branch set) consists of three polynomial time algorithms satisfying the following properties:

• \(\mathsf {Gen}(1^\lambda )\): on input a security parameter \(\lambda \), outputs a function index s and a trapdoor td. B contains two disjoint subsets, the subset of injective branches \(B_\text {inj}\) and the subset of lossy branches \(B_\text {lossy}\). For any \(b \in B_\text {inj}\), \(g_{s, b}(\cdot )\) is an injective function from X to Y. For any \(b \in B_\text {lossy}\), \(g_{s, b}(\cdot )\) is a lossy function from X to Y whose image has size at most \(2^{\tau }\). In both cases, \(g_{s, b}(\cdot )\) is deterministic.

• \(\mathsf {Eval}(s, b, x)\): on input a function index s, a branch \(b \in B\), and an element \(x \in X\), outputs \(y \leftarrow g_{s, b}(x)\).

• \(\mathsf {SampLossy}(td, b_a)\): on input a trapdoor td and an auxiliary branch \(b_a\), outputs a core branch \(b_c\) such that \(b = (b_c, b_a)\) is lossy branch from \(B_\text {lossy}\).

Indistinguishability For any auxiliary branch \(b_a \in B_a\), a random lossy core branch \(b_c \leftarrow \mathsf {SampLossy}(td, b_a)\) and a random core branch \(b_c \xleftarrow {\text { R}}B_c\) are computationally indistinguishable.

Evasiveness For any PPT adversary, it is hard to generate a new lossy branch even given a lossy branch.