Leakage-Resilient Non-Malleable Secret Sharing in Non-compartmentalized Models
Fuchun Lin∗, Mahdi Cheraghchi†, Venkatesan Guruswami‡, Reihaneh Safavi-Naini§, Huaxiong Wang∗
Abstract
Non-malleable secret sharing was recently proposed by Goyal and Kumar in independent tampering and joint tampering models for threshold secret sharing (STOC18) and secret sharing with general access structure (CRYPTO18). The idea of making secret sharing non-malleable received great attention and by now has generated many papers exploring new frontiers in this topic, such as multiple-time tampering and adding leakage resiliency to the one-shot tampering model. The non-compartmentalized tampering model was first studied by Agrawal et al. (CRYPTO15) for non-malleability against permutation composed with bit-wise independent tampering, and shown useful in constructing non-malleable string commitments. In spite of strong demand in applications, only a few tampering families have been studied in the non-compartmentalized model, because compartmentalization (assuming that the adversary cannot access all pieces of sensitive data at the same time) is crucial for most of the known techniques.

We initiate the study of leakage-resilient secret sharing in the non-compartmentalized model. Leakage in leakage-resilient secret sharing is usually modelled as arbitrary functions with bounded total output length applied to each share or to up to a certain number of shares (but never the full share vector) at one time. Arbitrary leakage functions applied to the full share vector, even with one bit of output, are impossible to resist, since the reconstruction algorithm itself can be used to construct a contradiction. We allow the leakage functions to be applied to the full share vector (non-compartmentalized) but restrict them to the class of affine leakage functions. The leakage adversary can corrupt several players and obtain their shares, as in normal secret sharing. The leakage adversary can also apply arbitrary affine functions with bounded total output length to the full share vector and obtain the outputs as leakage.
These two processes can both be non-adaptive and independent of each other, or both adaptive and dependent on each other in arbitrary order. We use a generic approach that combines randomness extractors with error correcting codes to construct such leakage-resilient secret sharing schemes, and achieve constant information ratio (the scheme for the non-adaptive adversary is near optimal).

We then explore making the non-compartmentalized leakage-resilient secret sharing also non-malleable against tampering. We consider a tampering model where the adversary can use the shares obtained from the corrupted players and the outputs of the global leakage functions to choose a tampering function from a tampering family F. We give two constructions of such leakage-resilient non-malleable secret sharing: one for the case where F is the bit-wise independent tampering family and one for the case where F is the family of affine tampering functions; the latter is non-compartmentalized tampering that subsumes the permutation composed with bit-wise independent tampering mentioned above.

∗ Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, SG
† Department of Computing, Imperial College London, UK
‡ Computer Science Department, Carnegie Mellon University, USA
§ Department of Computer Science, University of Calgary, CA

Introduction
Secret sharing, introduced independently by Blakley [Bla79] and Shamir [Sha79], is a fundamental cryptographic primitive with far-reaching applications; e.g., it is a major tool in secure multiparty computation (cf. [CDN15]). The goal in secret sharing is to encode a secret s into a number of shares c_1, ..., c_P that are distributed among a set P = {1, ..., P} of players such that access to the secret through collaboration of players can be accurately controlled. An authorized subset of players is a set A ⊆ P such that the shares with indices in A can be pooled together to reconstruct the secret s. On the other hand, A is an unauthorized subset if the knowledge of the shares with indices in A reveals no information about the secret. The sets of authorized and unauthorized sets define an access structure, of which the most widely used is the so-called threshold structure. A threshold secret sharing scheme is defined with respect to a reconstruction threshold r and satisfies the following property: any set A ⊆ P with |A| < r is an unauthorized set and any set A ⊆ P with |A| ≥ r is an authorized set. Any threshold secret sharing scheme sharing ℓ-bit secrets necessarily requires shares of length at least ℓ, and Shamir's scheme attains this lower bound [Sti92]. The information ratio, defined as the ratio of the maximum share length to the secret length, measures the storage efficiency of a secret sharing scheme.

Non-malleable codes [DPW18], proposed with applications in tamper-resilient cryptography in mind, are codes with a randomized encoder and a deterministic decoder that provide a non-malleability guarantee with respect to a family F of tampering functions: decoding the tampered codeword yields the original message or a value that follows a fixed distribution, where the probability of the first case and the probability distribution in the second case are dictated by the particular tampering function f ∈ F alone (all probabilities are taken over the randomness of the encoder).
Intuitively, non-malleable coding prevents the adversary from tampering with the protected message in a message-specific way, which is the essence of non-malleable cryptology [DDN00]. Perhaps the most widely studied tampering model for non-malleability is the compartmentalized model called the P-split state model, where for a constant integer P a tampering function is described by f = (f_1, ..., f_P), for arbitrary functions f_i : {0,1}^{N/P} → {0,1}^{N/P}.

Goyal and Kumar initiated a systematic study of non-malleable secret sharing [GK18a, GK18b] with inspiration from non-malleable codes. Their study started with the observation that a 2-split state non-malleable code is a non-malleable 2-out-of-2 (statistical) secret sharing (the privacy follows directly from non-malleability in the 2-split state model, see [ADKO15b] for a proof). So the 2-out-of-2 case has many constructions (to name a few, restricted to information-theoretic security) [DKO13, ADL18, ADKO15b, ADKO15a, CGL16a, Li17, Li18, CL18]. Goyal and Kumar [GK18a] proposed two tampering models for r-out-of-P secret sharing for P > 1 and r ≤ P. The independent tampering model of non-malleable secret sharing is essentially a secret sharing with P players which is non-malleable with respect to the P-split state tampering family. The joint tampering model allows the adversary to group any r shares into two subsets of different size and tamper jointly with the shares within each group but independently across the two groups. In the follow-up work [GK18b], non-malleability was generalized to secret sharing with general access structures. In the independent tampering model, they constructed a compiler that transforms any plain secret sharing into a non-malleable secret sharing with the same access structure.
In the joint tampering model, explicit P-out-of-P threshold secret sharing schemes against more powerful adversaries that can group shares into two overlapping subsets, as long as no authorized set is jointly tampered, are constructed. The idea of making secret sharing non-malleable against tampering has attracted a lot of attention and generated many papers exploring new frontiers in this topic. Srinivasan and Vasudevan [SV18] constructed the first non-malleable secret sharing for 4-monotone access structures with constant information ratio. Badrinarayanan and Srinivasan [BS18] considered a multiple-time tampering model (corresponding to continuous non-malleable codes) for secret sharing, where the tampering adversary can non-adaptively specify a sequence of tampering functions in the independent tampering model and the non-malleability guarantee should hold for the whole sequence of tampering (assuming the same reconstruction set). Aggarwal et al. [ADN+18] considered a strengthening of the above multiple-time tampering model that takes into account the subtlety of secret reconstruction in secret sharing. In particular, they allow the tampering adversary to control the secret reconstruction from tampered shares by specifying the reconstruction set each time (they dub this non-adaptive concurrent reconstruction). Kumar, Meka, and Sahai [KMS18] initiated the study of leakage-resilient non-malleable secret sharing, where the tampering adversary is allowed to base the choice of tampering on information about the encoding obtained by leaking from every share independently. This defines a stronger type of tampering (than without leakage) because the randomness of the encoder decreases conditioned on the leaked value, which affects the non-malleability guarantee (which by definition relies on the randomness of the encoder). Faonio and Venturi [FV19] considered a strengthened model that has multiple-time tampering with adaptive concurrent reconstruction and leakage-resilience, but had to switch to computational security. See Table 1 for a summary of the different models.

Table 1: Comparison of models for the existing LR-SS and NM-SS with P > 1

Reference  | Access structure        | Scheme     | Leakage / tampering model
           | r-out-of-P              | LR-SS      | Ind. L.
[GK18a]    | 2-out-of-P              | LR-SS      | Ind. L.
[GK18a]    | r-out-of-P              | NM-SS      | Independent Tampering (Ind. T.)
[GK18a]    | r-out-of-P              | NM-SS      | Joint Tampering (Joint T.)
[GK18b]    | Arbitrary               | NM-SS      | Ind. T.
[GK18b]    | P-out-of-P              | NM-SS      | Joint T.
[BS18]     | Arbitrary (4-monotone)  | CNM-SS     | Continuous Ind. T. (CNM-SS)
[ADN+18]   | Arbitrary               | LR-SS      | Ind. L.
[ADN+18]   | Arbitrary (3-monotone)  | CNM-SS     | Non-adap. concurrent reconstruct
[SV18]     | r-out-of-P              | LR-SS      | Ind. L. ← r − 1 ← Ind. L.
[FV19]*    | Arbitrary               | LR-CNM-SS  | Ind. noisy L., Adap. concurrent reconstruct
This work  | r-out-of-P              | LR-SS      | Affine L. (first NComp. L.)
This work  | r-out-of-P              | LR-NM-SS   | Bit-wise Ind. T. ← Affine L.
This work  | r-out-of-P              | LR-NM-SS   | NComp. T. ← Affine L. (first NComp. T.)

Only the features concerning modelling are captured in this table. Shorthands are defined where they first appear in the table. The symbol “←” denotes “based on”. [FV19]* has a * because it is the only one using computational assumptions. “NComp.” is short for “Non-Compartmentalized”. The view of the leakage adversary in the “Affine L.” model contains a choice of r − 1 shares.

A leakage-resilient secret sharing scheme hides the secret from an adversary who, in addition to having access to an unqualified set of shares, also obtains some bounded-length leakage from all other shares. Leakage-resiliency for secret sharing was in fact studied much earlier than non-malleable secret sharing. Dziembowski and Pietrzak [DP07] developed an intrusion-resilient secret sharing scheme using alternating extractors. Davì, Dziembowski and Venturi [DDV10] constructed the first 2-out-of-2 secret sharing scheme that statistically hides the secret even after an adaptive adversary executes a bounded communication leakage protocol on the two shares. The leakage-resilient non-malleable codes in the 2-split state model of Liu and Lysyanskaya [LL12] (computational security) and [ADKO15b] are also 2-out-of-2 leakage-resilient secret sharing schemes which also feature non-malleability. Recently, as the dual result of [GW17], which shows that by leaking one bit from each share the secret of a Shamir scheme over a finite field with characteristic 2 can be completely reconstructed, Benhamouda, Degwekar, Ishai and Rabin [BDIR18] showed that the Shamir r-out-of-P secret sharing scheme, when the underlying field is of large prime order and for large values of r = P − o(log P), is leakage-resilient against a non-adaptive adversary who independently leaks a bounded amount of information from each share. Goyal and Kumar [GK18a, GK18b] constructed a 2-out-of-P leakage-resilient secret sharing scheme as a building block for their constructions of non-malleable secret sharing. Aggarwal et al. [ADN+18] proposed a construction for general access structures and a new application to leakage-resilient threshold signatures. Several strengthened leakage-resilient secret sharing models have been proposed. Srinivasan and Vasudevan [SV18] proposed a leakage model for r-out-of-P threshold schemes, where the choice of each local leakage function can be based on a choice of r − 1 shares.

18] and decision tree [BGW19]. In particular, the affine tampering model includes the permutation composed with bit-wise independent tampering of [AGM+15], and an F-affine function can depend on all input bits. In this sense, affine functions are arguably the best example of the non-compartmentalized model.

No non-compartmentalized tampering model has been studied in non-malleable secret sharing so far. This is partly because currently known constructions of non-malleable secret sharing crucially rely on tools that only work for compartmentalised models (e.g. independent-source extractors and secret sharing schemes). Almost all constructions of non-malleable secret sharing take the approach of building a compiler that transforms several plain secret sharing schemes with various extra properties into a non-malleable secret sharing. It is not clear how resiliency against global tampering can be realized using this approach.

Davì, Dziembowski and Venturi [DDV10], apart from constructing the first 2-out-of-2 leakage-resilient secret sharing, proposed a general leakage model called Leakage-Resilient Storage (LRS), where there is an upper bound on the total output length and the leakage functions can be chosen from a set L of functions that is only restricted by its cardinality |L|. The cardinality |L| can still be exponential in the length of the encoding, and functions computable by Boolean circuits of a fixed size were given as an example for this model.

Again, no non-compartmentalized leakage model has been studied for leakage-resiliency of secret sharing. The leakage for secret sharing is usually modelled as an arbitrary function with bounded output length applied to each share or to up to a certain number of shares (but never the full share vector) at one time. Note that arbitrary leakage functions applied to the full share vector, even with one bit of output, are impossible to resist, since the reconstruction algorithm itself can be used to construct a contradiction.
Indeed, a counterexample could be the reconstruction algorithm outputting the first bit of the secret. It is not clear how LRS with L only restricted by its cardinality |L| can be realized for secret sharing.

Our contributions.
We take inspiration from the definition of non-malleable (codes) secret sharing and propose a general notion of leakage-resilient secret sharing with respect to a structured family L of leakage functions and a total output size bound β, which is a non-negative integer. We call a leakage adversary in this model a β-bounded L-leakage adversary. We fill the gap left open in the current state of leakage-resilient secret sharing by considering a structured non-compartmentalized leakage family L. In particular, we focus on the family L_affine of F-affine leakage functions and design leakage-resilient secret sharing schemes against a β-bounded L_affine-leakage adversary. We emphasize that each output bit of the leakage function can depend on all input bits, namely, the full share vector. When the context is clear, we simply call it affine leakage-resilient secret sharing.

Definition (Informal). An r-out-of-P statistical β-bounded affine leakage-resilient secret sharing is an r-out-of-P statistical secret sharing scheme that is also statistically leakage-resilient against a β-bounded L_affine-leakage adversary. More concretely,
1. Correctness: given any r shares, the secret is correctly reconstructed with overwhelming probability, over the randomness of the sharing algorithm.
2. Privacy and Leakage-Resiliency:
 • Non-adaptive adversary: any non-adaptive choice of r − 1 shares and the output of any non-adaptive choice of affine leakage functions of the full share vector with total output length bounded by β are statistically indistinguishable for any pair of distinct secrets.
 • Adaptive adversary: any adaptive choice of r − 1 shares and the output of any adaptive choice of affine leakage functions of the full share vector with total output length bounded by β are statistically indistinguishable for any pair of distinct secrets. (The choice of the r − 1 shares and the choice of the affine leakage functions can adaptively depend on each other.)
Using the construction of optimal non-adaptive binary secret sharing in [LCG+19], one obtains an r-out-of-P statistical secret sharing with asymptotic information ratio 1. We are able to prove that by shortening the secret by β bits, the r-out-of-P statistical secret sharing can be made leakage-resilient against a non-adaptive β-bounded L_affine-leakage adversary. We then have the following.

Theorem (Informal). There is a non-adaptive r-out-of-P statistical β-bounded affine leakage-resilient secret sharing for any constant r and P with secret length ℓ and information ratio (ℓ + β + o(ℓ))/ℓ.

We note that this information ratio is almost the best one can hope for. Intuitively, any r shares contain the full information about the ℓ-bit secret, while r − 1 shares and β bits of information about these r shares are leaked to an unconditional adversary. The upper bound on the amount of secret information must therefore reduce by β bits. In other words, an information ratio of (ℓ + β)/ℓ would be optimal.

One could use the construction of adaptive binary secret sharing in [LCG+19] to construct affine leakage-resilient secret sharing. We propose a new construction that has a better information ratio. As a result of independent interest, our construction of adaptive leakage-resilient secret sharing here also gives an adaptive binary secret sharing with improved coding rate (see Related works for more details).
Theorem (Informal).
There is an adaptive r-out-of-P statistical β-bounded affine leakage-resilient secret sharing for any constant r and P with secret length ℓ and constant information ratio.

We extend our affine leakage-resilient secret sharing model to a leakage-resilient non-malleable secret sharing model. We again consider a general tampering family F that can possibly be non-compartmentalized. We allow the tampering adversary to base the choice of the tampering function f ∈ F on any unauthorised set of shares and the output of the L-leakage from the full share vector. We call it affine leakage-resilient non-malleable secret sharing when the tampering family F need not be specified.

Definition (Informal).
An adaptive r-out-of-P statistical β-bounded affine leakage-resilient secret sharing is said to be non-malleable with respect to a tampering family F if the following non-malleability property is satisfied.
Non-malleability: for any up to r − 1 shares, any β-bounded L_affine-leakage adversary, any F-tampering strategy σ and any reconstruction set R of size r, reconstructing from the set R of the tampered shares yields the original secret or a value that follows a background distribution, where the probability of the first case and the probability distribution in the second case are dictated by the particular leakage adversary, the particular tampering strategy σ and the particular reconstruction set R (all probabilities are taken over the randomness of the sharing algorithm).

The first family F of tampering functions we consider is the family F_affine of F-affine tampering functions. By strengthening one of the building blocks of the adaptive binary secret sharing construction in [LCG+19] to its “non-malleable counterpart” (from an affine extractor to an affine non-malleable extractor, see Overview of constructions below for more information), we are able to prove that the non-malleability property, in addition to correctness, privacy and leakage-resiliency of affine leakage-resilient secret sharing, is satisfied. This gives us a leakage-resilient non-malleable secret sharing fully in the non-compartmentalized model: the leakage model is L_affine and the tampering model is F_affine, and both are non-compartmentalized.

Theorem (Informal). There is an adaptive r-out-of-P statistical β-bounded affine leakage-resilient secret sharing for any constant r and big enough P that is non-malleable with respect to F_affine.

The above construction in fact proves a reduction from affine leakage-resilient non-malleable secret sharing with respect to F_affine to a special type of randomness extractor (affine non-malleable extractor), an object in pseudo-randomness. We would be able to get explicit secret sharing schemes for any constant r and P once affine non-malleable extractors with better parameters (ones that can extract from any constant fraction of entropy) are explicitly constructed.

The second family F of tampering functions we consider is the family F_BIT of Bit-wise Independent Tampering (BIT) functions. Let q be the size of each share. A function f ∈ F_BIT for a secret sharing with P players is described by f = (f_1, ..., f_{P log q}), where f_i is a binary tampering function belonging to {Set0, Set1, Keep, Flip}; Set0 and Set1 set the value of the bit to 0 and 1, respectively, and Keep and Flip keep and flip the bit, respectively. For this tampering family, we are able to modify our construction of adaptive affine leakage-resilient secret sharing to also satisfy non-malleability, for any constants r and P.

Theorem (Informal). There is an adaptive r-out-of-P statistical β-bounded affine leakage-resilient secret sharing for any constant r and P that is non-malleable with respect to F_affine.

Note that since the tampering function f ∈ F is chosen based on any up to r − 1 shares F = F_BIT. In particular, the tampering at the r − 1 F_affine. We replace the linear seeded extractor with a linear seeded non-malleable extractor (see Overview of constructions below for more information). Seeded non-malleable extractors have been under scrutiny in the past few years and many good constructions are known (to name a few: [DW09, Li12, DLWZ14, CGL16b, Li17, Li18]). But as far as we know, only the inner product construction of [Li12] gives a linear seeded non-malleable extractor. We then prove an existence result concerning linear seeded non-malleable extractors with our required properties (ones that can extract from less than one half of the entropy) and leave their explicit construction as an interesting open problem.
Overview of constructions.
A (t, r, P)-ramp scheme is defined with respect to two thresholds, t and r. The knowledge of any t shares or fewer does not reveal any information about the secret. On the other hand, any r shares can be used to reconstruct the secret. The subsets of size ≥ t + 1 or ≤ r − 1 r − t > 1. We state our results in the language of (t, r, P)-ramp schemes, and the results specialised to threshold secret sharing mentioned above can be recovered by letting r − t = 1.

Affine leakage-resilient secret sharing.
An extractor is a function that turns non-uniform distributions (called sources) over the domain into an almost uniform distribution over the range (smaller in size than the domain). An affine source is a flat distribution on an affine subspace, and an extractor for affine sources is called an affine extractor. An extractor is invertible if there is an efficient algorithm that, given an extractor output, samples a pre-image for that output uniformly at random. Very recently, Lin et al. [LCG+19] proposed a construction of secret sharing through combining an invertible affine extractor and a linear erasure correcting code. In their construction, the secret is the output of the affine extractor. The sharing algorithm first uses the inverter of the extractor to sample a random pre-image for the secret, then encodes the pre-image using the erasure correcting code. The key observation is that if we start with a uniformly distributed secret, the inverter will output a distribution that is uniform over the domain of the extractor. The privacy analysis is focused on this uniform pre-image. Now this pre-image is further encoded using the erasure correcting code to yield the share vector. But since the erasure correcting code is linear, knowing several components of its codeword and knowing several output bits of an affine function of its codeword amount to putting several linear equations on the uniform pre-image, which is then flatly distributed on an affine subspace of the domain of the extractor, hence an affine source. If this affine source has enough entropy, then the distribution of the uniform secret conditioned on the adversary's view remains uniform. This means that the adversary's view and the secret are independent, and hence privacy is provided. Using this construction, ramp secret sharing families with statistical privacy and probabilistic reconstruction over binary shares can be constructed, given any relative privacy threshold τ and relative reconstruction threshold ρ, for arbitrary constants 0 ≤ τ < ρ ≤ 1. Now given a privacy threshold t and a reconstruction threshold r for a ramp scheme with P players, we set τ = t/P and ρ = r/P, and obtain a family of binary ramp schemes with N-bit share vector, where N is a multiple of P. We then divide the N-bit share vector into P blocks and call each block a share of a (t, r, P)-ramp scheme.

Our construction of non-adaptive leakage-resilient secret sharing uses the same high-level ideas as described above, but with a linear seeded extractor instead of a seedless one. A seeded extractor is a function that takes a second input (called the seed) which is uniform and independent of the source input. The interest in the use of seeded, as opposed to seedless affine, extractors is twofold. First, nearly optimal and very efficient constructions of seeded extractors are known in the literature that extract nearly the entire source entropy with only a short seed. This allows us to attain nearly optimal rates for the non-adaptive case. Furthermore, and crucially, such nearly optimal extractor constructions (in particular, Trevisan's extractor [Tre01, RRV02]) can in fact be linear functions for every fixed choice of the seed (in contrast, seedless affine extractors can never be linear functions). We take advantage of the linearity of the extractor in a crucial way and use a rather delicate analysis to show that the linearity of the extractor can be utilized to prove that the resulting secret sharing scheme provides the stringent worst-case secret guarantee. The construction and its proof follow similarly to the optimal construction of binary non-adaptive secret sharing in [LCG+19] (see Related works). The improvement comes from making good use of the linearity of the seeded extractor and a more efficient way of inverting the extractor that exploits this classical structure.
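The conditioning argument above (a linear view of a linearly encoded uniform pre-image leaves an affine source, on top of which the extractor must work) is worked through here as an added Python example; it is ours, not code from the paper. It assumes a 6-bit pre-image, a constructed toy [12, 6] binary code split into P = 4 three-bit shares, and a linear map M standing in for the extractor so that the conditioned distribution can be cross-checked by exhaustive enumeration; the last check shows why that stand-in cannot be a genuine affine extractor.

```python
from itertools import combinations

N_PRE = 6        # length n of the extractor pre-image x (a 6-bit vector over GF(2))
SHARE_BITS = 3   # every share is one 3-bit block of the 12-bit codeword

# Constructed toy [12, 6] binary erasure code: row i is the GF(2) linear form
# (bit mask over x0..x5) producing codeword bit i.  Bits 0..5 are systematic,
# bits 6..11 are the parities x0+x1, x1+x2, x2+x3, x3+x4, x4+x5, x5+x0.
G = [1, 2, 4, 8, 16, 32, 3, 6, 12, 24, 48, 33]
P = len(G) // SHARE_BITS        # P = 4 players; share p is rows 3p..3p+2 of G

# Constructed linear map M standing in for the extractor: s0 = x0+x1+x3,
# s1 = x1+x2+x4.  A real affine extractor is non-linear (the text notes a
# seedless affine extractor can never be linear); a linear M keeps the
# conditioning exact and makes the failure mode in demo() visible.
M = [0b001011, 0b010110]

def gf2_dot(a, b):
    """Inner product of two GF(2) vectors packed as ints."""
    return bin(a & b).count("1") & 1

def gf2_apply(rows, x):
    """Apply a matrix (list of row masks) to x; result packed as an int."""
    return sum(gf2_dot(r, x) << i for i, r in enumerate(rows))

def gf2_rank(rows):
    """Rank over GF(2) by elimination on the highest set bit of each row."""
    pivots = {}                         # pivot bit -> basis row with that pivot
    for v in rows:
        while v:
            h = v.bit_length() - 1
            if h in pivots:
                v ^= pivots[h]
            else:
                pivots[h] = v
                break
    return len(pivots)

def share_rows(players):
    """Linear forms in x revealed by the listed players' shares."""
    return [G[p * SHARE_BITS + j] for p in players for j in range(SHARE_BITS)]

def leakage_rows(masks):
    """beta affine leakage functions of the FULL 12-bit share vector c = Gx,
    each given as a mask over codeword bits.  By linearity of the code every
    one becomes a linear form in x (an affine map's constant term is irrelevant
    for independence, so it is dropped)."""
    out = []
    for mask in masks:
        row = 0
        for i, g in enumerate(G):
            if (mask >> i) & 1:
                row ^= g
        out.append(row)
    return out

def affine_source_dim(view):
    """Dimension of the affine subspace on which the (initially uniform)
    pre-image is flat once the adversary's linear view of x is fixed."""
    return N_PRE - gf2_rank(view)

def secret_independent(view, ext=M):
    """s = Mx is uniform and independent of the view iff rowspace(M) meets
    rowspace(view) only in 0, i.e. the ranks add up."""
    return gf2_rank(view + ext) == gf2_rank(view) + gf2_rank(ext)

def brute_force_independent(view, ext=M):
    """Exhaustive cross-check over all 2^n pre-images.  For linear maps the
    secret is uniform on each fibre of the view exactly when every one of the
    2^ell secret values occurs for every view value."""
    seen = {}
    for x in range(1 << N_PRE):
        seen.setdefault(gf2_apply(view, x), set()).add(gf2_apply(ext, x))
    return all(len(s) == 1 << len(ext) for s in seen.values())

def reconstructible(players):
    """Correctness side: r shares must pin down x, i.e. span GF(2)^n."""
    return gf2_rank(share_rows(players)) == N_PRE

def demo():
    r = 3
    # every 3 of the 4 shares reconstruct (erasure property of the toy code)
    ok_recon = all(reconstructible(c) for c in combinations(range(P), r))
    # adversary: one corrupted player plus beta = 1 affine leakage bit of the
    # full codeword (codeword bit 10, i.e. the parity x4+x5)
    view = share_rows([0]) + leakage_rows([1 << 10])
    dim = affine_source_dim(view)                      # 6 - 4 = 2 free bits left
    safe = secret_independent(view) and brute_force_independent(view)
    # failure mode: a single leaked bit that equals a bit of s = Mx (codeword
    # bits 0, 1, 3 add up to x0+x1+x3 = s0); no linear M can survive this,
    # which is why the real construction needs a non-linear affine extractor
    leak_secret_bit = share_rows([0]) + leakage_rows([0b1011])
    broken = not secret_independent(leak_secret_bit)
    return ok_recon, dim, safe, broken

if __name__ == "__main__":
    print(demo())
```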
Affine leakage-resilient non-malleable secret sharing.
In a nutshell, our constructions start with the extractor-based construction of secret sharing schemes and strengthen the extractor towards obtaining non-malleability. This idea is inspired by the following extractor-based construction of non-malleable codes. An important theoretical discovery in constructions of non-malleable codes is the connection between non-malleable codes and invertible seedless non-malleable extractors by Cheraghchi and Guruswami [CG17]. A seedless non-malleable extractor is defined with respect to a family of tampering functions, which are applied to the input of the extractor. Non-malleability here means that the output corresponding to the original input is independent of the output of a tampered input. Intuitively, if one uses the extractor as the decoder then non-malleability of the obtained code follows naturally from the independence of the two outcomes. This connection plays an important role in the construction of C-split state non-malleable codes [CZ14, CGL16a, Li17, Li18, CL18]. This result was recently extended to affine tampering functions through explicitly constructing seedless non-malleable extractors with respect to affine tampering functions [CL17].

Our construction of adaptive affine leakage-resilient non-malleable secret sharing with respect to F_affine strengthens the affine extractor to an affine non-malleable extractor. Intuitively, we trivially have an affine leakage-resilient secret sharing scheme, since an affine non-malleable extractor is in particular an affine extractor. We can further show that the scheme is non-malleable. The analysis is again focused on the uniform pre-image (of a uniform secret) generated by the inverter of the extractor. As argued before, conditioned on a view v of the t shares and the β-bounded affine leakage adversary A, the uniform pre-image becomes an affine source. Under the same conditioning, the affine tampering strategy σ outputs the corresponding affine tampering function f_v that is applied to the share vector. Due to the linearity of the erasure correcting code, this f_v induces an affine tampering function g that is in effect applied to the pre-image we are investigating. If the extractor can non-malleably (with respect to affine functions) extract from the affine source, the tampered outcome is independent of the original secret. We then obtain a clean reduction from affine leakage-resilient non-malleable secret sharing to affine non-malleable extractors (see Theorem 24).

Our construction of adaptive affine leakage-resilient non-malleable secret sharing with respect to F_BIT is built on the particular adaptive affine leakage-resilient secret sharing construction above. We strengthen the linear seeded extractor to a linear seeded non-malleable extractor. Seeded non-malleable extractors were proposed (in fact before the notion of seedless non-malleable extractors) for application in privacy amplification over public unauthenticated discussion [DW09]. A seeded non-malleable extractor is very different from its seedless counterpart, and the only thing that these two objects have in common is that both achieve independence of the original extractor output from the tampered extractor output. The first difference lies in what is tampered: the source of the seeded extractor is not tampered, it is its seed that is tampered. The second difference lies in what tampering is allowed: the seed tampering of the seeded extractor is not restricted by a family of functions, but is allowed to be any tampering function as long as it does not have any fixed points. We overcome the first difference by suitably conditioning on an event such that the tampered source equals the original source plus a constant offset, thanks to the restriction to F_BIT ⊂ F_affine. Since the seeded non-malleable extractor is linear, we can separate the constant offset from the tampered source completely and reduce to the same-source situation. We overcome the second difference by detecting the tampering, whenever the tampered seed coincides with the original seed, using an Algebraic Manipulation Detection (AMD) [CDF+08] pre-coding of the secret. We cannot guarantee that the tampered share vector always leads to a seed different from the original seed. But when the two seeds do coincide, as mentioned a few lines ago, the linearity of the non-malleable extractor allows for separating out an additive offset. This results in reconstructing an (obliviously) additively tampered secret, which is easily detected using, for example, the AMD code [CDF+08].

Related works.
Another line of work related to the current work is the study of ramp secret sharing over a constant share size q. The main characteristics of this line of work are a fixed share size q, an unconstrained number N of players, and ramp parameters (t, r) satisfying t = τN, r = ρN. The goal is minimizing the relative threshold gap γ = g/N = (r − t)/N = ρ − τ. It is shown in [CCX13] and [BGK16] that for 0 < t < N − g, g ≥ (N + 2)/(2q − 1). This means that once q is fixed, the relative gap γ = g/N > 1/(2q − 1). In particular, when q = 2, we must have γ > 1/3. This constraint was recently shown to be avoidable once the perfect privacy and perfect reconstruction of the ramp secret sharing are relaxed to statistical privacy (any t shares from a pair of secrets have a statistical distance negligible in N) and probabilistic reconstruction (reconstruction with r shares has a failure probability that is negligible in N), respectively [LCG+19]. For 0 ≤ τ < ρ ≤ 1, ramp secret sharing families (with relaxed privacy and reconstruction) can be explicitly constructed such that the privacy threshold is t = τN and the reconstruction threshold is r = ρN. The non-perfect privacy brings out the distinction between an adaptive reading adversary and a non-adaptive reading adversary. The authors then give two constructions for these two types of reading adversaries, respectively. In particular, the construction for the non-adaptive adversary shares a secret of N(ρ − τ − o(1)) log q bits, which they show is optimal. The construction for the adaptive adversary does not achieve this secret length, and the authors leave improving the secret length as an open problem. As mentioned previously, the tools developed in our second construction of affine leakage-resilient secret sharing can be used to significantly improve the secret length of the construction in [LCG+19]. There, the coding rate (ℓ/N) was used as the design criterion and shown to be upper-bounded by ρ − τ. The coding rate is related to the information ratio in the current work as follows: information ratio = N/(Pℓ) = 1/(P · coding rate).

The rest of the paper is organised as follows. Section 2 contains the definitions of the various randomness extractors that appear in this work. Section 3 contains two constructions of affine leakage-resilient secret sharing, for the non-adaptive adversary and the adaptive adversary, respectively. Section 4 contains two constructions of adaptive affine leakage-resilient secret sharing that are non-malleable with respect to affine tampering and bit-wise independent tampering, respectively.
Coding schemes define the basic properties for codes (schemes) that are used in cryptography. Let $\bot$ denote a special symbol that means detection.

Definition 1 ([DPW18]). A $(k, n)$-coding scheme consists of two polynomial-time functions: a randomised encoding function $\mathrm{Enc}: \{0,1\}^k \to \{0,1\}^n$, where the randomness is implicit, and a deterministic decoding function $\mathrm{Dec}: \{0,1\}^n \to \{0,1\}^k \cup \{\bot\}$ such that, for each $m \in \{0,1\}^k$, $\Pr[\mathrm{Dec}(\mathrm{Enc}(m)) = m] = 1$ (correctness), where the probability is over the randomness of the encoding algorithm.

The statistical distance of two random variables (their corresponding distributions) is defined as follows. For $X, Y \leftarrow \Omega$,
$$\mathrm{SD}(X; Y) = \frac{1}{2}\sum_{\omega \in \Omega} \left|\Pr(X = \omega) - \Pr(Y = \omega)\right|.$$
We say $X$ and $Y$ are $\varepsilon$-close (denoted $X \overset{\varepsilon}{\sim} Y$) if $\mathrm{SD}(X; Y) \le \varepsilon$.

A tampering function for a $(k, n)$-coding scheme is a function $f: \{0,1\}^n \to \{0,1\}^n$.

Definition 2 ([DPW18]). Let $\mathcal{F}$ be a family of tampering functions. For each $f \in \mathcal{F}$ and $m \in \{0,1\}^k$, define the tampering experiment
$$\mathrm{Tamper}^f_m = \left\{ x \leftarrow \mathrm{Enc}(m),\ \tilde{x} = f(x),\ \tilde{m} = \mathrm{Dec}(\tilde{x});\ \text{Output } \tilde{m} \right\},$$
which is a random variable over the randomness of $\mathrm{Enc}$. A coding scheme $(\mathrm{Enc}, \mathrm{Dec})$ is non-malleable with respect to $\mathcal{F}$ if for each $f \in \mathcal{F}$, there exists a distribution $D_f$ over the set $\{0,1\}^k \cup \{\bot, \mathrm{same}^*\}$ such that, for all $m \in \{0,1\}^k$, we have
$$\mathrm{Tamper}^f_m \ \overset{\varepsilon}{\sim}\ \left\{ \tilde{m} \leftarrow D_f;\ \text{Output } m \text{ if } \tilde{m} = \mathrm{same}^*, \text{ and } \tilde{m} \text{ otherwise} \right\} \quad (1)$$
and $D_f$ is efficiently samplable given oracle access to $f(\cdot)$.

The right hand side of (1) is sometimes denoted by $\mathrm{Copy}(D_f, m)$. Using this notation, (1) can be written as
$$\mathrm{Tamper}^f_m \ \overset{\varepsilon}{\sim}\ \mathrm{Copy}(D_f, m). \quad (1')$$

The following coding scheme, originally proposed for constructing robust secret sharing, is frequently used as a building block for constructing non-malleable codes.

Definition 3 ([CDF+08]). Let $(\mathrm{AMDenc}, \mathrm{AMDdec})$ be a coding scheme with $\mathrm{AMDenc}: \{0,1\}^k \to \{0,1\}^n$. We say that $(\mathrm{AMDenc}, \mathrm{AMDdec})$ is a $\delta$-secure Algebraic Manipulation Detection (AMD) code if for all $m \in \{0,1\}^k$ and all non-zero $\Delta \in \{0,1\}^n$, we have
$$\Pr[\mathrm{AMDdec}(\mathrm{AMDenc}(m) + \Delta) \notin \{m, \bot\}] \le \delta,$$
where the probability is over the randomness of the encoding.

An explicit optimal construction of AMD codes is given in [CDF+08]; it in fact gives a tamper detection code [JW15]. We say an AMD code achieves $\delta$-tamper detection security if for all $\Delta \ne 0^n$, $\Pr[\mathrm{AMDdec}(\mathrm{AMDenc}(m) + \Delta) \ne \bot] \le \delta$.

We use various types of randomness extractors in our constructions. Randomness extractors extract close to uniform bits from input sequences that are not uniform but have some guaranteed entropy. See [NZ96] and references therein for more information about randomness extractors. A randomness source is a random variable with a lower bound on its min-entropy, which is defined by $H_\infty(X) = -\log \max_x \{\Pr[X = x]\}$. We say a random variable $X \leftarrow \{0,1\}^n$ is an $(n, k)$-source if $H_\infty(X) \ge k$. For well structured sources, there exist deterministic functions that can extract close to uniform bits. An affine $(n, k)$-source is a random variable that is uniformly distributed on an affine translation of some $k$-dimensional subspace of $\{0,1\}^n$. Let $U_m$ denote the random variable uniformly distributed over $\{0,1\}^m$.

Definition 4. A function $\mathrm{aExt}: \{0,1\}^n \to \{0,1\}^m$ is an affine $(k, \varepsilon)$-extractor if for any affine $(n, k)$-source $X$, we have $\mathrm{SD}(\mathrm{aExt}(X); U_m) \le \varepsilon$. We will use Bourgain's affine extractor (or the alternative [Li11] due to Li) in our constructions.
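The [CDF+08] construction behind Definition 3, as an added worked example (not the paper's own code): a message is $d$ elements of a prime field $\mathbb{F}_q$, the encoder picks a random $x$ and appends the tag $x^{d+2} + \sum_i m_i x^i$, and `manipulation_probability` computes exactly, over the encoding randomness, how often an additive offset escapes detection under both the AMD notion of Definition 3 and the tamper-detection notion of [JW15]. The field size `Q = 10007` and the sample messages and offsets are constructed parameters.

```python
import random

Q = 10007          # prime field F_q (constructed parameter); its characteristic must not divide d + 2
RNG = random.Random(1)

def amd_tag(m, x):
    """Tag f(x, m) = x^(d+2) + sum_{i=1..d} m_i x^i over F_q, with d = len(m) ([CDF+08])."""
    return (pow(x, len(m) + 2, Q) + sum(mi * pow(x, i, Q) for i, mi in enumerate(m, 1))) % Q

def amd_encode(m, rng=RNG):
    """AMDenc(m) = (m, x, f(x, m)) with x uniform in F_q; x is the only encoding randomness."""
    x = rng.randrange(Q)
    return tuple(m) + (x, amd_tag(m, x))

def amd_decode(c):
    """AMDdec: the message if the tag verifies, else None (standing in for the symbol ⊥)."""
    m, x, tag = c[:-2], c[-2], c[-1]
    return tuple(m) if amd_tag(m, x) == tag else None

def add_offset(c, delta):
    """Algebraic manipulation: the adversary adds a fixed vector delta in F_q^(d+2) to the codeword."""
    return tuple((a + b) % Q for a, b in zip(c, delta))

def manipulation_probability(m, delta, tamper_detection=False):
    """Exact probability over x that AMDdec(AMDenc(m) + delta) is neither m nor ⊥ (AMD security,
    Definition 3) or, with tamper_detection=True, that it is not ⊥ (the [JW15] notion).
    For delta != 0 the verification equation is a non-zero polynomial in x of degree <= d + 1
    (the x^(d+2) terms cancel and, if delta_x != 0, the x^(d+1) coefficient is (d+2) delta_x != 0),
    so it has at most d + 1 roots: both probabilities are at most (d + 1) / q."""
    if not any(delta):
        raise ValueError("the zero offset is not a manipulation")
    hits = 0
    for x in range(Q):
        out = amd_decode(add_offset(tuple(m) + (x, amd_tag(m, x)), delta))
        if out is not None and (tamper_detection or out != tuple(m)):
            hits += 1
    return hits / Q

if __name__ == "__main__":
    m = (5, 17, 42)            # constructed message, d = 3
    c = amd_encode(m)
    print("decode(encode(m)) =", amd_decode(c))
    print("decode after adding (1,0,0,0,0):", amd_decode(add_offset(c, (1, 0, 0, 0, 0))))
    print("exact forgery probability:", manipulation_probability(m, (1, 0, 0, 0, 0)), "<=", 4 / Q)
```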
Lemma 5 ([Bou07]). For every constant $0 < \mu \le 1$, there is an explicit affine extractor $\mathrm{aExt}: \{0,1\}^n \to \{0,1\}^m$ for affine $(n, \mu n)$-sources with output length $m = \Omega(n)$ and error at most $2^{-\Omega(n)}$.

For general $(n, k)$-sources, there does not exist a deterministic function that can extract close to uniform bits from all of them simultaneously. A family of deterministic functions is needed.

Definition 6. A function $\mathrm{Ext}: \{0,1\}^d \times \{0,1\}^n \to \{0,1\}^m$ is a strong seeded $(k, \varepsilon)$-extractor if for any $(n, k)$-source $X$, we have
$$\mathrm{SD}(S, \mathrm{Ext}(S, X);\ S, U_m) \le \varepsilon,$$
where $S$ is chosen uniformly from $\{0,1\}^d$. A seeded extractor $\mathrm{Ext}(\cdot, \cdot)$ is called linear if for any fixed seed $S = s$, the function $\mathrm{Ext}(s, \cdot)$ is a linear function.

There are linear seeded extractors that extract all the randomness, for example Trevisan's extractor [Tre01]. In particular, we use the following improvement of this extractor due to Raz, Reingold and Vadhan [RRV02].

Lemma 7 ([RRV02]). There is an explicit linear strong $(k, \varepsilon)$-extractor $\mathrm{Ext}: \{0,1\}^d \times \{0,1\}^n \to \{0,1\}^m$ with $d = O(\log(n/\varepsilon))$ and $m = k - O(d)$.

Non-malleability of randomness extractors captures their tolerance against tampering. It was first defined for seeded extractors by Dodis and Wichs [DW09] with application in privacy amplification over public and unauthenticated discussion. The tampering considered is an arbitrary seed tampering that does not have any fixed point.

Definition 8 ([DW09]). A seeded $(k, \varepsilon)$-non-malleable extractor is a function $\mathrm{nmExt}: \{0,1\}^d \times \{0,1\}^n \to \{0,1\}^m$ such that given any $(n, k)$-source $X$, an independent uniform seed $Z \in \{0,1\}^d$, and any (deterministic) function $\mathcal{A}: \{0,1\}^d \to \{0,1\}^d$ such that $\mathcal{A}(z) \ne z$ for any $z$, we have
$$\mathrm{SD}(Z, \mathrm{nmExt}(\mathcal{A}(Z), X), \mathrm{nmExt}(Z, X);\ Z, \mathrm{nmExt}(\mathcal{A}(Z), X), U_m) \le \varepsilon. \quad (2)$$

Non-malleable seedless extractors were proposed by Cheraghchi and Guruswami for constructing non-malleable codes. The tampering now is a source tampering and is restricted to a particular tampering family.

Definition 9 ([CG17]). A function $\mathrm{nmExt}: \{0,1\}^n \to \{0,1\}^m$ is a $(k, \varepsilon)$-seedless non-malleable extractor with respect to a class $\mathcal{X}$ of sources over $\{0,1\}^n$ and a class $\mathcal{F}$ of tampering functions acting on $\{0,1\}^n$, if for every $X \in \mathcal{X}$ with min-entropy $k$ and every $f \in \mathcal{F}$, there is a distribution $D_f$ over $\{0,1\}^m \cup \{\mathrm{same}^*\}$ such that for an independent $Y$ sampled from $D_f$, we have
$$\mathrm{SD}(\mathrm{nmExt}(f(X)), \mathrm{nmExt}(X);\ \mathrm{Copy}(Y, U_m), U_m) \le \varepsilon, \quad (3)$$
where the two copies of $U_m$ denote the same random variable and $\mathrm{Copy}(y, u) = y$ always, except when $y = \mathrm{same}^*$, in which case it outputs $u$.

We will use Chattopadhyay and Li's affine non-malleable extractor. We first give the restricted form of the extractor, where the source tampering function does not have any fixed points.

Lemma 10 ([CL17]). For all $n, k > 0$ and any $\delta > 0$ such that $k \ge n - n^{\delta}$, there exists an efficient function $\mathrm{anmExt}: \{0,1\}^n \to \{0,1\}^m$, $m = n^{\Omega(1)}$, such that if $X$ is an affine $(n, k)$-source and $\mathcal{A}: \{0,1\}^n \to \{0,1\}^n$ is an affine function with no fixed point, then
$$\mathrm{SD}(\mathrm{anmExt}(\mathcal{A}(X)), \mathrm{anmExt}(X);\ \mathrm{anmExt}(\mathcal{A}(X)), U_m) \le 2^{-n^{\Omega(1)}}.$$

Let $\mathcal{F}_{\mathrm{affine}}$ be the set of tampering functions from $\{0,1\}^n$ to $\{0,1\}^n$ where each output bit is an affine function of the input bits. The affine non-malleable extractor in Lemma 10 can be easily converted into a seedless non-malleable extractor with respect to $\mathcal{F}_{\mathrm{affine}}$.

Lemma 11 ([CL17]). Let $\mathrm{anmExt}: \{0,1\}^n \to \{0,1\}^m$ be a $(k - \eta, \varepsilon)$-non-malleable extractor for affine sources, with respect to affine tampering functions with no fixed points. Then $\mathrm{anmExt}$ is a $(k, \varepsilon + (n + 1)2^{-\eta})$-non-malleable extractor for affine sources, with respect to $\mathcal{F}_{\mathrm{affine}}$.

Explicit constructions of randomness extractors have an efficient forward direction of extraction. In some applications, we need to efficiently invert the process: given an extractor output, sample a random pre-image. This is not necessarily efficient if the extractor is not a linear function, in which case we need to explicitly construct an invertible extractor. If the extractor is linear, sampling a random pre-image can be done in polynomial time. In general:

Definition 12 ([CDS12]). Let $f$ be a mapping from $\{0,1\}^n$ to $\{0,1\}^m$. For $\mu \ge 0$, a function $\mathrm{Inv}: \{0,1\}^m \times \{0,1\}^r \to \{0,1\}^n$ is called a $\mu$-inverter for $f$ if the following conditions hold:
• (Inversion) Given $y \in \{0,1\}^m$ such that its pre-image $f^{-1}(y)$ is nonempty, for every $r \in \{0,1\}^r$ we have $f(\mathrm{Inv}(y, r)) = y$.
• (Uniformity) $\mathrm{Inv}(U_m, U_r)$ is $\mu$-close to $U_n$.
A $\mu$-inverter is called efficient if there is a randomized algorithm that runs in worst-case polynomial time and, given $y \in \{0,1\}^m$ and $r$ as a random seed, computes $\mathrm{Inv}(y, r)$. We call a mapping $\mu$-invertible if it has an efficient $\mu$-inverter, and drop the prefix $\mu$ from the notation when it is zero. We abuse notation and denote the inverter of $f$ by $f^{-1}$.

Finally, we need the following simple lemma, whose proof can be found in Appendix A.

Lemma 13. Let $V, V'$ be two random variables distributed over the set $\mathcal{V}$ and $W, W'$ over $\mathcal{W}$, satisfying $\mathrm{SD}(V, W; V', W') \le \varepsilon$. Let $E \subset \mathcal{W}$ be an event. Then we have the following:
$$\mathrm{SD}(V \mid W \in E;\ V' \mid W' \in E) \le \frac{\varepsilon}{\Pr[W' \in E]}.$$

A stochastic code has a randomised encoder and a deterministic decoder. The encoder $\mathrm{Enc}: \{0,1\}^m \times \mathcal{R} \to \{0,1\}^n$ uses local randomness $R \leftarrow \mathcal{R}$ to encode a message $m \in \{0,1\}^m$. The decoder is a deterministic function $\mathrm{Dec}: \{0,1\}^n \to \{0,1\}^m \cup \{\bot\}$. The decoding probability is defined over the encoding randomness $R \leftarrow \mathcal{R}$. Stochastic codes are known to explicitly achieve the capacity of some special adversarial channels [GS16].

Affine sources play an important role in our constructions. We define a general requirement for the stochastic code used in our constructions.

Definition 14 ([LCG+19]). Let $\mathrm{Enc}: \{0,1\}^m \times \mathcal{R} \to \{0,1\}^n$ be the encoder of a stochastic code. We say it is a stochastic affine code if for any $r \in \mathcal{R}$, the encoding function $\mathrm{Enc}(\cdot, r)$ specified by $r$ is an affine function of the message. That is, we have
$$\mathrm{Enc}(m, r) = m G_r + \Delta_r,$$
where $G_r \in \{0,1\}^{m \times n}$ and $\Delta_r \in \{0,1\}^n$ are specified by the randomness $r$.

We then adapt a construction in [GS16] to obtain the following capacity-achieving Stochastic Affine-Erasure Correcting Code (SA-ECC). In particular, we show that for any $p \in [0, 1)$ there is such a code that corrects a $p$ fraction of adversarial erasures and achieves the rate $1 - p$.

Lemma 15 ([LCG+19]). For every $p \in [0, 1)$ and $\xi > 0$, there is an efficiently encodable and decodable stochastic affine code $(\mathrm{Enc}, \mathrm{Dec})$ with rate $R = 1 - p - \xi$ such that for every $m \in \{0,1\}^{NR}$ and erasure pattern of at most a $p$ fraction, we have
$$\Pr[\mathrm{Dec}(\widehat{\mathrm{Enc}}(m)) = m] \ge 1 - \exp(-\Omega(\xi N / \log N)),$$
where $\widehat{\mathrm{Enc}}(m)$ denotes the partially erased random codeword and $N$ denotes the length of the codeword.

3 Affine Leakage-Resilient Secret Sharing
In this section, we study a new leakage model for secret sharing. All results are stated as $(t, r, P)$-ramp schemes. The special results concerning $r$-out-of-$P$ threshold schemes can be recovered by letting $t = r - 1$. We start by recalling the Leakage-Resilient Storage (LRS) model of [DDV10].

A leakage-resilient storage scheme is a pair $(\mathrm{Enc}, \mathrm{Dec})$, where $\mathrm{Enc}: \{0,1\}^\ell \times \mathcal{R} \to \{0,1\}^N$ is a randomised, efficiently computable function ($\mathcal{R}$ is the randomness set) and $\mathrm{Dec}: \{0,1\}^N \to \{0,1\}^\ell$ is a deterministic, efficiently computable function. Consider the following game between an adversary $\mathcal{A}$ and an oracle $\mathcal{O}$.
1. The adversary $\mathcal{A}$ chooses a pair of messages $m_0, m_1 \in \{0,1\}^\ell$ and sends them to the oracle $\mathcal{O}$.
2. The oracle $\mathcal{O}$ chooses a random bit $b \in \{0,1\}$ and computes $\mathrm{Enc}(m_b)$.
3. The following is executed $\theta$ times, for $i = 1, \ldots, \theta$:
   (a) $\mathcal{A}$ selects a function $l_i: \{0,1\}^N \to \{0,1\}^{c_i}$ from a set $\mathcal{L}$ of functions, and sends it to $\mathcal{O}$;
   (b) $\mathcal{O}$ sends $l_i(\mathrm{Enc}(m_b))$ to $\mathcal{A}$. We say that $\mathcal{A}$ retrieves $c_i$ bits through $\mathcal{L}$-leakage.
We call the adversary $\mathcal{A}$ a $\beta$-bounded $\mathcal{L}$-leakage adversary if $\sum_{i=1}^{\theta} c_i \le \beta$.

We consider statistical secret sharing, where the privacy with respect to a given access structure is defined using indistinguishability of unauthorised sets of shares for a pair of secrets. The privacy adversary's choice of shares may be non-adaptive or adaptive, which become different notions when the privacy error is non-zero. We want to consider leakage-resiliency for statistical secret sharing on top of the privacy with respect to a given access structure. We now view the full share vector of the secret sharing for $P$ players as an encoding of a secret $s \in \{0,1\}^\ell$ (the sharing algorithm being the randomised encoder) in the codeword space $\{0,1\}^N$, where $N = P \log q$ and $q$ is the share size. A non-compartmentalized leakage model means that the set $\mathcal{L}$ contains leakage functions whose outputs can depend on all parts of the full share vector. Inspired by the non-compartmentalized tampering models considered in the non-malleable codes literature, we study the set $\mathcal{L}_{\mathrm{affine}}$ of $\mathbb{F}$-affine leakage functions. Each output bit of an $\mathbb{F}$-affine leakage function $l: \{0,1\}^N \to \{0,1\}^c$ is an affine function of the input in $\{0,1\}^N$.

Definition 16. For integers $0 \le t < r \le P$, an $(\varepsilon(N), \delta(N))$-statistical secret sharing for ramp parameters $(t, r, P)$ that is leakage-resilient against a $\beta$-bounded $\mathcal{L}_{\mathrm{affine}}$-leakage adversary is a pair of polynomial-time algorithms $(\mathrm{Share}, \mathrm{Recst})$,
$$\mathrm{Share}: \{0,1\}^{\ell(N)} \times \mathcal{R} \to \{0,1\}^N, \quad P \mid N,$$
where $\mathcal{R}$ denotes the randomness set, and for any reconstruction set $R \subset P$ of size $|R| = r$,
$$\mathrm{Recst}_R: \left(\{0,1\}^{N/P}\right)^r \to \{0,1\}^{\ell(N)} \cup \{\bot\},$$
that satisfy the following properties.
• Correctness: Given any $r$ out of the $P$ blocks of the share vector $\mathrm{Share}(s)$, the reconstruction algorithm $\mathrm{Recst}$ reconstructs the secret $s$ with probability at least $1 - \delta(N)$.
• Privacy and leakage-resiliency:
  – Non-adaptive adversary: for any pair $s_0, s_1 \in \{0,1\}^{\ell(N)}$ of secrets, any $A \subset P$ of size $|A| \le t$, and any affine leakage function $l: \{0,1\}^N \to \{0,1\}^c$ with $c \le \beta$,
  $$\mathrm{SD}\left(l(\mathrm{Share}(s_0)), \mathrm{Share}(s_0)_A;\ l(\mathrm{Share}(s_1)), \mathrm{Share}(s_1)_A\right) \le \varepsilon(N), \quad (4)$$
  where $\mathrm{Share}(s)_A$ denotes the projection of $\mathrm{Share}(s) \in \left(\{0,1\}^{N/P}\right)^P$ on the blocks specified by $A$.
  – Adaptive adversary: for any $s_0, s_1 \in \{0,1\}^{\ell(N)}$ and any adaptive adversary $\mathcal{A}_{\beta,\mathrm{affine}}$ that is $\beta$-bounded and affine,
  $$\mathrm{SD}\left(\mathrm{View}^{\mathcal{O}(\mathrm{Share}(s_0))}_{\mathcal{A}_{\beta,\mathrm{affine}}};\ \mathrm{View}^{\mathcal{O}(\mathrm{Share}(s_1))}_{\mathcal{A}_{\beta,\mathrm{affine}}}\right) \le \varepsilon(N), \quad (5)$$
  where $\mathrm{View}^{\mathcal{O}(\mathrm{Share}(s))}_{\mathcal{A}_{\beta,\mathrm{affine}}}$ denotes the view of the adversary $\mathcal{A}_{\beta,\mathrm{affine}}$ after playing the LRS game described above with the oracle $\mathcal{O}$, where the adversary can, at any time, adaptively select up to $t$ shares to append to the messages retrieved from $\mathcal{O}(\mathrm{Share}(s))$.

When it is clear from the context, instead of $\varepsilon(N), \delta(N), \ell(N)$ we write $\varepsilon, \delta, \ell$. In the sequel, we simply refer to the objects defined in Definition 16 as non-adaptive/adaptive affine leakage-resilient secret sharing. We first give a construction of non-adaptive affine leakage-resilient secret sharing.
Theorem 17. Let $\mathrm{Ext}: \{0,1\}^d \times \{0,1\}^n \to \{0,1\}^\ell$ be a linear strong seeded $(n - \tau N - \beta, \varepsilon)$-extractor and $\mathrm{Ext}^{-1}(z, \cdot): \{0,1\}^\ell \times \mathcal{R} \to \{0,1\}^n$ be the inverter of the function $\mathrm{Ext}(z, \cdot)$ that maps an $s \in \{0,1\}^\ell$ to one of its pre-images chosen uniformly at random. Let $(\mathrm{SA\text{-}ECCenc}, \mathrm{SA\text{-}ECCdec})$ be a stochastic affine-erasure correcting code with the encoder $\mathrm{SA\text{-}ECCenc}: \{0,1\}^{d+n} \times \mathcal{R} \to \{0,1\}^N$ that tolerates $N - \rho N$ bit erasures and decodes with success probability at least $1 - \delta$. Then the following coding scheme $(\mathrm{Share}, \mathrm{Recst})$ is a non-adaptive affine leakage-resilient secret sharing with security parameters $\varepsilon, \delta$, leakage bound $\beta$ and ramp parameters $(t, r, P)$ such that $\tau = t/P$, $\rho = r/P$:
$$\begin{cases}
\mathrm{Share}(s) = \mathrm{SA\text{-}ECCenc}(Z \,\|\, \mathrm{Ext}^{-1}(Z, s)), & \text{where } Z \overset{\$}{\leftarrow} \{0,1\}^d;\\
\mathrm{Recst}(\tilde{y}) = \mathrm{Ext}(z, x), & \text{where } (z \,\|\, x) = \mathrm{SA\text{-}ECCdec}(\tilde{y}).
\end{cases}$$
Here $\tilde{y}$ denotes an incomplete version of a share vector $y \in \{0,1\}^N$ with some of its components replaced by erasure symbols.

The proof is similar to the proof for the optimal construction of the non-adaptive binary ramp scheme in [LCG+19] and is given in Appendix B for completeness. We provide the intuition of the construction here, starting with the high-level idea with an affine extractor $\mathrm{aExt}$, which is shared by our new construction for the adaptive adversary in the next subsection.

Intuitively, the SA-ECC enables reconstruction from any $\rho N$ bits. The privacy for any $\tau N$ shares is not as straightforward. Imagine we share a uniformly distributed random secret $S \overset{\$}{\leftarrow} \{0,1\}^\ell$ and want to find out the distribution of the secret conditioned on the adversary's view $V$, which consists of up to $t$ shares and up to $\beta$ bits retrieved through applying an affine leakage function. Intuitively, if the distribution of the uniform secret conditioned on $V$ remains uniform, we have privacy and leakage-resiliency. Since we are using extractors to extract a uniform distribution, the focus is then to make sure the source has enough entropy and is of the right structure (an affine source). According to the definition of an inverter, if the secret has the uniform distribution $U_\ell$, then the inverter outputs a (close to) uniform distribution $U_n$:
$$U_n \overset{\mu}{\sim} \mathrm{aExt}^{-1}(U_\ell).$$
On the other hand, in the construction, the source is the message of the SA-ECC, which is an affine function. Obtaining any $\tau N$ bits of the SA-ECC codeword is equivalent to applying an affine function with $\tau N$-bit output to the source. Moreover, applying an affine leakage function $l: \{0,1\}^N \to \{0,1\}^\beta$ to the SA-ECC codeword is equivalent to applying the composition $l \circ \mathrm{SA\text{-}ECC}$ to the source. An affine function induces a partition of the space $\{0,1\}^n$ into cosets, each corresponding to a particular value of the adversary's view $V = v$. Given that the adversary observes $V = v$, the message of the SA-ECC can only be one element in the coset corresponding to $v$. This confirms that the source is a flat distribution on an affine subspace of $\{0,1\}^n$, hence an affine source. The entropy of the affine source is then the dimension of the affine space, which is at least $n - \tau N - \beta$. Since this is true for any $V = v$, one has the following:
$$(V, \mathrm{aExt}(U_n)) \overset{\varepsilon_A}{\sim} (V, U_\ell),$$
where $\varepsilon_A$ is the error (measured in statistical distance) of the extractor $\mathrm{aExt}$. Finally, the privacy and leakage-resiliency error is the statistical distance between the two views $V_0$ and $V_1$ corresponding to a pair of secrets $s_0$ and $s_1$, respectively. One can use the above bound for a uniform secret to obtain the following bound for any secret $s$ (using Lemma 13, for example):
$$(V \mid \mathrm{aExt}(U_n) = s) \overset{2^\ell \cdot \varepsilon_A}{\sim} V. \quad (6)$$
Observe that $V_0 = (V \mid \mathrm{aExt}(U_n) = s_0)$ and $V_1 = (V \mid \mathrm{aExt}(U_n) = s_1)$. They are both $(2^\ell \cdot \varepsilon_A + \mu)$-close to the distribution of $V$. It then follows that the privacy and leakage-resiliency error is $\varepsilon = 2^{\ell+1} \cdot \varepsilon_A + 2\mu$.

The construction in Theorem 17 uses a linear seeded extractor instead of an affine extractor to avoid the exponential growth (from $\varepsilon_A$ to $2^\ell \cdot \varepsilon_A$) of the error (see the proof in [LCG+19]). Take $t = r - 1$, the SA-ECC from Lemma 15 and the $\mathrm{Ext}$ from Lemma 7. The secret length is $\ell = n - \tau N - \beta - O(d)$, where the seed length is $d = O(\log(2n/\varepsilon))$. The SA-ECC encodes $d + n$ bits to $N$ bits with coding rate $R_{\mathrm{ECC}} = \rho - \xi$ for a small $\xi$ determined by $\delta$ (satisfying the relation $\delta = \exp(-\Omega(\xi N / \log N))$ according to Lemma 15). We then have $n = N(\rho - \xi) - d$, resulting in the information ratio
$$\frac{N}{P\ell} = \frac{N/P}{n - \tau N - \beta - O(d)} = \frac{N/P}{N(\rho - \xi) - \tau N - \beta - O(d)} = \frac{N/P}{N(\rho - \tau) - \beta - (\xi N + O(d))},$$
where by letting $t = r - 1$ we have $\rho - \tau = (r - t)/P = 1/P$, and hence the information ratio is $\frac{\ell + \beta + o(\ell)}{\ell}$.

Corollary 18. There is a non-adaptive $r$-out-of-$P$ statistical $\beta$-bounded affine leakage-resilient secret sharing for any constant $r$ and $P$ with secret length $\ell$ and information ratio $\frac{\ell + \beta + o(\ell)}{\ell}$, and the security parameters $\varepsilon$ and $\delta$ are both negligible in $\ell$.

3.2 Adaptive Affine Leakage-Resilient Secret Sharing

We now provide a different way of reducing the explosion of error in (6), one which does not sacrifice resiliency against an adaptive adversary.

We first recall a classical framework for constructing seedless extractors from seeded extractors. Seeded extractors are known to explicitly extract all the entropy and are not restricted by source structures. Moreover, there are known constructions of linear seeded extractors that perform almost as well as the best seeded extractors. The elegant idea of this framework is to use a seedless extractor to extract a short output from the structured source, which then serves as the seed for a seeded extractor to extract all the entropy from the same source. For this idea to work, the dependence of the extracted seed on the source has to be carefully analysed (and removed).
Lemma 19 ([Sha06]). Let $\mathcal{C}$ be a class of distributions over $\{0,1\}^n$. Let $E: \{0,1\}^n \to \{0,1\}^d$ be a seedless extractor for $\mathcal{C}$ with error $\epsilon$. Let $F: \{0,1\}^d \times \{0,1\}^n \to \{0,1\}^m$. Let $X$ be a distribution in $\mathcal{C}$ and assume that for every $z \in \{0,1\}^d$ and $y \in \{0,1\}^m$, the distribution $(X \mid F(z, X) = y)$ belongs to $\mathcal{C}$. Then
$$\mathrm{SD}(E(X), F(E(X), X);\ U_d, F(U_d, X)) \le 2^{d+3}\epsilon.$$

An example of such a class of distributions is the affine sources, in which case we can use an affine extractor $E = \mathrm{aExt}$ and a linear seeded extractor $F = \mathrm{Ext}$. An affine source $X$ conditioned on $\mathrm{Ext}(z, X) = y$, which amounts to a set of linear equations, is still an affine source for $\mathrm{aExt}$. With an appropriate choice of parameters, we obtain a better affine extractor $\mathrm{aExt}'(X) := \mathrm{Ext}(\mathrm{aExt}(X), X)$. With an increase of $d$ bits in the input, we have the following invertible affine extractor:
$$\mathrm{aExt}''(\mathrm{Sd} \,\|\, X) := \mathrm{Ext}(\mathrm{aExt}(X) + \mathrm{Sd}, X),$$
whose inverter is
$$(\mathrm{aExt}'')^{-1}(s) := \left(\mathrm{aExt}(\mathrm{Ext}^{-1}(Z, s)) + Z \,\|\, \mathrm{Ext}^{-1}(Z, s)\right), \quad \text{where } Z \overset{\$}{\leftarrow} \{0,1\}^d.$$

Theorem 20. Let $\mathrm{aExt}: \{0,1\}^n \to \{0,1\}^d$ be an $(n - \tau N - \beta - \ell, \varepsilon_A)$-affine extractor. Let $\mathrm{Ext}: \{0,1\}^d \times \{0,1\}^n \to \{0,1\}^\ell$ be a linear $(n - \tau N - \beta - d, \varepsilon_E)$-strong extractor with $\varepsilon_E <$ . Let $\mathrm{SA\text{-}ECCenc}: \{0,1\}^{d+n} \to \{0,1\}^N$ be the encoder of a statistical affine erasure correcting code SA-ECC that corrects $(1 - \rho)N$ erasures with error probability $\delta$. Let
$$\begin{cases}
\mathrm{Share}(s) = \mathrm{SA\text{-}ECCenc}(\mathrm{Sd} \,\|\, X), & \text{where } X \overset{\$}{\leftarrow} \mathrm{Ext}^{-1}(Z, s) \text{ and } \mathrm{Sd} = Z + \mathrm{aExt}(X) \text{ with } Z \overset{\$}{\leftarrow} \{0,1\}^d;\\
\mathrm{Recst}(\tilde{y}) = \mathrm{Ext}(\mathrm{aExt}(\tilde{x}) + \widetilde{\mathrm{sd}}, \tilde{x}), & \text{where } (\widetilde{\mathrm{sd}} \,\|\, \tilde{x}) = \mathrm{SA\text{-}ECCdec}(\tilde{y}).
\end{cases}$$
Here $\tilde{y}$ denotes an incomplete version of a share vector $y \in \{0,1\}^N$ with some of its components replaced by erasure symbols. Let $\varepsilon = 2^{(\ell+1)+(d+4)+2}\varepsilon_A + 8\varepsilon_E$. Then the coding scheme $(\mathrm{Share}, \mathrm{Recst})$ is an adaptive affine leakage-resilient secret sharing with security parameters $\varepsilon, \delta$, leakage bound $\beta$ and ramp parameters $(t, r, P)$ such that $\tau = t/P$, $\rho = r/P$.

Proof. Reconstruction from any $r$ shares follows from the functionality of the SA-ECC and the invertibility guarantee of the invertible extractor, which ensures that any correctly recovered pre-image is mapped back to the original secret.

We next prove privacy and leakage-resiliency. Consider a uniform secret $U_\ell$. By the uniformity guarantee of the inverter, we have $\mathrm{Share}(U_\ell) = \mathrm{SA\text{-}ECCenc}(\mathrm{Sd} \,\|\, U_n)$. Our analysis is done for any fixed $\mathrm{Sd} = \mathrm{sd}$. This captures a stronger adversary who, on top of adaptively reading $t$ shares, also has access to $\mathrm{Sd}$ through an oracle. It is easy to see that fixing $\mathrm{Sd} = \mathrm{sd}$ does not alter the distribution of the source $U_n$, which remains uniform over $\{0,1\}^n$. Let
$$V := \mathrm{View}^{\mathcal{O}(\mathrm{SA\text{-}ECCenc}(\mathrm{sd} \,\|\, U_n))}_{\mathcal{A}_{\beta,\mathrm{affine}}}$$
denote the view of the adversary $\mathcal{A}_{\beta,\mathrm{affine}}$ on the encoding of a uniform source for the fixed $\mathrm{Sd} = \mathrm{sd}$. Let $Z := \mathrm{aExt}(U_n) + \mathrm{sd}$ denote the seed of the strong linear extractor $\mathrm{Ext}$. Finally, let $S := \mathrm{Ext}(Z, U_n)$. We study the random variable tuple $(V, Z, S)$ to complete the proof.

The pair $(Z, S) \mid V = v$ for any fixed $V = v$ is by definition $(\mathrm{aExt}(U_n) + \mathrm{sd},\ \mathrm{Ext}(\mathrm{aExt}(U_n) + \mathrm{sd}, U_n)) \mid V = v$. Since $(U_n \mid V = v)$ is an affine source with at least $n - \tau N - \beta$ entropy, according to Lemma 19 we have
$$(Z, S) \mid V = v \ \overset{2^{d+3}\varepsilon_A}{\sim}\ (U_d, \mathrm{Ext}(U_d, U_n)) \mid V = v.$$
Our concern is the relation between $S$ and $V$, and therefore we would like to further condition on values of $Z$. In this step, we crucially use the linearity of $\mathrm{Ext}$ and the underlying linear space structure of the affine source $U_n \mid V = v$ to claim that there is a subset $G \subset \{0,1\}^d$ of good seeds such that $\Pr[U_d \in G] \ge 1 - \varepsilon_E$ and, for any $z \in G$, the distribution of $\mathrm{Ext}(z, U_n) \mid V = v$ is exactly uniform. This is true because $\mathrm{Ext}(z, U_n) \mid V = v$ is an affine source. If its entropy is $\ell$, then it is exactly uniform. If its entropy is less than $\ell$, its statistical distance $\varepsilon^z_E$ from uniform is at least . Using an averaging argument, we have that at least a $1 - \varepsilon_E$ fraction of the seeds must satisfy $\varepsilon^z_E <$ , and hence $\varepsilon^z_E = 0$. We then use Lemma 13 with respect to the event $Z \in G$ to claim that
$$(S \mid (V = v, Z \in G)) \ \overset{2^{d+4}\varepsilon_A / (1 - \varepsilon_E)}{\sim}\ (\mathrm{Ext}(U_d, X) \mid (V = v, U_d \in G)),$$
where the right hand side is exactly $U_\ell$. Note that the subset $G$ is determined by the indices of the $t$ shares and by the leakage adversary $\mathcal{A}_{\beta,\mathrm{affine}}$, hence remains the same for any value of $V = v$. We then have
$$((V, S) \mid Z \in G) \ \overset{2^{d+4}\varepsilon_A / (1 - \varepsilon_E)}{\sim}\ (V, U_\ell).$$
Another application of Lemma 13 with respect to the event $S = s$ gives
$$(V \mid (Z \in G, S = s)) \ \overset{2^{(\ell+1)+(d+4)}\varepsilon_A / (1 - \varepsilon_E)}{\sim}\ V.$$
We finally bound the privacy and leakage-resiliency error as follows:
$$\begin{aligned}
\mathrm{SD}((V \mid S = s_0);\ (V \mid S = s_1)) &\le 2\,\mathrm{SD}((V \mid S = s);\ V)\\
&= 2\Pr[Z \in G] \cdot \mathrm{SD}((V \mid (Z \in G, S = s));\ V) + 2\Pr[Z \notin G] \cdot \mathrm{SD}((V \mid (Z \notin G, S = s));\ V)\\
&\le 2\left(\frac{2^{(\ell+1)+(d+4)}\varepsilon_A}{1 - \varepsilon_E} + (4\varepsilon_E + \varepsilon_A) \cdot \ \right) < 2^{(\ell+1)+(d+4)+2}\varepsilon_A + 8\varepsilon_E.
\end{aligned}$$

Remark 21.
Note that in the error bound $2^{(\ell+1)+(d+4)+2}\varepsilon_A + 8\varepsilon_E$ above, the exponential term $2^{(\ell+1)+(d+4)+2}$ only appears as the multiplier of $\varepsilon_A$, the error of $\mathrm{aExt}$. There are known constructions of affine extractors that can extract from any constant fraction of entropy with error exponentially small in the entropy (see Lemma 5). Instantiating $\mathrm{aExt}$ with such an affine extractor and $\mathrm{Ext}$ with Trevisan's seeded extractor (see Lemma 7), we have an explicit construction that provides negligible error with seed length $d$ negligible in $\ell$. This adaptive affine leakage-resilient secret sharing has a better information ratio (both constant) than the one constructed using $\mathrm{aExt}$ alone. When used alone, one has to make $\mathrm{aExt}$ invertible using a One-Time-Pad trick (see [LCG+19]), at the cost of an $\ell$-bit increase in the input. So the information ratio is $(\ell + n)/(R_{\mathrm{ECC}} P \ell)$, where $R_{\mathrm{ECC}}$ is the rate of the erasure correcting code. Recall that making $\mathrm{aExt}'(\cdot) = \mathrm{Ext}(\mathrm{aExt}(\cdot), \cdot)$ invertible only costs $d$ bits, which is negligible in $\ell$ if we use the linear seeded extractor from Lemma 7. We then have information ratio $(d + n)/(R_{\mathrm{ECC}} P \ell) \approx n/(R_{\mathrm{ECC}} P \ell)$, for the same level of privacy and reconstruction errors.
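A toy, runnable instantiation of the Share/Recst scheme of Theorem 20 over GF(2), as an added example (not the paper's code): `ext` stands in for the linear seeded extractor Ext, `aext` for the affine extractor aExt, and a random linear code whose columns on any $r$ player blocks have full rank stands in for the SA-ECC; all three are constructed placeholders that keep only the linearity and invertibility properties the construction uses, not the extractors' error guarantees. `source_dimension` checks the counting step shared with the intuition for Theorem 17: with Sd fixed, the sources consistent with $t$ observed shares plus $\beta$ affine leakage bits form an affine subspace of dimension at least $n - tN/P - \beta$.

```python
import itertools
import random

N, P, T, R_SIZE, BETA = 20, 5, 1, 4, 2   # toy parameters (constructed): codeword length, players, t, r, beta
D, N_SRC, ELL = 2, 8, 2                  # seed length d, source length n, secret length l
K, BLOCK = D + N_SRC, N // P             # ECC message length d + n, share size N/P = 4 bits

def rref(rows):
    """Row-reduce a GF(2) matrix (list of 0/1 rows); returns (nonzero rows, pivot columns)."""
    rows, pivots, ri = [r[:] for r in rows], [], 0
    for c in range(len(rows[0]) if rows else 0):
        p = next((i for i in range(ri, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[ri], rows[p] = rows[p], rows[ri]
        for i in range(len(rows)):
            if i != ri and rows[i][c]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[ri])]
        pivots.append(c)
        ri += 1
    return rows[:ri], pivots

def solve(A, b):
    """Solutions of the consistent system A x = b over GF(2): (one solution, null-space basis)."""
    n = len(A[0])
    aug, piv = rref([row + [bi] for row, bi in zip(A, b)])
    x0 = [0] * n
    for row, c in zip(aug, piv):
        x0[c] = row[n]
    basis = []
    for f in (c for c in range(n) if c not in piv):
        v = [0] * n
        v[f] = 1
        for row, c in zip(aug, piv):
            v[c] = row[f]
        basis.append(v)
    return x0, basis

def rank(A):
    return len(rref(A)[0])
def matvec(A, x):
    return [sum(a & xi for a, xi in zip(row, x)) & 1 for row in A]
def vadd(u, v):
    return [a ^ b for a, b in zip(u, v)]

SETUP = random.Random(2024)
# Stand-in for the linear seeded extractor Ext of Lemma 7: Ext(z, x) = A_z x with a random full-rank
# l x n matrix per seed. Only linearity in x is used below; the real extractor's error is not modelled.
EXT_MATS = {z: [] for z in itertools.product([0, 1], repeat=D)}
for z in EXT_MATS:
    while rank(EXT_MATS[z]) < ELL:
        EXT_MATS[z] = [[SETUP.randint(0, 1) for _ in range(N_SRC)] for _ in range(ELL)]

def ext(z, x):
    return matvec(EXT_MATS[tuple(z)], x)

def ext_inv(z, s, rng):
    """Ext^{-1}(z, .): a uniformly random pre-image of s, i.e. a random point of the solution coset."""
    x, basis = solve(EXT_MATS[tuple(z)], s)
    for v in basis:
        x = vadd(x, v) if rng.random() < 0.5 else x
    return x

def aext(x):
    """Stand-in (assumption) for the affine extractor aExt of Lemma 5: a fixed non-linear map of x."""
    return [(x[2 * i] & x[2 * i + 1]) ^ x[2 * i + 2] for i in range(D)]

def player_cols(players):
    return [j for p in players for j in range(p * BLOCK, (p + 1) * BLOCK)]

def col_rows(cols, first_row=0):
    return [[G[i][j] for i in range(first_row, K)] for j in cols]   # columns of G as constraint rows

# Linear erasure-correcting code c = m G, generator chosen so the columns of any r player blocks have
# rank K (any r shares determine the message): a deterministic special case of the SA-ECC of Lemma 15.
G = []
while not G or any(rank(col_rows(player_cols(Rs))) < K
                   for Rs in itertools.combinations(range(P), R_SIZE)):
    G = [[SETUP.randint(0, 1) for _ in range(N)] for _ in range(K)]

def share(s, rng):
    """Theorem 20: Share(s) = ECCenc(Sd || X) with X <- Ext^{-1}(Z, s), Sd = Z + aExt(X), Z uniform."""
    z = [rng.randint(0, 1) for _ in range(D)]
    x = ext_inv(z, s, rng)
    return matvec([list(col) for col in zip(*G)], vadd(z, aext(x)) + x)   # c = m G

def recst(codeword, players):
    """Recst_R: solve (sd || x) from the r present blocks, then Ext(aExt(x) + sd, x) = Ext(Z, X)."""
    cols = player_cols(players)
    m, basis = solve(col_rows(cols), [codeword[j] for j in cols])
    assert not basis, "fewer than r blocks: message not determined"
    return ext(vadd(aext(m[D:]), m[:D]), m[D:])

def source_dimension(observed_players, leak_rows):
    """Dimension of the affine subspace of sources X consistent with t observed shares and beta
    affine leakage bits, for fixed Sd (proof of Theorem 20); lower-bounded there by n - tN/P - beta."""
    constraints = col_rows(player_cols(observed_players), D)
    for L in leak_rows:   # leaked bit sum_j L_j c_j = const + sum_i x_i (sum_j L_j G[D+i][j])
        constraints.append([sum(L[j] & G[i][j] for j in range(N)) & 1 for i in range(D, K)])
    return N_SRC - rank(constraints)
```

Reconstruction with only `R_SIZE - 1` blocks trips the assertion in `recst`, since the remaining columns no longer determine the message.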
We now extend our model of leakage-resilient secret sharing to the paradigm of leakage-resilient non-malleable secret sharing initiated in [KMS18]. Let $V := \mathrm{View}^{\mathcal{O}(\mathrm{Share}(s))}_{\mathcal{A}_{\beta,\mathrm{affine}}}$ be the view of an adaptive $\beta$-bounded affine adversary $\mathcal{A}_{\beta,\mathrm{affine}}$ as defined in Definition 16. An $\mathcal{F}$-tampering strategy associated with $\mathcal{A}_{\beta,\mathrm{affine}}$ is a metafunction $\sigma: \left(\{0,1\}^{N/P}\right)^t \times \{0,1\}^\beta \to \mathcal{F}$ that takes as input a view $V = v$ and outputs a tampering function $f_v \in \mathcal{F}$.

Definition 22. For integers $0 \le t < r \le P$, an adaptive affine leakage-resilient secret sharing with security parameters $\varepsilon(N)$, $\delta(N)$, leakage bound $\beta$ and ramp parameters $(t, r, P)$ is said to be non-malleable with respect to a family $\mathcal{F}$ of tampering functions from $\{0,1\}^N$ to $\{0,1\}^N$ if the following property is satisfied. Let the secret sharing scheme $(\mathrm{Share}, \mathrm{Recst})$ be as follows:
$$\mathrm{Share}: \{0,1\}^{\ell(N)} \times \mathcal{R} \to \{0,1\}^N, \quad P \mid N,$$
where $\mathcal{R}$ denotes the randomness set, and for any $R \subset P$ of size $|R| = r$ there is a
$$\mathrm{Recst}_R: \left(\{0,1\}^{N/P}\right)^r \to \{0,1\}^{\ell(N)} \cup \{\bot\}.$$
• Non-malleability: For any adaptive $\beta$-bounded affine leakage adversary $\mathcal{A}_{\beta,\mathrm{affine}}$, any $\mathcal{F}$-tampering strategy $\sigma$ associated with $\mathcal{A}_{\beta,\mathrm{affine}}$, any $R \subset P$ of size $|R| = r$ and any secret $s \in \{0,1\}^{\ell(N)}$, define the tampering experiment
$$\mathrm{Tamper}^{\mathcal{A}_{\beta,\mathrm{affine}},\sigma,R}_s = \left\{ c \leftarrow \mathrm{Share}(s),\ v = \mathrm{View}^{\mathcal{O}(c)}_{\mathcal{A}_{\beta,\mathrm{affine}}},\ f_v = \sigma(v),\ \tilde{c} = f_v(c),\ \tilde{s} = \mathrm{Recst}_R(\tilde{c}_R);\ \text{Output } \tilde{s} \right\},$$
which is a random variable over the randomness of the share algorithm $\mathrm{Share}$. We say the scheme is $\varepsilon(N)$-non-malleable if for any $\mathcal{A}_{\beta,\mathrm{affine}}$, $\sigma$, $R$ and $s$, there exists a distribution $D^{\mathcal{A}_{\beta,\mathrm{affine}},\sigma,R}$ over the set $\{0,1\}^{\ell(N)} \cup \{\bot\} \cup \{\mathrm{same}^*\}$ such that
$$\mathrm{Tamper}^{\mathcal{A}_{\beta,\mathrm{affine}},\sigma,R}_s \ \overset{\varepsilon(N)}{\sim}\ \mathrm{Copy}(D^{\mathcal{A}_{\beta,\mathrm{affine}},\sigma,R}, s), \quad (7)$$
where $\mathrm{Copy}(\cdot, \cdot)$ is as defined in (3).

When it is clear from the context, instead of $\varepsilon(N), \delta(N), \ell(N)$ we write $\varepsilon, \delta, \ell$.

The general approach we take in constructing affine leakage-resilient non-malleable secret sharing in this work is to start with our adaptive affine leakage-resilient secret sharing construction in the previous section and consider how to strengthen it to provide non-malleability.

Recall that the idea behind the constructions of affine leakage-resilient secret sharing in the previous section can be summarized as identifying an affine source and managing the extractor error (see Section 3.1). The analysis is focused on the message of the erasure correcting code, which is at the same time the source of the affine extractor $\mathrm{aExt}$. The block-wise projection function and the affine leakage function applied to the share vector induce an affine leakage on the source of $\mathrm{aExt}$. For non-malleability, we similarly consider the tampering on the source of $\mathrm{aExt}$ induced by the share vector tampering using functions from the family $\mathcal{F}$. There are a few factors we need to take into account while mimicking the analysis for leakage-resilience. Firstly, leakage-resilience is defined only with respect to the encoder (here the sharing algorithm) of the coding scheme, while tamper resilience (e.g. non-malleability) involves both the encoder and the decoder. In this case, the induced source tampering should take the decoding process (here the reconstruction algorithm) into account. Secondly, the reconstruction algorithm of a secret sharing only takes $r$ shares, and hence the induced source tampering depends on which $r$ (tampered) shares take part in the reconstruction. Finally, the share vector tampering in Definition 22 is chosen based on the view of the leakage adversary; we should also take that into account. We first formally define the concept of an induced tampering for analysing secret sharing that uses an erasure correcting code as a building block.

Definition 23.
Let $\mathrm{ECC}$ be a linear erasure correcting code with an encoder $\mathrm{ECCenc}: \{0,1\}^n \to \{0,1\}^N$ and a decoding algorithm $\mathrm{ECCdec}$. Let $\sigma$ be an $\mathcal{F}$-tampering strategy associated with $A_{\beta,\mathrm{affine}}$. Let $R \subset P$ be of size $|R| = r$ and let $\Pi_R$ denote the block-wise projection function on the block index set $R$. The induced tampering $g^v_{\sigma,R}: \{0,1\}^n \to \{0,1\}^n$ at a particular view value $v$, for given $\mathrm{ECC}$, $\sigma$ and $R$, is defined as follows:
$$g^v_{\sigma,R} := \mathrm{ECCdec}_R \circ \Pi_R \circ f_v \circ \mathrm{ECCenc}, \qquad (8)$$
where $\sigma(v) = f_v \in \mathcal{F}$.

We are now in a good position to show a reduction from affine leakage-resilient non-malleable secret sharing with respect to $\mathcal{F}_{\mathrm{affine}}$ to affine non-malleable extractors.

Theorem 24.
Let $\mathrm{anmExt}: \{0,1\}^n \to \{0,1\}^\ell$ be a $\mu$-invertible affine non-malleable $(n - tN/P - \beta, \varepsilon_A)$-extractor and $\mathrm{anmExt}^{-1}: \{0,1\}^\ell \times \mathcal{R} \to \{0,1\}^n$ be its inverter, which maps an $s \in \{0,1\}^\ell$ to one of its pre-images chosen uniformly at random. Let $\mathrm{ECCenc}: \{0,1\}^n \to \{0,1\}^N$ be the encoder of a linear erasure correcting code $\mathrm{ECC}$ that tolerates $N - rN/P$ erasures with decoding error $\delta$. Let
$$\begin{cases} \mathrm{Share}(s) = \mathrm{ECCenc}(\mathrm{anmExt}^{-1}(s)) \\ \mathrm{Recst}_R(c_R) = \mathrm{anmExt}(\mathrm{ECCdec}_R(c_R)), \end{cases}$$
where $R \subset P$ with $|R| = r$. Then the coding scheme $(\mathrm{Share}, \mathrm{Recst})$ is an adaptive affine leakage-resilient non-malleable secret sharing with respect to $\mathcal{F}_{\mathrm{affine}}$ with security parameters $\varepsilon = 2^{\ell+1}\varepsilon_A + \mu$, $\delta$, leakage bound $\beta$ and ramp parameters $(t, r, P)$.

Proof.
Reconstruction from any $r$ shares follows trivially from the functionality of $\mathrm{ECC}$. We next show privacy and leakage-resiliency. Our analysis starts with sharing a uniform secret. According to the definition of a $\mu$-invertible extractor, we have
$$U_n \overset{\mu}{\sim} \mathrm{anmExt}^{-1}(U_\ell). \qquad (9)$$
Without loss of generality, we will assume the message of the erasure correcting code $\mathrm{ECC}$ is $U_n$, at the cost of an increase of $\mu$ in the final error parameter. For any adaptive $\beta$-bounded affine leakage adversary $A_{\beta,\mathrm{affine}}$, let $V := \mathrm{View}^{O(\mathrm{ECCenc}(U_n))}_{A_{\beta,\mathrm{affine}}}$ be the view of the adversary on the encoding of a uniform source. Since $\mathrm{ECCenc}$ is a linear function, $V$ is the image of an affine function. This shows that $(U_n \mid V = v)$ is an affine source with at least $n - tN/P - \beta$ entropy. The affine non-malleable $(n - tN/P - \beta, \varepsilon_A)$-extractor $\mathrm{anmExt}$ is in particular an affine $(n - tN/P - \beta, \varepsilon_A)$-extractor, which yields
$$((V, \mathrm{anmExt}(U_n)) \mid V = v) \overset{\varepsilon_A}{\sim} ((V, U_\ell) \mid V = v),$$
or simply $(V, \mathrm{anmExt}(U_n)) \overset{\varepsilon_A}{\sim} (V, U_\ell)$. This together with Lemma 13 with respect to the event $\mathrm{anmExt}(U_n) = s$ for any secret $s$ gives a privacy and leakage-resiliency error of $2^{\ell+1}\varepsilon_A$.

We finally show non-malleability. For any affine tampering strategy $\sigma$ and $R \subset P$ with $|R| = r$, let $W := g^V_{\sigma,R}(U_n)$ denote the tampered source of $\mathrm{anmExt}$. According to Definition 23, the induced tampering $g^v_{\sigma,R}$ is an affine function for any $V = v$. The functionality of the affine non-malleable $(n - tN/P - \beta, \varepsilon_A)$-extractor asserts that there is a distribution $D_{g^v_{\sigma,R}}$ such that
$$((\mathrm{anmExt}(W), \mathrm{anmExt}(U_n)) \mid V = v) \overset{\varepsilon_A}{\sim} (\mathrm{Copy}(D_{g^v_{\sigma,R}}, U_\ell), U_\ell),$$
where the two copies of $U_\ell$ are the same random variable and are independent of $D_{g^v_{\sigma,R}}$. Let $D_{A_{\beta,\mathrm{affine}},\sigma,R}$ be the convex combination of $\{D_{g^v_{\sigma,R}} \mid v \in \mathcal{V}\}$ with coefficients $\{\Pr[V = v] \mid v \in \mathcal{V}\}$, where $\mathcal{V}$ is the range of the affine leakage function. We then have
$$(\mathrm{anmExt}(W), \mathrm{anmExt}(U_n)) \overset{\varepsilon_A}{\sim} (\mathrm{Copy}(D_{A_{\beta,\mathrm{affine}},\sigma,R}, U_\ell), U_\ell), \qquad (10)$$
where the two copies of $U_\ell$ are the same random variable and are independent of $D_{A_{\beta,\mathrm{affine}},\sigma,R}$. Applying Lemma 13 to (10) with respect to the event $\mathrm{anmExt}(U_n) = s$ for any secret $s$ yields
$$(\mathrm{anmExt}(W) \mid \mathrm{anmExt}(U_n) = s) \overset{2^{\ell}\cdot\varepsilon_A}{\sim} \mathrm{Copy}(D_{A_{\beta,\mathrm{affine}},\sigma,R}, s),$$
where $D_{A_{\beta,\mathrm{affine}},\sigma,R}$ is independent of $s$. Since the tampering experiment with respect to the tuple $A_{\beta,\mathrm{affine}}, \sigma, R$ and $s$ is $\mu$-close to $(\mathrm{anmExt}(W) \mid \mathrm{anmExt}(U_n) = s)$ according to (9), we have
$$\mathrm{Tamper}^{A_{\beta,\mathrm{affine}},\sigma,R}_{s} \overset{\mu + 2^{\ell}\cdot\varepsilon_A}{\sim} \mathrm{Copy}(D_{A_{\beta,\mathrm{affine}},\sigma,R}, s).$$

Theorem 24 gives a clean reduction from affine leakage-resilient non-malleable secret sharing to an invertible affine non-malleable extractor and a linear code that corrects erasures. Note that we can use any explicit constructions of invertible affine non-malleable extractors and erasure correcting codes. Any improvement in the constructions of the building blocks will lead to affine leakage-resilient non-malleable secret sharing with better parameters.
Remark 25.
The constructions of affine non-malleable extractors (Lemma 10 and Lemma 11) require source entropy n − n ξ / ℓ = n Ω(1) with extractor error ε A = 2 − n Ω(1) + n − n ξ / , for some $0 < \xi < 1$. According to [CL17], they can be made invertible with $\mu = \varepsilon_A$. This means that the privacy threshold $t$ must satisfy n − tN/P ≥ n − n ξ / τ = t/P −→ τ Nn ≤ n ξ / n nN ≤ −→ τ ≤ n ξ n , ℓ + 1) · ε A . The construction in [CL17] crucially relies on high entropy of the source (entropy n − n ξ / τ = t/P to be small, hence a large $P$ for given $t$. On the other hand, by replacing the linear erasure correcting code $\mathrm{ECC}$ with a stochastic affine code, we can reconstruct the secret from any $\rho$ fraction of the share vector with negligible error probability at rate $R_{\mathrm{ECC}} = n/N \approx r/P$. This replacement does not affect the analysis of non-malleability in Theorem 24. In particular, the induced tampering $g^v_{\sigma,R}$ in (8) becomes
$$g^v_{\sigma,R} := \mathrm{ECCdec}^{\tilde{r}}_R \circ \Pi_R \circ f_v \circ \mathrm{ECCenc}^{r}, \qquad (8')$$
where $r$ and $\tilde{r}$ denote the randomness of the stochastic code and its tampered version, respectively. But since the stochastic code is affine, which means that for any fixing of its randomness $r$ both $\mathrm{ECCenc}^{r}$ and $\mathrm{ECCdec}^{\tilde{r}}_R$ are affine functions, the induced tampering $g^v_{\sigma,R}$ is still an affine function. This means that we can obtain a scheme with arbitrary relative reconstruction threshold $\rho > \tau$. Finally, the output length of the affine non-malleable extractor is $\ell = n^{\Omega(1)}$ and the non-malleability error bound from Theorem 24 is $(2^{\ell} + 1) \cdot \varepsilon_A$. In this case, we cannot use all $\ell$ bits for secrets. A way to control the non-malleability error is to use $\ell - a$ bits for the real secret and append $a$ random bits. This, however, reduces the secret length.

We consider strengthening the construction of affine leakage-resilient secret sharing in Theorem 20 to obtain affine leakage-resilient non-malleable secret sharing. Intuitively, we want to replace the linear seeded extractor $\mathrm{Ext}$ in Theorem 20 with a linear seeded non-malleable extractor $\mathrm{nmExt}$. Using a seeded non-malleable extractor in the construction of non-malleable codes has many challenges (as far as we know, this has not been considered in the literature). First of all, the tampered source and the original source are not the same. We should first reduce the different-sources situation to a same-source situation in order to be able to use the functionality of $\mathrm{nmExt}$. Secondly, seeded non-malleable extractors allow the seed to be arbitrarily tampered, but impose the condition that the tampered seed should never be the same as the original seed (the seed tampering function has no fixed point). Lemma 19 only shows that the original seed and the tampered seed are both uniform and independent of the original source and tampered source, respectively. But the two seeds could be related in an arbitrary way; for example, they may collide with any probability. When the tampered seed coincides with the original seed, we do not have an independence guarantee for the two copies of the outputs. In fact, they are related. We then exploit this relation and use an AMD pre-coding of the secret to detect the tampering. Besides the challenges coming from using a seeded non-malleable extractor, to be able to invoke Lemma 19 the tampered source should have enough entropy. But we know the adversary of non-malleable secret sharing can overwrite almost the full share vector and leave only a small amount of entropy in the tampered source. Luckily, in this case we can simply consider the tampered source as a leakage and make the source itself independent of the secret. To address these challenges in a systematic fashion, we define the entropy of an affine function with respect to an affine source and use it to separate our discussion into two cases.

The entropy of a function is the entropy of its output when the input is uniform.
Recall that our analysis is focused on the induced tampering (see Definition 23) that is applied to the source of the invertible affine extractor. Since the induced tampering $g^v_{\sigma,R}$ is applied only under the condition that the view value is $v$, we have to consider the entropy of a function when its input is not uniform. We consider an extension of the notion and define the entropy of a function $g$ with respect to a source $X$.

Definition 26. The entropy of a function $g$ with respect to a source $X$ is the quantity $H_\infty(g(X))$.

From now on, we consider a linear erasure correcting code $\mathrm{ECC}$ with encoder $\mathrm{ECCenc}: \{0,1\}^{d+n} \to \{0,1\}^N$. Let the input to $\mathrm{aExt}''$ be $(Sd \,\|\, U_n)$. We refer to the first $d$ bits as the seed indicator and only consider $U_n$ as the source of $\mathrm{aExt}''$. In fact, in the security analysis we always consider a fixed $Sd = sd$. For any adaptive $\beta$-bounded affine leakage adversary $A_{\beta,\mathrm{affine}}$, let $V := \mathrm{View}^{O(\mathrm{ECCenc}(sd \| U_n))}_{A_{\beta,\mathrm{affine}}}$ denote the view of the adversary on the encoding of a uniform source. We have that $(U_n \mid V = v)$ is an affine source with at least $n - tN/P - \beta$ entropy. For any tampering strategy $\sigma$ and reconstruction set $R \subset [N]$ with $|R| = r$, let
$$(\widetilde{sd} \,\|\, W) := g^V_{\sigma,R}(sd \,\|\, U_n)$$
denote the tampered source of $\mathrm{aExt}''$. According to Definition 23, the induced tampering $g^v_{\sigma,R}$ is an affine function for any $V = v$. We call the entropy of $g^v_{\sigma,R}$ with respect to the source $(U_n \mid V = v)$ the entropy of $g^v_{\sigma,R}$ for short. The entropy of an affine function $g$ with respect to an affine source $X$ is equal to the dimension of the support of the affine source $g(X)$. The entropy of $g^v_{\sigma,R}$ is then an integer. It is easier to consider $g^v_{\sigma,R}$ as a function defined over the support of the distribution $U_n \mid V = v$ (instead of $\{0,1\}^n$). Then we have that the entropy of $g^v_{\sigma,R}$ is $H_\infty(W \mid V = v) = \dim(\mathrm{Im}(g^v_{\sigma,R}))$. Now the fundamental theorem of linear algebra yields
$$n - H_\infty(V) = \dim(\mathrm{Ker}(g^v_{\sigma,R})) + H_\infty(W \mid V = v). \qquad (11)$$
The quantity $\dim(\mathrm{Ker}(g^v_{\sigma,R}))$ characterizes the remaining entropy of $(U_n \mid V = v)$ after revealing $W = w$ for some particular $w$.

We are now ready to strengthen the linear seeded extractor $\mathrm{Ext}$ in Theorem 20 to a linear non-malleable extractor $\mathrm{nmExt}$ and show that this, together with an AMD pre-coding of the secret, provides non-malleability.
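As an added example that is not part of the paper, the following Python script works out Definition 23 and equation (11) on a toy instance: the [N = 8, n = 4] binary code (a [4,2] Reed-Solomon code over GF(4) written in bits, so P = 4 shares of 2 bits), the F_BIT tampering and the affine leakage matrix are all constructed here. It computes the induced tampering g = ECCdec_R ∘ Π_R ∘ f ∘ ECCenc as an affine map (L, c0), checks it against the step-by-step pipeline on every message, and reports H∞(V), H∞(W | V = v) and dim Ker(g) for the affine source U_n | V = v; the decoder ECCdec_R is taken to be a fixed linear left-inverse of the projected generator matrix, which is one valid choice rather than the paper's prescribed decoder.

```python
"""Toy GF(2) instance of Definition 23 and equation (11); code, tampering and leakage are constructed."""
from itertools import product

def rref(M):
    """Reduced row echelon form over GF(2); returns (rows, pivot columns)."""
    M = [row[:] for row in M]
    pivots, r = [], 0
    for c in range(len(M[0]) if M else 0):
        p = next((i for i in range(r, len(M)) if M[i][c]), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [a ^ b for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M, pivots

def rank(M): return len(rref(M)[1])
def transpose(M): return [list(col) for col in zip(*M)]
def mat_vec(M, x): return [sum(a & b for a, b in zip(row, x)) & 1 for row in M]
def mat_mul(A, B): return [mat_vec(transpose(B), row) for row in A]

def null_space(M, cols):
    """Basis (as rows) of {x : M x = 0}: the direction space of the coset supporting U_n | V = v."""
    R, piv = rref(M)
    basis = []
    for f in (c for c in range(cols) if c not in piv):   # one basis vector per free column
        x = [0] * cols
        x[f] = 1
        for row, pc in zip(R, piv):
            x[pc] = row[f]
        basis.append(x)
    return basis

def left_inverse(GR):
    """ECCdec_R as a fixed linear decoder: n x k matrix D with D * G_R = I_n, or None (⊥) if rank < n."""
    n = len(GR[0])
    _, rows = rref(transpose(GR))        # pivot columns of G_R^T = independent rows of G_R
    if len(rows) < n:
        return None
    aug = [GR[ri] + [int(i == j) for j in range(n)] for i, ri in enumerate(rows)]
    s_inv = [row[n:] for row in rref(aug)[0]]              # [S | I] -> [I | S^-1]
    D = [[0] * len(GR) for _ in range(n)]
    for j, ri in enumerate(rows):
        for i in range(n):
            D[i][ri] = s_inv[i][j]
    return D

# Constructed [N=8, n=4] binary code: a [4,2] Reed-Solomon code over GF(4) = {0,1,w,w^2}
# written in bits, so P = 4 shares of N/P = 2 bits and any r = 2 shares decode (w^2 = w + 1).
G = [[1, 0, 0, 0], [0, 1, 0, 0],   # share 0: m1
     [1, 0, 1, 0], [0, 1, 0, 1],   # share 1: m1 + m2
     [1, 0, 0, 1], [0, 1, 1, 1],   # share 2: m1 + w*m2
     [1, 0, 1, 1], [0, 1, 1, 0]]   # share 3: m1 + w^2*m2
N, n, P = len(G), len(G[0]), 4

def bits_of(R):
    return [i * (N // P) + j for i in sorted(R) for j in range(N // P)]   # block-wise projection Π_R

def bit_tamper(actions):
    """An F_BIT function (keep/flip/set0/set1 per bit) as f(c) = A c + b; returns (diag(A), b)."""
    a = [1 if act in ("keep", "flip") else 0 for act in actions]
    b = [1 if act in ("flip", "set1") else 0 for act in actions]
    return a, b

def induced_tampering(R, actions):
    """g = ECCdec_R ∘ Π_R ∘ f ∘ ECCenc from (8) as (L, c0) with g(m) = L m + c0, or None."""
    a, b = bit_tamper(actions)
    idx = bits_of(R)
    D = left_inverse([G[i] for i in idx])
    if D is None:
        return None
    L = mat_mul(D, [[a[i] & x for x in G[i]] for i in idx])   # D Π_R A G
    c0 = mat_vec(D, [b[i] for i in idx])                       # D Π_R b
    return L, c0

def tamper_pipeline(R, actions, m):
    """The same map computed step by step: encode, tamper bit by bit, project to R, decode."""
    a, b = bit_tamper(actions)
    c = mat_vec(G, m)
    c_t = [(a[i] & c[i]) ^ b[i] for i in range(N)]
    D = left_inverse([G[i] for i in bits_of(R)])
    return None if D is None else mat_vec(D, [c_t[i] for i in bits_of(R)])

def is_affine_induced(R, actions):
    """True iff the pipeline equals the affine map (L, c0) on all 2^n messages."""
    L, c0 = induced_tampering(R, actions)
    return all(tamper_pipeline(R, actions, list(m)) == [x ^ y for x, y in zip(mat_vec(L, list(m)), c0)]
               for m in product((0, 1), repeat=n))

def entropy_of_induced_tampering(R, actions, leak):
    """(H_min(V), H_min(W | V = v), dim Ker g) of (11) for the source U_n | V = v, where
    V = leak(ECCenc(U_n)) and `leak` lists linear functionals on the share vector."""
    L, _ = induced_tampering(R, actions)
    MG = mat_mul(leak, G)                  # V = (MG) U_n is a linear function of the source
    support = null_space(MG, n)            # directions of the coset {m : MG m = v}
    h_w = rank([mat_vec(L, x) for x in support])   # dim Im(g) restricted to that coset
    return rank(MG), h_w, len(support) - h_w
```

With `f = ["set0", "set0", "keep", "keep", "flip", "keep", "keep", "keep"]` (share 0 overwritten), `R = {0, 1}` and one leaked bit, the script reports H∞(V) = 1, H∞(W | V = v) = 2 and dim Ker g = 1, so n − H∞(V) = 3 = 1 + 2 as (11) states.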
Theorem 27.
Let $\mathrm{aExt}: \{0,1\}^n \to \{0,1\}^d$ be an $(n - tN/P - \beta - \ell, \varepsilon_A)$-affine extractor. Let $\mathrm{nmExt}: \{0,1\}^d \times \{0,1\}^n \to \{0,1\}^\ell$ be a linear $(n - tN/P - \beta - d, \varepsilon_E)$-strong extractor with error $\varepsilon_E < 2^{-(d+3)}$. Let $\mathrm{ECCenc}: \{0,1\}^{d+n} \to \{0,1\}^N$ be the encoder of a linear erasure correcting code $\mathrm{ECC}$ that corrects $N - rN/P$ erasures with probability $\delta$. Let $(\mathrm{AMDenc}, \mathrm{AMDdec})$ be an AMD code with detection error $\varepsilon_{\mathrm{AMD}}$. Let
$$\begin{cases} \mathrm{Share}(s) = \mathrm{ECCenc}(Sd \,\|\, X), \text{ where } X \xleftarrow{\$} \mathrm{nmExt}^{-1}(Z, \mathrm{AMDenc}(s)) \text{ and } Sd = Z + \mathrm{aExt}(X) \text{ with } Z \xleftarrow{\$} \{0,1\}^d \\ \mathrm{Recst}_R(c_R) = \mathrm{AMDdec}(\mathrm{nmExt}(\mathrm{aExt}(\tilde{x}) + \widetilde{sd}, \tilde{x})), \text{ where } (\widetilde{sd} \,\|\, \tilde{x}) = \mathrm{ECCdec}_R(c_R), \end{cases}$$
where $R \subset P$ with $|R| = r$. Let $\varepsilon = 2^{\ell+d+7}\varepsilon_A + 4\varepsilon_E + \varepsilon_{\mathrm{AMD}}$. Then the coding scheme $(\mathrm{Share}, \mathrm{Recst})$ is an adaptive affine leakage-resilient non-malleable secret sharing with respect to $\mathcal{F}_{\mathrm{BIT}}$ with security parameters $\varepsilon$, $\delta$, leakage bound $\beta$ and ramp parameters $(t, r, P)$.

The proof of Theorem 27 is rather involved and is given in Appendix C. We provide an outline of the proof here. Recall that our goal is to replace the $\mathrm{anmExt}$ in (10) with an invertible affine extractor $\mathrm{aExt}''(sd \,\|\, \cdot) := \mathrm{nmExt}(\mathrm{aExt}(\cdot) + sd, \cdot)$, constructed from a suitable affine extractor $\mathrm{aExt}$ and seeded non-malleable extractor $\mathrm{nmExt}$, such that there is a distribution $D_{A_{\beta,\mathrm{affine}},\sigma,R}$ satisfying
$$(\mathrm{aExt}''(\widetilde{sd} \,\|\, W), \mathrm{aExt}''(sd \,\|\, U_n)) \sim (\mathrm{Copy}(D_{A_{\beta,\mathrm{affine}},\sigma,R}, U_\ell), U_\ell), \qquad (10')$$
where $(\widetilde{sd} \,\|\, W) := g^V_{\sigma,R}(sd \,\|\, U_n)$ denotes the tampered source of the affine extractor, with $V := \mathrm{View}^{O(\mathrm{ECCenc}(sd \| U_n))}_{A_{\beta,\mathrm{affine}}}$ denoting the view of the adversary $A_{\beta,\mathrm{affine}}$ on the encoding of a uniform source. In other words, we want the secret $S := \mathrm{aExt}''(sd \,\|\, U_n)$ to be independent of the tampered outcome $\mathrm{aExt}''(\widetilde{sd} \,\|\, W)$. Similar to the proof of Theorem 24, we proceed by first conditioning on a particular view $V = v$. A slight difference is that we now need to discuss two cases according to the entropy $H_\infty(W \mid V = v)$.

1. If the entropy $H_\infty(W \mid V = v)$ is less than $n - tN/P - \beta$, we can prove (12). Intuitively, if the induced affine tampering function $g^v_{\sigma,R}(\cdot)$ overwrites many bits, the information contained in $W$ is small enough that we can consider $W$ as a virtual leakage (together with the real leakage $V$) and directly argue independence. More concretely, the affine source $U_n \mid (V = v, W = w)$ has entropy $n - H_\infty(V) - H_\infty(W \mid V = v)$, which is at least n − tN/P − n − tN/P − β, big enough for the affine extractor $\mathrm{aExt}''(\cdot)$. We then have $(\mathrm{aExt}''(sd \,\|\, U_n) \mid (V = v, W = w)) \sim U_\ell$ and hence
$$((W, \mathrm{aExt}''(sd \,\|\, U_n)) \mid V = v) \sim ((W, U_\ell) \mid V = v). \qquad (12)$$

2. If the entropy $H_\infty(W \mid V = v)$ is at least $n - tN/P - \beta$, our target is (10') and we have enough entropy for generating an independent uniform seed for $\mathrm{nmExt}$ in the term $\mathrm{aExt}''(\widetilde{sd} \,\|\, W)$. But two differences between seedless and seeded non-malleable extractors prevent us from obtaining (10'), and we have to settle for (13). Roughly speaking, we allow the tampered outcome to be related to the original secret $S := \mathrm{aExt}''(sd \,\|\, U_n)$ in a simple way (thanks to the restriction to bit-wise tampering) in the event $\bar{E}_{g^v_{\sigma,R}}$, when the tampered seed is the same as the original seed and the security of a seeded non-malleable extractor is not available. More concretely,
$$\begin{cases} ((\mathrm{aExt}''(\widetilde{sd} \,\|\, W), S) \mid (V = v, E_{g^v_{\sigma,R}})) \sim ((\mathrm{aExt}''(\widetilde{sd} \,\|\, W), U_\ell) \mid (V = v, E_{g^v_{\sigma,R}})) \\ ((\mathrm{aExt}''(\widetilde{sd} \,\|\, W), S) \mid (V = v, \bar{E}_{g^v_{\sigma,R}})) \sim ((S + \Delta_{g^v_{\sigma,R}}, S) \mid (V = v, \bar{E}_{g^v_{\sigma,R}})), \end{cases} \qquad (13)$$
where $E_{g^v_{\sigma,R}}$ denotes the event that the tampered seed is different from the original seed, which is solely determined by $g^v_{\sigma,R}$, and $\Delta_{g^v_{\sigma,R}}$ is a distribution determined by $g^v_{\sigma,R}$ (hence independent of $S$). In the event $E_{g^v_{\sigma,R}}$, the reconstructed secret is independent of the original secret. In the event $\bar{E}_{g^v_{\sigma,R}}$, the AMD decoder outputs $\bot$, by definition.

Remark 28 (On Explicit Constructions of Linear Non-malleable Extractors). The only linear non-malleable extractor we found in the literature is an inner-product based construction $\mathrm{IP}(X, \mathrm{enc}(Z))$, where $\mathrm{IP}(\cdot,\cdot)$ denotes the inner product of vectors over the finite field $\mathbb{F}_q$ and $\mathrm{enc}(Z)$ is a specific encoding of the seed $Z$ [Li12]. Let $q = 2^\ell$. We can have a non-malleable extractor that outputs $\ell$ bits with exponentially small error if the source $X \leftarrow \mathbb{F}_q^{n/\ell}$ has entropy rate more than half. This extractor is $\mathbb{F}$-linear because for any seed $Z = z$ we have $\mathrm{IP}(X + X', \mathrm{enc}(z)) = \mathrm{IP}(X, \mathrm{enc}(z)) + \mathrm{IP}(X', \mathrm{enc}(z))$. This linear non-malleable extractor's output is a constant fraction of $n$ and its error is exponentially small in $n$. This extractor requires a source entropy rate bigger than half, which makes it not applicable in our construction, since the entropy requirement of $\mathrm{nmExt}$ is $n - tN/P - \beta - d < n$. This entropy-rate-around-half barrier existed in the literature of (non-linear) non-malleable extractor constructions [DLWZ14], but was quickly overcome [CGL16b], being only a technical barrier (not inherent). We next show that to output $\Omega(\log n)$ uniform bits with negligible error, at most $\phi n$ bits of entropy suffice, for any constant $\phi > 0$. This is shown using a probabilistic argument (see Appendix D for its proof) and we leave the explicit construction as an interesting open problem.

We conclude this section by stating an existence result for linear seeded non-malleable extractors with our required parameters.
Theorem 29.
For all integers $n, d, m$ and positive parameters $k, \varepsilon$, there is a linear seeded non-malleable $(k, \varepsilon)$-extractor $E: \{0,1\}^d \times \{0,1\}^n \to \{0,1\}^m$ provided that
$$\begin{cases} d \ge \log(n/\varepsilon) + O(1), \\ m \le \log(k + \log\varepsilon) - \log(1/\varepsilon) - \log d - O(1). \end{cases} \qquad (14)$$

We studied leakage-resilient secret sharing in the non-compartmentalized models and explicitly constructed schemes for the class of affine leakage functions. The adversary can apply affine leakage functions to the full share vector to obtain the outputs (subject only to a total length bound) as well as obtaining any unauthorized set of shares. We gave constructions for non-adaptive adversaries and adaptive adversaries, respectively. The construction for non-adaptive adversaries is near optimal in the sense that the secret length is almost equal to the share length minus the number of leaked bits. We extended our study to make these affine leakage-resilient secret sharing schemes also non-malleable with respect to a family $\mathcal{F}$ of tampering functions. We gave a construction for the family $\mathcal{F}_{\mathrm{affine}}$ of affine tampering functions for secret sharing with low threshold. For the family $\mathcal{F}_{\mathrm{BIT}}$ of Bit-wise Independent Tampering functions, we gave a construction for all choices of threshold. One interesting open question is whether affine leakage and tampering can be studied for secret sharing with arbitrary monotone access structures, or, on the other hand, whether other non-compartmentalized models can be studied for secret sharing, even threshold secret sharing. Our results about leakage-resilient non-malleable secret sharing also motivate open questions concerning explicit constructions of randomness extractors, in particular affine non-malleable extractors and linear seeded non-malleable extractors.
References

[ADKO15a] Divesh Aggarwal, Yevgeniy Dodis, Tomasz Kazana, and Maciej Obremski. Non-malleable reductions and applications. In ACM SIGACT Symposium on Theory of Computing, STOC 2015, pages 459–468, 2015.
[ADKO15b] Divesh Aggarwal, Stefan Dziembowski, Tomasz Kazana, and Maciej Obremski. Leakage-resilient non-malleable codes. In Theory of Cryptography Conference, TCC 2015, pages 398–426, 2015.
[ADL18] Divesh Aggarwal, Yevgeniy Dodis, and Shachar Lovett. Non-malleable codes from additive combinatorics. SIAM J. Comput., 47(2):524–546, 2018.
[ADN+18] Divesh Aggarwal, Ivan Damgård, Jesper Buus Nielsen, Maciej Obremski, Erick Purwanto, Joao Ribeiro, and Mark Simkin. Stronger leakage-resilient and non-malleable secret-sharing schemes for general access structures. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2018/1147, 2018.
[AGM+] In Advances in Cryptology - CRYPTO 2015, pages 538–557, 2015.
[AGM+] In Theory of Cryptography Conference, TCC 2015, pages 375–397, 2015.
[BDG+18] Marshall Ball, Dana Dachman-Soled, Siyao Guo, Tal Malkin, and Li-Yang Tan. Non-malleable codes for small-depth circuits. In IEEE Annual Symposium on Foundations of Computer Science, FOCS, pages 826–837, 2018.
[BDIR18] Fabrice Benhamouda, Akshay Degwekar, Yuval Ishai, and Tal Rabin. On the local leakage resilience of linear secret sharing schemes. In Advances in Cryptology - CRYPTO 2018, pages 531–561, 2018.
[BGK16] Andrej Bogdanov, Siyao Guo, and Ilan Komargodski. Threshold secret sharing requires a linear size alphabet. In Theory of Cryptography, TCC 2016-B, pages 471–484, 2016.
[BGW19] Marshall Ball, Siyao Guo, and Daniel Wichs. Non-malleable codes for decision trees. https://eprint.iacr.org/2019/379, 2019.
[Bla79] George R. Blakley. Safeguarding cryptographic keys. In Proceedings of the 1979 AFIPS National Computer Conference, pages 313–317, 1979.
[Bou07] Jean Bourgain. On the construction of affine extractors. Geometric and Functional Analysis, 17(1):33–57, 2007.
[BS18] Saikrishna Badrinarayanan and Akshayaram Srinivasan. Revisiting non-malleable secret sharing. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2018/1144, 2018.
[CCX13] Ignacio Cascudo Pueyo, Ronald Cramer, and Chaoping Xing. Bounds on the threshold gap in secret sharing and its applications. IEEE Trans. Information Theory, 59(9):5600–5612, 2013.
[CDF+08] Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padró, and Daniel Wichs. Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. In Advances in Cryptology - EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science, pages 471–488. Springer, 2008.
[CDN15] Ronald Cramer, Ivan Damgård, and Jesper Buus Nielsen. Secure Multiparty Computation and Secret Sharing. Cambridge University Press, 2015.
[CDS12] Mahdi Cheraghchi, Frédéric Didier, and Amin Shokrollahi. Invertible extractors and wiretap protocols. IEEE Trans. Information Theory, 58(2):1254–1274, 2012.
[CG17] Mahdi Cheraghchi and Venkatesan Guruswami. Non-malleable coding against bit-wise and split-state tampering. J. Cryptology, 30(1):191–241, 2017.
[CGL16a] Eshan Chattopadhyay, Vipul Goyal, and Xin Li. Non-malleable extractors and codes, with their many tampered extensions. In ACM SIGACT Symposium on Theory of Computing, STOC 2016, pages 285–298, 2016.
[CGL16b] Eshan Chattopadhyay, Vipul Goyal, and Xin Li. Non-malleable extractors and codes, with their many tampered extensions. In ACM SIGACT Symposium on Theory of Computing, STOC 2016, pages 285–298, 2016.
[CKR16] Nishanth Chandran, Bhavana Kanukurthi, and Srinivasan Raghuraman. Information-theoretic local non-malleable codes and their applications. In Theory of Cryptography - TCC, pages 367–392, 2016.
[CL17] Eshan Chattopadhyay and Xin Li. Non-malleable codes and extractors for small-depth circuits, and affine functions. In ACM SIGACT Symposium on Theory of Computing, STOC 2017, pages 1171–1184, 2017.
[CL18] Eshan Chattopadhyay and Xin Li. Non-malleable extractors and codes in the interleaved split-state model and more. http://arxiv.org/abs/1804.05228, 2018.
[CZ14] Eshan Chattopadhyay and David Zuckerman. Non-malleable codes against constant split-state tampering. In Foundations of Computer Science, FOCS 2014, pages 306–315, 2014.
[DDN00] Danny Dolev, Cynthia Dwork, and Moni Naor. Nonmalleable cryptography. SIAM J. Comput., 30(2):391–437, 2000.
[DDV10] Francesco Davì, Stefan Dziembowski, and Daniele Venturi. Leakage-resilient storage. In Security and Cryptography for Networks, SCN, pages 121–137, 2010.
[DKO13] Stefan Dziembowski, Tomasz Kazana, and Maciej Obremski. Non-malleable codes from two-source extractors. In Advances in Cryptology - CRYPTO 2013, pages 239–257, 2013.
[DLWZ14] Yevgeniy Dodis, Xin Li, Trevor D. Wooley, and David Zuckerman. Privacy amplification and nonmalleable extractors via character sums. SIAM J. Comput., 43(2):800–830, 2014.
[DP07] Stefan Dziembowski and Krzysztof Pietrzak. Intrusion-resilient secret sharing. In Foundations of Computer Science, FOCS 2007, pages 227–237, 2007.
[DPW18] Stefan Dziembowski, Krzysztof Pietrzak, and Daniel Wichs. Non-malleable codes. J. ACM, 65(4):20:1–20:32, 2018.
[DW09] Yevgeniy Dodis and Daniel Wichs. Non-malleable extractors and symmetric key cryptography from weak secrets. In ACM Symposium on Theory of Computing, STOC 2009, pages 601–610, 2009.
[FV19] Antonio Faonio and Daniele Venturi. Non-malleable secret sharing in the computational setting: Adaptive tampering, noisy-leakage resilience, and improved rate. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2019/105, 2019.
[GK18a] Vipul Goyal and Ashutosh Kumar. Non-malleable secret sharing. In ACM SIGACT Symposium on Theory of Computing, STOC 2018, pages 685–698, 2018.
[GK18b] Vipul Goyal and Ashutosh Kumar. Non-malleable secret sharing for general access structures. In Advances in Cryptology - CRYPTO 2018, pages 501–530, 2018.
[GS16] Venkatesan Guruswami and Adam D. Smith. Optimal rate code constructions for computationally simple channels. J. ACM, 63(4):35:1–35:37, 2016.
[GW17] Venkatesan Guruswami and Mary Wootters. Repairing Reed-Solomon codes. IEEE Trans. Information Theory, 63(9):5684–5698, 2017.
[JW15] Zahra Jafargholi and Daniel Wichs. Tamper detection and continuous non-malleable codes. In Theory of Cryptography Conference, TCC 2015, pages 451–480, 2015.
[KMS18] Ashutosh Kumar, Raghu Meka, and Amit Sahai. Leakage-resilient secret sharing. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2018/1138, 2018.
[LCG+19] Fuchun Lin, Mahdi Cheraghchi, Venkatesan Guruswami, Reihaneh Safavi-Naini, and Huaxiong Wang. Secret sharing with binary shares. In Innovations in Theoretical Computer Science Conference, ITCS 2019, pages 53:1–53:20, 2019.
[Li11] Xin Li. A new approach to affine extractors and dispersers. In IEEE Conference on Computational Complexity, CCC 2011, pages 137–147, 2011.
[Li12] Xin Li. Non-malleable extractors, two-source extractors and privacy amplification. In ACM SIGACT Symposium on Theory of Computing, STOC 2012, pages 688–697, 2012.
[Li17] Xin Li. Improved non-malleable extractors, non-malleable codes and independent source extractors. In ACM SIGACT Symposium on Theory of Computing, STOC 2017, pages 1144–1156, 2017.
[Li18] Xin Li. Pseudorandom correlation breakers, independence preserving mergers and their applications. Electronic Colloquium on Computational Complexity (ECCC), 25:28, 2018.
[LL12] Feng-Hao Liu and Anna Lysyanskaya. Tamper and leakage resilience in the split-state model. In Advances in Cryptology - CRYPTO 2012, pages 517–532, 2012.
[NZ96] Noam Nisan and David Zuckerman. Randomness is linear in space. Journal of Computer and System Sciences, 1(52):43–52, 1996.
[RRV02] Ran Raz, Omer Reingold, and Salil P. Vadhan. Extracting all the randomness and reducing the error in Trevisan's extractors. J. Comput. Syst. Sci., 65(1):97–128, 2002.
[Sha79] Adi Shamir. How to share a secret. Commun. ACM, 22(11):612–613, 1979.
[Sha06] Ronen Shaltiel. How to get more mileage from randomness extractors. In IEEE Conference on Computational Complexity (CCC) 2006, pages 46–60, 2006.
[Sti92] Douglas R. Stinson. An explication of secret sharing schemes. Des. Codes Cryptography, 2(4):357–390, 1992.
[SV18] Akshayaram Srinivasan and Prashant Nalini Vasudevan. Leakage resilient secret sharing and applications. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2018/1154, 2018.
[Tre01] Luca Trevisan. Extractors and pseudorandom generators. J. ACM, 48(4):860–879, 2001.
Appendices

A Proof for Lemma 13

Proof. Assume by contradiction that $\mathrm{SD}(V \mid W \in E;\ V' \mid W' \in E) > \varepsilon \Pr[W \in E] = \varepsilon$. W.l.o.g. there is an event $\Omega \subset \mathcal{V}$ (complementing $\Omega$ if necessary) such that $\Pr[V \in \Omega \mid W \in E] - \Pr[V' \in \Omega \mid W' \in E] > \varepsilon$. Now consider the event $\Omega \times E \subset \mathcal{V} \times \mathcal{W}$. We have
$$\begin{cases} \Pr[(V, W) \in \Omega \times E] = \Pr[V \in \Omega \mid W \in E] \cdot \Pr[W \in E]; \\ \Pr[(V', W') \in \Omega \times E] = \Pr[V' \in \Omega \mid W' \in E] \cdot \Pr[W' \in E]. \end{cases}$$
On the other hand, we have $\mathrm{SD}(W; W') \le \mathrm{SD}((V, W); (V', W')) \le \varepsilon$ and hence $\Pr[W \in E] \ge \Pr[W' \in E] - \varepsilon$. We can then derive the following contradiction:
$$\begin{aligned} \Pr[(V, W) \in \Omega \times E] - \Pr[(V', W') \in \Omega \times E] &\ge \Pr[W' \in E] \cdot \left(\Pr[V \in \Omega \mid W \in E] - \Pr[V' \in \Omega \mid W' \in E]\right) - \varepsilon \\ &> \Pr[W' \in E] \cdot \varepsilon - \varepsilon = \varepsilon. \end{aligned}$$
This concludes the proof.
B Proof for Theorem 17
The proof of Theorem 17 will follow naturally from Lemma 30. We first recall this general property of a linear strong extractor, which is proved in [LCG+].

Lemma 30 ([LCG+]). Let $\mathrm{Ext}: \{0,1\}^d \times \{0,1\}^n \to \{0,1\}^m$ be a linear strong $(k, \varepsilon)$-extractor. Let $f_A: \{0,1\}^{d+n} \to \{0,1\}^a$ be any affine function with output length $a \le n - k$. For any $m, m' \in \{0,1\}^m$, let $(Z, X) = (U_d, U_n) \mid (\mathrm{Ext}(U_d, U_n) = m)$ and $(Z', X') = (U_d, U_n) \mid (\mathrm{Ext}(U_d, U_n) = m')$. We have
$$\mathrm{SD}(f_A(Z, X);\ f_A(Z', X')) \le \varepsilon. \qquad (15)$$
With Lemma 30 at hand, we are now in a good position to prove Theorem 17.

Proof of Theorem 17. The reconstruction from $r$ shares follows trivially from the definition of a stochastic erasure correcting code. We now prove privacy and leakage resiliency.

The sharing algorithm of the scheme (before applying the stochastic affine code) takes a secret, which is a particular extractor output $s \in \{0,1\}^\ell$, uniformly samples a seed $z \in \{0,1\}^d$ of $\mathrm{Ext}$, and then uniformly finds an $x \in \{0,1\}^n$ such that $\mathrm{Ext}(z, x) = s$. This process of obtaining $(z, x)$ is the same as sampling $(U_d, U_n) \xleftarrow{\$} \{0,1\}^{d+n}$ uniformly and independently and then restricting to $\mathrm{Ext}(U_d, U_n) = s$. We define the random variable pair
$$(Z, X) := (U_d, U_n) \mid (\mathrm{Ext}(U_d, U_n) = s) \qquad (16)$$
and refer to it as the pre-image of $s$.

Let $\Pi_A: \left(\{0,1\}^{N/P}\right)^P \to \left(\{0,1\}^{N/P}\right)^t$ be the projection function that maps a share vector to the $t$ shares with index set $A \subseteq P$ chosen by the non-adaptive adversary. Observe that the composition $(\Pi_A \circ \mathrm{SA\text{-}ECCenc}): \{0,1\}^{d+n} \to \{0,1\}^{t}$ (for any fixed randomness $r$ of $\mathrm{SA\text{-}ECCenc}$) is an affine function. Moreover, for any affine leakage function $l: \{0,1\}^N \to \{0,1\}^\beta$, the composition $(l \circ \mathrm{SA\text{-}ECCenc}): \{0,1\}^{d+n} \to \{0,1\}^\beta$ is also an affine function. So the view of the adversary is simply the output of the affine function $f_A = (\Pi_A \circ \mathrm{SA\text{-}ECCenc} \,\|\, l \circ \mathrm{SA\text{-}ECCenc})$, where "$\|$" denotes concatenation, applied to the random variable tuple $(Z, X)$ defined in (16).

We can now formulate the privacy of the scheme in this context. We want to prove that the statistical distance of the views of the adversary for a pair of secrets $s$ and $s'$ can be made arbitrarily small. The views of the adversary are the outputs of the affine function $f_A$ with inputs $(Z, X)$ and $(Z', X')$ for the secrets $s$ and $s'$, respectively. According to Lemma 30, we then have that the privacy and leakage-resiliency error is 8 × ε = ε.

C Proof for Theorem 27
Proof.
Reconstruction from any r shares follows from the functionality of ECC and the invertibil-ity guarantee of the invertible extractor, which insures that any correctly recovered pre-image ismapped back to the original secret.We next prove non-malleability. Consider a uniform secret U ℓ . By the uniformity guaranteeof the inverter, we have Share ( U ℓ ) = ECCenc ( Sd || U n ). Our analysis is done for any fixed Sd = sd .This captures a stronger adversary who on top of adaptively reading t shares, also has access to Sd through an oracle. It is easy to see that the fixing of Sd = sd does not alter the distribution ofthe source U n , which remains uniform over { , } n . Let V : = View O ( ECCenc ( sd || U n )) A β, affine denote the viewof the adversary A on the encoding of a uniform source. Let ( ˜ sd || W ) : = g V σ,R ( sd || U n ) denote thetampered source of the affine extractor aExt ′′ ( sd ||· ) : = Ext ( aExt ( · ) + sd , · ). Let Z : = aExt ( U n ) + sd denote the original seed of nmExt , which is in particular a strong linear extractor. Let S : = nmExt ( Z , U n ). We study the random variable tuple ( V , W , Z , S ) to complete the proof.1. Handling the low entropy case.
We assume the induced tampering $g^v_{\sigma,R}$ has entropy at most $n - tN/P - \beta$. This means that $(U_n \mid (V=v, W=w))$ has entropy at least $n - tN/P - \beta$, according to (11). The tuple $(Z,S)\mid(V=v,W=w)$ for any fixed $V=v$ and $W=w$ is by definition $(\mathsf{aExt}(U_n)+\mathsf{sd},\ \mathsf{Ext}(\mathsf{aExt}(U_n)+\mathsf{sd},\,U_n))\mid(V=v,W=w)$. Since $(U_n\mid(V=v,W=w))$ is an affine source with at least $n - tN/P - \beta$ entropy, according to Lemma 19, we have
$$ (Z,S)\mid(V=v,W=w)\ \stackrel{{}^{d+3}\varepsilon_A}{\sim}\ (U_d,\ \mathsf{Ext}(U_d,U_n))\mid(V=v,W=w). $$
Our concern is the relation between $S$ and $W$, and therefore we would like to further condition on values of $Z$. In this step, we crucially use the linearity of $\mathsf{nmExt}$ and the underlying linear space structure of the affine source $(U_n\mid(V=v,W=w))$ to claim that there is a subset $G\subset\{\,,\,\}^d$ of good seeds such that $\Pr[U_d\in G]\ge 1-\varepsilon_E$ and, for any $z\in G$, the distribution of $\mathsf{nmExt}(z,U_n)\mid(V=v,W=w)$ is exactly uniform. This is true because $\mathsf{nmExt}(z,U_n)\mid(V=v,W=w)$ is an affine source. If its entropy is $\ell$, then it is exactly uniform. If its entropy is less than $\ell$, its statistical distance $\varepsilon^z_E$ from uniform is at least $1/2$. Using an averaging argument we have that at least a $1-\varepsilon_E$ fraction of the seeds should satisfy $\varepsilon^z_E < 1/2$, and hence $\varepsilon^z_E = 0$. We then use Lemma 13 with respect to the event $Z\in G$ to claim that
$$ S\mid(V=v,W=w,Z\in G)\ \stackrel{\frac{{}^{d+4}\varepsilon_A}{1-\varepsilon_E}}{\sim}\ \mathsf{nmExt}(U_d,X)\mid(V=v,W=w,U_d\in G), $$
where the right hand side is exactly $U_\ell$. Note that the subset $G$ is determined by the indices of the $t$ shares chosen by the leakage adversary $\mathcal{A}_{\beta,\mathrm{affine}}$ and the induced tampering function $g^v_{\sigma,R}$, hence remains the same for any value of $W=w$. We then have
$$ ((W,S)\mid(V=v,Z\in G))\ \stackrel{\frac{{}^{d+4}\varepsilon_A}{1-\varepsilon_E}}{\sim}\ ((W,U_\ell)\mid V=v). $$
Another application of Lemma 13 with respect to the event $S=s$ gives
$$ (W\mid(V=v,Z\in G,S=s))\ \stackrel{\frac{{}^{(\ell+1)+(d+4)}\varepsilon_A}{1-\varepsilon_E}}{\sim}\ (W\mid V=v). $$

We finally bound the non-malleability error as follows.
$$ \begin{aligned}
\mathrm{SD}\big(W\mid(V=v,S=s);\ (W\mid V=v)\big) &= \Pr[Z\in G]\cdot\mathrm{SD}\big((W\mid(V=v,S=s,Z\in G));\ (W\mid V=v)\big) \\
&\quad + \Pr[Z\notin G]\cdot\mathrm{SD}\big((W\mid(V=v,S=s,Z\notin G));\ (W\mid V=v)\big) \\
&\le 1\cdot\frac{{}^{(\ell+1)+(d+4)}\varepsilon_A}{1-\varepsilon_E} + (4\varepsilon_E+\varepsilon_A)\cdot 1 \\
&< {}^{(\ell+1)+(d+4)+1}\varepsilon_A + 4\varepsilon_E.
\end{aligned} $$

2. Handling the high entropy case.
We assume the induced tampering $g^v_{\sigma,R}$ has entropy at least $n - tN/P - \beta$. Note that for any bit-wise independent function $f^v$, we can define a difference function $\Delta f^v$ such that for any $c\in\{\,,\,\}^N$,
$$ f^v(c) = c + \Delta f^v(c). $$
The difference function $\Delta f^v$ also induces a source tampering $\Delta g^v_{\sigma,R}$. Now since the erasure correcting code ECC is linear, we must have for any $m\in\{\,,\,\}^{d+n}$,
$$ g^v_{\sigma,R}(m) = m + \Delta g^v_{\sigma,R}(m). $$
Let $\Delta W := \Delta g^V_{\sigma,R}(\mathsf{sd}\,\|\,U_n)$ be the tampered source induced by the difference function $\Delta f^v$. We immediately have
$$ W = U_n + \Delta W. \tag{17} $$
Moreover, since the overwrite bit functions of $f^v$ become non-overwrite bit functions of $\Delta f^v$, we then have $H_\infty(\Delta W\mid V=v) = n - H_\infty(V) - H_\infty(W\mid V=v)$. $f^v$ restricted to the support of $(U_n\mid V=v)$ satisfies the following.
$$ \dim(\mathrm{Ker}(\Delta g^v_{\sigma,R})) = n - H_\infty(V) - H_\infty(\Delta W\mid V=v) = H_\infty(W\mid V=v) \ge n - tN/P - \beta. \tag{18} $$
The quantity $\dim(\mathrm{Ker}(\Delta g^v_{\sigma,R}))$ characterises the remaining entropy in $U_n$ after conditioning on $V=v$ and $\Delta W=\Delta w$, for any particular $\Delta w$. Now since by assumption $H_\infty(W\mid V=v)\ge n - tN/P - \beta$, Lemma 19 says that
$$ \big((\mathsf{aExt}(W)+\tilde{\mathsf{sd}},\ \mathsf{aExt}''(\tilde{\mathsf{sd}}\,\|\,W))\mid V=v\big)\ \stackrel{{}^{d+3}\varepsilon_A}{\sim}\ \big((Z',\ \mathsf{nmExt}(Z',W))\mid V=v\big), \tag{19} $$
where $Z'$ is a uniform seed independent of $W$. We next use (17) and the linearity of $\mathsf{nmExt}$ to claim that
$$ \big((Z',\ \mathsf{nmExt}(Z',W))\mid V=v\big) = \big((Z',\ \mathsf{nmExt}(Z',U_n)+\mathsf{nmExt}(Z',\Delta W))\mid V=v\big). $$
We next show that the additive term $\mathsf{nmExt}(Z',\Delta W)$ can be ignored in the subsequent analysis of comparing $\mathsf{nmExt}(Z',W)$ against $\mathsf{nmExt}(Z,U_n)$. Since the remaining entropy in $U_n$ after conditioning on $V=v$ and $\Delta W=\Delta w$ is at least $n - tN/P - \beta$ (see (18)), we have according to the functionality of $\mathsf{nmExt}$ that
$$ \big((Z,\ \mathsf{nmExt}(T(Z),U_n),\ \mathsf{nmExt}(Z,U_n))\mid(V=v,\Delta W=\Delta w)\big)\ \stackrel{\varepsilon_E}{\sim}\ \big((Z,\ \mathsf{nmExt}(T(Z),U_n),\ U_\ell)\mid(V=v,\Delta W=\Delta w)\big), $$
where $T(\cdot)$ is a seed tampering function without fixed point.

Let $E_{g^v_{\sigma,R}}$ denote the event that $Z = Z'$ and w.l.o.g. assume $0 < \Pr[E_{g^v_{\sigma,R}}] < 1$. Applying Lemma 13 with respect to the event $E_{g^v_{\sigma,R}}$ yields
$$ \big((Z,\ \mathsf{nmExt}(Z',U_n),\ \mathsf{nmExt}(Z,U_n))\mid(V=v,\Delta W=\Delta w,E_{g^v_{\sigma,R}})\big)\ \stackrel{\frac{\varepsilon_E}{\Pr[E_{g^v_{\sigma,R}}]}}{\sim}\ \big((Z,\ \mathsf{nmExt}(Z',U_n),\ U_\ell)\mid(V=v,\Delta W=\Delta w,E_{g^v_{\sigma,R}})\big). $$
Now for any original seed $z$ and its tampered version $z'$, we always have that $\big(\mathsf{nmExt}(z,U_n)\mid(V=v,\Delta W=\Delta w,E_{g^v_{\sigma,R}},\mathsf{nmExt}(z',U_n)=\tilde s)\big)$, for any $\tilde s$, is an affine source. Its statistical distance to uniform is then either $0$ or at least $1/2$. Using an averaging argument, we have that for at most an $\frac{\varepsilon_E}{\Pr[E_{g^v_{\sigma,R}}]}$ fraction of such seeds, the above statistical distance exceeds $1/2$. Let $B$ denote these bad seeds. We then have
$$ \big((\mathsf{nmExt}(Z',W),\ \mathsf{nmExt}(Z,U_n))\mid(V=v,\Delta W=\Delta w,E_{g^v_{\sigma,R}},Z\notin B)\big) = \big((\mathsf{nmExt}(Z',W),\ U_\ell)\mid(V=v,\Delta W=\Delta w,E_{g^v_{\sigma,R}},Z\notin B)\big). $$
Taking into account the error incurred in transforming from the seedless extractor to the seeded extractor (19), we have that when the event $E_{g^v_{\sigma,R}}$ occurs, the non-malleability error is upper bounded as follows.
$$ \begin{aligned}
\varepsilon_{E_{g^v_{\sigma,R}}} &\le 1\cdot\frac{{}^{(\ell+1)+(d+4)}\varepsilon_A}{(1-\varepsilon_E)\Pr[E_{g^v_{\sigma,R}}]} + \frac{\varepsilon_E}{\Pr[E_{g^v_{\sigma,R}}]} + \varepsilon_A\cdot 1 \\
&\le \frac{{}^{(\ell+1)+(d+4)}\varepsilon_A}{\ -\,{}^{d+2}\varepsilon_E} + \frac{\varepsilon_E}{\Pr[E_{g^v_{\sigma,R}}]} + \varepsilon_A \\
&< {}^{(\ell+2)+(d+4)}\varepsilon_A + \frac{\varepsilon_E}{\Pr[E_{g^v_{\sigma,R}}]},
\end{aligned} $$
where the second inequality follows from the fact that $\Pr[E_{g^v_{\sigma,R}}]\ge {}^{-d}$ once $\Pr[E_{g^v_{\sigma,R}}] > 0$, and $\varepsilon_E < {}^{-(d+3)}$.

On the other hand, if the complementary event $\bar E_{g^v_{\sigma,R}}$ occurs, then
$$ \big((Z,\ \mathsf{nmExt}(Z,W),\ S)\mid(V=v,\Delta W=\Delta w)\big) = \big((Z,\ S+\mathsf{nmExt}(Z,\Delta w),\ S)\mid(V=v,\Delta W=\Delta w)\big). $$
This means that the tampering results in turning $S$ into $S+\mathsf{nmExt}(Z,\Delta w)$, where the offset $\mathsf{nmExt}(Z,\Delta w)$ is independent of $S$. In this case, let $S$ be the AMD codeword of the real secret with fresh independent encoding randomness. The decoder of the AMD code outputs $\bot$ except with probability $\varepsilon_{\mathrm{AMD}}$.

Taking into account the error incurred in transforming from the seedless extractor to the seeded extractor (19), we have that when the complementary event $\bar E_{g^v_{\sigma,R}}$ occurs, the non-malleability error is upper bounded as follows.
$$ \varepsilon_{\bar E_{g^v_{\sigma,R}}} \le 1\cdot\frac{{}^{(\ell+1)+(d+4)}\varepsilon_A}{1-\Pr[E_{g^v_{\sigma,R}}]} + \varepsilon_{\mathrm{AMD}}\cdot 1. $$
Finally, the total non-malleability error is
$$ \begin{aligned}
\varepsilon &\le \Pr[E_{g^v_{\sigma,R}}]\cdot\varepsilon_{E_{g^v_{\sigma,R}}} + \big(1-\Pr[E_{g^v_{\sigma,R}}]\big)\cdot\varepsilon_{\bar E_{g^v_{\sigma,R}}} \\
&< \big({}^{(\ell+2)+(d+4)}\varepsilon_A + 4\varepsilon_E\big) + \big({}^{(\ell+1)+(d+4)}\varepsilon_A + \varepsilon_{\mathrm{AMD}}\big) \\
&< {}^{\ell+d+7}\varepsilon_A + 4\varepsilon_E + \varepsilon_{\mathrm{AMD}}.
\end{aligned} $$

D Proof for Theorem 29
Proof. We adapt the proof of [DW09] to show the existence of non-malleable extractors that are linear; i.e., the extractor is a linear function for every fixed seed. This will however result in much weaker parameters than the non-linear counterparts.

For a function $E:\{\,,\,\}^d\times\{\,,\,\}^n\to\{\,,\,\}^m$, distinguisher $D:\{\,,\,\}^d\times\{\,,\,\}^m\to\{\,,\,\}^m$, seed tampering adversary $A:\{\,,\,\}^d\to\{\,,\,\}^d$, and error parameter $\varepsilon$, call an input $x\in\{\,,\,\}^n$ bad for the tuple $(E,A,D)$ if it violates the following condition for a uniform random seed $S\xleftarrow{\$}\{\,,\,\}^d$:
$$ \big|\Pr[D(S,E(A(S),x),E(S,x))=1] - \Pr[D(S,E(A(S),x),U_m)=1]\big| \le \varepsilon. $$
Let $\mathcal{B}(E,A,D,\varepsilon)$ denote the set of all bad inputs for $(E,A,D)$ for the parameter $\varepsilon$. We have the following.

Lemma 31. Suppose $|\mathcal{B}(E,A,D,\varepsilon)|\le\varepsilon\,2^k$ for all distinguishers $D$ and adversaries $A$. Then $E$ is a non-malleable $(k,\varepsilon)$-extractor.

Proof. Consider any source $X$ of min-entropy at least $k$, any distinguisher $D$ and adversary $A$. Then,
$$ \Pr[X\in\mathcal{B}(E,A,D,\varepsilon)] \le |\mathcal{B}(E,A,D,\varepsilon)|\,2^{-k} \le \varepsilon. $$
Let
$$ \Delta := \big|\Pr[D(S,E(A(S),X),E(S,X))=1] - \Pr[D(S,E(A(S),X),U_m)=1]\big|. $$
We have
$$ \Delta \le \Pr[X\in\mathcal{B}(E,A,D,\varepsilon)] + \varepsilon \le \varepsilon, $$
where the first inequality follows from the definition of the bad inputs. The result follows.

Adapting the notation of [DW09], the martingale-based argument of [DW09] proves the following:

Lemma 32 ([DW09], implicit in Theorem 37). Let $x\in\{\,,\,\}^n$ be fixed and $E:\{\,,\,\}^d\times\{\,,\,\}^n\to\{\,,\,\}^m$ be any random function such that $E(s,x)$ is uniformly random and independent for all choices of $s\in\{\,,\,\}^d$. Then, for any distinguisher $D$, adversary $A$, and error $\varepsilon >\ $,
$$ \Pr[x \text{ is bad for } (E,A,D)] \le\ {}^{-d}\ -\ \varepsilon\,), $$
where the probability is over the randomness of $E$.

We now consider a random function $E:\{\,,\,\}^d\times\{\,,\,\}^n\to\{\,,\,\}^m$. This time, however, the random function is linear. That is, for every seed $s$, we independently sample a random $m\times n$ matrix $M_s$ over $\mathbb{F}$ and define $E(s,x) = M_s x$. Consider an adversary that perturbs a seed $s$ to $A(s)$, and a distinguisher $D$.

Let $\mathcal{X}\subset\{\,,\,\}^n$ be any set of size $\varepsilon\,2^k$. Then $\mathcal{X}$ must have a subset $I(\mathcal{X})\subset\mathcal{X}$ of size at least $\log|\mathcal{X}| = k+\log\varepsilon$ such that the elements of $I(\mathcal{X})$ are linearly independent. This means that the random variables $E(s,x)$ for all $x\in I(\mathcal{X})$ and $s\in\{\,,\,\}^d$ are jointly independent. In particular, the events "$x$ is bad for $(E,A,D)$" are also jointly independent for $x\in I(\mathcal{X})$. Therefore, using Lemma 32,
$$ \begin{aligned}
\Pr[\text{all } x\in\mathcal{X} \text{ are bad for }(E,A,D)] &\le \Pr[\text{all } x\in I(\mathcal{X})\text{ are bad for }(E,A,D)] \\
&\le\ {}^{|I(\mathcal{X})|}\exp\big(-\,{}^{d}\ -\ \varepsilon\,|I(\mathcal{X})|\big) \\
&< \exp\big(2|I(\mathcal{X})| -\,{}^{d}\ -\ \varepsilon\,|I(\mathcal{X})|\big).
\end{aligned} $$

Now, using the above bound and the fact that $|I(\mathcal{X})| = k+\log\varepsilon$, we have
$$ \begin{aligned}
\Pr\big[|\mathcal{B}(E,A,D,\varepsilon)| > \varepsilon\,2^k\big] &\le \Pr[(\exists\,\mathcal{X}): \text{all } x\in\mathcal{X}\text{ are bad for }(E,A,D)] \\
&< \exp\big((2-\,{}^{d}\ -\ \varepsilon)\,|I(\mathcal{X})|\big)\cdot\binom{{}^{n}}{|I(\mathcal{X})|} \\
&= \exp\big((2-\,{}^{d}\ -\ \varepsilon)(k+\log\varepsilon)\big)\cdot\binom{{}^{n}}{k+\log\varepsilon},
\end{aligned} $$
where in the last inequality we have used a union bound over all possibilities of $I(\mathcal{X})$. Now, by using a union bound over all choices of $D$ and $A$ and using Lemma 31, we conclude that
$$ \Pr[E\text{ is not a non-malleable }(k,\varepsilon)\text{-extractor}] \le \exp\big((2-\,{}^{d}\ -\ \varepsilon)(k+\log\varepsilon)\big)\cdot\ {}^{\,n(k+\log\varepsilon)+{}^{d+2m}+d\,{}^{d}}. $$
The right hand side can be made less than 1, hence ensuring the existence of a linear non-malleable $(k,\varepsilon$
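The exponents in the final union bound, and the first inequality in the proof of Lemma 31, rest on counting arguments that the text leaves implicit. The derivation below is added here for the reader and is not part of the original paper. It assumes the binary alphabet $\{0,1\}$ for all strings, and it treats the distinguisher $D$, as the bad-input condition actually uses it, as a function of the three arguments $(S,\ E(A(S),x),\ E(S,x))$, i.e. $D:\{0,1\}^d\times\{0,1\}^m\times\{0,1\}^m\to\{0,1\}$.

Min-entropy step of Lemma 31. $H_\infty(X)\ge k$ means $\Pr[X=x]\le 2^{-k}$ for every $x$, so for any set $\mathcal{B}$,
$$ \Pr[X\in\mathcal{B}] = \sum_{x\in\mathcal{B}}\Pr[X=x] \le |\mathcal{B}|\cdot 2^{-k}, $$
which gives $\Pr[X\in\mathcal{B}]\le\varepsilon$ as soon as $|\mathcal{B}|\le\varepsilon\,2^k$.

Union bound over $I(\mathcal{X})$. A set $I(\mathcal{X})$ of size $j = k+\log\varepsilon$ is a $j$-element subset of the $2^n$ strings of length $n$, so there are at most
$$ \binom{2^n}{j} \le (2^n)^j = 2^{nj} = 2^{n(k+\log\varepsilon)} $$
choices, matching the factor $2^{n(k+\log\varepsilon)}$ in the bound.

Union bound over $A$ and $D$. A seed tampering adversary is an arbitrary map $A:\{0,1\}^d\to\{0,1\}^d$, and a distinguisher is an arbitrary map $D:\{0,1\}^{d+2m}\to\{0,1\}$; counting functions by their truth tables,
$$ \#\{A\} = (2^d)^{2^d} = 2^{d\,2^d}, \qquad \#\{D\} = 2^{2^{d+2m}}, $$
so a union bound over all $(A,D)$ pairs multiplies the failure probability by $2^{d\,2^d}\cdot 2^{2^{d+2m}}$, which is where the remaining two terms in the exponent of the final bound come from. Under this reading the right hand side is $\exp\big((2-\,{}^{d}\ -\ \varepsilon)(k+\log\varepsilon)\big)\cdot 2^{\,n(k+\log\varepsilon)+2^{d+2m}+d\,2^d}$, and the existence claim follows whenever the parameters make this product smaller than $1$.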