Improved, black-box, non-malleable encryption from semantic security

Abstract

We give a new black-box transformation from any semantically secure encryption scheme into a non-malleable one which has a better rate than the best previous work of Coretti et al. (in: Kushilevitz and Malkin (eds) TCC 2016-A, Part I, Springer, Heidelberg, 2016). We achieve a better rate by departing from the “matrix encoding” methodology used by previous constructions, and working directly with a single codeword. We also use a Shamir secret-share packing technique to improve the rate of the underlying error-correcting code.

Appendix 1: Background

1.1 Appendix 1.1: Error-correcting codes

For integers \(\ell , n\), \(0< \delta < 1\) and a collection of symbols \(\varSigma \), an \([\ell ,n,\delta ]\)-code over \(\varSigma \) is a collection \(\mathcal {W}\subset \varSigma ^\ell \) of \(\ell \)-letter words over the alphabet \(\varSigma \) with \(|\mathcal {W}| = 2^n\) and the property that any two strings in \(\mathcal {W}\) differ in at least \(\delta \cdot \ell \) locations. Note that given any string \(s \in \varSigma ^\ell \), there is at most one string \(w \in \mathcal {W}\) which is within distance \(\frac{\delta \ell -1 }{2} \) from s.

Reed–Solomon codes. For a finite field F of size \(2^n\), a set \(S = \{i_0, i_1, \ldots , i_\ell \} \subseteq F\), and parameter d, where \(\ell \ge d + 1\), the Reed Solomon Code is an \([\ell , n, (\ell -d)/\ell ]\)-code over alphabet \(\varSigma := F\), whose codewords are the strings \(\{(p(i_1), p(i_2), \ldots , p(i_\ell )\}\), where p ranges over all polynomials of degree at most d over F.

For purposes of this work, to encode a message m:

• Choose a random degree-d polynomial p subject to \(p(i_0) := m\).

• Output \(\{(p(i_1), p(i_2), \ldots , p(i_n)\}\).

The Berlekamp–Welch algorithm. The decoding algorithm for RS codes can be efficiently implemented using the Berlekamp–Welch algorithm [5]. Specifically, this algorithm can be used to efficiently recover the nearest codeword—i.e. the nearest degree-d polynomial p—given a corrupted codeword \(\{(f(i_1), f(i_2), \ldots , f(i_\ell )\}\), as long as there exists some set \(S' \subseteq S\) of size at least \((n-d)/2\), such that \(f(i_j) = p(i_j)\), for all \(i_j \in S'\). Once such a polynomial p is found, the message can be recovered by outputting \(p(i_0)\).

1.2 Appendix 1.2: Lagrange interpolation polynomial

For a given set of distinct points \(\{(a_1, b_1), \ldots , (a_{d+1}, b_{d+1})\}\), the Lagrange interpolation polynomial is a degree-d polynomial q such that \(q(a_1) = b_1, \ldots q(a_{d+1}) = b_{d+1}\), which can be computed as follows:

$$\begin{aligned} q(x) = \sum _{i=1}^{d+1} b_i L_i(x), \end{aligned}$$

where Lagrangian \(L_i\) is a degree-d polynomial such that \(L_i(x) = 1\) if \(x = a_i\) and \(L_i(x) = 0\) if \(x \in \{a_1, \ldots , a_{d+1}\}\) but \(x \ne a_i\). In particular, we have

$$\begin{aligned} L_i(x) = \prod _{j \in [d+1]\setminus \{i\}} \frac{x - a_j}{a_i - a_j}. \end{aligned}$$