 Hello, everyone. I'll talk about non-malleable codes for bounded polynomial depth tampering. This is based on joint work with Dana Dachman-Soled and Raphael Paz. So the problem that we'll be talking about is really simple. It's just two parties, a sender and the receiver. The sender wants to transmit a message to the receiver. What makes the problem challenging is that we consider a men and menal attacker or a tampering function, you can think of it, that sits on the channel, intercepts all the messages that come from the sender, inspect them in any way once, and then spits out a possibly different message to the receiver. What we want to guarantee is that the adversary, this adversary that sits on the channel, cannot meaningfully modify the message. And what we mean by meaningful modification is that we want to make sure that the decoded message that the receiver sees in the end of this game is with very high probability, either the original message that was intended to be sent by the sender or something completely unrelated. And notice that the adversary could always just intercept the message that the sender sent, throw it away and just send something completely random to the receiver. In this case, we want the message received by the receiver to be completely unrelated because it's independent of the message underlying the real code word. Or we want to make sure that the adversary, no matter what he did, he tried to modify the underlying message. It could, it didn't succeed. So this primitive is called the non-malleable code. It was introduced about 10 years or a little bit more, 10 years ago by Zimbabwe-Skippetsch and Riks. And it has received significant attention from various communities in the past decade or so. It was a, for instance, it was used as a building block in modern constructions of multi-source extractors. And interesting connections with other combinatories have been rediscovered. And it was more naturally used as a building block in various non-malleable cryptographic constructions. So this is a very useful and important notion. But before I tell you what we know about it, I wanted to draw some connections with existing primitives that you may have heard about and explain the differences. So two primitives that I'll be talking about or comparing non-malleable codes to are error correcting codes and non-malleable commitments. So the first distinction between these three primitives comes in the class of adversaries that we're willing to tolerate. In an error correcting code, the adversary sees the code word but is limited in the way it can modify it or temper with it. And specifically, usually what we allow the adversary to do is to choose a subset of coordinates, let's say one half of them or one third of them or some fraction of the code word of the symbols in the message and modify them arbitrarily. And we want to guarantee that the receiver can recover the original message. Non-malleable commitments, the adversary sees the message that it sent from a sender to receiver but it can apply an arbitrary polynomial time function on it. So it's not limited in the way that it accesses the code word. It can do arbitrary computation and do anything on it as long as it's polynomial size. And then non-malleable codes as we're gonna see the adversary somewhere in between. It's not an arbitrary polynomial size machine but we hope that it's gonna be a little bit more than just changing a subset of coordinates. And the second difference between these three primitives is that we want to be able to decode them. This is why, for instance, this is why non-malleable commitments, you can allow arbitrary polynomial sized adversary. It's because we don't really expect the receiver to decode, it's just a commitment. In non-malleable code and in the right error correcting code, we do expect the receiver to decode and this is why we cannot support any polynomial size factor. Okay, so this is just to put things a little bit in context. So here's some very basic facts about non-malleable codes. So first of all, as I alluded to in the previous slide, if decoding can be done efficiently, then there's no way to support all polynomial size temporary functions. Because the adversary could decode if it's possible in doing polynomial time. And if the message is equal to some predefined message, let's say it's all zeros, then we just output the all zeros string. And otherwise we output the code word by any meaningful notion of non-malleability. This is a valid tampering attack. And that's why we have to limit the adversary in some way, if we're requiring that decoding is polynomial time. So there has been many suggestions as to how to limit the adversary. So for instance, we can limit its running time and run slower than the decoding. It might have a small space, namely it might use less space than is required by the decoding or we can limit in some way the access to the code word. For instance, we can allow an un-temperable common reference string or we limit the way the adversary accesses the code word, not in the amount of things it can modify, but in the way it can modify them. And this is where, for instance, one useful notion is split state adversaries. So here are some results that are known. So first of all, in the very original work of Zimbalski-Pierre Chicken Weeks, it was already shown that this primitive exists. It lives non-explicitly. Namely, if you choose a random encoding scheme, it will be secure for any circuit of size two to the N over two. And what about explicit construction? So there has been lots of work and here are a couple of examples. If we limit the adversary to be a polynomial size circuit, an arbitrary polynomial size circuit, then we can support the, we can indeed guarantee non-multiability if we assume an untemperable CRS. So we assume there is some CRS that's written in the sky. It had to be bigger than the size of the adversary, so bigger than this S. And the adversary is not allowed to temper with it and it won't be even allowed to read it because it's so long, but there is an explicit construction. There's also explicit constructions in models with something like a random oracle model. If we assume the adversary has bounded space, so we cannot just store the whole random oracle in memory. And more recent work focused on constructing non-multiability codes against complexity classes. Versaries have come from some well-known complexity classes like AC0, NC0, and the most up-to-date results are even construction secure almost again and against NC1. So it's log depth circuits. Specifically, they obtain log over log log depth circuits. So we have many constructions under many assumptions. Some of them are a trust with develop assumptions. Some of them are assumptions about the explicitness of the construction. And arguably the holy grail for this whole line of work where it leads to is a construction of an explicit non-multiability code. So we first want an explicit construction of a non-multiability code. And we want to be secure against the best we can hope for, which is just bounded for the normal size circuit. So I give you a bound, let's say, into the 100. And I want to construct an explicit non-multiability code that is secure or non-multiability for all attackers of size up to the end to the 100. So this is the holy grail. We want to be able to do this for any polynomial, not just end to the 100. And ideally, we would like the encoding to run in fixed polynomial time. So independent of this 100, so maybe end to the fifth for any fixed polynomial which bounds the running time of the adversary. But as I mentioned, the coding has to take longer. So we want encoding in fixed polynomial time and decoding to depend on the class of the adversary. So this is the holy grail. So what has been done towards this holy grail? So the first attempt to really achieve something that looks like comes close to the holy grail was done by Bollett-Ball about three years ago. They suggested, well, let's use crypto to see if this task is even possible. And they indeed obtained the result. They showed that if you assume fabric encryption and non-interactive zero knowledge, plus some average case partners for the class of attackers that you're willing to capture, then there exists a non-multiability code for this class of attackers. So this is a great result in terms of feasibility. The downside is that they're using the public encryption scheme and the NISIC, which both of which rely on CRS. In the case of a public encryption scheme, it's just the public scheme. And both of them have to be written in the sky in some sense and they're untemperable by the attacker. The advantage of this construction over previous ones is that here the CRS is short. It's independent of the class F. So this was the first result. And then the follow-up by Bollett-All was a construction in the plain model. So, right, they got rid of the CRS. They got construction in the plain model. Al-Baif, they had several, still had several caveats. The first is that they relied on P-certificates. P-certificates is a rather strong assumption. It's a succinct one message argument for P for all polynomial and computations. And it's succinct in the strongest sense that you can imagine. The proof size is independent of the computation, the witness for the instance, right? It's just the best notion of succinctness you can imagine. And one candidate for this construction is Michalis CS proof system when you instantiate the random market with the concrete hash function. And this is the best of our knowledge. This is the only candidate up to now to date. So this is a rather strong assumption. And, but they had even ignoring this strong assumption which perhaps we're willing to settle for, they had a couple of more downsides. One was that they obtained normal ability only for uniform adversaries as opposed to the standard notion of non-uniform security against non-uniform attackers. They only obtained normal ability with inverse polynomial distinguishing advantage, namely an adversary could perform a successful tampering attack with some inverse polynomial probability. And lastly, both their decoding and encoding run longer than the adversary. And optimally, we would like to achieve the encoding in a fixed polynomial time. So this is what's known about this problem. What we do, we have like a meta theorem that implies a new construction of a non-malleable code. So here are the three building blocks that we need for our meta theorem. Let me just say that this is not a generic construction in any of this, in any instantiation of these primitives. We use specific constructions and specific properties that I will explain a little bit later. But the general recipe is easy to explain in a generic way. So we use three primitives. It's a time of puzzle, a one message non-malleable commitment and the one message a zero knowledge scheme. By one message, I mean just a single shot, one message, no theorist or anything like that. To be clear, a time of puzzle is this method to create puzzles that are easy to create but require some moderate polynomial sequential effort. So even if you have many processors in, even if the adversary has many processors that you can run in parallel, it's a way to generate problems that are still hard to solve as long as the sequential running time is less than some predefined time. So we use these three primitives with sub exponential security and we obtain the polynomial non-malleable code. So for any polynomial T, there exists a non-malleable code where the encoding takes time polynomial in lambda. So that's the security parameter. So it's a fixed polynomial. The coding takes time polynomial in T and lambda. And notice that the dependence on T is necessary. And we guarantee non-malleability for all adversaries of size of most T. So this is really achieving the Holy Grail dimension before and we check all the boxes that you can imagine. We achieve non-uniform security. We achieve negligible advantage with negligible non-malleability like what you would expect. We have fast encoding as I mentioned and we even get non-malleability for a larger class of adversaries because we're using time log puzzles. We actually get non-malleability for all polynomial size adversaries as long as their depth is a priori bounded. So you only need to bound the depth of the attacker, namely the further runtime of the attacker. And then we can support arbitrary polynomial size attackers. So this is the main theorem. Let me tell you about the specific instantiation that we have. So these are the three primitives which imply non-malleability code and non-malleability code for bounded polynomial depth tempering. We instantiate the time log puzzles using repeated squaring assumption, the most well known construction. And we use two other assumptions a keyless multi-collision resistant hash and the knee-wee to instantiate the other two primitives. So all in all, we get the construction of our non-malleability code from three assumptions. It's the repeated squaring assumption, keyless multi-collision resistant hash and knee-wee for NP. So this is the main result of our paper. Let me tell you a little bit about how the construction works. The construction is very easy to explain in steps. Let's pursue the time of puzzle and see what we get. We encode the message using a time of puzzle and we can decode using the solving procedure of the time of puzzle. This achieves in terms of functionality the achieves what we want. We encode really fast and we can decode within a predefined time again to the one hundred. The problem is that time of puzzles are not non-malleable. So we cannot just, so we cannot claim non-malleability. They're in fact not non-malleable. So let's add a non-malleable component to the scheme and together with the time of puzzles encoding let's also commit with a non-malleable commitment to the message. So this adds some non-malleable component but the problem is that the coding is independent of it and the adversary could just ignore it, right? He could tamper with time of puzzle and modify the output of the experiment. So we add a zero-knowledge proof that shows that the two components are encoding the same message. So the time of puzzle and the non-malleable commitment are consistent with respect to the underlying message. This construction is really in the spirit of an orientable encryption method and I'll talk a little bit more about that soon. So this is our final construction. The security definition that we achieve that this construction achieves is the standard one in the non-malleable coding literature. There are two experiments that need to be indistinguishable. The real world experiment allows an attacker to obtain a code word, modify it in an arbitrary way and then decode and the output of the decoding is the output of the experiment. In the real-world experiment, there is a simulator that doesn't know the underlying message. It either outputs some message and field which is independent of M or it outputs the word same. Same meaning that the adversary didn't change anything. And the output of the experiment is either the original message, if the adversary, if the simulator outputs the same or it's the unrelated message and field. This is the natural thing you would expect and this is what we achieve. Here's a couple of words about the main proof idea. So I mentioned that the construction is in the spirit of non-malleable encryption except that instead of using two public encryption schemes like they do, we use a non-malleable commitment and a time lock puzzle. But one natural approach for the proof would be to say, okay, let's replace the real decryption with a simulated one and decryption in our case is decoding. So let's replace the decoding procedure with a simulated one. But the challenge is that for us, the simulated decoding procedure is to essentially extract from the commitment. So the real decoding procedure is to solve the time lock puzzle but the alternate one would be to break the commitment. And breaking the commitment is a super polynomial time task while breaking the time lock puzzle is a polynomial time task. So it's really non-clear a priori how you would be able to move to the simulated decoding procedure without breaking the scheme, the security of the scheme. So here's the problem in detail and where it comes up. So once in the proof, once we simulate the zero-knowledge proof we are and we're trying to move to the alternate decoding where we extract from the normal commitment two conditions must be satisfied. The first is that the extractor of the non-malleable commitment should not be able to break zero-knowledge. The second one is that the simulator should not be able to break non-malleability. So we get two inequalities. Also for all known one-message zero-knowledge schemes for all of them the simulator running time is larger than the guarantee of zero-knowledge, with the running time of the distinguisher in the zero-knowledge experiment. And it's a major problem to construct one where the inequalities reverse and the simulator is faster, it's really fast. So we cannot use that. So if you take the three inequalities that are written now you see that the time to extract has to be much smaller than non-malleability which is a contradiction, right? Because the extractor of the commitment can extract the underlying value and can trivially break non-malleability. So we got the contradiction at least in the usual proof strategy. The main idea in the proof is to take advantage of the specific primitives that we're using. And specifically we're gonna introduce in the proof another axis of harness, specifically non-uniformity. We're gonna instantiate the primitives in a very careful way so that the inequalities that we need work out what we're gonna do is to instantiate the zero-knowledge system to be zero-knowledge against sub-exponential size attackers while showing that simulation can be done in polynomial size but using a non-uniform simulator that has some advice hard coded. Non-malleability is gonna be for the polynomial size attackers and extraction will be possible in sub-exponential size. If you stare at this for two minutes you'll see that setting the parameters of the schemes of the primitives in this way you indeed satisfy the three inequalities that we need. Extractor cannot break zero-knowledge. The simulator cannot break non-malleability and the extractor can break non-malleability. Before concluding, let me mention a couple of more technical challenges that we encountered during the proof. The first challenge is that the time of puzzles are a polynomial time primitive. An adversary that runs in polynomial time can solve the time of puzzle. So in particular, the step in the proof or the step in the reduction where we use the hardness of the time of puzzle must be implemented in polynomial time. And this seems a priori a little bit challenging but the point is that the time of puzzles are polynomial time in terms of depth or parallel time but they don't have to be polynomial time in size. Namely, we instantiate the time of puzzle in a way that it's secure for attackers that might have super polynomial size but some polynomial, fixed polynomial depth. And this is how we implement this step in the reduction. The second challenge is that non-malleability needs to be dealt with carefully. And the reason is that the instantiation of the zero-knowledge system that we're using because we're in the unknown from setting and the zero-knowledge system is a one-message system with no CRS, there's only one message. Then the system only satisfies a weak notion of soundness. And this weak notion of soundness roughly, very roughly means that the adversary might know some amount of cheating proofs or valid proofs for full statements but not too many of them. And the proof needs to take this into account and we need to deal with it. I'll refer to the paper for more details. So let me summarize our results. So the result is a non-malleable code for all bounded polynomial depth attackers. The construction is in the plain model without any trusted set of assumptions. The construction can be viewed because we get hardness for parallel time for a priori bounded, polynomially bounded parallel time. The construction can be actually viewed as a non-malleable time-lock puzzle. So we're taking a time-lock puzzle and we're making it non-malleable. And in the follow-up work, we, together with the priori and flight again class, we perform a thorough study of non-malleable time-lock puzzles. We have more efficient constructions than what is presented here, which is primarily theoretical and the feasibility results. There we have a really practical and efficient construction with very weak set of assumptions. And we also show that these primitives really useful for applications. For instance, we get multi-party fair co-intoxic protocols and multi-party fair auctions and so on. And I think that this work introduces a couple of very interesting open problems. The first is to improve the assumptions, prove the underlying assumptions, of course, and mostly the thing to focus on, in my opinion, is the Keyleth hash function that we rely on. And of course, the concrete efficiency of our scheme is not that great if you use existing construction, existing instantiation of all the schemes. And it would be interesting to come up with an efficient construction, practically efficient construction without set of assumptions. So thank you very much for listening and have a good day.