Non-malleability Against Polynomial Tampering

Ball, Marshall; Chattopadhyay, Eshan; Liao, Jyun-Jie; Malkin, Tal; Tan, Li-Yang

doi:10.1007/978-3-030-56877-1_4

Marshall Ball¹⁰,
Eshan Chattopadhyay¹¹,
Jyun-Jie Liao¹¹,
Tal Malkin¹⁰ &
…
Li-Yang Tan¹²

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12172))

Included in the following conference series:

Annual International Cryptology Conference

2225 Accesses
5 Citations

Abstract

We present the first explicit construction of a non-malleable code that can handle tampering functions that are bounded-degree polynomials. Prior to our work, this was only known for degree-1 polynomials (affine tampering functions), due to Chattopadhyay and Li (STOC 2017). As a direct corollary, we obtain an explicit non-malleable code that is secure against tampering by bounded-size arithmetic circuits.

We show applications of our non-malleable code in constructing non-malleable secret sharing schemes that are robust against bounded-degree polynomial tampering. In fact our result is stronger: we can handle adversaries that can adaptively choose the polynomial tampering function based on initial leakage of a bounded number of shares.

Our results are derived from explicit constructions of seedless non-malleable extractors that can handle bounded-degree polynomial tampering functions. Prior to our work, no such result was known even for degree-2 (quadratic) polynomials.

You have full access to this open access chapter, Download conference paper PDF

Non-malleable Secret Sharing in the Computational Setting: Adaptive Tampering, Noisy-Leakage Resilience, and Improved Rate

Continuously Non-malleable Codes Against Bounded-Depth Tampering

Leakage-resilient Linear Secret-sharing Against Arbitrary Bounded-size Leakage Family

1 Introduction

1.1 Non-malleable Codes

Non-malleable codes were introduced by Dziembowski, Pietrzak, and Wichs [33] as a natural and useful modification of error correcting codes, which can handle stronger forms of adversarial tampering attacks (including ones that can change all symbols of the codeword), while still providing meaningful guarantees. Informally, a non-malleable code is a pair of algorithms $(\mathrm {Enc},\mathrm {Dec})$, and it is secure against a tampering function family $\mathcal {F}$ if for every tampering function $f\in \mathcal {F}$, the decoding of a tampered codeword, namely $\mathrm {Dec}(f(\mathrm {Enc}(s)))$ for an arbitrary message s, will either be the original message s, or a value completely unrelated to s. (See Sect. 3.3 for a formal definition).

As an example of an application of non-malleable codes, one can consider s as being the signing key of a digital signature scheme, and is stored as $\mathrm {Enc}(s)$ in memory. The non-malleability guarantee ensures that for any tampering attack which turns $\mathrm {Enc}(s)$ into $f(\mathrm {Enc}(s))$, the tampered signature is signed under either s or a completely unrelated key. In both cases the tampered signature does not help the adversary learn how to forge a valid signatures on its own.

Non-malleable codes have also found other useful applications in cryptography, such as in constructing non-malleable commitments [37], public-key encryption systems [25], and, as we discuss in Sect. 1.2, non-malleable secret sharing [1, 6, 35, 36].

Dziembowski et al. [33] observed that some restrictions on the tampering function family is necessary. Indeed, it is impossible to achieve non-malleability if the adversary is able to decode the codeword, tamper the message, and then re-encode the tampered message. In the last 10 years, non-malleable codes have been shown to exist for numerous rich tampering function families and in various settings. In this work we focus on explicit, information-theoretic constructions.

A successful line of work focused on split-state tampering functions, where the codeword is broken into several disjoint parts and the adversary can tamper each part arbitrarily but independently [2,3,4, 16, 19, 21, 32, 38, 41, 42, 44, 45]. This line of work has culminated in the construction of near-optimal codes in this setting.

Recently there has been significant interest and progress on constructing non-malleable codes in a more general setting, where the tampering functions are not restricted to fixed partitions, and can act globally on the codeword. Global tampering classes that have been studied include permutations and bit flipping [5], local functions [9], affine functions over $\mathbb {F}_2$ [17], small-depth circuits [8, 17], and small-depth decision trees [10]. Our work fits into this line of research.

Our Results. We consider the tampering class of bounded-degree polynomials. This is a natural class of tampering functions, and significantly generalizes the class of affine tampering functions (i.e. degree-1 polynomials) studied in [17]. We define the setting more precisely as follows. Let q be a prime, and $\text {Poly}_{n, q,d}$ denote the family of n-variate polynomials over $\mathbb {F}_q$ of degree at most d. We are interested in the following family of tampering functions:

$$\mathcal {F}_{n,q,d} := \{(p_1,\ldots , p_n): \forall i \in [n], p_i \in \text {Poly}_{n, q,d} \}.$$

For $P=(p_1,\ldots ,p_n) \in \mathcal {F}_{n,q,d}$, and $x \in \mathbb {F}_q^n$, define $P(x) := (p_1(x),\ldots ,p_n(x))$.

The following is our main result.

Theorem 1 (NMCs for bounded-degree polynomials)

There exists a constant $C>0$ such that for all integers n, d, m, any $\varepsilon >0$ and any prime $q>(Cn^2d^4m2^{2m}/\varepsilon ^2) \cdot \log (nd/\varepsilon )$, there exists a non-malleable code on alphabet [q], with block length n, message length m, relative rate $\varOmega (m/n\log q)$ and error $\varepsilon $, with respect to the family $\mathcal {F}_{n,q,d}$.

Prior to our work, no explicit construction of a non-malleable code was known even for quadratic polynomials ($d=2$).

To prove Theorem 1, we construct new explicit seedless non-malleable extractors that can handle the tampering class $\mathcal {F}_{n,q,d}$. A similar strategy was adopted in [17], where they constructed seedless non-malleable extractors against affine tampering functions (i.e, $\mathcal {F}_{n,q,1}$). However, their construction of such extractors heavily exploit the linearity of the tampering functions and explicit constructions of extractors that are linear, and their techniques seem to break down even against quadratic tampering functions. We introduce a completely different approach to construct seedless non-malleable extractors against higher degree polynomial tampering. We discuss this in detail in Sect. 1.3.

We use Theorem 1 to derive a non-malleable code that is secure against tampering by arithmetic circuits. Consider the following family of tampering functions:

$$\begin{aligned} \mathcal {E}_{n,q,s}&:= \{(e_1,\ldots , e_n): e_i \text { is an } n\text {-variate size-} s \text { arithmetic circuit over } \mathbb {F}_q\}. \end{aligned}$$

For $E=(e_1,\ldots ,e_n) \in \mathcal {E}_{n,q,s}$ and $x \in \mathbb {F}_q^n$, we define $E(x) := (e_1(x),\ldots ,e_n(x))$.

Corollary 1 (NMCs for arithmetic circuits)

There exists a constant $C>0$ such that for all integers n, s, m, any $\varepsilon >0$ and any prime $q > (Cn^2 sm 2^{4s+2m}/\varepsilon ^2) \cdot \log (n/\varepsilon )$, there exists a non-malleable code on alphabet [q], with block length n, message length m, relative rate $\varOmega (m/n\log q)$ and error $\varepsilon $, with respect to the family $\mathcal {E}_{n,q,s}$.

To our knowledge, this is the first explicit construction of a non-malleable code that can handle tampering by arithmetic circuits.

Corollary 1 follows as a straightfoward consequence of Theorem 1, using the fact that a size-s arithmetic circuit computes a polynomial of degree at most $2^s$.

1.2 Non-malleable Secret Sharing

A t-out-of-n secret sharing scheme [13, 55] allows a dealer to share a secret $s\in \{0,1\}^{m}$ among n parties such that any t parties can collectively recover the secret, and yet any colluding $(t-1)$ parties learn nothing about the secret. Recently, Goyal and Kumar [35] initiated the study of the more robust notion of non-malleable secret sharing. A non-malleable secret sharing scheme further requires the shares to be non-malleable against a family of tampering functions $\mathcal {F}$. That is, when the shares are tampered by any function $f\in \mathcal {F}$, for any t parties the reconstructed secret should be either s or a value completely unrelated to s.

Similar to non-malleable codes, non-malleable secret sharing schemes aim to provide protection against tampering attacks, and there are strong connections between non-malleable secret sharing schemes and non-malleable codes. In fact, it can be shown that non-malleable codes in the 2-split-state model are 2-out-of-2 secret sharing schemes. In [35], the authors constructed t-out-of-n non-malleable secret sharing schemes in different tampering models. A detailed comparison of these models and references to other related work can be found in [1]. These models have in common that the tampering functions are “compartmentalized”, applying the function independently to different disjoint parts.

A natural direction of investigation is to construct non-malleable secret sharing against tampering functions that are not compartmentalized. Recently, Lin et al. [46] construct a t-out-of-n secret sharing against affine tampering for every t and large enough n, and Chattopadhyay and Li [18] construct a non-malleable ramp secret sharing against affine tampering composed with joint tampering.

Our Results. We construct a non-malleable secret sharing scheme that is secure against the class of polynomial tampering functions. Prior to our work, no such explicit construction was known even against the tampering class of quadratic polynomials. The following is an informal version of our result:

Theorem 2 (NM secret sharing for polynomial tampering)

For all integers n, d, r, any prime $q>\text {poly}(2^m, n,d)$ and $1\le r\le n$, there exists an r-out-of-n non-malleable secret sharing scheme with respect to polynomial tampering $\mathcal {F}_{n,q,d}$ for m-bit secrets.

In fact our construction is stronger and can handle an adaptive tampering adversary who chooses the polynomial tampering function $f \in \mathcal {F}_{n,q,d}$ depending on any $r-1$ of the shares.

As in the case of non-malleable codes, the above theorem directly yields explicit non-malleable secret sharing schemes that are secure against the tampering class of bounded-size arithmetic circuits.

1.3 Seedless Non-malleable Extractors

Informally, a randomness extractor is a deterministic algorithm that produces nearly uniform bits of randomness from defective sources of randomness. The study of randomness extractors is motivated by the fact that many applications in computer science require high-quality random bits, whereas most naturally occurring sources of randomness are of much lower quality. Before defining a randomness extractor formally, we first define the notion of min-entropy that is typically used as a measure of the quality of a source:

Definition 1

(Min-entropy and (n, k)-sources). Let X be a distribution on $\{0,1 \}^n$. The min-entropy of X, denoted by $H_{\infty }(X)$, is defined as $\min _{x}(\log (1/\Pr [X=x]))$.

An (n, k)-source is a distribution on $\{0,1 \}^n$ with min-entropy at least k.

For two distributions $D_1$ and $D_2$ on the same universe $\varOmega $, we use $|D_1-D_2|$ to denote the statistical distance between them. We are now ready to define a randomness extractor for a class of sources.

Definition 2

(Extractor). Let $\mathcal {X}$ be a family of sources on $\{0,1 \}^n$. A function $\mathrm {Ext}: \{0,1 \}^n \rightarrow \{0,1 \}^m$ is called an extractor for the family $\mathcal {X}$ with error $\varepsilon $ if for any $X \in \mathcal {X}$,

$$ |\mathrm {Ext}(X) - \text {U}_m| \le \varepsilon ,$$

where $\text {U}_m$ is the uniform distribution over $\{0,1\}^{m}$.

It turns out that there cannot exist an extractor that works for the family of distributions on $\{0,1 \}^n$ with min-entropy at least $n-1$. To circumvent this difficulty, a long line of work has focused on extracting from a weak source X assuming access to a short independent seed Y. Such extractors are called seeded extractors [48] and we now have almost optimal constructions of such extractors [31, 39]. Another successful line of research focused on extracting random bits assuming more structure on the source X. Such extractors are called as seedless extractors. Examples include assuming that the weak source consists of multiple independent sources [11, 14, 20, 23], assuming that the source is supported on an affine subspace [15, 34] or an algebraic variety [29], or even simply assuming that there are some unknown coordinates of the source that are uniform and independent [24]. Explicit constructions of seeded and seedless extractors have found numerous applications in complexity theory [60], coding theory [57] and cryptography [12, 47].

Recently, several works studied a more robust notion of a randomness extractor called non-malleable extractor. The main motivations for studying this stronger variant is from applications in cryptography. Surprisingly, explicit constructions of non-malleable extractors have led to improved constructions of standard extractors. As in the case of standard extractors, there are seeded non-malleable extractors and seedless non-malleable extractors. The seeded variant was introduced by Dodis and Wichs [27] with applications to the problem of privacy application [12]. The seedless variant of non-malleable extractors was introduced by Cheraghchi and Guruswami [21] with applications to constructions of non-malleable codes.

We focus on the seedless variant of non-malleable extractors. For the sake of simplicity, we define seedless non-malleable extractors in slightly less generality and refer the reader to Sect. 3.3 for the more general definition.

Definition 3

(Seedless non-malleable extractor). Let $\mathcal {X}$ be a family of sources on $\{0,1 \}^n$ and $\mathcal {F}$ be a class of tampering functions acting on $\{0,1 \}^n$. Further assume that all $f \in \mathcal {F}$ does not have any fixed points. A function $\mathrm {nmExt}:\{0,1 \}^n \rightarrow \{0,1 \}^m$ is defined to be a non-malleable extractor with respect to $\mathcal {X}$ and $\mathcal {F}$ with error $\varepsilon $ if the following hold: for any $X \in \mathcal {X}$ and $f \in \mathcal {F}$, we have

$$| (\mathrm {nmExt}(X), \mathrm {nmExt}(f(X))) - (\text {U}_m, \mathrm {nmExt}(f(X)))| \le \varepsilon .$$

An informal way of interpreting the above definition is as follows. Let X be a source from the family $\mathcal {X}$. The distribution $X'=f(X)$ represents the tampered distribution, where $f \in \mathcal {F}$ (note that $X'\ne X$). The task of the non-malleable extractor $\mathrm {nmExt}$ is to remove the correlation between the random variables X and $X'$ (which are clearly dependent).

Chattopadhyay and Zuckerman [19] gave explicit constructions of seedless non-malleable extractors assuming X consists of 10 independent sources, and each source is arbitrarily tampered. This was improved by Chattopadhyay, Goyal and Li [16] to construct seedless non-malleable extractors for 2 independent sources. Chattopadhyay and Li [17] constructed a seedless non-malleable extractor against the class of affine functions. In another work, Chattopadhyay and Li [18] constructed seedless non-malleable extractors when the source X consists of 2 independent sources that are interleaved in an unknown way. They also consider some generalizations such as composition of linear tampering and partitioned tampering.

Our Results. We give a seedless non-malleable extractor that can handle polynomial tampering. Prior to our work, Chattopadhyay and Li [17] handled the special case of affine tampering. Their construction heavily relied on linearity of the tampering functions and linearity properties of extractors, and their techniques do not seem to extend even to the case tampering functions that are quadratic polynomials. While a seedless non-malleable extractor for uniform source is sufficient for the reduction in [21], we show that our non-malleable extractor in fact works for skew affine source defined below. This generality is useful in our construction of non-malleable secret sharing schemes that are robust to polynomial tampering.

Definition 4

Let $\mathbb {F}_q$ be a finite field, and let $X=(X_1,\dots ,X_n)$ be a distribution on $\mathbb {F}_q^n$. We say X is an affine source if X is uniform over an affine subspace $W\subseteq \mathbb {F}_q^n$. We define the dimension of X to be the dimension of W. We say X is a skew affine source if X is an affine source and for every $i\in [n]$, $X_i$ has support size greater than 1.

We are now ready to state our result on explicit non-malleable extractors against polynomial tampering.

Theorem 3

There exists a constant $C>0$ such that for all integers n, d, m, any prime q and any $\varepsilon >0$ such that $q > (Cn^2d^4m2^{2m}/\varepsilon ^2) \cdot \log (nd/\varepsilon ) $, there exists an explicit function $\mathrm {nmExt}:\mathbb {F}_q^{n} \rightarrow \{0,1 \}^{m}$, that is a seedless non-malleable extractor with respect to the family of sources

$$\mathcal {X} = \{X: \text { X is a skew affine source on } \mathbb {F}_q^n \text { of dimension } \ge 1\}$$

and the tampering family $ \mathcal {F}_{n,q,d}$.

Prior to our work, no explicit construction of a seedless non-malleable extractor was known against even quadratic polynomials ($d=2$).

We use the above theorem to derive a non-malleable extractor against arithmetic circuits.

Corollary 2

There exists a constant $C>0$ such that for all integers n, s, m, any prime q and any $\varepsilon >0$ such that $q > (Cn^2 sm 2^{4s+2m}/\varepsilon ^2) \cdot \log (n/\varepsilon ) $, there exists an explicit function $\mathrm {nmExt}:\mathbb {F}_q^{n} \rightarrow \{0,1 \}^{m}$, that is a seedless non-malleable extractor with respect to the

$$\mathcal {X} = \{X: \text { X is a skew affine source on } \mathbb {F}_q^n \text { of dimension } \ge 1\}$$

and the tampering family $\mathcal {E}_{n,q,s}$.

To the best of our knowledge, this is the first explicit construction of a non-malleable extractor that can handle tampering by arithmetic circuits.

We in fact show that the non-malleable extractors constructed are efficiently invertible, i.e, given any output z, there exists an efficient sampling algorithm that produces a sample from a distribution that is close to uniform on the set $\mathrm {nmExt}^{-1}(z)$. We discuss the sampling algorithm in Sect. 5. We then use the connection established in [21] (see Sect. 3.4) to derive the explicit non-malleable codes with respect to polynomials (Theorem 1) and arithmetic circuits (Corollary 2).

Organization. We give an overview of our techniques in Sect. 2. We discuss some preliminaries in Sect. 3. In Sect. 4, we explicitly construct a non-malleable extractor against polynomial tampering functions. In Sect. 5, we present efficient sampling algorithms necessary to construct efficient non-malleable codes. We use Sect. 6 to construct a non-malleable secret sharing scheme that can handle polynomial tampering.

2 Overview of Techniques

In this section we discuss the main ideas that are used in our explicit constructions of non-malleable codes, non-malleable extractors, and non-malleable secret sharing schemes. We start by discussing the explicit non-malleable extractor against polynomial tampering (Theorem 3). We then discuss ideas that go into using this construction to construct efficient non-malleable codes and non-malleable secret sharing schemes that are robust to polynomial tampering.

Seedless Non-malleable Extractors Against Polynomials. We discuss the main ideas behind the construction of the non-malleable extractor from Theorem 3. We consider the simpler setting and assume the source is uniform (instead of being a skew affine source as in Theorem 3). This setting cleanly captures our main ideas. The setup is as follows:

Let n, d be arbitrary integers, and fix any $\varepsilon >0$. Let $q = \mathrm {poly}(n,d,1/\varepsilon )$ be a large enough prime (for exact details, see the statement of Theorem 3). Let X be the uniform distribution on $\mathbb {F}_q^n$. Our goal is to construct a polynomial time function $\mathrm {nmExt}:\mathbb {F}_q^n \rightarrow \{0,1 \}^m$ such that for any tampering function $P=(p_1,\ldots ,p_n)$ from the class $\mathcal {F}_{n,q,d}$, such that there exits $i \in [n]$ for which $p_i(x) \ne x_i$, we have

$$ \left| \left( \mathrm {nmExt}(X), \mathrm {nmExt}(P(X))\right) - \left( \text {U}_m, \mathrm {nmExt}(P(X))\right) \right| \le \varepsilon .$$

The high level idea of our construction is to observe that we can express X as a convex combination of distributions that are flat^{Footnote 1} on lines in $\mathbb {F}_q^n$, and then design a non-malleable extractor for such line sources. We note that Gabizon and Raz [34] used such an approach for constructing affine extractors on large fields.

We now describe our approach more precisely. Our plan is to construct a low-degree multivariate polynomial $h:\mathbb {F}_q^n \rightarrow \mathbb {F}_q$ such that the following hold: for all $\beta \in \mathbb {F}_q$, the polynomial

$$g_{\beta } = h(x) + \beta h(P(x))$$

is non-constant. (We stress that the choice of h cannot depend on P.) Now, for a suitable choice of m (we pick $m=\nu \log q$ for some small enough $\nu $), we claim that for such an h, defining

$$\mathrm {nmExt}(x) = h(x) \pmod {2^m}$$

would satisfy the conclusion of Theorem 3.

Before constructing such an h, we first discuss why this is indeed enough. For any $a \in \mathbb {F}_q^n$, $b \in \mathbb {F}_q^n \setminus \{0^n\}$, define the line $L_{a,b}=\{(a_1+tb_1,\ldots ,a_n+tb_n):t\in \mathbb {F}_q\}$. We abuse notation, also use $L_{a,b}$ to denote the flat distribution on $L_{a,b}$. Then clearly, X can be sampled by first uniformly sampling a, b (from their respective domains), and then sampling from $L_{a,b}$.

The first observation is the following: let $D= deg(g_\beta )$, and let $g_{\beta ,a,b}(t)$ be the univariate restriction of $g_\beta $ to the line $L_{a,b}$. We note that the coefficient of $t^D$ is $g_{\beta }(b)$. Appealing to the fact that a low degree polynomial has few roots (Lemma 4), it follows that with high probability (over sampling a, b), the univariate polynomial $g_{\beta ,a,b}(t)$ is a non-constant polynomial of degree D. Fix such vectors a, b so that $g_{\beta ,a,b}$ is a non-constant polynomial. We now use a deep result from algebraic geometry known as the Weil bound (see Theorem 4) to conclude that for any non-trivial character^{Footnote 2} $\chi $ of $\mathbb {F}_q$, we have

$$|\mathbb {E}_{t \sim \mathbb {F}_q}[\chi (g_{\beta ,a,b}(t))]| \le D/\sqrt{q}.$$

Roughly, this asserts the fact that the non-trivial Fourier coefficients of the distribution $g_{\beta ,a,b}(U_{\mathbb {F}_q})$ are bounded, where $U_{\mathbb {F}_q}$ denotes the uniform distribution on $\mathbb {F}_q$. Such a bound can be now be translated into statistical closeness of the distribution $(\mathrm {nmExt}(L_{a,b}), \mathrm {nmExt}(P(L_{a,b})))$ to $(\text {U}_m, \mathrm {nmExt}(P(L_{a,b})))$ using known XOR lemmas (see Lemma 1, Lemma 2). To conclude that $(\mathrm {nmExt}(X), \mathrm {nmExt}(P(X)))$ is close to $(\text {U}_m, \mathrm {nmExt}(P(X)))$, we combine the fact that X is a convex combination of the flat sources $L_{a,b}$, and that for most a, b, we have $(\mathrm {nmExt}(L_{a,b}), \mathrm {nmExt}(P(L_{a,b})))$ is close to $(\text {U}_m, \mathrm {nmExt}(P(L_{a,b})))$.

Given the above discussion, all that remains to construct the required non-malleable extractor is to find such an h. We recall the guarantee we need from h for convenience of the reader:

for all $\beta \in \mathbb {F}_q$ and $P=(p_1,\ldots ,p_n) \in \mathcal {F}_{n,q,d}$ satisfying that for some $i \in [n]$ $p_i(x) \ne x_i$, the polynomial $g_{\beta }(x) = h(x) + \beta h(P(x))$ is a non-constant polynomial.
h must a low degree polynomial. In particular, we require $deg(h) \ll q^{1/2}$.

An initial attempt to construct such an h could be to use a polynomial similar to the one used by Gabizon and Raz [34] in their affine extractor construction and define

$$h(x_1,x_2,\ldots ,x_n)=x_1^{c_1}+x_2^{c_2}+\ldots +x_n^{c_n},$$

where $c_1,c_2,\ldots ,c_n$ are arbitrary distinct positive integer. It is not hard to see that this does not work as follows. It is always possible to find $\beta , \gamma _1,\gamma _2,\dots ,\gamma _n \in \mathbb {F}_q^*$ such that $\gamma _i^{c_i}=-\beta ^{-1}$ for every i and $\gamma _i \ne 1$ for at least one i. Now defining $P=(\gamma _1x_1,\ldots ,\gamma _n x_n)$ gives the desired counterexample since for this choice of $\beta $ and P, $h(x) + \beta h(P(x))$ is identically the zero polynomial.

We avoid the above counterexample as follows: Pick $c_1,c_2,\dots ,c_{2n}$ from an arithmetic progression such that the common difference is co-prime with $q-1$, and define

$$h(x_1,x_2,\dots ,x_n)=\sum _{i=1}^n \left( x_i^{c_{2i-1}}+x_i^{c_{2i}}\right) .$$

For this choice of h, it is not hard to prove that if each $p_i(x) = \gamma _i x_i$ (for some $\gamma _i \in \mathbb {F}_q$), and g(x) is a constant polynomial, it must be that each $\gamma _i$ is 1, and $\beta = -1$. However this contradicts our assumption on P that for some i, $p_i(x) \ne x_i$. Thus we avoid the counterexample discussed above.

We in fact prove that this choice of h works for all $P \in \mathcal {F}_{n,q,d} \setminus \{ (x_1,\ldots ,x_n) \}$. To prove this, we rely on a result (Lemma 3) which shows that for such a choice of $c_i$’s, for any distinct $i_1,i_2 \in [n]$, $deg(p_{i_1}^{c_{i_1}})$ is well separated from $deg(p_{i_2}^{c_{i_2}})$. With a careful case analysis, we use this to show that some monomial (of degree at least 1) in g(x) survives. We provide the details in Sect. 4.

Non-malleable Extractors for Skew Affine Sources Against Polynomial Tampering. In the previous paragraph we sketched how to construct a non-malleable extractor against polynomial tampering assuming access to a uniform source on $\mathbb {F}_q^n$. In Sect. 4, we actually show that the non-malleable extractor works for any affine source which is non-constant on every coordinate. We call such source a skew affine source. In other words, our non-malleable extractor is resilient to affine leakage which does not reveal any single coordinate in the source. We will see the application of this property in non-malleable secret sharing.

To prove this stronger property of the non-malleable extractor, recall that in previous section we defined a polynomial $g_{\beta }(x)=h(x)+\beta h(P(x))$, and its restriction to the line $L_{a,b}$, denoted by $g_{\beta ,a,b}(t)$. We then sketched a proof that $g_{\beta ,a,b}$ is non-constant if $g_{\beta }(b)\ne 0$, which happens with high probability over b. In Sect. 4, we actually show the following stronger result: $\forall i, b_i\ne 0$ is a sufficient condition for $g_{\beta ,a,b}$ to be non-constant. In fact, it is also a necessary condition. If there exists i such that $b_i=0$, the adversary can set $p_j(x)=x_j$ for every $j\ne i$ and $p_i(x)=c$ for a constant $c\ne a_i$. One can verify that $g_{-1,a,b}$ is a constant in this case.

The proof idea is that a similar case analysis as sketched in the previous section also works for $g_{\beta ,a,b}$ if $b_i\ne 0$ for every i. We then show that every skew affine source is a convex combination of line source $L_{a,b}$ where $b_i\ne 0$ for every i (Lemma 7) to finish the proof.

Non-malleable Codes Against Polynomial Tampering. We now turn to cryptographic applications of our non-malleable extractors. To build a non-malleable code against polynomial tampering, we use the connection between non-malleable code and non-malleable extractor established in [21]. To apply the reduction in [21], we need an efficient algorithm which samples almost uniformly from a pre-image of our non-malleable extractor on any output.

Recall that our non-malleable extractor is of the form $\mathrm {nmExt}(x)=\sigma (h(x))$, where $\sigma $ is modulo $2^m$ and h is a bounded-degree polynomial. Inverting $\sigma $ is easy, and there exists an algorithm by Cheraghchi and Shokrollahi [22] which almost-uniformly samples a pre-image of bounded-degree polynomial (over any large enough prime field). An initial attempt to sample from $\mathrm {nmExt}^{-1}(z)$ would be first sample $y\in \sigma ^{-1}(z)$ and then sample from $h^{-1}(y)$. However this does not work since $h^{-1}(y)$ might have different size for different $y\in \mathbb {F}_q$. So we need to sample $y\in \sigma ^{-1}(z)$ with probability proportional to $|h^{-1}(y)|$. A possible way to perform such weighted sampling from $\sigma ^{-1}(z)$ is to do a rejection sampling which samples $y\in \sigma ^{-1}(z)$ uniformly in each round and accept with probability proportional to $|h^{-1}(y)|$. However, we need to (approximately) count $|h^{-1}(y)|$ in this approach, which is difficult in general.

Chattopadhyay and Zuckerman [19] handled a similar sampling task while constructing efficient non-malleable codes in the split-state model, with the crucial difference being that they were dealing with polynomials on a constant number of variables. In [19], they adopted a similar sampling strategy as the one sketched above, and they count $|h^{-1}(y)|$ with an algorithm from [40], which has running time doubly exponential in the number of variables (which, in their case, still takes constant time).

To get around this difficulty, we observe that the algorithm in [22] is actually a rejection sampling which has accepting probability proportional to $|h^{-1}(y)|$ in each round. Therefore, we can embed an uniform sampling of y in each round of [22] and bypass the computation of $|h^{-1}(y)|$. We provide the details of our sampling algorithm in Sect. 5.

Non-malleable Secret Sharing Against Polynomial Tampering. As another application of our non-malleable extractor, we build a non-malleable secret sharing that can handle polynomial tampeering. We obtain this by plugging in our extractor into a scheme by Lin, Cheraghchi, Guruswami, Safavi-Naini and Wang [46]. In this scheme, they take an efficiently invertible non-malleable extractor $\mathrm {nmExt}$ and a linear erasure code $(\mathrm {Enc},\mathrm {Dec})$, then define the sharing function to be $\mathrm {Enc}\circ \mathrm {nmExt}^{-1}$ and the reconstruction function to be $\mathrm {nmExt}\circ \mathrm {Dec}$. If in the erasure code $(\mathrm {Enc},\mathrm {Dec})$, $\mathrm {Dec}$ only needs r symbols in the codeword to reconstruct the original message, then so does $\mathrm {nmExt}\circ \mathrm {Dec}$ in the secret sharing scheme. Therefore the correctness holds as long as there is an efficient inverter for $\mathrm {nmExt}$ which succeeds with high probability.

To prove privacy and non-malleability we need the following guarantee on $\mathrm {nmExt}$. To guarantee non-malleability, for every tampering function f, $\mathrm {nmExt}$ should be non-malleable against the composed tampering function $\mathrm {Dec}\circ f\circ \mathrm {Enc}$. For polynomial tampering, taking the erasure code to be a linear code over $\mathbb {F}_q$ naturally satisfies this requirement. To guarantee privacy, given a uniform source X, $\mathrm {nmExt}(X)$ should be uniform conditioned on that some symbols of $\mathrm {Enc}(X)$ is leaked to the adversary. When $(\mathrm {Enc},\mathrm {Dec})$ is a linear code, this means $\mathrm {nmExt}$ should be an affine extractor. This is also true for our extractor (see Appendix A in the online version of this paper [7]).

We in fact achieve a stronger result and construct a non-malleable secret sharing scheme where the adversary can choose the polynomial tampering function based on some of the shares. If given a secret the adversary can learn a symbol of $\mathrm {nmExt}^{-1}(s)$ from their shares, the secret sharing scheme sketched above will become malleable. We show that we can avoid this problem by taking $\mathrm {Enc}$ to be a “truncated systematic MDS code”. That is, we take a MDS (maximum distance separable) code for which the encoding is in the form $f(x)=(x,f'(x))$,^{Footnote 3} then we discard x and only keep $f'(x)$. For $x\in \mathbb {F}_q^r$, we can prove that given any $r-1$ symbols in $f'(x)$, it is not possible to recover any symbol in x. Roughly speaking, if given $r-1$ symbols in $f'(x)$ it is possible to recover a symbol $x_i$, then these symbols together with $x_i$ form a collection of r symbols which contain “redundant information”. This violates the property of MDS codes that the original message can be recovered with any r symbols in the codeword. This is conceptually similar to Shamir’s secret sharing scheme, and the only difference is we want to hide every single symbol in the message while Shamir’s secret sharing is only hiding the first symbol because the others are random. Because our extractor is non-malleable given any other form of affine leakage (using the fact that our non-malleable extractor works for any skew affine source of dimension at least 1), we can conclude that the corresponding r-out-of-n secret sharing is non-malleable even if the adversary choose their tampering function based on $r-1$ shares. We provide more details of our non-malleable secret sharing scheme in Sect. 6.

3 Preliminaries

Define $e(x) = e^{2 \pi {i}x}$, where ${i}=\sqrt{-1}$.

For any distribution D, let D(x) denote $\Pr [D=x]$, and let $\mathrm {Supp}(D)$ denote the support of D.

Let $\text {U}_m$ denote the uniform distribution over m bits. Let $\text {U}_\varSigma $ denote the uniform distribution over the finite set $\varSigma $.

For two distributions $D_1$ and $D_2$ on the same universe, we use $|D_1-D_2|$ to denote the statistical distance. We use $D_1 \approx _{\varepsilon } D_2$ to denote the fact that $D_1$ and $D_2$ are $\varepsilon $-close in statistical distance.

For non-negative integers $\lambda _1,\ldots ,\lambda _n$ that sum to 1, and arbitrary distributions $D_1,\ldots ,D_n$, we use $\sum _{i} \lambda _i D_i$ to denote the distribution that places weight $\sum _{i} \lambda _i D_i(x)$ at the point x.

For $n\in \mathbb {N}$, we use [n] to denote the set $\{1,2,\ldots ,n\}$. For non-negative integer k, we use $\left( {\begin{array}{c}[n]\\ k\end{array}}\right) $ denote the set of all subsets of [n] of size k. Let $\varSigma $ be a set of symbol. For sequence $X=(x_1,\ldots ,x_n)\in \varSigma ^n$ and $S=\{i_1,\ldots ,i_k\}\subseteq [n]$ such that $i_1<i_2<\ldots <i_k$, we use $X_S$ to denote the sequence $(x_{i_1},x_{i_2},\ldots ,x_{i_k})$.

3.1 Characters Sums over Finite Fields

Let q be a prime. The additive characters of $\mathbb {F}_q$ are of the form $\chi _j(x) = e(xj/q)$, for $j = 0,1,\ldots , q-1$. $\chi _0$ is called the trivial character, and the others are called as non-trivial characters of $\mathbb {F}_q$. We now recall a deep result from algebraic geometry that has found various applications in pseudorandomness.

Theorem 4

(Weil bound [58]). Let p be a non-constant univariate polynomial of degree $d <q$ over $\mathbb {F}_q$. For any non-trivial additive character $\chi $ of $\mathbb {F}_q$, we have

$$ \left| \sum _{y \in \mathbb {F}_q}\chi (p(y))\right| \le d \sqrt{q}.$$

We record a couple of XOR lemmas that lets us translate bounds on expectations of characters under a distribution D, to the closeness of D in statistical distance to the uniform distribution.

Lemma 1

([50]). For every prime q, there exists an efficiently computable map $\sigma : \mathbb {F}_q \rightarrow \{0,1 \}^m$ such that if Y is a distribution on $\mathbb {F}_q$ such that for every non-trivial additive character $\chi $ of $\mathbb {F}_q$,

$$\mathbb {E}[\chi (Y) ] \le \delta ,$$

then it is the case that

$$|\sigma (Y) - \text {U}_m| \le \varepsilon ,$$

where $\varepsilon = \delta 2^{m/2} + O(2^m/q)$.

Lemma 2

([26, 50]). For every prime q, there exists an efficiently computable map $\sigma : \mathbb {F}_q \rightarrow \{0,1 \}^m$ such that if $(Y,Y')$ is a distribution on $\mathbb {F}_q \times \mathbb {F}_q$ where for all additive characters $\chi , \phi $ of $\mathbb {F}_q$, where $\chi $ is non-trivial,

$$\mathbb {E}[\chi (Y) \phi (Y')] \le \delta ,$$

then it is the case that

$$|(\sigma (Y), \sigma (Y')) - (\text {U}_m,\sigma (Y'))| \le \varepsilon ,$$

where $\varepsilon = \delta 2^{m} + O(2^m/q)$.

3.2 Useful Lemmas About Polynomials

We recall a useful result from [30] (Lemma 4.2).

Lemma 3

Let $n,r,d,\lambda $ be arbitrary positive integers, and q be a prime. Let $p_1(x),\ldots ,p_r(x) \in \text {Poly}_{n, q,d}$ be non-constant polynomials. Suppose that $d_i = deg(p_i)$. Define $c_i = \lambda (2dr+1)+ \lambda i$. Then, for all $1 \le i < j \le r$, we have

$$|deg(p_i^{c_i}) - deg(p_j^{c_j})|=|c_i\cdot d_i - c_j\cdot d_j| \ge \lambda .$$

We also record the Schwartz-Zippel Lemma.

Lemma 4

([54, 59]). Let $p(x) \in \text {Poly}_{n, q,d}$ be a non-zero polynomial. Then,

$$ \mathop {\Pr }\limits _{x \in \mathbb {F}_q^n}[p(x) = 0] \le d/q.$$

3.3 Non-malleable Codes and Seedless Non-malleable Extractors

Definition 5

(Coding schemes). Let $\varSigma $ be a finite alphabet set. A pair of functions $(\mathrm {Enc},\mathrm {Dec})$, where $\mathrm {Enc}:\{0,1\}^k \rightarrow \varSigma ^n$ is a randomized function and $\mathrm {Dec}:\varSigma \rightarrow \{0,1\}^k \cup \{ \perp \}$ is a deterministic function, is defined to be a coding scheme with block length n and message length k if for all $z \in \{0,1\}^k $, $\Pr [\mathrm {Dec}(Enc(s))=s]=1$.

Definition 6

(Tampering functions). Let $\varSigma $ be a finite alphabet set. For any $n>0$, let $\mathcal {H}_{\varSigma ,n}$ denote the set of all functions $h: \varSigma ^n \rightarrow \varSigma ^n$. Any subset $\mathcal {G} \subseteq \mathcal {H}_{\varSigma ,n}$ is a family of tampering functions.

For simplicity, we sometimes do not specify the domain of tampering functions when it is clear from the context. We define a function that will be useful in defining non-malleable codes:

$$ \mathrm {copy}(x,y) = {\left\{ \begin{array}{ll} x &{} \text {if } x \ne \mathrm {same}\\ y &{} \text {if } x = \mathrm {same}. \end{array}\right. } $$

Definition 7

(Non-malleable codes). Let $\varSigma $ be a finite alphabet set. A coding scheme $(\mathrm {Enc},\mathrm {Dec})$ on alphabet $\varSigma $ with block length n and message length k is a non-malleable code with respect to a tampering family $\mathcal {G} \subset \mathcal {H}_{\varSigma ,n}$ and error $\varepsilon $ if for every $g \in \mathcal {G}$ there is a random variable $D_g$ supported on $\{ 0,1\}^k \cup \{ \mathrm {same}\}$ that is independent of the randomness in $\mathrm {Enc}$, and any message $z \in \{0,1\}^k$, we have

$$ |\mathrm {Dec}(f(\mathrm {Enc}(z))) - \mathrm {copy}(D_g,z)| \le \varepsilon $$

We define the rate of a non-malleable code $\mathcal {C}$ to be the quantity $\frac{k}{n \log (|\varSigma |)}$.

Definition 8

(Seedless non-malleable extractors). Let $\varSigma $ be a finite alphabet set, $\mathcal {G}$ be a class of tampering functions $\varSigma ^n\rightarrow \varSigma ^n$ and $\mathcal {X}$ be a class of distribution over $\varSigma ^n$. A function $\mathrm {nmExt}: \varSigma ^{n} \rightarrow \{0,1\}^{m}$ is called a seedless non-malleable extractor that works for $\mathcal {X}$ with respect to $\mathcal {G}$ with error $\varepsilon $ if for every distribution $X\in \mathcal {X}$ and every tampering function $g \in \mathcal {G}$, there exists a random variable $D_{g}$ on $\{ 0,1\}^m \cup \{ \mathrm {same}\}$ that is independent of X, such that

$$|(\mathrm {nmExt}(X), \mathrm {nmExt}(g(X))) - (\text {U}_m,\mathrm {copy}(D_{g},\text {U}_m)) | \le \varepsilon .$$

3.4 Non-malleable Codes via Seedless Non-malleable Extractors

Cheraghchi and Guruswami [21] established the following connection between non-malleable codes and seedless non-malleable extractors.

Theorem 5

Let $\varSigma $ be some finite alphabet set. Let $\mathrm {nmExt}: \varSigma ^{n} \rightarrow \{0,1\}^{m}$ be a polynomial time computable seedless non-malleable extractor that works for uniform distribution with respect to a class of tampering functions $\mathcal {G}$ acting on $\varSigma ^n$. Suppose there is a sampling algorithm $\mathrm {Samp}$ that on any input $z \in \{0,1 \}^m$ runs in time $\mathrm {poly}(n, \log |\varSigma |)$ and samples from a distribution that is $\delta $-close to uniform on the pre-image set $\mathrm {nmExt}^{-1}(s)$.

Then there exists an efficient construction of a non-malleable code on alphabet $\varSigma $ with block length n, relative rate $\frac{m}{n}$, error $2^{m}\varepsilon +\delta $ with respect to the tampering family $\mathcal {G}$.

Given such an invertible non-malleable extractor, the non-malleable code for $\mathcal {G}$ is defined as follows: Any message $ v \in \{ 0,1\}^m$ is encoded as $\mathrm {Samp}(v)$. The decoding of a codeword $c \in \varSigma ^{n}$ is $\mathrm {nmExt}(c) \in \{0,1 \}^m$.

3.5 MDS Code

Definition 9

Let $C\subseteq \mathbb {F}_q^n$ be a linear subspace of dimension k where $\mathbb {F}_q$ is the finite field with q elements. We say C is a $[n,k,d]_q$ code if every two distinct codewords $c_1,c_2\in C$ coincide in at most $n-d$ coordinates. We say C is a $[n,k]_q$ MDS (maximum distance separable) code if C is a $[n,k,n-k+1]$ code, i.e. C matches Singleton bound [56].

Definition 10

Let C be a $[n,k,d]_q$ code and $\mathrm {Enc}$ be a bijective linear mapping from $\mathbb {F}_q^k$ to C. We say $\mathrm {Enc}$ is systematic encoding of C if there exists a function $\mathrm {Enc}':\mathbb {F}_q^k\rightarrow \mathbb {F}_q^{n-k}$ such that for every $x\in \mathbb {F}_q^k$, $\mathrm {Enc}(x)=(x,\mathrm {Enc}'(x))$.

The distance property of a $[n,k]_q$ MDS code guarantees that the codewords remain distinct even when restricted to only k out of n symbols. Moreover, it is well-known that Reed-Solomon code [51] is a MDS code, and every linear code has a systematic encoding. (For example, see [43] for a systematic encoding of Reed-Solomon code.) Therefore we have the following lemma.

Lemma 5

For every finite field $\mathbb {F}_q$ of q element, and every integer k, n such that $k\le n \le q$, there exists a $[n,k]_q$ MDS code $C\subseteq \mathbb {F}_q^n$ and an efficient systematic encoding $\mathrm {Enc}:\mathbb {F}_q^k\rightarrow C$. Moreover, for every $R\subseteq [n]$ of size $|R|=k$, there exists an efficient decoding algorithm $\mathrm {Dec}_R:\mathbb {F}_q^k\rightarrow \mathbb {F}_q^k$ such that for every $x\in \mathbb {F}_q^k$, $\mathrm {Dec}_R(\mathrm {Enc}(x)_R)=x$, where $\mathrm {Enc}(x)_R$ denote the restriction of $\mathrm {Enc}(x)$ on the coordinates specified by R.

3.6 Other Useful Lemmas

We will also use the following lemma for statistical distance in [46] (Lemma 13).

Lemma 6

Let $\mathcal {V},\mathcal {W}$ be finite sets, and let (V, W), $(V',W')$ be joint distribution on $\mathcal {V}\times \mathcal {W}$. Let $\varepsilon >0$ be real number such that

$$(V,W)\approx _\varepsilon (V',W').$$

Then for every event $\mathcal {E}\subseteq \mathrm {Supp}(W)\cap \mathrm {Supp}(W')$,

$$|(V\mid W\in \mathcal {E})-(V'\mid W'\in \mathcal {E})|\le \frac{\varepsilon }{\Pr [W\in \mathcal {E}]}.$$

4 Non-malleable Extractors Against Polynomials

We present the proof of Theorem 3 in this section. On a high level, our idea is to express X as a convex combination of sources on lines in $\mathbb {F}_q^n$, and design a non-malleable extractor for such line sources. We note that Gabizon and Raz [34] adopted such an approach for constructing affine extractors over large fields. First we show that a skew affine source is a convex combination of skew line source.

Lemma 7

Let q be a prime, $n<q$ be a integer and $X\in \mathbb {F}_q^n$ be a skew affine source of dimension k. Then there exists a distribution $A\in \mathbb {F}_q^n$ and a vector $b\in (\mathbb {F}_q\backslash \{0\})^n$ such that $X\equiv A+Tb$, where T is uniform over $\mathbb {F}_q$. In other word,

$$X=\sum _{a\in F_q^n}\Pr [A=a]\cdot L_{a,b},$$

where $L_{a,b}$ is the uniform distribution over the line $\{a+tb:t\in \mathbb {F}_q\}$.

Proof

Suppose X is uniform over the affine subspace $W+z$ where W is a linear subspace of $\mathbb {F}_q^n$ and $z\in \mathbb {F}_q^n$ is a fixed vector. Our goal is to find a vector $b\in W$ s.t. $b_i\ne 0$ for every $i\in [n]$. Given such b we can set $A\equiv X$, and the lemma holds because $tb\in W$ for every $t\in \mathbb {F}_q$, and $X+w\equiv X$ for every $w\in W$.

Fix a basis $\{w_1,\dots ,w_k\}$ of the linear subspace W. For every $i\in [k]$, define ${S_i=\{j\in [n]: (w_i)_j\ne 0\}}$ (i.e. the indices of the non-zero coordinates of $w_i$) and $\overline{S}_i=\bigcup _{j=1}^i S_j$. Note that $\overline{S}_k=[n]$ because $W+z$ does not have any constant coordinate. We will prove by induction that for every $i\in [k]$ there exists $v_i\in \mathrm {span}(w_1,\dots ,w_i)$ s.t. $(v_{i})_j\ne 0$ for every $j\in \overline{S}_i$. Assume that there exists $v_{i-1}$ which satisfies the induction hypothesis. (Note that $v_0=0$.) Consider the set of q distinct vectors ${L_i=\{v_{i-1}+tw_i: t\in \mathbb {F}_q\}\subseteq \mathrm {span}(w_1,\dots ,w_i)}$. Observe that for every $j\in S_i$, there exists at most one vector $u_j\in L_i$ satisfying that $(u_j)_j =0$. Since $n<q$, there must exist $u^*\in L_i$ s.t. $(u^*)_j\ne 0$ for every $j\in S_i$. Moreover, for every $j\in \overline{S_i} \backslash S_i\subseteq \overline{S_{i-1}}$, $(u^*)_j=(v_{i-1})_j\ne 0$. Therefore $(u^*)_j\ne 0$ for every $j\in \overline{S}_i$. By mathematical induction theorem, our claim is true for every $i\in [k]$. Finally observe that $v_k$ is a valid choice of b because $\overline{S}_k=[n]$ and $\mathrm {span}(w_1,\dots ,w_k)=W$.

Next we present the extractor construction and prove correctness. Let B be the smallest integer greater than 3 such that $\gcd (B, q-1) = 1$. Note that B must be a prime. We can deduce an upper bound on B as follows. Define the primorial function $\nu (\ell )$ as the product of the first $\ell $ primes. It is known that $\nu (\ell ) = e^{(1+o(1)) \ell \log (\ell )}$ [28]. Further, it is known that the $\ell $’th smallest prime number is at most $O(\ell \log (\ell ))$ [52, 53]. Hence, it must be that $B \le \mu \log q$, for some large enough constant $\mu $. We can thus find such a B efficiently.

For $i \in [2n]$, define $c_i = B(4dn+1)+Bi$. Define the function $h: \mathbb {F}_q^n \rightarrow \mathbb {F}_q$ as

$$h(x_1,\ldots ,x_n) = \sum _{i=1}^n (x_i^{c_{2i-1}} + x_i^{c_{2i}} ).$$

Let $\sigma : \mathbb {F}_q \rightarrow \{0,1 \}^m$ be the mapping from Lemma 2. We now define the non-malleable extractor:

$$\mathrm {nmExt}(x) = \sigma (h(x)).$$

For any $a \in \mathbb {F}_q^n$ and $b \in \mathbb {F}_q^n \setminus \{ 0^n\}$, define the line $L_{a, b} = \{ a + t b: t \in \mathbb {F}_q\}$. We overload notation, and also use $L_{a,b}$ to denote the flat source on this line. We will show that $\mathrm {nmExt}$ is a non-malleable extractor against $\text {Poly}_{n, q,d}$ for every skew line source. Theorem 3 then follows using Lemma 7.

Lemma 8

Let $a\in \mathbb {F}_q^n,b\in (\mathbb {F}_q\backslash \{0\})^n$. For every tampering function $P\in \text {Poly}_{n, q,d}$ which is not identity on $L_{a,b}$,^{Footnote 4}

$$(\mathrm {nmExt}(L_{a,b}),\mathrm {nmExt}(P(L_{a,b})))\approx _\varepsilon (\text {U}_m,\mathrm {nmExt}(P(L_{a,b}))),$$

where $\varepsilon =O\left( \frac{2^md^2 n \log q}{\sqrt{q}}\right) $

The following bound is the key ingredient. Indeed, Lemma 8 then follows using Lemma 2.

Lemma 9

Let $\chi , \phi $ be additive characters of $\mathbb {F}_q$ such that $\chi $ is non-trivial. Then,

$$ \left| \mathbb {E}[\chi (h(L_{a,b})) \phi (h(P(L_{a,b})))]\right| \le O((d^2 n \log q)/\sqrt{q}).$$

Let $\chi (y) = e^{2\pi \alpha y/q}$ and $\phi (y) = e^{2 \pi \alpha ' y/q}$. Since $\chi $ is non-trivial, we know that $\alpha \ne 0$. Let $\beta = \alpha ' /\alpha $. Define the polynomial

$$g_\beta (x) = h(x) + \beta h(P(x)).$$

We note that

$$ \left| \mathbb {E}[\chi (h(X)) \phi (h(P(X)))]\right| \le \left| \mathbb {E}\left[ e\left( \frac{\alpha g_{\beta }(X)}{q}\right) \right] \right| .$$

Let $g_{\beta ,a,b}(t)$ be the univariate polynomial obtained by restricting g(x) to the line $L_{a,b}$. The following two claims directly yields Lemma 9.

Lemma 10

Suppose for some $a,b \in \mathbb {F}_q^n$, $g_{\beta ,a,b}$ is a non-constant polynomial. Then,

$$ \left| \mathbb {E}_{t \sim \mathbb {F}_q}\left[ e\left( \frac{\alpha \cdot g_{\beta ,a,b}(t)}{q}\right) \right] \right| \le O((d^2 n \log q)/ \sqrt{q}).$$

Lemma 11

For every $a\in \mathbb {F}_q^n$, $b\in (\mathbb {F}_q\backslash \{0\})^n$, $g_{\beta ,a,b}$ is a constant polynomial only if P is identity on $L_{a,b}$.

Lemma 10 is indeed simple to obtain using the Weil bound.

Proof

(Proof of Lemma 10). Follows directly from Theorem 4 using the fact that $deg(g_{\beta ,a,b}(t)) \le O(d^2 n \log q)$.

Now we prove Lemma 11.

Proof

(Proof of Lemma 11). For every $i\in [n]$, define the polynomial $q_i(t)=p_i(a+tb)$. Since $a+tb$ is an affine function, $deg(q_i)\le deg(p_i)\le d$. Let $d_i = deg(q_i)$. For every $i\in [n]$, define

$$w_i(t)=(a_i+tb_i)^{c_{2i-1}}+ (a_i+tb_i)^{c_{2i}} + \beta q_i(t)^{c_{2i-1}} + \beta q_i(t)^{c_{2i}}.$$

Recall that

$$g_{\beta ,a,b}(t)=\sum _i w_i(t).$$

First we prove that $deg(w_i)\in \{0,c_{2i} d_i,c_{2i}, c_{2i-1},c_{2i}-1\}$. Moreover, $deg(w_i)=0$ if and only if $\beta =-1$ and $q_i(t)=a_i+tb_i$. (In other word, $w_i$ is constant if and only if $\beta =-1$ and $p_i(x)=x_i$ for every $x\in L_{a,b}$.) To prove this statement, first we consider the case $deg(q_i)\ge 2$. Suppose that the leading coefficient in $q_i$ is $s_i\ne 0$. If $\beta \ne 0$, the coefficient of $t^{c_{2i} d_i}$ in $w_i$ is $\beta s_i^{c_{2i}}\ne 0$. Therefore $deg(w_i)=c_{2i} d_i$. If $\beta =0$, the coefficient of $t^{c_{2i}}$ in $w_i$ is $ b_i^{c_{2i}}\ne 0$. Therefore $deg(w_i)=c_{2i}$. Next consider the case $deg(q_i)=0$. With an argument similar to the case $\beta =0$, we also have $deg(w_i)=c_{2i}$. Finally consider the case $deg(q_i)=1$. Suppose $q_i(t)=r_i +ts_i$. Observe that the coefficient of $t^{c_{2i}}$ in $w_i$ is $b_i^{c_{2i}}+\beta s_i^{c_{2i}}$ and the coefficient of $t^{c_{2i}-1}$ in $w_i$ is $c_{2i}(a_i b_i^{c_{2i}-1}+\beta r_i s_i^{c_{2i}-1})$. In this case either $deg(w_i)\in \{c_{2i},c_{2i}-1\}$ or

$$b_i^{c_{2i}}=-\beta s_i^{c_{2i}} \text { and }a_i b_i^{c_{2i}-1}=-\beta r_i s_i^{c_{2i}-1}.$$

The equations hold only when there exists $k\in \mathbb {F}_q$ s.t.

$$r_i=ka_i, s_i=kb_i \text { and }k^{c_{2i}}=-\beta ^{-1}.$$

If such k exists, we can write $w_i(t)=(1- k^{-B}(a_i+tb_i)^{c_{2i-1}}$. If $\beta =-1$, we have $k=1$, $w_i(t)=0$ and $q_i(t)=a_i+tb_i$. If $\beta \ne -1$, then $k\ne 1$, which implies $(1- k^{-B})\ne 0$ because $\mathrm {gcd}(B,q-1)=1$. Therefore $w_i$ contains a monomial of degree $c_{2i-1}$ with coefficient $(1-k^{-B})b_i^{c_{2i-1}}\ne 0$, and hence $deg(w_i)=c_{2i-1}$.

Now we show that $g_{\beta ,a,b}(t)$ is a constant polynomial only if $\beta =-1$ and $q_i(t)=a_i+tb_i$ for every $i\in [n]$. Consider the set of index $I=\{i\in [n]:deg(w_i)>0\}$. Then for every $i\in I$, $deg(w_i)\in \{d_i c_{2i}, c_{2i}, c_{2i-1},c_{2i}-1\}$ if $d_i> 0$, or $deg(w_i)\in \{c_{2i}, c_{2i-1},c_{2i}-1\}$ if $d_i=0$. By Lemma 3, for every pair $i,j\in I$ s.t. $i\ne j$, we have $deg(w_i)\ne deg(w_j)$. Therefore $deg(g_{\beta ,a,b})>0$ if I is non-empty. If $g_{\beta ,a,b}$ is a constant polynomial, it must be the case that $deg(w_i)=0$ for every $i\in [n]$. This only happens when $\beta =-1$ and $q_i(t)=a_i+tb_i$ for every $i\in [n]$, i.e. $\beta =-1$ and $P(x)=x$ for every $x\in L_{a,b}$. Lemma 11 then follows directly.

Finally we prove Theorem 3 formally.

Theorem 6

(Theorem 3, restated). There exists a constant $C>0$ such that for every integers n, m, d, any $\varepsilon >0$, any prime q such that $q>Cn^2d^4m2^{2m}\cdot \log (nd/\varepsilon )$, any skew affine source $X\in \mathbb {F}_q^n$ of dimension $\ge 1$ and any tampering function $f\in \text {Poly}_{n, q,d}$, there exists a distribution $D_f$ on $\{0,1\}^m \cup \{\mathrm {same}\}$ that is independent of X, such that

$$|(\mathrm {nmExt}(X),\mathrm {nmExt}(f(X)))-(\text {U}_m,\mathrm {copy}(D_f,\text {U}_m))|\le \varepsilon .$$

Proof

By Lemma 7, there exists a distribution A on $\mathbb {F}_q^n$ and vector b such that $X=\sum _a \Pr [A=a] \cdot L_{a,b}.$ Define $I=\{a\in \mathbb {F}_q^n: f\text { is identity on }L_{a,b}\}$. For every $a\in I$, define $(D_f)_a=\mathrm {same}$. For every $a\not \in I$ define $(D_f)_a=\mathrm {nmExt}(f(L_{a,b}))$. Then we claim that $D_f=\sum _a \Pr [A=a]\cdot (D_f)_a$ satisfies the requirement:

$$\begin{aligned}&|\mathrm {nmExt}(X),\mathrm {nmExt}(f(X))-\text {U}_m,\mathrm {copy}(D_f,\text {U}_m)|\\&\le \sum _{a} \Pr [A=a]\cdot |\mathrm {nmExt}(L_{a,b}),\mathrm {nmExt}(f(L_{a,b}))-\text {U}_m,\mathrm {copy}((D_f)_a,\text {U}_m)|\\&=\sum _{a\in I} \Pr [A=a]\cdot |\mathrm {nmExt}(L_{a,b}),\mathrm {nmExt}(L_{a,b})-\text {U}_m,\text {U}_m|\\&+\sum _{a\not \in I} \Pr [A=a]\cdot |\mathrm {nmExt}(L_{a,b}),\mathrm {nmExt}(f(L_{a,b}))-\text {U}_m,\mathrm {nmExt}(f(L_{a,b}))|\\&\le \sum _{a\in I} \Pr [A=a]\cdot \varepsilon + \sum _{a\not \in I} \Pr [A=a]\cdot \varepsilon \\&=\varepsilon \end{aligned}$$

The first inequality is by the convexity of statistical distance, and the second inequality is by Lemma 8.

5 Efficient Sampling

Recall that to construct efficient non-malleable codes using the connection established in [21], we need to efficiently sample from the pre-image of any given output of the non-malleable extractor constructed in the previous section. (We discuss this connection in Sect. 3.4.) In this section we show how to construct such a sampler for the non-malleable extractor constructed in Theorem 3. Note that Theorem 2 uses the same non-malleable extractors.

Theorem 7

Let $\mathrm {nmExt}:\mathbb {F}_q^n\rightarrow \{0,1 \}^m$ be the non-malleable extractor against $\mathcal {F}_{n,q,d}$ tampering in Theorem 3. Then there exists a randomized algorithm $\overline{\mathrm {nmExt}^{-1}}$ such that for every $z\in \{0,1 \}^m$ the distribution of $\overline{\mathrm {nmExt}^{-1}}(z)$ is $\varepsilon $-close to uniform distribution on $\mathrm {nmExt}^{-1}(z)$. The running time of $\overline{\mathrm {nmExt}^{-1}}$ is bounded by $\mathrm {poly}(n,d,\log q,\log (1/\varepsilon ))$.

Our starting point to prove Theorem 7 is a sampling algorithm from [19], which has running time $O(d^{n^{O(n)}}(\log q)^{O(1)})$ and error $O(d^{O(n^n)}/\sqrt{q})$. We will show how to modify this algorithm and get an improved running time of $\mathrm {poly}(n,d,\log q,\log (1/\varepsilon ))$ for arbitrarily small error $\varepsilon $.

Let $\mathrm {nmExt}$ be the non-malleable extractor from Theorem 3. Recall that $\mathrm {nmExt}=\sigma \circ h$ where $\sigma :\mathbb {F}_q\rightarrow \{0,1 \}^m$ is defined as $\sigma (x)=x\pmod {2^m}$ and $h:\mathbb {F}_q^n\rightarrow \mathbb {F}_q$ is a multivariate polynomial of degree d over $\mathbb {F}_q$. Given $z \in \{0,1 \}^m$, the pre-image of z under $\mathrm {nmExt}$ is

$$\mathrm {nmExt}^{-1}(z)=\bigcup _{y\in \sigma ^{-1}(z)} h^{-1}(y),$$

and our goal is to sample from $\mathrm {nmExt}^{-1}(z)$ almost uniformly. The sampling algorithm in [19] is based on the following rejection sampling strategy.

Let $M\ge \max _y |h^{-1}(y)|$.

1.
Sample $y\in \sigma ^{-1}(z)$ uniformly at random.
2.
Compute $|h^{-1}(y)|$ (approximately), and accept y with probability $|h^{-1}(y)|/M$. If y is rejected, go back to step 1.
3.
Output an (almost) uniform sample from $h^{-1}(y)$.

In [19], the second step is achieved by an algorithm from [40] that has running time $O(d^{n^{O(n)}}(k\log q)^{O(1)})$.

The third step is based on the following algorithm in [22].

Lemma 12

([22]). Let q be a sufficiently large prime, $f \in \mathbb {F}_q[x_1,\ldots ,x_n]$ be polynomials of total degree bounded by d, and each polynomial has at most $\ell $ monomials. Let $S\subseteq \mathbb {F}_q^n$ be the set of common zeroes of f. There exists a randomized algorithm which takes f as input (as a list of monomials) and outputs a random value $X\in \mathbb {F}_q^n$ such that the distribution of X is $O(d^{O(1)}/q)$-close to uniform distribution on S. The worst-case running time of this algorithm is $\mathrm {poly}(\log q,d,n,\ell )$.

Thus the bottleneck in achieving a polynomial time sampling algorithm is Step (2) which takes time that is doubly exponential in n. We get around this difficulty as follows: first note that the rejection sampling in Step (2) is to ensure that the subset $h^{-1}(y)$ is selected with probability proportional to $|h^{-1}(y)|$. Our crucial observation is that the algorithm in Lemma 12 is actually a rejection sampling which accepts an output with probability proportional to $|h^{-1}(y)|$ in each round. Therefore we can actually combine the rejection sampling in Step 2 and 3, and bypass the computation of $|h^{-1}(y)|$.

First we explain the relation between the algorithm in Lemma 12 and rejection sampling. A naive way to sample from the variety $h^{-1}(y)$ is to repeatedly sample a point $x\in \mathbb {F}_q^n$ and verify if $h(x)=y$. However, the success probability of the naive rejection sampling is only $|h^{-1}(y)|/q^n$, which is too small. The idea in [22] is that the space $\mathbb {F}_q^n$ can be split into lines, and the variety S is split into many “slices” by these lines. The naive rejection sampling is equivalent to first sampling a line and then sampling a point from this line. Since each line has q points, the probability of a certain point in the variety being chosen is still $1/q^{n-1}\cdot 1/q$. However, if we choose a good direction to split the space, each slice of the variety only has at most d points where $d\ll q$, and these points can be enumerated efficiently. Therefore instead of sampling every point in this subspace with equal probability we can sample only from the slice of variety instead. This allows us to increase the accepting probability in each round to $|h^{-1}(y)|/dq^{n-1}$, which is high enough and still proportional to $|h^{-1}(y)|$. With the ideas above we get the following lemma.

Lemma 13

Let $h:\mathbb {F}_q^n\rightarrow \mathbb {F}_q$ be a n-variate polynomial of degree $d<q/2$ with $\ell $ monomials, and $\sigma :\mathbb {F}_q\rightarrow \{0,1 \}^m$ be any function. Suppose we have access to an oracle $\mathrm {Samp}_\sigma $ which takes input z and outputs a sample from $\sigma ^{-1}(z)$ uniformly at random. Then for every $\varepsilon >0$, there exists a randomized algorithm A such that for every $z\in \{0,1 \}^m$, the algorithm either outputs a uniformly random sample from $(\sigma \circ h)^{-1}(z)$ or output $\bot $. The probability that the algorithm outputs $\bot $ is at most $\varepsilon $.

Moreover, the expected running time of A on z is $T\cdot \mathrm {poly}(\log q, n,d,\ell )$ plus T oracle calls to $\mathrm {Samp}_\sigma $, where

$$T=O\left( \frac{q^{ n-1}\cdot d\cdot \left| \sigma ^{-1}(z)\right| }{\left| (\sigma \circ h)^{-1}(z)\right| }\log (1/\varepsilon )\right) .$$

Before we formally prove Lemma 13, first we show how to prove Theorem 7 based on Lemma 13. The following corollary shows that the algorithm in Lemma 13 is efficient when $\sigma \circ h$ is an “extractor for uniform distribution” and $\sigma $ does not concentrate on certain output.

Corollary 3

Suppose that $\sigma (h(\text {U}_{\mathbb {F}_q^n}))\approx _{1/2^{m+1}} \text {U}_m$, and $|\sigma ^{-1}(z)|\le Cq/2^m$ for every z. Then the running time of the algorithm in Lemma 13 is $C\log (1/\varepsilon )\mathrm {poly}(n,\ell ,\log q,d)$.

Proof

The number of rounds of rejection sampling in the algorithm from Lemma 13 is $T=O\left( \frac{q^{ n-1}\cdot d\cdot \left| \sigma ^{-1}(z)\right| }{\left| (\sigma \circ h)^{-1}(z)\right| }\log (1/\varepsilon )\right) $.

Observe that

$$\left| (\sigma \circ h)^{-1}(z)\right| =q^n\cdot \Pr [\sigma (h(\text {U}_{\mathbb {F}_q^n}))=z]\ge q^n\cdot (1/2^m-1/2^{m+1})=q^n/2^{m+1}.$$

Plugging this in, and the upper on $\sigma ^{-1}(z)$, we have $T=O(d\log (1/\varepsilon ))$. The corollary now follows directly from Lemma 13.

Proof

(Proof of Theorem 7). To prove Theorem 7 we only need to show that our non-malleable extractor satisfies the condition in Corollary 3. The fact that $\sigma (h(\text {U}_{\mathbb {F}_{q}^n}))$ is close to $\text {U}_m$ follows from Theorem 3, and the second condition is also true because $\sigma (x)=x\mod 2^m$, which satisfies $|\sigma ^{-1}(z)| \le \lceil q/2^m \rceil $ for every $z\in \{0,1 \}^m$.

We now prove Lemma 13. First we need the following lemma which is analogous to Proposition 4.3 in [22]. Note that we slightly tweak the lemma to make the sampling algorithm able to handle arbitrarily small error. The lemma says a random direction is a good direction to split the space with high probability.

Lemma 14

Let $h:\mathbb {F}_q^n\rightarrow \mathbb {F}_q$ be a n-variate polynomial of degree at most d, and let $b=(b_1,\ldots ,b_n)$ be uniformly random samples from $\mathbb {F}_q$. Then with probability at least $1-d/q$, $h_{a,b}(t)=h(a_1+b_1t,\ldots ,a_n+b_nt)$ is a non-constant polynomial of t for every $a=(a_1,\ldots ,a_n)\in \mathbb {F}_q^n$.

Proof

Let g be the highest-degree homogeneous part of h. Then observe that $h_{a,b}(t)$ has degree at most d, and its coefficient of $t^d$ equals to $g(b_1,\ldots ,b_n)$. By Lemma 4, the probability that $g(b_1,\ldots ,b_n)$ is non-zero is at least $1-d/q$. Therefore with probability $1-d/q$ over b, $h_{a,b}(t)$ has degree exactly d for every $a\in \mathbb {F}_q^n$.

Proof

(Proof of Lemma 13). In algorithm A, first we repeatedly sample $b\in \mathbb {F}_q^n$ uniformly at random until we find b which satisfies the condition in Lemma 14. If we fail to find such b in $\log (1/\varepsilon )+1$ rounds, abort and output $\bot $. Then repeat the following steps for at most T rounds:

Sample $y\in \sigma ^{-1}(z)$ with oracle $\mathrm {Samp}_\sigma $, and sample $a=(a_1,\ldots ,a_n)$ uniformly at random. Compute the restriction of $h(x)=y$ on the line $L_{a,b}=\{(a_1+b_1t,\ldots ,a_n+b_nt):b\in \mathbb {F}_q\}$, i.e. $h_{a,b}(t)=y$ where $h_{a,b}(t)=h(a_1+b_1t,\ldots ,a_n+b_nt)$. Note that $h_{a,b}$ is a non-constant polynomial of degree at most d. Then we run Berlekamp-Rabin algorithm [49] to enumerate all the roots of $h_{a,b}$ in $\mathbb {F}_q$, denoted by $t_1,\ldots ,t_k$ where $k\le d$. Now pick a number $i\in [d]$ uniformly at random. If $i\le k$, the algorithm succeeds, and we will return $(a_1+b_1t_i,\ldots ,a_n+b_nt_i)$. Otherwise sample y and a again and repeat. If no value is returned after all T rounds, return $\bot $.

To prove the correctness of A, first we compute the distribution A(z) conditioned on that the algorithm succeeds. Observe that A(z) never returns an element which is not in $(\sigma \circ h)^{-1}(z)$. Moreover, for every $v\in (\sigma \circ h)^{-1}(z)$, in each round the probability that A(z) outputs v is

$$\frac{1}{|\sigma ^{-1}(z)|}\cdot \frac{1}{q^{n-1}}\cdot \frac{1}{d}.$$

The first factor is the probability that $y=h(v)$, the second factor is the probability that $L_{a,b}\ni v$, and the third factor is the probability that v is chosen from the list of roots of $h_{a,b}$. Since this formula does not depend on v, we can conclude that A(z) is a uniform distribution on $(\sigma \circ h)^{-1}(z)$, conditioned on $A(z)\ne \bot $.

Now we compute the probability that A fails. Assuming $q\ge 2d$, the probability that we fail to find a b satisfying the condition in Lemma 14 in $log(1/\varepsilon )+1$ rounds is at most $(d/q)^{\log (1/\varepsilon )+1}\le \varepsilon /2$. If we find such b successfully, observe that A successfully returns a sample with probability

$$p=\frac{|(\sigma \circ h)^{-1}(z)|}{|\sigma ^{-1}(z)|\cdot q^{n-1}\cdot d}$$

in one round. Now define

$$T=\frac{C\log (1/\varepsilon )}{p},$$

for a large enough constant C. Then the probability that A does not output any element after T rounds is at most $(1-p)^T<\varepsilon /2$. Therefore $\Pr _A[A(z)=\bot ]\le \varepsilon $.

Finally we analyze the running time of A. Finding a vector b which satisfies Lemma 14 (or abort and output $\bot $) takes at most $\log (1/\varepsilon )\mathrm {poly}(n,\ell ,\log q,d)$ steps. After finding b, we run at most T rounds of rejection sampling, where in each round we first make an oracle call to $\mathrm {Samp}_\sigma $, sample a and compute the polynomial $h_{a,b}$ which takes $\mathrm {poly}(n,\ell ,\log q,d)$ steps, and run Berlekamp-Rabin which takes expected $\mathrm {poly}(n,\ell ,\log q,d)$ steps. Therefore the total expected running time is as claimed.

Remark 1

While we only show the expected running time in Lemma 13, it is possible to bound the worst-case running time by introducing a small error to the output distribution. That is, we can let the algorithm “time out” and output $\bot $ when the running time is too long. A full explanation can be found in the online version [7, Remark 1].

6 Non-malleable Secret Sharing

In this section we construct a non-malleable secret sharing scheme that is non-malleable against polynomial tampering. This extends a recent work of Lin et al. [46] where they could handle affine tampering functions. We use the framework that was introduced in [46] to derive our secret sharing scheme. In short, the framework in [46] takes a linear erasure code $(\mathrm {Enc},\mathrm {Dec})$ and an invertible affine extractor $\mathrm {Ext}$, and define the share function to be $\mathrm {Enc}(\mathrm {Ext}^{-1})$. If $\mathrm {Ext}$ is non-malleable against a class of tampering function $\mathcal {F}$ which is closed under composition with linear function, the non-malleability will be inherited by the secret sharing scheme. We show that the non-malleable extractor in Theorem 3 is also an extractor for arbitrary affine source (see Appendix A in the online version [7]). Thus the framework in [46] directly gives a non-malleable secret sharing against polynomial tampering.

Besides the direct application, we further show how to construct a r-out-of-n secret sharing which is non-malleable against adversaries who can (adaptively) corrupt $(r\!-\!1)$ shares and choose the polynomial tampering functions based on the corrupted shares. To handle such adaptive adversary, we cannot directly plug our extractor into the framework in [46] because our extractor is non-malleable only for skew affine source. Nevertheless, we will show that non-malleablility for skew affine source is sufficient if we choose a proper erasure code in the [46] scheme. In short, the erasure code we choose has the property that no single symbol in the message can be determined by $(r\!-\!1)$ symbols in the codeword. The property above ensures that when a uniformly random secret S is distributed using the scheme $\mathrm {Enc}(\mathrm {Ext}^{-1}(S))$ and $(r-1)$ shares are revealed to the adversary, none of the symbol in $\mathrm {Ext}^{-1}(S)$ is constant in the adversary’s view, which means $\mathrm {Ext}^{-1}(S)$ is a skew affine source in the adversary’s view. Since our extractor is non-malleable for skew affine source, we can prove our claim above following a similar path to the proof in [46].

Before we state our theorem and proof, first we formally define the non-malleable secret sharing.

Definition 11 (Adaptive adversary)

Let $\varSigma $ denote a set of symbols. We say $\mathcal {A}:\varSigma ^n\rightarrow \varSigma ^k$ is a (n, k)-adaptive adversary if $\mathcal {A}(x_1,\ldots ,x_n)=(x_{s_1},\ldots ,x_{s_{k}})$ for indices $s_1,\ldots ,s_k$ defined as follows.

$s_1$ is fixed.
For every i, there exists a function $f_i:\varSigma ^i\rightarrow [n]$ such that $s_{i+1}=f_i(x_{s_1},\ldots ,x_{s_i})$.

Definition 12 (Non-malleable secret sharing)

Let $\varSigma $ be a finite alphabet set. Let $\mathrm {Share}: \{0,1\}^{m}\rightarrow \varSigma ^n$ be a randomized algorithm mapping m bits to into n shares, each being an alphabet from $\varSigma $. Let $\mathcal {F}: \varSigma ^n \rightarrow \varSigma ^n$ be a family of tampering function. We say $\mathrm {Share}$ is a r-out-of-n $\varepsilon $-non-malleable secret sharing with respect to $\mathcal {F}$ if the following properties hold.

Correctness. For every authorized set $R\subseteq [n]$ of size $|R|= r$, there exists a deterministic algorithm $\mathrm {Rec}_R:\varSigma ^{r}\rightarrow \{0,1\}^{m}$ such that for every secret $s\in \{0,1\}^{m}$,
$$\Pr [\mathrm {Rec}_R(\mathrm {Share}(s)_R)=s]\ge 1-\varepsilon ,$$
where $\mathrm {Share}(s)_R$ denotes the r shares in $\mathrm {Share}(s)$ identified by the set R.
Privacy. For every $(n,r\!-\!1)$-adaptive adversary $\mathcal {A}$ and every pair of secret $a,b\in \{0,1\}^{m}$,
$$\mathcal {A}\left( \mathrm {Share}(a)\right) \approx _\varepsilon \mathcal {A}\left( \mathrm {Share}(b)\right) .$$
Non-malleability. For every $(n,r\!-\!1)$-adaptive adversary $\mathcal {A}$, every reconstruction strategy $\mathcal {R}:\varSigma ^{r-1}\rightarrow \left( {\begin{array}{c}[n]\\ r\end{array}}\right) $, every secret $s\in \{0,1\}^{m}$ and every tampering strategy $\mu :\varSigma ^{r-1}\rightarrow \mathcal {F}$, define the tampering experiment
$$\begin{aligned} \tilde{S}=\left\{ \begin{array}{c} share \leftarrow \mathrm {Share}(s) \\ v \leftarrow \mathcal {A}(share)\\ f \leftarrow \mu (v)\\ R \leftarrow \mathcal {R}(v) \\ \widetilde{share} \leftarrow f(share)\\ Output: \mathrm {Rec}_R(\widetilde{share}_R) \end{array} \right\} \end{aligned}$$
which is a random variable over the randomness of $\mathrm {Share}$. Then there exists a distribution $D_{\mathcal {A},\mathcal {R},\mu }$ on $\{0,1\}^{m}\cup \{\mathrm {same}\}$ which does not depend on s such that
$$\tilde{S}\approx _\varepsilon \mathrm {copy}(D_{\mathcal {A},\mathcal {R},\mu },s).$$

As observed in [46], since the tampering function f can be based on the view of adversary, the adversary can jointly tamper $(r\!-\!1)$ adaptively chosen shares arbitrarily. The tampering on shares which the adversary cannot see depends on how strong $\mathcal {F}$ is. In our construction $\mathcal {F}$ would be bounded-degree polynomials. With the non-malleable extractor in Theorem 3, we show the following.

Theorem 8

There exists a constant $C>0$ such that for all integers n, d, r, any prime q and any $\varepsilon >0$ such that $q>(C2^mn^2d^4/\varepsilon ^2)\cdot \log (nd/\varepsilon )$ and $1\le r\le n$, there exists a r-out-of-n $\varepsilon $-non-malleable secret sharing scheme with respect to polynomial tampering $\mathcal {F}_{n,q,d}$ for m-bit secret.

Proof

First we specify the construction. Let $\mathrm {nmExt}:\mathbb {F}_q^r \rightarrow \{0,1\}^{m}$ be the non-malleable extractor with respect to $\mathcal {F}_{r,q,d}$ with error $\varepsilon /2^{m+2}$ in Theorem 3. Let $\mathrm {Enc}(x)=(x,\mathrm {Enc}'(x))$ be the systematic encoding of a $[n+r,r]_q$ MDS code in Lemma 5. Let $\overline{\mathrm {nmExt}^{-1}}$ be the sampling algorithm in Theorem 7 with error $\varepsilon /2^{m+2}$. Then we define

$$\mathrm {Share}(s)=\mathrm {Enc}'( \overline{\mathrm {nmExt}^{-1}}(m)),$$

where $\overline{\mathrm {nmExt}^{-1}}$ is the almost-uniform inverter of $\mathrm {nmExt}$ in Sect. 4. Next we prove the three properties in Definition 12. The proof basically follows [46], but additionally we need to show that the decoded shares is a skew affine source conditioned on adversary view.

Correctness. For every authorized set $R\subseteq [n]$ of size $|R|= r$, let $\mathrm {Dec}_R$ denote the decoding function of $\mathrm {Enc}'$ specified by R in Lemma 5. Then we define
$$\mathrm {Rec}_R(v)=\mathrm {nmExt}(\mathrm {Dec}_R(v)).$$
$\mathrm {Rec}$ is a correct reconstruction because for every secret s,
$$\Pr [\mathrm {Rec}_R(\mathrm {Share}(s)_R)=s]=\Pr [\mathrm {nmExt}\left( \mathrm {Dec}_R\left( \mathrm {Enc}(\overline{\mathrm {nmExt}^{-1}}(s))_R\right) \right) =s]\ge 1-\varepsilon .$$
Note that the correctness is not perfect because $\overline{\mathrm {nmExt}^{-1}}(x)$ does not always output a pre-image of x.
Privacy. Let $S=\mathrm {nmExt}(\text {U}_{\mathbb {F}_q^r})$, and define $X=\overline{\mathrm {nmExt}^{-1}}(S)$. Fix any $(n,r\!-\!1)$-adaptive adversary $\mathcal {A}:\mathbb {F}_q^n\rightarrow \mathbb {F}_q^{r-1}$. Since $\overline{\mathrm {nmExt}^{-1}}$ is an inverter of $\mathrm {nmExt}$ with error $\varepsilon /2^{m+2}$, we have $(X,S)\approx _{\varepsilon /2^{m+2}}(\text {U}_{\mathbb {F}_q^r},S)$, which implies
$$\left( \mathcal {A}\left( \mathrm {Enc}'(X)\right) , S\right) \approx _{\varepsilon /2^{m+2}}\left( \mathcal {A}\left( \mathrm {Enc}'(\text {U}_{\mathbb {F}_q^r})\right) , \mathrm {nmExt}(\text {U}_{\mathbb {F}_q^r})\right) .$$
Define $V=\mathcal {A}\left( \mathrm {Enc}'(\text {U}_{\mathbb {F}_q^r})\right) $. We claim that for every $v\in \mathbb {F}_q^{r-1}$, $Y_v=(\text {U}_{\mathbb {F}_q^r} \mid V =v)$ is a skew affine source with positive min-entropy. Observe that there exists a set $T_v\in \left( {\begin{array}{c}[n]\\ r-1\end{array}}\right) $ uniquely determined by v such that $\mathcal {A}\left( \mathrm {Enc}'(\text {U}_{\mathbb {F}_q^r})\right) =\mathrm {Enc}'(\text {U}_{\mathbb {F}_q^r})_{T_v}$. Since $\mathrm {Enc}'$ is a linear mapping, $V=v$ corresponds to $r\!-\!1$ linear constraints for $Y_v$. Therefore $Y_v$ is an affine source with positive min-entropy. Now assume for contradiction that $Y_v$ is not skew. Then there exists $i\in [r]$ such that $(Y_v)_i$ is a constant. Since $Y_v$ is not a constant, there exist two distinct value $y_1,y_2\in \mathrm {Supp}(Y_v)$. Observe that $\mathrm {Enc}'(y_1)_{T_v}=v=\mathrm {Enc}'(y_2)_{T_v}$ and $(y_1)_i=(y_2)_i$. Then $\mathrm {Enc}(y_1):=(y_1,\mathrm {Enc}'(y_1))$ and $\mathrm {Enc}(y_2):=(y_2,\mathrm {Enc}'(y_2))$ coincide on $(r\!-\!1)+1$ coordinates, which contradicts to the fact that $\mathrm {Enc}$ is a MDS code. Therefore $Y_v$ is skew. By Theorem 3,
$$\left( \mathcal {A}\left( \mathrm {Enc}'(\text {U}_{\mathbb {F}_q^r})\right) , \mathrm {nmExt}(\text {U}_{\mathbb {F}_q^r})\right) \approx _{\varepsilon /2^{m+2}} \left( \mathcal {A}\left( \mathrm {Enc}'(\text {U}_{\mathbb {F}_q^r})\right) , \text {U}_m\right) .$$
By triangle inequality we have
$$\left( \mathcal {A}\left( \mathrm {Enc}'(X)\right) , S\right) \approx _{\varepsilon /2^{m+1}} \left( \mathcal {A}\left( \mathrm {Enc}'(\text {U}_{\mathbb {F}_q^r})\right) , \text {U}_m\right) ,$$
which by Lemma 6 implies
$$\left( \mathcal {A}\left( \mathrm {Enc}'(X)\right) \mid S=a\right) \approx _{\varepsilon /2} \left( \mathcal {A}\left( \mathrm {Enc}'(\text {U}_{\mathbb {F}_q^r}\right) \right) \approx _{\varepsilon /2} \left( \mathcal {A}\left( \mathrm {Enc}'(X)\right) \mid S=b\right) $$
for every $a,b\in \mathrm {Supp}(S)$. Finally, observe that $\mathrm {Supp}(S)=\{0,1\}^{m}$ because S is $\varepsilon /2^{m+2}<1/2^{m}$ close to uniform. Therefore for every $a,b\in \{0,1\}^{m}$,
$$\mathcal {A}\left( \mathrm {Enc}'\left( \overline{\mathrm {nmExt}^{-1}}(a)\right) \right) \approx _\varepsilon \mathcal {A}\left( \mathrm {Enc}'\left( \overline{\mathrm {nmExt}^{-1}}(b)\right) \right) .$$
Non-malleability. Let $S=\mathrm {nmExt}(\text {U}_{\mathbb {F}_q^r})$, and define $X=\overline{\mathrm {nmExt}^{-1}}\left( S\right) $. Fix any $(n,r\!-\!1)$-adaptive adversary $\mathcal {A}:\mathbb {F}_q^n\rightarrow \mathbb {F}_q^{r-1}$, any reconstruction strategy $\mathcal {R}:\mathbb {F}_q^{r-1}\rightarrow \left( {\begin{array}{c}[n]\\ r\end{array}}\right) $ and any tampering strategy $\mu :\mathbb {F}_q^{r-1}\rightarrow \mathcal {F}_{n,q,d}$. Recall the tampering experiment
$$\begin{aligned} \widetilde{S}=\left\{ \begin{array}{c} share \leftarrow \mathrm {Enc}'(X) \\ V \leftarrow \mathcal {A}(share)\\ f \leftarrow \mu (V)\\ R \leftarrow \mathcal {R}(V) \\ \widetilde{share} \leftarrow f(share)\\ Output: \mathrm {Rec}_R(\widetilde{share}_R) \end{array} \right\} \end{aligned}$$
Note that this tampering experiment is equivalent to applying the tampering experiment in Definition 12 on S. Now define
$$\begin{aligned} \widetilde{S}'=\left\{ \begin{array}{c} share' \leftarrow \mathrm {Enc}(\text {U}_{\mathbb {F}_q^n}) \\ V' \leftarrow \mathcal {A}(share')\\ f \leftarrow \mu (V')\\ R \leftarrow \mathcal {R}(V') \\ \widetilde{share'} \leftarrow f(share')\\ Output: \mathrm {Rec}_R(\widetilde{share}_R) \end{array} \right\} \end{aligned}$$
Since $\overline{\mathrm {nmExt}^{-1}}$ is an inverter of $\mathrm {nmExt}$ with error $\varepsilon /2^{m+2}$, we have $(S,X)\approx _{\varepsilon /2^{m+2}}(S,\text {U}_{\mathbb {F}_q^n})$ which implies
$$(S,\widetilde{S})\approx _{\varepsilon /2^{m+2}}(S,\widetilde{S'}).$$
For every $v\in \mathbb {F}_q^{r-1}$, define $Y_v=(\text {U}_{\mathbb {F}_q^r} \mid V' =v)$. With the same proof in the privacy part, we can show that $Y_v$ is a skew affine source with positive min-entropy. Now define $f_v=\mu (v)$, $R_v=\mathcal {R}(v)$ and $g_v:\mathbb {F}_q^r\rightarrow \mathbb {F}_q^r$ to be $g_v(x):=\mathrm {Dec}_{R_v}(f_v(\mathrm {Enc}'(x))_{R_v})$. Since both $\mathrm {Enc}'$ and $\mathrm {Dec}_{R_v}$ are linear and $f_v\in \mathcal {F}_{n,q,d}$, we have $g_v\in \mathcal {F}_{r,q,d}$. By Theorem 3, there exists a distribution $D_{g_v}$ on $\{0,1\}^{m}\cup \{\mathrm {same}\}$ such that
$$(\mathrm {nmExt}(\text {U}_{\mathbb {F}_q^r}),\mathrm {nmExt}(g_v(\text {U}_{\mathbb {F}_q^r}))\mid V' =v)\approx _{\varepsilon /2^{m+2}}(\text {U}_m, \mathrm {copy}(D_{g_v},\text {U}_m)).$$
Define $D_{\mathcal {A},\mathcal {R},\mu }=\sum _{v}\Pr [V'=v]\cdot D_{g_v}$. By convexity of statistical distance,
$$(S,\widetilde{S'})=(\mathrm {nmExt}(\text {U}_{\mathbb {F}_q^r}),\widetilde{S'})\approx _{\varepsilon /2^{m+2}}(\text {U}_m, \mathrm {copy}(D_{\mathcal {A},\mathcal {R},\mu },\text {U}_m)),$$
which by triangle inequality implies
$$(S,\tilde{S})\approx _{\varepsilon /2^{m+1}}(\text {U}_m, \mathrm {copy}(D_{\mathcal {A},\mathcal {R},\mu },\text {U}_m))).$$
Finally by Lemma 6 and the fact that $\mathrm {Supp}(S)=\{0,1\}^{m}$ we can conclude that for every $s\in \{0,1\}^{m}$,
$$(\tilde{S}\mid S=s)\approx _{\varepsilon } \mathrm {copy}(D_{\mathcal {A},\mathcal {R},\mu },s).$$

7 Open Questions

Obvious questions that arise from our work include improving the parameters (such as rate and error) of our non-malleable code against polynomials, and similarly obtaining seedless non-malleable extractors against polynomials with smaller error.

Another interesting direction is to construct such non-malleable codes and extractors against polynomials over smaller fields. In particular, over $\mathbb {F}_2$ would be the most interesting. We expect this to require significantly different ideas from our construction: we crucially rely on exponential sum estimates for our non-malleable extractor construction, and such estimates are not available over smaller fields.

More broadly, we believe it to be a very interesting question to construct non-malleable codes against other natural complexity classes (e.g., small-width branching programs, $\text {AC}^{0}$ with PARITY gates, etc.).

Notes

1.
We say a distribution is flat if it is uniformly distributed on its support.
2.
See Sect. 3 for a quick recap of characters of finite fields.
3.
The definition of MDS codes and the construction of systematic MDS codes can be found in Sect. 3.5.
4.
That is, there exists $x\in L_{a,b}$ s.t. $P(x)\ne x$.

References

Aggarwal, D., et al.: Stronger leakage-resilient and non-malleable secret-sharing schemes for general access structures. IACR Cryptology ePrint Archive 2018, 1147 (2018)
Google Scholar
Aggarwal, D., Dodis, Y., Kazana, T., Obremski, M.: Non-malleable reductions and applications. In: Proceedings of the Forty-Seventh Annual ACM Symposium on Theory of Computing, pp. 459–468. ACM (2015)
Google Scholar
Aggarwal, D., Dodis, Y., Lovett, S.: Non-malleable codes from additive combinatorics. SIAM J. Comput. 47(2), 524–546 (2018)
Article MathSciNet MATH Google Scholar
Aggarwal, D., Obremski, M.: A constant-rate non-malleable code in the split-state model. IACR Cryptology ePrint Archive 2019, 1299 (2019)
Google Scholar
Agrawal, S., Gupta, D., Maji, H.K., Pandey, O., Prabhakaran, M.: A rate-optimizing compiler for non-malleable codes against bit-wise tampering and permutations. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 375–397. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_16
Chapter Google Scholar
Badrinarayanan, S., Srinivasan, A.: Revisiting non-malleable secret sharing. IACR Cryptology ePrint Archive 2018, 1144 (2018)
Google Scholar
Ball, M., Chattopadhyay, E., Liao, J., Malkin, T., Tan, L.: Non-malleability against polynomial tampering. IACR Cryptology ePrint Archive 2020, 147 (2020). https://eprint.iacr.org/2020/147
Ball, M., Dachman-Soled, D., Guo, S., Malkin, T., Tan, L.Y.: Non-malleable codes for small-depth circuits. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pp. 826–837. IEEE (2018)
Google Scholar
Ball, M., Dachman-Soled, D., Kulkarni, M., Malkin, T.: Non-malleable codes for bounded depth, bounded fan-in circuits. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 881–908. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_31
Chapter MATH Google Scholar
Ball, M., Guo, S., Wichs, D.: Non-malleable codes for decision trees. IACR Cryptology ePrint Archive 2019, 379 (2019)
Google Scholar
Barak, B., Impagliazzo, R., Wigderson, A.: Extracting randomness using few independent sources. SIAM J. Comput. 36(4), 1095–1118 (2006). https://doi.org/10.1137/S0097539705447141
Article MathSciNet MATH Google Scholar
Bennett, C., Brassard, G., Robert, J.M.: Privacy amplification by public discussion. SIAM J. Comput. 17, 210–229 (1988)
Article MathSciNet MATH Google Scholar
Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the 1979 AFIPS National Computer Conference, pp. 313–317 (1979)
Google Scholar
Bourgain, J.: More on the sum-product phenomenon in prime fields and its applications. Int. J. Number Theory 01(01), 1–32 (2005). https://doi.org/10.1142/S1793042105000108
Article MathSciNet MATH Google Scholar
Bourgain, J.: On the construction of affine extractors. GAFA Geom. Funct. Anal. 17(1), 33–57 (2007)
Article MathSciNet MATH Google Scholar
Chattopadhyay, E., Goyal, V., Li, X.: Non-malleable extractors and codes, with their many tampered extensions. In: STOC (2016)
Google Scholar
Chattopadhyay, E., Li, X.: Non-malleable codes and extractors for small-depth circuits, and affine functions. In: Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, pp. 1171–1184. ACM (2017)
Google Scholar
Chattopadhyay, E., Li, X.: Non-malleable codes, extractors and secret sharing for interleaved tampering and composition of tampering. Technical report, Cryptology ePrint Archive, Report 2018/1069, 2018 (2019)
Google Scholar
Chattopadhyay, E., Zuckerman, D.: Non-malleable codes against constant split-state tampering. In: Proceedings of the 55th Annual IEEE Symposium on Foundations of Computer Science, pp. 306–315 (2014)
Google Scholar
Chattopadhyay, E., Zuckerman, D.: Explicit two-source extractors and resilient functions. Ann. Math. 189(3), 653–705 (2019). https://doi.org/10.4007/annals.2019.189.3.1
Article MathSciNet MATH Google Scholar
Cheraghchi, M., Guruswami, V.: Non-malleable coding against bit-wise and split-state tampering. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 440–464. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_19
Chapter MATH Google Scholar
Cheraghchi, M., Shokrollahi, A.: Almost-uniform sampling of points on high-dimensional algebraic varieties. In: 26th International Symposium on Theoretical Aspects of Computer Science, STACS 2009, Freiburg, Germany, 26–28 February 2009, Proceedings, pp. 277–288 (2009)
Google Scholar
Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput. 17(2), 230–261 (1988)
Article MathSciNet MATH Google Scholar
Chor, B., Goldreich, O., Hasted, J., Freidmann, J., Rudich, S., Smolensky, R.: The bit extraction problem or t-resilient functions. In: IEEE Symposium on Foundations of Computer Science, pp. 396–407 (1985). https://doi.org/10.1109/SFCS.1985.55
Coretti, S., Maurer, U., Tackmann, B., Venturi, D.: From single-bit to multi-bit public-key encryption via non-malleable codes. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 532–560. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_22
Chapter Google Scholar
Dodis, Y., Li, X., Wooley, T.D., Zuckerman, D.: Privacy amplification and nonmalleable extractors via character sums. SIAM J. Comput. 43(2), 800–830 (2014)
Article MathSciNet MATH Google Scholar
Dodis, Y., Wichs, D.: Non-malleable extractors and symmetric key cryptography from weak secrets. In: STOC, pp. 601–610 (2009)
Google Scholar
Dusart, P.: Estimates of some functions over primes without RH. arXiv preprint arXiv:1002.0442 (2010)
Dvir, Z.: Extractors for varieties. Comput. Complex. 21(4), 515–572 (2012)
Article MathSciNet MATH Google Scholar
Dvir, Z., Gabizon, A., Wigderson, A.: Extractors and rank extractors for polynomial sources. Comput. Complex. 18(1), 1–58 (2009)
Article MathSciNet MATH Google Scholar
Dvir, Z., Kopparty, S., Saraf, S., Sudan, M.: Extensions to the method of multiplicities, with applications to Kakeya sets and mergers. In: Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science, pp. 181–190 (2009)
Google Scholar
Dziembowski, S., Kazana, T., Obremski, M.: Non-malleable codes from two-source extractors. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 239–257. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_14
Chapter Google Scholar
Dziembowski, S., Pietrzak, K., Wichs, D.: Non-malleable codes. J. ACM 65(4), 20:1–20:32 (2018). https://doi.org/10.1145/3178432
Article MathSciNet MATH Google Scholar
Gabizon, A., Raz, R.: Deterministic extractors for affine sources over large fields. Combinatorica 28(4), 415–440 (2008)
Article MathSciNet MATH Google Scholar
Goyal, V., Kumar, A.: Non-malleable secret sharing. In: Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, pp. 685–698. ACM (2018)
Google Scholar
Goyal, V., Kumar, A.: Non-malleable secret sharing for general access structures. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 501–530. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_17
Chapter Google Scholar
Goyal, V., Pandey, O., Richelson, S.: Textbook non-malleable commitments. In: Proceedings of the Forty-Eighth Annual ACM Symposium on Theory of Computing, pp. 1128–1141. ACM (2016)
Google Scholar
Gupta, D., Maji, H.K., Wang, M.: Constant-rate non-malleable codes in the split-state model. Technical report, Technical Report Report 2017/1048, Cryptology ePrint Archive (2018)
Google Scholar
Guruswami, V., Umans, C., Vadhan, S.P.: Unbalanced expanders and randomness extractors from Parvaresh-Vardy codes. J. ACM 56(4), 1–34 (2009)
Article MathSciNet MATH Google Scholar
Huang, M.-D., Wong, Y.-C.: An algorithm for approximate counting of points on algebraic sets over finite fields. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 514–527. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054889
Chapter Google Scholar
Kanukurthi, B., Obbattu, S.L.B., Sekar, S.: Four-state non-malleable codes with explicit constant rate. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 344–375. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_11
Chapter Google Scholar
Kanukurthi, B., Obbattu, S.L.B., Sekar, S.: Non-malleable randomness encoders and their applications. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 589–617. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_19
Chapter Google Scholar
Lacan, J., Fimes, J.: Systematic MDS erasure codes based on vandermonde matrices. IEEE Commun. Lett. 8(9), 570–572 (2004). https://doi.org/10.1109/LCOMM.2004.833807
Article MATH Google Scholar
Li, X.: Improved non-malleable extractors, non-malleable codes and independent source extractors. In: Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, pp. 1144–1156 (2017)
Google Scholar
Li, X.: Non-malleable extractors and non-malleable codes: partially optimal constructions. In: 34th Computational Complexity Conference, CCC 2019, New Brunswick, NJ, USA, 18–20 July 2019, pp. 28:1–28:49 (2019)
Google Scholar
Lin, F., Cheraghchi, M., Guruswami, V., Safavi-Naini, R., Wang, H.: Non-malleable secret sharing against affine tampering. arXiv preprint arXiv:1902.06195 (2019)
Lu, C.-J.: Hyper-encryption against space-bounded adversaries from on-line strong extractors. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 257–271. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_17
Chapter Google Scholar
Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996). https://doi.org/10.1006/jcss.1996.0004
Article MathSciNet MATH Google Scholar
Rabin, M.O.: Probabilistic algorithms in finite fields. SIAM J. Comput. 9(2), 273–280 (1980). https://doi.org/10.1137/0209024
Article MathSciNet MATH Google Scholar
Rao, A.: An exposition of Bourgain’s 2-source extractor. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 14 (2007)
Google Scholar
Reed, I.S., Solomon, G.: Polynomial codes over certain finite fields. J. Soc. Ind. Appl. Math. 8(2), 300–304 (1960)
Article MathSciNet MATH Google Scholar
Robin, G.: Permanence de relations de récurrence dans certains développements asymptotiques. Pub. Inst. Math. Beograd 43(57), 17–25 (1988)
MATH Google Scholar
Rosser, B.: The n-th prime is greater than nlogn. Proc. Lond. Math. Soc. 2(1), 21–44 (1939)
Article MathSciNet MATH Google Scholar
Schwartz, J.T.: Probabilistic algorithms for verification of polynomial identities. In: Ng, E.W. (ed.) Symbolic and Algebraic Computation. LNCS, vol. 72, pp. 200–215. Springer, Heidelberg (1979). https://doi.org/10.1007/3-540-09519-5_72
Chapter Google Scholar
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Article MathSciNet MATH Google Scholar
Singleton, R.C.: Maximum distance q-nary codes. IEEE Trans. Inf. Theory 10(2), 116–118 (1964). https://doi.org/10.1109/TIT.1964.1053661
Article MathSciNet MATH Google Scholar
Ta-Shma, A., Zuckerman, D.: Extractor codes. IEEE Trans. Inf. Theory 50(12), 3015–3025 (2004)
Article MathSciNet MATH Google Scholar
Weil, A.: On some exponential sums. Proc. Natl. Acad. Sci. U.S.A. 34(5), 204 (1948)
Article MathSciNet MATH Google Scholar
Zippel, R.: Probabilistic algorithms for sparse polynomials. In: Ng, E.W. (ed.) Symbolic and Algebraic Computation. LNCS, vol. 72, pp. 216–226. Springer, Heidelberg (1979). https://doi.org/10.1007/3-540-09519-5_73
Chapter Google Scholar
Zuckerman, D.: Linear degree extractors and the inapproximability of max clique and chromatic number. In: Proceedings of the Thirty-Eighth Annual ACM Symposium on Theory of Computing, pp. 681–690 (2006)
Google Scholar

Download references

Acknowledgements

Marshall Ball is supported by an IBM Research PhD Fellowship. Tal Malkin and Marshall Ball: This work is based upon work supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA) via Contract No. 2019-1902070006. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either express or implied, of ODNI, IARPA, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.

Eshan Chattopadhyay and Jyun-Jie Liao are supported by NSF grant CCF-1849899. Li-Yang Tan is supported by NSF grant CCF-1921795.

Author information

Authors and Affiliations

Columbia University, New York, USA
Marshall Ball & Tal Malkin
Cornell University, Ithaca, USA
Eshan Chattopadhyay & Jyun-Jie Liao
Stanford University, Stanford, USA
Li-Yang Tan

Authors

Marshall Ball
View author publications
You can also search for this author in PubMed Google Scholar
Eshan Chattopadhyay
View author publications
You can also search for this author in PubMed Google Scholar
Jyun-Jie Liao
View author publications
You can also search for this author in PubMed Google Scholar
Tal Malkin
View author publications
You can also search for this author in PubMed Google Scholar
Li-Yang Tan
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Marshall Ball .

Editor information

Editors and Affiliations

UC San Diego, La Jolla, CA, USA
Daniele Micciancio
Cornell Tech, New York, NY, USA
Thomas Ristenpart

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Ball, M., Chattopadhyay, E., Liao, JJ., Malkin, T., Tan, LY. (2020). Non-malleability Against Polynomial Tampering. In: Micciancio, D., Ristenpart, T. (eds) Advances in Cryptology – CRYPTO 2020. CRYPTO 2020. Lecture Notes in Computer Science(), vol 12172. Springer, Cham. https://doi.org/10.1007/978-3-030-56877-1_4

Download citation

DOI: https://doi.org/10.1007/978-3-030-56877-1_4
Published: 10 August 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-56876-4
Online ISBN: 978-3-030-56877-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Non-malleability Against Polynomial Tampering

Abstract

Similar content being viewed by others

Non-malleable Secret Sharing in the Computational Setting: Adaptive Tampering, Noisy-Leakage Resilience, and Improved Rate

Continuously Non-malleable Codes Against Bounded-Depth Tampering

Leakage-resilient Linear Secret-sharing Against Arbitrary Bounded-size Leakage Family

1 Introduction

1.1 Non-malleable Codes

Theorem 1 (NMCs for bounded-degree polynomials)

Corollary 1 (NMCs for arithmetic circuits)

1.2 Non-malleable Secret Sharing

Theorem 2 (NM secret sharing for polynomial tampering)

1.3 Seedless Non-malleable Extractors

Definition 1

Definition 2

Definition 3

Definition 4

Theorem 3

Corollary 2

2 Overview of Techniques

3 Preliminaries

3.1 Characters Sums over Finite Fields

Theorem 4

Lemma 1

Lemma 2

3.2 Useful Lemmas About Polynomials

Lemma 3

Lemma 4

3.3 Non-malleable Codes and Seedless Non-malleable Extractors

Definition 5

Definition 6

Definition 7

Definition 8

3.4 Non-malleable Codes via Seedless Non-malleable Extractors

Theorem 5

3.5 MDS Code

Definition 9

Definition 10

Lemma 5

3.6 Other Useful Lemmas

Lemma 6

4 Non-malleable Extractors Against Polynomials

Lemma 7

Proof

Lemma 8

Lemma 9

Lemma 10

Lemma 11

Proof

Proof

Theorem 6

Proof

5 Efficient Sampling

Theorem 7

Lemma 12

Lemma 13

Corollary 3

Proof

Proof

Lemma 14

Proof

Proof

Remark 1

6 Non-malleable Secret Sharing

Definition 11 (Adaptive adversary)

Definition 12 (Non-malleable secret sharing)

Theorem 8

Proof

7 Open Questions

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper