1 Introduction

Non-malleable codes, introduced in the seminal work of Dziembowski et al. [31], are an extension of error-correcting codes. Whereas error-correcting codes provide the guarantee that (if not too many errors occur) the receiver can recover the original message from a corrupted codeword, non-malleable codes are essentially concerned with security. In other words, correct decoding of corrupted codewords is not guaranteed (nor required), but it is instead guaranteed that adversarial corruptions cannot influence the output of the decoding in a way that depends on the original message: the decoding is either correct or independent of the original message.

The main application of non-malleable codes is in the setting of tamper-resilient computation (although non-malleable codes have also found connections in other areas of cryptography [22, 23, 36] and theoretical computer science [18]). Indeed, as suggested in the initial work of Dziembowski et al. [31], non-malleable codes can be used to encode a secret state in the memory of a device such that a tampering adversary interacting with the device does not learn anything more than the input-output behavior. Unfortunately, it is impossible to construct non-malleable codes secure against arbitrary tampering, since the adversary can always apply the tampering function that decodes the entire codeword to recover the message m and then re-encodes a related message \(m'\). Thus, non-malleable codes are typically constructed against limited classes of tampering functions \({\mathcal {F}}\). Indeed, given this perspective, error correcting codes can be viewed as a special case of non-malleable codes, where the class of tampering functions, \({\mathcal {F}}\), consists of functions which can only modify some fraction of the input symbols. Since non-malleable codes have a weaker guarantee than error correcting codes, there is potential to achieve non-malleable codes against much broader classes of tampering functions \({\mathcal {F}}\) (including tampering that modifies every bit).

Exploring rich classes of tampering functions. Several works construct non-malleable codes (NMC) against general tampering classes of bounded size, but with non-explicit, existential, or inefficient constructions (cf. [19, 31, 35]). For efficient and explicit constructions, a large body of works construct NMC against bit-wise tampering (cf. [10, 21, 31]), and more generally split-state tampering (cf. [1,2,3, 15, 19, 20, 30, 39, 40, 44, 47]), where the adversary can tamper each part of the codeword independently of other parts, as well as NMC against permutations, flipping, and setting bits [5].

A recent line of works is shifting towards considering the construction of NMC against tampering classes \({\mathcal {F}}\) that correspond to well-studied complexity-theoretic classes, and may also better correspond to tampering attacks in practice. Specifically, Ball et al. [7] construct NMC against local tampering functions including \({\mathsf {N}}{\mathsf {C}}^0\), and Chattopadhyay and Li [16] construct NMC against \({\mathsf {A}}{\mathsf {C}}^0\) tampering, but inefficiently (with super-poly size codewords). Additionally, NMC with weaker notions of security are constructed by Faust et al. [32] against space-bounded tampering (in the random-oracle model), and by Chandran et al. [12] for block-wise tampering (where the adversary receives the message in a streaming fashion, block-by-block). We discuss these works in Sect. 1.3.

In this work, we continue this line of research and consider constructing non-malleable codes against various complexity classes, including: (1) \({\mathsf {A}}{\mathsf {C}}^0\) tampering, where the tampering function is represented by a polynomial size constant-depth, unbounded fan-in/fan-out circuit, (2) tampering with bounded-depth decision trees, where the tampering function is represented by a decision tree with n variables and depth \(n^\epsilon \) for \(\epsilon <1\), (3) streaming tampering with quadratic space, where the tampering function is represented by a read-once, bounded-width (\(2^{o(n^2)}\)) branching program, (4) small threshold circuits: depth d circuits of majority gates with a quasilinear number of wires, (5) fixed polynomial time tampering: randomized Turing machines running in time \(O(n^{k})\) for any fixed k. Constructing non-malleable codes against a wide array of complexity classes is desirable since in practice, the capabilities of a tampering adversary are uniquely tied to the computational setting under consideration and/or the physical device being used. For example, our motivation for studying \({\mathsf {A}}{\mathsf {C}}^0\) stems from a setting wherein an attacker has limited time to tamper, since the tampering function must complete before race conditions take effect (e.g. before the end of a clock-cycle in a synchronous circuit). \({\mathsf {A}}{\mathsf {C}}^0\) circuits, which are constant-depth circuits, model such attackers since the propagation delay of a circuit is proportional to the length of the longest path from input to output.

1.1 Our Results

We present general frameworks for constructing non-malleable codes for encoding one-bit and multi-bit messages against various tampering classes \({\mathcal {F}}\) for which average case hardness results are known. Our frameworks (one for single-bit and one for multi-bit) include both a generic construction, which requires that certain underlying primitives are instantiated in a suitable way, as well as a proof “template.” Our frameworks are inspired by the well-known double-encryption paradigm for constructing CCA2-secure public key encryption schemes [45, 48, 50]. And although we rely on techniques that are typically used in the cryptographic setting, we instantiate our framework for particular tampering classes \({\mathcal {F}}\) in both the computational setting and in the information theoretic one. For the computational setting, our results rely on computational assumptions, and require a common-reference string (CRS), which the adversary can see before selecting the tampering function (as typical in other NMC works using CRS or random oracles). For the information theoretic setting, our results do not require CRS nor any computational assumption (as the primitives in our framework can be instantiated information theoretically). Our general theorem statements provide sufficient conditions for achieving NMC against a class \({\mathcal {F}}\). Somewhat informally, the main such condition, especially for the one-bit framework, is that there are sufficiently strong average-case hardness results known for the class \({\mathcal {F}}\). In particular, we obtain the following results, where all the constructions are efficient and, for the multi-bit NMC, the achieved rate is \(1/{{\mathrm{poly}}}(m)\) where m is the length of the message being encoded.

  • Constructions for \({\mathsf {A}}{\mathsf {C}}^0\) tampering: We obtain computational NMC in the CRS model against \({\mathsf {A}}{\mathsf {C}}^0\) tampering. Our constructions require public key encryption schemes with decryption in \({\mathsf {A}}{\mathsf {C}}^0\), which can be constructed e.g. from exponential hardness of learning parity with noise [9], as well as non-interactive zero knowledge (NIZK), which can be constructed in the CRS model from enhanced trapdoor permutations.

    Previous results by Chattopadhyay and Li [16] achieve NMC for \({\mathsf {A}}{\mathsf {C}}^0\) with information theoretic security (with no CRS), but are inefficient, with super-polynomial rate.

  • Constructions for bounded-depth decision trees: We obtain computational NMC in the CRS model against tampering with bounded-depth decision trees. Our construction requires the same computational assumptions as the \({\mathsf {A}}{\mathsf {C}}^0\) construction above. The depth of the decision tree we can handle is \(n^\epsilon \), where n is the number of bits being encoded, and \(\epsilon \) is any constant. No results for this class were previously known.

  • Constructions for streaming, space-bounded tampering: We obtain unconditional non-malleable codes against streaming, space-bounded tampering, where the tampering function is represented by a read-once, bounded-width branching program. Our construction does not require CRS or computational assumptions.

    No NMC results for this standard complexity theoretic class were previously known. However, this tampering class can be viewed as a subset (or the intersection) of the space bounded class considered by Faust et al. [32] (who don’t limit the adversary to be streaming), and the block-wise tampering class considered by Chandran et al. [12] (who don’t bound the adversary’s space, but don’t give security in the event that decoding fails). In both cases there cannot be NMC with the standard notion of security, and so those previous works must relax the security requirement (and [32] also relies on a random oracle). In contrast, we achieve the standard (in fact, an even stronger) notion of NMC, without a random oracle (nor CRS, nor any computational assumption) for our class.

  • Additional Constructions: We also briefly note two additional applications of our paradigm as proof of concept. Both complexity classes can be represented by circuits of size \(O(n^c)\) for some fixed c, a class for which [35] provides non-malleable codes in the CRS model, without computational assumptions. We include these results here merely to show the applicability of our framework to general correlation bounds; for example, strong correlation bounds against \(\mathsf {ACC}^0[p]\) or \({\mathsf {T}}{\mathsf {C}}^0\) would likely immediately lead to non-malleable codes against the same classes using our framework.

    1. Under the same assumptions invoked in the constructions against \({\mathsf {A}}{\mathsf {C}}^0\) and bounded-depth decision trees we obtain computational NMC in the CRS model against tampering with small threshold circuits: threshold circuits with depth d and \(n^{1+\epsilon }\) wires.

    2. Assuming any public key encryption scheme and zk-SNARKs, we obtain computational NMC in the CRS model against tampering by Turing Machines running in time \(O(n^{k})\), where k is a constant. However, we should note that these codes have weak tampering guarantees: tampering experiments with respect to different messages are only polynomially close to one another.

1.2 Technical Overview

We begin by describing our computational NMC construction (in the CRS model) for one-bit messages secure against tampering in \({\mathsf {A}}{\mathsf {C}}^0\), which will give the starting point intuition for our results. We then show how the \({\mathsf {A}}{\mathsf {C}}^0\) construction can be modified to derive a general template for constructing NMC for one-bit messages secure against a wider range of tampering classes \({\mathcal {F}}\), and discuss various classes \({\mathcal {F}}\) for which the template can be instantiated. We then discuss how the template can be extended to achieve NMC for multi-bit messages secure against a wide range of tampering classes \({\mathcal {F}}\). Finally, we discuss some particular instantiations of our multi-bit template, including our constructions of computational NMC (in the CRS model) against tampering in \({\mathsf {A}}{\mathsf {C}}^0\) and against bounded-depth decision trees, as well as our unconditional NMC (with no CRS) against streaming tampering adversaries with bounded memory.

The starting point: Computational NMC against \({\mathsf {A}}{\mathsf {C}}^0\) for one-bit messages. The idea is to use a very similar paradigm to the Naor and Yung paradigm for CCA1 encryption [48] (later extended to achieve CCA2 [45, 50]), using double encryption with simulation-sound NIZK. The main observation is that using the tableau method, we can convert any NIZK proof system with polynomial verification into a NIZK proof system with a verifier in \({\mathsf {A}}{\mathsf {C}}^0\).

We also need a PKE scheme with perfect correctness and decryption in \({\mathsf {A}}{\mathsf {C}}^0\) (this can be constructed using the transformation of Dwork et al. [29] on top of the scheme of Bogdanov and Lee [9]).

We now sketch (a slightly simplified version of) the NM encoding scheme:

The CRS will contain a public key \(\textsc {pk}\) for an encryption scheme \({\mathcal {E}} = (\mathsf {Gen}, \mathsf {Encrypt}, \mathsf {Decrypt})\) as above, and a CRS \(\mathsf {crs}\) for a NIZK. For \(b \in \{0,1\}\), let \({\mathcal {D}}_b\) denote the distribution over \(x_1, \ldots , x_n \in \{0,1\}^n\) such that \(x_1, \ldots , x_n\) are uniform random, conditioned on the parity of the bits being equal to b.

To encode a bit b:

  1. Randomly choose bits \(x_1, \ldots , x_n\) from \({\mathcal {D}}_b\).

  2. Compute \(c_1 \leftarrow \mathsf {Encrypt}_\textsc {pk}(x_1), \ldots , c_n \leftarrow \mathsf {Encrypt}_\textsc {pk}(x_n)\) and \(c \leftarrow \mathsf {Encrypt}_\textsc {pk}(b)\).

  3. Compute n NIZK proofs \(\pi _1, \ldots , \pi _n\) that \(c_1, \ldots , c_n\) are encryptions of bits \(x_1, \ldots , x_n\).

  4. Compute a NIZK proof \(\pi \) that there exists a bit \(b'\) such that the plaintexts underlying \(c_1, \ldots , c_n\) are in the support of \({\mathcal {D}}_{b'}\) and \(b'\) is the plaintext underlying c.

  5. Compute tableaus \(T_1, \ldots , T_n\) of the computation of the NIZK verifier on \(\pi _1, \ldots , \pi _n\).

  6. Compute a tableau T of the computation of the NIZK verifier on proof \(\pi \).

  7. Output \((c_1, \ldots , c_n , c, T, (x_1, T_1), \ldots , (x_n, T_n))\).

To decode \((c_1, \ldots , c_n , c, T, (x_1, T_1), \ldots , (x_n, T_n))\):

  1. Check the tableaus \(T_1, \ldots , T_n, T\).

  2. If they all accept, output the parity of \(x_1, \ldots , x_n\).

In the proof we will switch from an honest encoding of b to a simulated encoding and from an honest decoding algorithm to a simulated decoding algorithm. At each point we will show that the decodings of tampered encodings stay the same. Moreover, if, in the final hybrid, decodings of tampered encodings depend on b, we will use this fact to build a circuit in \({\mathsf {A}}{\mathsf {C}}^0\), whose output is correlated with the parity of its input, reaching a contradiction. In more detail, in the first hybrid we switch to simulated proofs. Then we switch \(c_1, \ldots , c_n, c\), in the “challenge” encoding to encryptions of garbage \(c'_1, \ldots , c'_n, c'\), and next we switch to an alternative decoding algorithm in \({\mathsf {A}}{\mathsf {C}}^0\), which requires the trapdoor \(\textsc {sk}\) (corresponding to the public key \(\textsc {pk}\) which is contained in the CRS).

Alternative Decoding Algorithm:

To decode \((c_1, \ldots , c_n , c, T, (x_1, T_1), \ldots , (x_n, T_n))\):

  1. Check the tableaus \(T_1, \ldots , T_n, T\).

  2. If they all accept, output the decryption of c using trapdoor \(\textsc {sk}\).

In the final hybrid, the simulator will not know the parity of \(x_1, \ldots , x_n\) in the challenge encoding and will have received precomputed \(T^0_1, T^1_1, \ldots ,T^0_n,T^1_n, T\) as non-uniform advice, where T is a simulated proof of the statement “the plaintexts underlying \(c'_1, \ldots , c'_n\) and the plaintext underlying \(c'\) have the same parity” and for \(i \in [n], \beta \in \{0,1\}, T^\beta _i\) is a simulated proof of the statement “\(c'_i\) is an encryption of the bit \(\beta \)”.

We will argue by contradiction that if the decoding of the tampered encoding is correlated with the parity of \(x_1, \ldots , x_n\) then we can create a circuit whose output is correlated with the parity of its input in \({\mathsf {A}}{\mathsf {C}}^0\). Specifically, the \({\mathsf {A}}{\mathsf {C}}^0\) circuit will have the \(\mathsf {crs}\), \(\textsc {sk}\), precomputed \(c'_1, \ldots , c'_n , c', T, T^0_1, T^1_1, \ldots , T^0_n, T^1_n\) and adversarial tampering function f hardwired in it. It will take \(x_1, \ldots , x_n\) as input. It will compute the simulated encoding in \({\mathsf {A}}{\mathsf {C}}^0\) by selecting the correct tableaus: \(T^{x_1}_1, \ldots , T^{x_n}_n\) according to the corresponding input bit. It will then apply the adversarial tampering function (in \({\mathsf {A}}{\mathsf {C}}^0\)), perform the simulated decoding (in \({\mathsf {A}}{\mathsf {C}}^0\)) and output a guess for the parity of \(x_1, \ldots , x_n\) based on the result of the decoding. Clearly, if the decoding in the final hybrid is correlated with parity, then we have constructed a distribution over \({\mathsf {A}}{\mathsf {C}}^0\) circuits such that w.h.p. over choice of circuit from the distribution, the output of the circuit is correlated with the parity of its input. This contradicts known results on the hardness of computing parity in \({\mathsf {A}}{\mathsf {C}}^0\).

A general template for one-bit NMC. The above argument can be used to derive a template for the construction/security proof of NMC against more general classes \({\mathcal {F}}\). The idea is to derive a high-level sequence of hybrid distributions and corresponding minimal requirements for proving the indistinguishability of consecutive hybrids. We can now instantiate the tampering class \({\mathcal {F}}\), “hard distributions” (\({\mathcal {D}}_0, {\mathcal {D}}_1\)), encryption scheme and NIZK proof in any way that satisfies these minimal requirements. Note that each hybrid distribution is a distribution over the output of the tampering experiment. Therefore, public key encryption and NIZK against arbitrary PPT adversaries may be too strong of a requirement. Indeed, it is by analyzing the exact security requirements needed to go from one hybrid to the other that (looking ahead) we are able to remove the CRS and all computational assumptions from our construction of NMC against streaming adversaries with bounded memory. In addition, we can also use our template to obtain constructions (in the CRS model and under computational assumptions) against other tampering classes \({\mathcal {F}}\).

Extending the template to multi-bit NMC. The construction for \({\mathsf {A}}{\mathsf {C}}^0\) given above and the general template do not immediately extend to multi-bit messages. In particular, encoding m bits by applying the parity-based construction bit-by-bit fails, even if we use the final proof T to “wrap together” the encodings of multiple individual bits. The problem is that the proof strategy is to entirely decode the tampered codeword and decide, based on the results, whether to output 0 or 1 as the guess for the parity of some \(x_1, \ldots , x_n\). But if we encode many bits, \(b_1, \ldots , b_m\), then the adversary could maul in such a way that the tampered codeword decodes to \(b'_1, \ldots , b'_m\) where each of \(b'_i\) is individually independent of the parity of the corresponding \(x_1^i, \ldots , x_n^i\), but taken as a whole, the entire output may be correlated. As a simple example, the attacker might maul the codeword so that it decodes to \(b'_1, \ldots , b'_m\) that are uniform subject to satisfying \(b'_1 \oplus \cdots \oplus b'_m = b_1 \oplus \cdots \oplus b_m\). Clearly, there is a correlation here between the input and output, but we cannot detect this correlation in \({\mathsf {A}}{\mathsf {C}}^0\), since detecting the correlation itself seems to require computing parity!

In the case of parity (and the class \({\mathsf {A}}{\mathsf {C}}^0\)), the above issue can be solved by setting m sufficiently small (but still polynomial) compared to n. We discuss more details about the special case of parity below. However, we would first like to explain how the general template must be modified for the multi-bit case, given the above counterexample. Specifically, note that the difficulty above comes into play only in the final hybrid. Thus, we only need to modify the final hybrid slightly and require that for any Boolean function F over m variables, it must be the case that the composition of F with the simulated decoding algorithm is in a computational class that still cannot distinguish between draws \(x_1, \ldots , x_n\) from \({\mathcal {D}}_0\) or \({\mathcal {D}}_1\). While the above seems like a strong requirement, we show that by setting m much smaller than n, we can still obtain meaningful results for classes such as \({\mathsf {A}}{\mathsf {C}}^0\) and bounded-depth decision trees.

Multi-bit NMC against \({\mathsf {A}}{\mathsf {C}}^0\). If we want to encode m bits, for each of the underlying encodings \(i \in [m]\), we will use \(n :\approx m^3\) bits: \({\varvec{x}}^i = x^i_1, \ldots , x^i_{n}\). To see why this works, we set up a hybrid argument, where in each step we will fix all the underlying encodings except for a single one: \({\varvec{x}} = x_1, \ldots , x_{n}\), which we will switch from having parity 0 to having parity 1. Therefore, we can view C—the function computing the output of the tampering experiment in this hybrid—to be a function of variables \({\varvec{x}} = x_1, \ldots , x_{n}\) only (everything else is constant and “hardwired”). For \(i \in [m]\), let \(C_i\) denote the i-th output bit of C. We use \(\mathsf {PAR}({\varvec{x}})\) to denote the parity of \({\varvec{x}}\).

Now, for any Boolean function F over m variables, consider \(F(C_1({\varvec{x}}), C_2({\varvec{x}}), \ldots , C_m({\varvec{x}}))\), where we are simply taking an arbitrary Boolean function F of the decodings of the individual bits. Our goal is to show that \(F(C_1({\varvec{x}}), C_2({\varvec{x}}), \ldots , C_m({\varvec{x}}))\) is not correlated with the parity of \({\varvec{x}}\). Consider the Fourier representation of \(F(y_1, \ldots , y_m)\). This is a linear combination of parities of the input variables \(y_1, \ldots , y_m\), denoted \(\chi _S(y_1, \ldots , y_m)\), for all subsets \(S \in \{0,1\}^m\) (see [26]).

On the other hand, \(F(C_1({\varvec{x}}), C_2({\varvec{x}}), \ldots , C_m({\varvec{x}}))\) is a Boolean function over \(n \approx m^3\) variables (i.e. a linear combination over parities of the input variables \(x_1, \ldots , x_n\), denoted \(\chi _{S'}(x_1, \ldots , x_n)\), for all subsets \(S' \in \{0,1\}^{n}\)). A representation of \(F(C_1({\varvec{x}}), C_2({\varvec{x}}), \ldots , C_m({\varvec{x}}))\) can be obtained by taking each term \({\hat{F}}(S) \chi _S(y_1, \ldots , y_m)\) in the Fourier representation of F and composing with \(C_1, \ldots , C_m\) to obtain the term \({\hat{F}}(S)\chi _S(C_1({\varvec{x}}), C_2({\varvec{x}}), \ldots , C_m({\varvec{x}}))\). Since, by well-known properties of the Fourier transform, \(|{\hat{F}}(S)| \le 1\), we can get an upper bound on the correlation of \(F(C_1({\varvec{x}}), C_2({\varvec{x}}), \ldots , C_m({\varvec{x}}))\) and \(\mathsf {PAR}({\varvec{x}})\), by summing the correlations of each function \(\chi _S(C_1({\varvec{x}}), C_2({\varvec{x}}), \ldots , C_m({\varvec{x}}))\) and \(\mathsf {PAR}({\varvec{x}})\). Recall that the correlation of a Boolean function g with \(\mathsf {PAR}({\varvec{x}})\) is by definition, exactly the Fourier coefficient of g corresponding to parity function \(\chi _{[n]}\). Thus, to prove that the correlation of \(\chi _S(C_1({\varvec{x}}), C_2({\varvec{x}}), \ldots , C_m({\varvec{x}}))\) and \(\mathsf {PAR}({\varvec{x}})\) is low, we use the fact that \(\chi _S(C_1({\varvec{x}}), C_2({\varvec{x}}), \ldots , C_m({\varvec{x}}))\) can be computed by a (relatively) low depth circuit. To see this, note that each \(C_i\) is in \({\mathsf {A}}{\mathsf {C}}^0\) and so has low depth; moreover, since S has size at most m, we only need to compute parity over m variables, which can be done in relatively low depth when \(m \ll n\). We now combine the above with Fourier concentration bounds for low-depth circuits [51]. Ultimately, we prove that for each S, the correlation of \(\chi _S(C_1({\varvec{x}}), C_2({\varvec{x}}), \ldots , C_m({\varvec{x}}))\) and \(\mathsf {PAR}({\varvec{x}})\), is less than \(1/2^{m(1+\delta )}\), where \(\delta \) is a constant between 0 and 1. This means that we can afford to sum over all \(2^m\) terms in the Fourier representation of F and still obtain negligible correlation.
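The following worked example is added here and is not part of the paper. It makes concrete both the multi-bit counterexample (decoded bits that are individually uncorrelated with \(\mathsf {PAR}({\varvec{x}})\) but jointly correlated) and the Fourier decomposition used above: the correlation of \(F(C_1({\varvec{x}}), \ldots , C_m({\varvec{x}}))\) with parity equals \(\sum _S {\hat{F}}(S) \cdot \mathrm {corr}(\chi _S(C({\varvec{x}})), \mathsf {PAR}({\varvec{x}}))\), which is then bounded term by term using \(|{\hat{F}}(S)| \le 1\). The tampering outcome \(C\) (with \(n = 6\), \(m = 3\)) and the two choices of \(F\) (XOR and majority) are constructed for illustration; the \(\pm 1\) convention for Boolean functions is an assumption of this example so that parity is exactly the character \(\chi _{[n]}\).

```python
from itertools import product

# Added example, not from the paper. Boolean functions are written in the
# +/-1 convention: an n-bit tuple maps to +1 or -1, so PAR(x) is exactly the
# character chi_[n](x) and corr(g, PAR) = E[g(x) * PAR(x)] = ghat([n]).


def chi(S, bits):
    """Character chi_S(bits) = (-1)^(sum of bits[i] for i in S)."""
    return -1 if sum(bits[i] for i in S) % 2 else 1


def inputs(n):
    """All n-bit tuples (uniform distribution = plain enumeration)."""
    return product((0, 1), repeat=n)


def fourier_coefficient(f, n, S):
    """fhat(S) = E_x[f(x) chi_S(x)] for f: {0,1}^n -> {+1,-1}."""
    return sum(f(x) * chi(S, x) for x in inputs(n)) / 2 ** n


def correlation_with_parity(g, n):
    """Correlation of g with PAR over uniform x; by definition this is ghat([n])."""
    return fourier_coefficient(g, n, tuple(range(n)))


def all_subsets(m):
    """Every S subset of [m], as a tuple of indices."""
    return [tuple(i for i in range(m) if mask >> i & 1) for mask in range(2 ** m)]


# Constructed tampering outcome for one hybrid: C_i(x) is the i-th decoded bit
# as a function of the single "live" block x (everything else hardwired).
# Each C_i is a parity of a strict subset of x, so each one alone is
# uncorrelated with PAR(x), yet C_1 xor C_2 xor C_3 == PAR(x).
N, M = 6, 3
C = [
    lambda x: x[0],
    lambda x: x[1],
    lambda x: (x[2] + x[3] + x[4] + x[5]) % 2,
]


def decoded_bits(x):
    """The decoded m-bit message (C_1(x), ..., C_m(x)) in 0/1 form."""
    return tuple(Ci(x) for Ci in C)


def decoded_bit_as_pm1(i):
    """The single decoded bit C_i viewed as a +/-1 function of x."""
    return lambda x: chi((i,), decoded_bits(x))


def compose(F):
    """x -> F(C_1(x), ..., C_m(x)) for F: {0,1}^m -> {+1,-1}."""
    return lambda x: F(decoded_bits(x))


def xor3(y):
    """XOR of three bits in +/-1 form (this is the character chi_{0,1,2})."""
    return chi((0, 1, 2), y)


def maj3(y):
    """Majority of three bits in +/-1 form: -1 when at least two bits are 1."""
    return -1 if sum(y) >= 2 else 1


def fourier_decomposition_of_parity_correlation(F, n, m):
    """Return (exact corr(F∘C, PAR),
               sum_S Fhat(S) * corr(chi_S∘C, PAR),
               sum_S |Fhat(S)| * |corr(chi_S∘C, PAR)|).
    The first two are equal by linearity; the third is the bound the text uses."""
    exact = correlation_with_parity(compose(F), n)
    signed, bound = 0.0, 0.0
    for S in all_subsets(m):
        fh = fourier_coefficient(F, m, S)
        term = correlation_with_parity(lambda x, S=S: chi(S, decoded_bits(x)), n)
        signed += fh * term
        bound += abs(fh) * abs(term)
    return exact, signed, bound


if __name__ == "__main__":
    for i in range(M):
        print(f"corr(C_{i + 1}, PAR) = {correlation_with_parity(decoded_bit_as_pm1(i), N)}")
    print("XOR of decoded bits:", fourier_decomposition_of_parity_correlation(xor3, N, M))
    print("MAJ of decoded bits:", fourier_decomposition_of_parity_correlation(maj3, N, M))
```

Running it shows each \(C_i\) has correlation 0 with parity, while XOR of the decoded bits has correlation 1 and majority has correlation \(-1/2\) (all of it coming from the single term \(S = [m]\), whose coefficient \({\hat{F}}(S) = -1/2\)); in the paper's setting the \(\chi _S \circ C\) terms are each pushed below \(1/2^{m(1+\delta )}\) by the concentration bound, which is what makes the summed bound negligible.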

Multi-bit NMC against bounded-depth decision trees. Our result above extends to bounded-depth decision trees by noting that (1) If we apply a random restriction (with appropriate parameters) to input \(x_1, \ldots , x_n\) then, w.h.p. the \({\mathsf {A}}{\mathsf {C}}^0\) circuit used to compute the output of the tampering experiment collapses to a bounded-depth decision tree of depth \(m^\varepsilon -1\); (2) on the other hand, again choosing parameters of the random restriction appropriately, \(\mathsf {PAR}(x_1, \ldots , x_n)\) collapses to parity over at least \(m^{1 + \varepsilon }\) variables; (3) any Boolean function over m variables can be computed by a decision tree of depth m; (4) the composition of a depth-\(m^\varepsilon -1\) decision tree and depth-m decision tree yields a decision tree of depth at most \((m^\varepsilon -1)(m) < m^{1 + \varepsilon }\). Finally, we obtain our result by noting that decision trees of depth less than \(m^{1 + \varepsilon }\) are uncorrelated with parity over \(m^{1 + \varepsilon }\) variables.

Unconditional NMC (with no CRS) against bounded, streaming tampering. Recently, Raz [49] proved that learning parity is hard for bounded, streaming adversaries. In particular, this gives rise to hard distributions \({\mathcal {D}}_b, b \in \{0,1\}\) such that no bounded, streaming adversary can distinguish between the two. \({\mathcal {D}}_b\) corresponds to choosing a random parity \(\chi _S\), outputting random examples \(({\varvec{x}}, \chi _S({\varvec{x}}))\) and then outputting \({\varvec{x}}^*\) such that \(\chi _S({\varvec{x}}^*)\) is equal to b. The above also yields an unconditional, “parity-based” encryption scheme against bounded, streaming adversaries. Note, however, that in order to decrypt (without knowledge of the secret key), we require space beyond the allowed bound of the adversary. Given the above, we use \({\mathcal {D}}_b, b \in \{0,1\}\) as the hard distributions in our construction and use the parity-based encryption scheme as the “public key encryption scheme” in our construction. Thus, we get rid of the public key in the CRS (and the computational assumptions associated with the public key encryption scheme).

To see why this works, note that in the hybrid where we require semantic security of the encryption scheme, the decryption algorithm is not needed for decoding (at this point the honest decoding algorithm is still used). So essentially we can set the parameters for the encryption scheme such that the output of the tampering experiment in that hybrid (which outputs the decoded value based on whether \(x_1, \ldots , x_n\) is in the support of \({\mathcal {D}}_0\) or \({\mathcal {D}}_1\)) can be computed in a complexity class that is too weak to run the decryption algorithm. On the other hand, we must also consider the later hybrid where we show that the output of the tampering experiment can be computed in a complexity class that is too weak to distinguish \({\mathcal {D}}_0\) from \({\mathcal {D}}_1\). In this hybrid, we do use the alternate decoding procedure. But now it seems that we need decryption to be contained in a complexity class that is too weak to decide whether \(x_1, \ldots , x_n\) is in the support of \({\mathcal {D}}_0\) or \({\mathcal {D}}_1\), while previously we required exactly the opposite! The key insight is that since we are in the streaming model and since (1) the simulated ciphertexts (\(c'_1, \ldots , c'_n, c'\)) in this hybrid contain no information about \(x_1, \ldots , x_n\) and (2) the simulated ciphertexts precede \(x_1, \ldots , x_n\), the output of the tampering function in blocks containing ciphertexts does not depend on \(x_1, \ldots , x_n\) at all. So the decryption of the tampered ciphertexts can be given as non-uniform advice, instead of being computed on the fly, and we avoid contradiction.
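As an added example (not the paper's own code), the following toy implements the "parity-based" encryption derived from Raz's hard distributions \({\mathcal {D}}_b\): the secret key is a parity \(\chi _S\), and a ciphertext for bit b is a stream of labelled examples \(({\varvec{x}}, \chi _S({\varvec{x}}))\) followed by \({\varvec{x}}^*\) with \(\chi _S({\varvec{x}}^*) = b\). Decrypting with the key is a single parity evaluation that can be done in a streaming pass with O(n) state, whereas decrypting without it (here by Gaussian elimination over GF(2)) requires holding the whole example matrix in memory, which is the space cost the text refers to. The parameters (n = 8, 32 examples, fixed seed) and the helper names are assumptions of this example.

```python
import random

# Added example, not from the paper. Toy parity-based encryption from the
# distributions D_b: key = secret parity S, ciphertext for bit b = labelled
# examples (x, chi_S(x)) followed by x* with chi_S(x*) = b.


def parity_on(S, x):
    """chi_S(x) in 0/1 form: XOR of the coordinates of x indexed by S."""
    return sum(x[i] for i in S) % 2


def keygen(n, rng):
    """Secret key: a uniformly random non-empty subset S of [n]."""
    while True:
        S = [i for i in range(n) if rng.randrange(2)]
        if S:
            return S


def encrypt(S, b, n, num_examples, rng):
    """Sample from D_b: labelled random examples, then x* with chi_S(x*) = b."""
    examples = []
    for _ in range(num_examples):
        x = [rng.randrange(2) for _ in range(n)]
        examples.append((x, parity_on(S, x)))
    x_star = [rng.randrange(2) for _ in range(n)]
    if parity_on(S, x_star) != b:
        x_star[S[0]] ^= 1  # flipping one coordinate in S fixes the parity
    return examples, x_star


def decrypt(S, ciphertext):
    """With the key, decryption is one parity evaluation (streaming, O(n) space)."""
    _examples, x_star = ciphertext
    return parity_on(S, x_star)


def recover_key(examples, n):
    """Gaussian elimination over GF(2) on the labelled examples.
    This keeps the full example matrix (num_examples * (n+1) bits) in memory,
    which is exactly what a bounded-space streaming adversary cannot afford.
    Returns None if the examples do not determine S uniquely."""
    rows = [x[:] + [y] for x, y in examples]  # augmented rows [x_1..x_n | y]
    for col in range(n):
        pivot = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if pivot is None:
            return None  # system is underdetermined for this coordinate
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                rows[r] = [a ^ c for a, c in zip(rows[r], rows[col])]
    # Fully reduced: row i now reads s_i = rows[i][n].
    return [i for i in range(n) if rows[i][n]]


def decrypt_without_key(ciphertext, n):
    """Decrypt by first solving for S from the examples (needs ~n^2 space)."""
    examples, x_star = ciphertext
    S = recover_key(examples, n)
    return None if S is None else parity_on(S, x_star)


def demo(n=8, num_examples=32, seed=7):
    """Encrypt both bits under one key; return (key, [(b, with_key, without_key)])."""
    rng = random.Random(seed)
    S = keygen(n, rng)
    results = []
    for b in (0, 1):
        ct = encrypt(S, b, n, num_examples, rng)
        results.append((b, decrypt(S, ct), decrypt_without_key(ct, n)))
    return S, results


if __name__ == "__main__":
    key, outcome = demo()
    print("secret parity S =", key)
    for b, with_key, without_key in outcome:
        print(f"b={b}: with key -> {with_key}, via elimination -> {without_key}")
```

Both decryptions agree on every ciphertext; the point of the construction is that the second one, the only route open to a party without S, is unavailable to an adversary whose memory is bounded below the size of the example matrix and who sees the stream only once.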

In order to get rid of the CRS and computational assumption for the NIZK, we carefully leverage some additional properties of the NMC setting and the streaming model. First, we consider cut-and-choose based NIZKs (based on MPC-in-the-head), where the Verifier is randomized and randomly checks certain locations or “slots” in the proof to ensure soundness. Specifically, given a Circuit-SAT circuit C and witness w, the prover will secret share \(w := w_1 \oplus \cdots \oplus w_\ell \) and run an MPC protocol among \(\ell \) parties (for constant \(\ell \)), where party \(P_i\) has input \(w_i\) and the parties are computing the output of \(C(w_1 \oplus \cdots \oplus w_\ell )\). The prover will then “encrypt” each view of each party in the MPC protocol, using the parity-based encryption scheme described above and output this as the proof. This is then repeated \(\lambda \) times (where \(\lambda \) is the security parameter). The Verifier will then randomly select two parties from each of the \(\lambda \) sets, decrypt the views and check that the views correspond to the output of 1 and are consistent internally and with each other.

We next note that in our setting, the NIZK simulator can actually know the randomness used by the Verifier. This is because the simulated codeword and the decoding are done by the same party in the NMC security experiment. Therefore, the level of “zero-knowledge” needed from the simulation of the NIZK is in-between honest verifier and malicious. This is because the adversary can still use the tampering function to “leak” information from the unchecked slots of the proof to the checked slots, while a completely honest verifier would learn absolutely nothing about the unchecked slots. In order to switch from a real proof to a simulated proof, we fill in unchecked slots one-by-one with parity-based encryptions of garbage. We must rely on the fact that a bounded, streaming adversary cannot distinguish real encryptions from garbage encryptions in order to argue security. Specifically, since we are in the bounded streaming model, we can argue that the adversary can only “leak” a small amount of information from the unchecked slots to the checked slots. This means that the entire output of the experiment can be simulated by a bounded, streaming adversary, which in turn means that the output of the experiment must be indistinguishable when real, unchecked encodings are replaced with encodings of garbage. Arguing simulation soundness requires a similar argument, but more slots are added to the proof and slots in an honest proof are only filled if the corresponding position in the bit-string corresponding to the statement to be proven is set to 1. We encode the statement in such a way that if the statement changes, the adversary must switch an unfilled slot to a filled slot. Intuitively, since the bounded streaming attacker can only carry over a small amount of information from previous slots, this will be as difficult as constructing a new proof from scratch.

1.3 Related Work

The notion of NMC was formalized by Dziembowski et al. [31]. Split-state classes of tampering functions, introduced by Liu and Lysyanskaya [47], have subsequently received much attention with a sequence of improvements achieving a reduced number of states, improved rate, or other desirable features [1,2,3, 6, 15, 17, 30, 39,40,41, 44]. Recently [5, 7] gave efficient constructions of non-malleable codes for “non-compartmentalized” tampering function classes.

Faust et al. [35] presented a construction of efficient NMC in the CRS model, for tampering function families \({\mathcal {F}}\) with size \(\vert {\mathcal {F}} \vert \le 2^{\mathsf {poly}(n)}\), where n is the length of the codeword. The construction is based on t-wise independent hashing for t proportional to \(\log \vert {\mathcal {F}} \vert \). This gives information-theoretically secure NMC resilient to tampering classes which can be represented as \(\mathsf {poly}\)-size circuits. While the [35] construction allows adaptive selection of the tampering function \(f \in {\mathcal {F}}\) after the t-wise independent hash function h (CRS) is chosen, the bound on the size of \({\mathcal {F}}\) needs to be fixed before h is chosen. In particular, this means that the construction does not achieve security against the tampering functions \(f \in {\mathsf {A}}{\mathsf {C}}^0\) in general, since \({\mathsf {A}}{\mathsf {C}}^0\) contains all \(\mathsf {poly}\)-size and constant depth circuit families, but rather provides tamper resilience against specific families in \({\mathsf {A}}{\mathsf {C}}^0\) (\(\textsf {ACC}^0\), etc.). Cheraghchi and Guruswami [19] in an independent work showed the existence of information theoretically secure NMC against tampering families \({\mathcal {F}}\) of size \(\vert {\mathcal {F}} \vert \le 2^{2^{\alpha n}}\) with optimal rate \(1 - \alpha \). This paper gave the first characterization of the rate of NMC; however, the construction of [19] is inefficient for negligible error.

Ball et al. [7] gave a construction of efficient NMC against \(n^\delta \)-local tampering functions, for any constant \(\delta >0\). Notably, this class includes \({\mathsf {N}}{\mathsf {C}}^0\) tampering functions, namely constant-depth circuits with bounded fan-in. It should be noted, however, that the results of [7] do not extend to tampering adversaries in \({\mathsf {A}}{\mathsf {C}}^0\), since even for a low-depth circuit in \({\mathsf {A}}{\mathsf {C}}^0\), any single output bit can depend on all input bits, thus violating the \(n^\delta \)-locality constraint.

In a recent work, Chattopadhyay and Li [16] gave constructions of NMC based on connections between NMC and seedless non-malleable extractors. One of their results is an efficient NMC against t-local tampering functions, where the decoding algorithm of the NMC is deterministic (in contrast, the result in [7] has randomized decoding). The locality parameters of the NMC in [16] are not as good as those in [7], but better than the deterministic-decoding construction given in the appendix of the full version of [7]. Additionally, [16] also presents an NMC against \({\mathsf {A}}{\mathsf {C}}^0\) tampering functions. However, this NMC results in a codeword that is super-polynomial in the message length, i.e., the code is inefficient.

A recent work by Faust et al. [32] considered larger tampering classes by considering space-bounded tampering adversaries in the random oracle model. The construction achieves a new notion of leaky continuous non-malleable codes, where the adversary is assumed to learn some bounded \(\mathrm {log}(\vert m \vert )\) bits of information about the underlying message m. However, this result is not directly comparable to ours, as the adversarial model we consider is that of standard non-malleability (without leakage), and for a subset of this tampering class (streaming space-bounded adversaries) we achieve information-theoretic security without random oracles.

Chandran et al. [12] considered another variant of non-malleable codes, called block-wise non-malleable codes. In this model, the codeword consists of a number of blocks and the adversary receives the codeword block by block. The tampering function correspondingly consists of several functions \(f_i\), where each \(f_i\) can depend on codeword blocks \(c_1, \ldots , c_{i}\) and modifies \(c_i\) to \({c'}_i\). It can be observed that standard non-malleability cannot be achieved in this model, since the adversary can simply wait to receive all the blocks of the codeword and then decode the codeword as part of the last tampering function. Therefore, [12] define a new notion called non-malleability with replacement, which relaxes the non-malleability requirement and considers the attack to be successful only if the tampered codeword is valid and related to the original message.

Other works on non-malleable codes include [2, 4, 11, 13, 14, 20, 24, 25, 28, 33, 34, 37, 41]. We refer the interested reader to [38, 47] for a discussion of various models for tamper and leakage resilience.

2 Definitions

Where appropriate, we interpret functions \(f:S\rightarrow \{\pm 1\}\) as boolean functions (and vice versa) via the mapping \(0\leftrightarrow 1\) and \(1 \leftrightarrow -1\). The support of a vector \({\varvec{x}}\) is the set of indices i such that \(x_i \ne 0\). A bipartite graph is an undirected graph \(G = (V,E)\) in which V can be partitioned into two sets \(V_1\) and \(V_2\) such that \((u,v) \in E\) implies that either \(u \in V_1\) and \(v \in V_2\) or \(v \in V_1\) and \(u \in V_2\).

Non-malleable Codes. In this section we define the notion of non-malleable codes and its variants. In this work, we assume that the decoding algorithm of the non-malleable code may be randomized, and all of our generic theorems are stated for this case. Nevertheless, only our instantiation for the streaming adversary (see Sect. 7 of the full version [8]) requires a randomized decoding algorithm, while our other instantiations enjoy deterministic decoding. We note that the original definition of non-malleable codes, given in [31], required a deterministic decoding algorithm. Subsequently, in [7], an alternative definition that allows for randomized decoding was introduced. We follow here the definition of [7]. Please see [7] for a discussion of why deterministic decoding is not necessarily without loss of generality in the non-malleable codes setting and for additional motivation for allowing randomized decoding.

Definition 1

(Coding Scheme). Let \(\varSigma , {\widehat{\varSigma }}\) be sets of strings, and \(\kappa , {\widehat{\kappa }} \in {\mathbb {N}}\) be some parameters. A coding scheme consists of two algorithms \((\mathsf {E},\mathsf {D})\) with the following syntax:

  • The encoding algorithm (possibly randomized) takes as input a message block in \(\varSigma \) and outputs a codeword in \({\widehat{\varSigma }}\).

  • The decoding algorithm (possibly randomized) takes as input a codeword in \({\widehat{\varSigma }}\) and outputs a message block in \(\varSigma \).

We require that for any message \(m\in \varSigma \), \(\Pr [\mathsf {D}(\mathsf {E}(m)) = m] =1\), where the probability is taken over the random coins of \(\mathsf {E}\) and \(\mathsf {D}\). In binary settings, we often set \(\varSigma = \{0,1\}^{\kappa }\) and \({\widehat{\varSigma }} = \{0,1\}^{{\widehat{\kappa }}}\).

We next provide definitions of non-malleable codes with varying levels of security. We present general, game-based definitions that apply even to NMC in a model with a CRS, or that require computational assumptions. The original definitions of non-malleability, appropriate for an unconditional setting without a CRS, are obtained as the special case of our definitions in which \(\mathsf {crs}=\bot \) and \({\mathcal {G}}\) includes all computable functions. These original definitions are also presented in Appendix A.1 of the full version [8].

Definition 2

(Non-malleability). Let \(\varPi = (\mathsf {CRSGen}, \mathsf {E}, \mathsf {D})\) be a coding scheme. Let \({\mathcal {F}}\) be some family of functions. For each attacker A, \(m \in \varSigma \), define the tampering experiment \({\mathsf {Tamper}}^{\varPi , {\mathcal {F}}}_{A,m}(n)\) (Fig. 1):

Fig. 1. Non-malleability experiment \({\mathsf {Tamper}}^{\varPi , {\mathcal {F}}}_{A,m}(n)\) (figure not reproduced).

We say the coding scheme \(\varPi = (\mathsf {CRSGen}, \mathsf {E}, \mathsf {D})\) is non-malleable against tampering class \({\mathcal {F}}\) and attackers \(A \in {\mathcal {G}}\), if for every \(A \in {\mathcal {G}}\) there exists a PPT simulator \(\mathsf {Sim}\) such that for any message \(m \in \varSigma \) we have,

$$ {\mathsf {Tamper}}^{\varPi , {\mathcal {F}}}_{A,m}(n) \approx \mathbf {Ideal}_{\mathsf {Sim}, m}(n) $$

where \(\mathbf {Ideal}_{\mathsf {Sim}, m}(n)\) is the experiment defined as follows (Fig. 2):

Fig. 2. Non-malleability experiment \(\mathbf {Ideal}_{\mathsf {Sim}, m}(n)\) (figure not reproduced).

Definition 3

(Strong Non-malleability). Let \(\varPi = (\mathsf {CRSGen}, \mathsf {E}, \mathsf {D})\) be a coding scheme. Let \({\mathcal {F}}\) be some family of functions. For each attacker \(A \in {\mathcal {G}}\), \(m \in \varSigma \), define the tampering experiment \({\mathsf {StrongTamper}}^{\varPi , {\mathcal {F}}}_{A,m}(n)\) (Fig. 3):

Fig. 3. Strong non-malleability experiment \({\mathsf {StrongTamper}}^{\varPi , {\mathcal {F}}}_{A,m}(n)\) (figure not reproduced).

We say the coding scheme \(\varPi = (\mathsf {CRSGen}, \mathsf {E}, \mathsf {D})\) is strong non-malleable against tampering class \({\mathcal {F}}\) and attackers \(A \in {\mathcal {G}}\) if we have

$$ {\mathsf {StrongTamper}}^{\varPi , {\mathcal {F}}}_{A,m_0}(n) \approx {\mathsf {StrongTamper}}^{\varPi , {\mathcal {F}}}_{A,m_1}(n) $$

for any \(A \in {\mathcal {G}}\), \(m_0, m_1 \in \varSigma \).

We now introduce an intermediate variant of non-malleability, called Medium Non-malleability, which informally gives security guarantees “in-between” strong and regular non-malleability. Specifically, the difference is that the experiment is allowed to output \(\mathsf {same}^*\) only when some predicate g evaluated on \((c, {\tilde{c}})\) is set to true. Thus, strong non-malleability can be viewed as a special case of medium non-malleability, by setting g to be the identity function. On the other hand, regular non-malleability does not impose restrictions on when the experiment is allowed to output \(\mathsf {same}^*\). Note that g cannot be just any predicate in order for the definition to make sense. Rather, g must be a predicate such that if g evaluated on \((c, {\tilde{c}})\) is set to true, then (with overwhelming probability over the random coins of \(\mathsf {D}\)) \(\mathsf {D}({\tilde{c}}) = \mathsf {D}(c)\).

Definition 4

(Medium Non-malleability). Let \(\varPi = (\mathsf {CRSGen}, \mathsf {E}, \mathsf {D})\) be a coding scheme. Let \({\mathcal {F}}\) be some family of functions.

Let \(g(\cdot ,\cdot ,\cdot ,\cdot )\) be a predicate such that, for each attacker \(A \in {\mathcal {G}}\), \(m \in \varSigma \), the output of the following experiment, \(\mathsf {Expt}^{\varPi , {\mathcal {F}}}_{A,m,g}(n)\) is 1 with at most negligible probability (Fig. 4):

Fig. 4. The experiment corresponding to the special predicate g (figure not reproduced).

For g as above, each \(m \in \varSigma \), and attacker \(A \in {\mathcal {G}}\), define the tampering experiment \({\mathsf {MediumTamper}}^{\varPi , {\mathcal {F}}}_{A,m,g}(n)\) as shown in Fig. 5:

Fig. 5. Medium non-malleability experiment \({\mathsf {MediumTamper}}^{\varPi , {\mathcal {F}}}_{A,m,g}(n)\) (figure not reproduced).

We say the coding scheme \(\varPi = (\mathsf {CRSGen}, \mathsf {E}, \mathsf {D})\) is medium non-malleable against tampering class \({\mathcal {F}}\) and attackers \(A \in {\mathcal {G}}\) if we have

$$ {\mathsf {MediumTamper}}^{\varPi , {\mathcal {F}}}_{A,m_0,g}(n) \approx {\mathsf {MediumTamper}}^{\varPi , {\mathcal {F}}}_{A,m_1,g}(n) $$

for any \(A \in {\mathcal {G}}\), \(m_0, m_1 \in \varSigma \).

Standard definitions of public-key encryption (PKE), pseudorandom generators (PRG), and non-interactive zero-knowledge proof systems with simulation soundness are recalled in Sects. 2.2 and 2.3 of the full version [8].

Definition 5

(Non-interactive Simulatable Proof System). A tuple of probabilistic polynomial time algorithms \(\varPi ^{{\mathsf {N}}{\mathsf {I}}} = (\mathsf {CRSGen}^{{\mathsf {N}}{\mathsf {I}}}, \mathsf {P}^{{\mathsf {N}}{\mathsf {I}}}, \mathsf {V}^{{\mathsf {N}}{\mathsf {I}}} ,\mathsf {Sim}^{{\mathsf {N}}{\mathsf {I}}})\) is a non-interactive simulatable proof system for language \(L \in NP\) with witness relation W if \((\mathsf {CRSGen}^{{\mathsf {N}}{\mathsf {I}}}, \mathsf {P}^{{\mathsf {N}}{\mathsf {I}}}, \mathsf {V}^{{\mathsf {N}}{\mathsf {I}}} ,\mathsf {Sim}^{{\mathsf {N}}{\mathsf {I}}})\) have the following syntax:

  • \(\mathsf {CRSGen}^{{\mathsf {N}}{\mathsf {I}}}\) is a randomized algorithm that outputs \((\mathsf {crs}^{{\mathsf {N}}{\mathsf {I}}}, \tau _\mathsf{sim})\).

  • On input \(\mathsf {crs}\), \(x \in L\) and witness w such that \(W(x,w) = 1\), \(\mathsf {P}^{{\mathsf {N}}{\mathsf {I}}}(\mathsf {crs}, x, w)\) outputs proof \(\pi \).

  • On input \(\mathsf {crs}\), \(x, \pi \), \(\mathsf {V}^{{\mathsf {N}}{\mathsf {I}}}(\mathsf {crs}, x, \pi )\) outputs either 0 or 1.

  • On input \(\mathsf {crs}\), \(\tau _\mathsf{sim}\) and \(x \in L\), \(\mathsf {Sim}^{{\mathsf {N}}{\mathsf {I}}}(\mathsf {crs}, \tau _\mathsf{sim}, x)\) outputs simulated proof \(\pi '\).

Completeness: For all \(x \in L\), all w such that \(W(x,w) = 1\), all strings \(\mathsf {crs}^{{\mathsf {N}}{\mathsf {I}}}\) of length \({{\mathrm{poly}}}(|x|)\), and all adversaries \({\mathcal {A}}\), we have

$$\begin{aligned} {\Pr \left[ {\begin{aligned}&(\mathsf {crs}^{{\mathsf {N}}{\mathsf {I}}}, \tau _\mathsf{sim}) \leftarrow \mathsf {CRSGen}^{{\mathsf {N}}{\mathsf {I}}}(1^n); (x,w) \leftarrow {\mathcal {A}}(\mathsf {crs}^{{\mathsf {N}}{\mathsf {I}}}); \\&\qquad \pi \leftarrow \mathsf {P}^{{\mathsf {N}}{\mathsf {I}}}(\mathsf {crs}^{{\mathsf {N}}{\mathsf {I}}}, x, w) : \mathsf {V}^{{\mathsf {N}}{\mathsf {I}}}(\mathsf {crs}^{{\mathsf {N}}{\mathsf {I}}},x,\pi ) = 1 \end{aligned}}\right] } \ge 1 - \mathsf {negl}(n) \end{aligned}$$

Soundness: We say that \(\varPi ^{{\mathsf {N}}{\mathsf {I}}}\) enjoys soundness against adversaries \({\mathcal {A}} \in {\mathcal {G}}\) if: For all \(x \notin L\), and all adversaries \({\mathcal {A}} \in {\mathcal {G}}\):

$$\begin{aligned} {\Pr \left[ { \begin{aligned} (\mathsf {crs}^{{\mathsf {N}}{\mathsf {I}}}, \tau _\mathsf{sim}) \leftarrow \mathsf {CRSGen}^{{\mathsf {N}}{\mathsf {I}}}(1^n); \\ (x,\pi ) \leftarrow {\mathcal {A}}(\mathsf {crs}^{{\mathsf {N}}{\mathsf {I}}}) : \mathsf {V}^{{\mathsf {N}}{\mathsf {I}}}(\mathsf {crs}^{{\mathsf {N}}{\mathsf {I}}}, x, \pi ) = 0 \end{aligned} }\right] } \ge 1 - \mathsf {negl}(n) \end{aligned}$$

The security properties that we require of \(\varPi ^{{\mathsf {N}}{\mathsf {I}}}\) will depend on our particular non-malleable code construction as well as the particular class, \({\mathcal {F}}\), of tampering functions that we consider. The exact properties needed are those that will arise from Theorems 2 and 4. In subsequent sections, we will show how to construct non-interactive simulatable proof systems satisfying these properties.

Proof Systems for Circuit SAT. We now consider proof of knowledge systems for Circuit SAT, where the prover and/or verifier have limited computational resources.

Definition 6

(Proof of Knowledge Systems for Circuit SAT with Computationally Bounded Prover/Verifier). For a circuit C, let \({\mathcal {L}}(C)\) denote the set of strings x such that there exists a witness w such that \(C(x,w) = 1\). For a class \({\mathcal {C}}\), let \({\mathcal {L}}({\mathcal {C}})\) denote the set \(\{ {\mathcal {L}}(C) \mid C \in {\mathcal {C}} \}\). \(\varPi = (\mathsf {P}, \mathsf {V})\) is a Circuit SAT proof system for the class \({\mathcal {L}}({\mathcal {C}})\) with prover complexity \({\mathcal {D}}\) and verifier complexity \({\mathcal {E}}\) if the following are true:

  • For all \(C \in {\mathcal {C}}\) and all valid inputs \((x, w)\) such that \(C(x, w) = 1\), \(\mathsf {P}(C, \cdot , \cdot )\) can be computed in complexity class \({\mathcal {D}}\).

  • For all \(C \in {\mathcal {C}}\), \(\mathsf {V}(C, \cdot , \cdot )\) can be computed in complexity class \({\mathcal {E}}\).

  • Completeness: For all \(C \in {\mathcal {C}}\) and all \((x, w)\) such that \(C(x, w) = 1\), we have \(\mathsf {V}(C, x, \mathsf {P}(C, x, w)) = 1\).

  • Extractability: For all \((C, x, \pi )\), if \(\mathrm {Pr}_{r} [\mathsf {V}(C, x, \pi ; r) = 1 ]\) is non-negligible, then given \((C, x, \pi )\) it is possible to efficiently extract w such that \(C(x,w) = 1\).

We construct Circuit SAT proof systems for the class \({\mathcal {L}}(\mathsf {P/poly})\) with verifier complexity \({\mathsf {A}}{\mathsf {C}}^0\), and Circuit SAT proof systems for the same class \({\mathcal {L}}(\mathsf {P/poly})\) with a streaming verifier, in Sect. 2.4 of the full version [8].

Given the above, we have the following theorem:

Theorem 1

Assuming the existence of a same-string, weak one-time simulation-sound NIZK with deterministic verifier, there exists a same-string, weak one-time simulation-sound NIZK with verifier in \({\mathsf {A}}{\mathsf {C}}^0\).

We also recall some definitions and results from boolean function analysis in Sect. 2.5 of the full version [8].

Computational Model for Streaming Adversaries. In this section we discuss the computational model used for analysis of the streaming adversaries. This model is similar to the one used in [49].

General Streaming Adversaries. The input is represented as a stream \(S_1, \ldots , S_\ell \), where for \(i \in [\ell ]\), each \(S_i \in \{0,1\}^{B}\), and B is the block length. We model the adversary by a branching program. A branching program of length \(\ell \) and width w is a directed acyclic graph with the vertices arranged in \(\ell +1\) layers such that no layer contains more than w vertices. Intuitively, each layer represents a time step of the computation, whereas each vertex in the graph corresponds to a potential memory state of the adversary. The first layer (layer 0) contains a single vertex, called the start vertex, which represents the input. A vertex is called a leaf if it has out-degree 0; a leaf represents the output (the learned value of x) of the program. Every non-leaf vertex in the program has exactly \(2^{B}\) outgoing edges, labeled by elements \(S \in \{0,1\}^B\), with exactly one edge labeled by each such S, and all edges from layer \(j-1\) go to vertices in layer j. Intuitively, these edges represent the computation performed on reading \(S_i\) from the stream. The stream \(S_1, \ldots , S_\ell \) therefore defines a computation path in the branching program.
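As an added example (my own code, not from the paper or from [49]), the following Python makes the model above concrete: a `BranchingProgram` holding the layered graph, a check for the constraints just listed (one start vertex, exactly one out-edge per block value, edges only between consecutive layers), an evaluator that follows the computation path of a stream, and the unrolling of a w-state streaming algorithm (here: running parity of all stream bits) into a width-w program; all class, field and function names are assumptions of this example.

```python
from itertools import product


def all_blocks(B):
    """The 2^B possible block values S in {0,1}^B, as bit tuples."""
    return [tuple(bits) for bits in product((0, 1), repeat=B)]


class BranchingProgram:
    """A branching program of length ell over B-bit blocks.

    layers[j] for 0 <= j < ell maps each vertex of layer j to a dict
    {S: vertex of layer j+1}; leaves maps each vertex of layer ell (the
    leaves, out-degree 0) to the value the program outputs there."""

    def __init__(self, B, layers, leaves):
        self.B, self.layers, self.leaves = B, layers, leaves

    @property
    def length(self):
        return len(self.layers)

    @property
    def width(self):
        # w = the largest number of vertices in any layer (memory states per step)
        return max(len(layer) for layer in self.layers + [self.leaves])

    def structural_violations(self):
        """Check the constraints of the model; an empty list means well formed."""
        problems = []
        if len(self.layers[0]) != 1:
            problems.append("layer 0 must contain exactly the start vertex")
        expected = set(all_blocks(self.B))
        for j, layer in enumerate(self.layers):
            nxt = self.layers[j + 1] if j + 1 < self.length else self.leaves
            for v, edges in layer.items():
                if set(edges) != expected:
                    problems.append(f"vertex {v!r} in layer {j} lacks one edge per block S")
                if any(t not in nxt for t in edges.values()):
                    problems.append(f"vertex {v!r} in layer {j} has an edge not into layer {j + 1}")
        return problems

    def evaluate(self, stream):
        """Follow the computation path defined by S_1, ..., S_ell and return
        the output attached to the leaf it reaches."""
        if len(stream) != self.length:
            raise ValueError("stream length must equal the program length")
        (v,) = self.layers[0]  # the unique start vertex
        for j, S in enumerate(stream):
            v = self.layers[j][v][tuple(S)]
        return self.leaves[v]


def from_streaming_automaton(B, ell, states, start, step, output):
    """Unroll a streaming algorithm with state set `states` into a branching
    program of width |states|: layer j holds one vertex per state, and the
    edge labelled S from state q goes to step(q, S) in the next layer."""
    layers = [{start: {S: step(start, S) for S in all_blocks(B)}}]
    for _ in range(1, ell):
        layers.append({q: {S: step(q, S) for S in all_blocks(B)} for q in states})
    leaves = {q: output(q) for q in states}
    return BranchingProgram(B, layers, leaves)


def parity_program(B, ell):
    """Width-2 program computing the XOR of every bit in an ell-block stream."""
    return from_streaming_automaton(
        B, ell, states=(0, 1), start=0,
        step=lambda q, S: q ^ (sum(S) & 1), output=lambda q: q)


if __name__ == "__main__":
    bp = parity_program(B=2, ell=3)
    print("length", bp.length, "width", bp.width, "violations", bp.structural_violations())
    print("parity of constructed stream:", bp.evaluate([(1, 0), (1, 1), (0, 0)]))
```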

We discuss streaming branching-program adversaries, and streaming adversaries for learning parity, in Sect. 2.6 of the full version [8].

3 Generic Construction for One-Bit Messages

In this section we present the generic construction for encoding a single bit.

Fig. 6. Non-malleable code \((\mathsf {CRSGen}, \mathsf {E}, \mathsf {D})\), secure against \({\mathcal {F}}\) tampering (figure not reproduced).

Fig. 7. Encoding algorithm with simulated proofs (figure not reproduced).

Fig. 8. Encoding algorithm with simulated proofs and encryptions (figure not reproduced).

Fig. 9. Extracting procedure \(\mathsf {Ext}\) (figure not reproduced).

Fig. 10. Alternate decoding procedure \(\mathsf {D}'\), given additional extracted key k as input (figure not reproduced).

Fig. 11. The predicate \(g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}},{\mathsf {C}}{\mathsf {W}}^*,r)\) (figure not reproduced).

Let \(\varPsi (p,c,x,y,r,z)\) be the function that takes as input a predicate p and variables \(c, x, y, r, z\). If \(p(c,x,y,r) = 1\), then \(\varPsi \) outputs 0. Otherwise, \(\varPsi \) outputs z.

Theorem 2

Let \((\mathsf {E}, \mathsf {D})\), \(\mathsf {E}_1\), \(\mathsf {E}_2\), \(\mathsf {Ext}\), \(\mathsf {D}'\) and g be as defined in Figs. 6, 7, 8, 9, 10 and 11. Let \({\mathcal {F}}\) be a computational class. If, for every adversary \({\mathcal {A}} \in {\mathcal {G}}\) outputting tampering functions \(f \in {\mathcal {F}}\), all of the following hold:

  • Simulation of proofs.

    1. \(\Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_0, f({\mathsf {C}}{\mathsf {W}}_0),r_0) = 1] \approx \Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1),r_1) = 1]\),

    2. \(\varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_0, f({\mathsf {C}}{\mathsf {W}}_0), r_0, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_0);r_0)) \approx \varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1), r_1, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_1);r_1))\),

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_0, r_1\) are sampled uniformly at random, \({\mathsf {C}}{\mathsf {W}}_0 \leftarrow \mathsf {E}(\mathsf {crs}, 0)\) and \({\mathsf {C}}{\mathsf {W}}_1 \leftarrow \mathsf {E}_1(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_1,0)\).

  • Simulation of Encryptions.

    1. \(\Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1),r_1) = 1] \approx \Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2),r_2) = 1]\),

    2. \(\varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1), r_1, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_1);r_1)) \approx \varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2), r_2, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_2);r_2))\),

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_1, r_2\) are sampled uniformly at random, \({\mathsf {C}}{\mathsf {W}}_1 \leftarrow \mathsf {E}_1(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_1,0)\) and \({\mathsf {C}}{\mathsf {W}}_2 \leftarrow \mathsf {E}_2(\mathsf {crs}, \overrightarrow{\tau }_\mathsf{sim},r_2,0)\).

  • Simulation Soundness.

    $$\begin{aligned} {\Pr \left[ { \begin{aligned}&\mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_2); r_2) \ne \mathsf {D}'(\mathsf {crs}, \mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2); r_2) \\&\qquad \qquad \qquad \wedge g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2), r_2) = 0 \end{aligned} }\right] } \le \mathsf {negl}(n), \end{aligned}$$

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_2\) is sampled uniformly at random and \({\mathsf {C}}{\mathsf {W}}_2 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_2,0)\).

  • Hardness of \(D_b\) relative to Alternate Decoding.

    1. \(\Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2),r_2) = 1] \approx \Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_3, f({\mathsf {C}}{\mathsf {W}}_3),r_3) = 1]\),

    2. \(\mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2);r_2) \approx \mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_3)), f({\mathsf {C}}{\mathsf {W}}_3); r_3)\),

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_2, r_3\) are sampled uniformly at random, \({\mathsf {C}}{\mathsf {W}}_2 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_2,0)\) and \({\mathsf {C}}{\mathsf {W}}_3 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_3,1)\).

Then the construction presented in Fig. 6 is a non-malleable code for class \({\mathcal {F}}\) against adversaries \({\mathcal {A}} \in {\mathcal {G}}\).

Proof

(Proof of Theorem 2). We take g to be the predicate that is used in the \(\mathsf {MediumTamper}^{\varPi , {\mathcal {F}}}_{A,m,g}(n)\) tampering experiment. We must argue that for every \(m \in \{0,1\}\) and every attacker \(A \in {\mathcal {G}}\) the output of the experiment \(\mathsf {Expt}^{\varPi , {\mathcal {F}}}_{A,m,g}(n)\) is 1 with at most negligible probability.

Assume towards contradiction that for some \(A \in {\mathcal {G}}\) the output of the experiment is 1 with non-negligible probability. This means that the probability, in the last line of experiment \(\mathsf {Expt}^{\varPi , {\mathcal {F}}}_{A,m,g}(n)\), that \(g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}, {\mathsf {C}}{\mathsf {W}}^*,r) = 1 \wedge \mathsf {D}(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}^*;r) \ne m\) is non-negligible. Parse \({\mathsf {C}}{\mathsf {W}}= (\hat{{{\varvec{k}}}}, {\varvec{c}}, c, T, x_1, T_1, \ldots , x_n, T_n)\) and \({\mathsf {C}}{\mathsf {W}}^* = (\hat{{{\varvec{k}}}}^*, {\varvec{c}}^*, c^*, T^*, x^*_1, T^*_1, \ldots , x^*_n, T^*_n)\).

Recall that \(\mathsf {D}(\mathsf {crs},{\mathsf {C}}{\mathsf {W}};r) = m\). Thus, if the above event occurs, it means that \(\mathsf {D}(\mathsf {crs},{\mathsf {C}}{\mathsf {W}};r) \ne \mathsf {D}(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}^*;r)\). But since \(g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}, {\mathsf {C}}{\mathsf {W}}^*,r) = 1\), it means that \(\mathsf {V}^{{\mathsf {N}}{\mathsf {I}}}\) outputs 1 on all proofs \(T^*, [{T}^*_i]_{i \in [n]}\) and \((\hat{{{\varvec{k}}}}, {\varvec{c}}, c) = (\hat{{{\varvec{k}}}}^*, {\varvec{c}}^*, c^*)\).

This, in turn, means that there must be some index i on which \({\mathsf {C}}{\mathsf {W}}\) and \({\mathsf {C}}{\mathsf {W}}^*\) differ, i.e., \(x_i \ne x^{*}_i\). But note that by assumption \(c_i = c^{*}_i\). Since \({\mathsf {C}}{\mathsf {W}}\) is well-formed and the encryption scheme is perfectly correct, it must be that \(c^{*}_i \notin {\mathcal {L}}^{x^*_i}_{i}\). But recall that by assumption the proof \(T^{*}_i\) verifies correctly. This means that soundness is broken by \(A \in {\mathcal {G}}\), contradicting the security of the proof system \(\varPi ^{{{\mathsf {N}}{\mathsf {I}}}}\).

Next, recall that we wish to show that for any adversary \(A \in {\mathcal {G}}\) outputting tampering functions \(f \in {\mathcal {F}}\), \(\{\mathsf {MediumTamper}^{\varPi , {\mathcal {F}}}_{A, 0, g} \}_{n \in {\mathbb {N}}} \approx \{ \mathsf {MediumTamper}^{\varPi , {\mathcal {F}}}_{A, 1,g }\}_{n\in {\mathbb {N}}}\).

To do so we consider the following hybrid argument:

  • Hybrid 0: The real game, \(\mathsf {MediumTamper}^{\varPi , {\mathcal {F}}}_{A, 0,g}\), relative to g, where the real encoding \({\mathsf {C}}{\mathsf {W}}_0 \leftarrow \mathsf {E}(\mathsf {crs}, 0)\) and the real decoding oracle \(\mathsf {D}\) are used.

  • Hybrid 1: Replace the encoding from the previous game with \({\mathsf {C}}{\mathsf {W}}_1 \leftarrow \mathsf {E}_1(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_1,0)\) where \(r_1\) is chosen uniformly at random and g, \(\mathsf {D}\) use random coins \(r_1\).

  • Hybrid 2: Replace the encoding from the previous game with \({\mathsf {C}}{\mathsf {W}}_2 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_2,0)\), where \(r_2\) is chosen uniformly at random and g, \(\mathsf {D}\) use random coins \(r_2\).

  • Hybrid 3: Replace the decoding from the previous game with \(\mathsf {D}'(\mathsf {crs}, \mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2); r_2)\), where \(r_2\) is chosen uniformly at random and g, \(\mathsf {E}_2\) use random coins \(r_2\).

  • Hybrid 4: Same as Hybrid 3, but replace the encoding with \({\mathsf {C}}{\mathsf {W}}_3 \leftarrow \mathsf {E}_2(\mathsf {crs}, \overrightarrow{\tau }_\mathsf{sim},r_3,1)\), where \(r_3\) is chosen uniformly at random and g, \(\mathsf {D}'\) use random coins \(r_3\).

Now, we prove our hybrids are indistinguishable.

Claim

Hybrid 0 is computationally indistinguishable from Hybrid 1.

Proof

The claim follows immediately from the Simulation of proofs property in Theorem 2.

Claim

Hybrid 1 is computationally indistinguishable from Hybrid 2.

Proof

The claim follows immediately from the Simulation of Encryptions property in Theorem 2.

Claim

Hybrid 2 is computationally indistinguishable from Hybrid 3.

Proof

This claim follows from the fact that (1) if \(g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}},{\mathsf {C}}{\mathsf {W}}^*,r) = 1\), then the experiment outputs \(\mathsf {same}^*\) in both Hybrid 2 and Hybrid 3; and (2) the probability that \(g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}},{\mathsf {C}}{\mathsf {W}}^*,r) = 0\) and the output of the experiment is different in Hybrid 2 and Hybrid 3 is at most negligible, due to the Simulation Soundness property in Theorem 2.

Claim

Hybrid 3 is computationally indistinguishable from Hybrid 4.

Proof

This follows from the fact that (1) for \(\gamma \in \{2,3\}\), if \(g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_\gamma , f({\mathsf {C}}{\mathsf {W}}_\gamma ),r_\gamma ) = 1\) then \(\mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_\gamma )), f({\mathsf {C}}{\mathsf {W}}_\gamma );r_\gamma )\) always outputs 0, and so

$$\begin{aligned}&\mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_\gamma )), f({\mathsf {C}}{\mathsf {W}}_\gamma );r_\gamma )\\&\quad \quad \quad \equiv \varPsi (g, \mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_\gamma , f({\mathsf {C}}{\mathsf {W}}_\gamma ), r_\gamma , \mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_\gamma )), f({\mathsf {C}}{\mathsf {W}}_\gamma );r_\gamma )); \end{aligned}$$

and (2) the Hardness of \(D_b\) relative to Alternate Decoding property in Theorem 2.

4 One-Bit NMC for \({\mathsf {A}}{\mathsf {C}}^0\)

In this section, we show that our generic construction yields efficient NMC for \({\mathsf {A}}{\mathsf {C}}^0\) in the CRS model, when each of the underlying primitives is appropriately instantiated.

Theorem 3

\(\varPi = (\mathsf {CRSGen},\mathsf {E},\mathsf {D})\) (presented in Fig. 6) is a one-bit, computational, non-malleable code in the CRS model, secure against every \(\mathsf {PPT}\) adversary \({\mathcal {A}}\) outputting tampering functions \(f \in \) \({\mathsf {A}}{\mathsf {C}}^0\), if the underlying components are instantiated in the following way:

  • \({\mathcal {E}} := (\mathsf {Gen},\mathsf {Encrypt},\mathsf {Decrypt})\) is a public key encryption scheme with perfect correctness and decryption in \({\mathsf {A}}{\mathsf {C}}^0\).

  • \(\varPi ^{{\mathsf {N}}{\mathsf {I}}} := (\mathsf {CRSGen}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {P}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {V}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {Sim}^{{\mathsf {N}}{\mathsf {I}}})\) is a same-string, weak one-time simulation-sound NIZK with verifier in \({\mathsf {A}}{\mathsf {C}}^0\).

  • For \(b \in \{0,1\}\), \(D_b\) is the distribution that samples bits \(x_1 \ldots x_n\) uniformly at random, conditioned on \(x_1 \oplus \cdots \oplus x_n = b\).

Note that given Theorem 1, proof systems \(\varPi ^{{\mathsf {N}}{\mathsf {I}}}\) as above exist, under the assumption that same-string, weak one-time simulation-sound NIZK with (arbitrary polynomial-time) deterministic verifier exists. Such NIZK can be constructed in the CRS model from enhanced trapdoor permutations [50]. Public key encryption with perfect correctness and decryption in \({\mathsf {A}}{\mathsf {C}}^0\) can be constructed by applying the low-decryption-error transformation of Dwork et al. [29] to the (reduced decryption error) encryption scheme of Bogdanov and Lee [9]. Refer to Sect. 4 of the full version [8] for additional details.

Proof

(Proof of Theorem 3). To prove the theorem, we need to show that for every PPT adversary \({\mathcal {A}}\) outputting tampering functions \(f \in {\mathcal {F}}\), the necessary properties from Theorem 2 hold. We next go through these one by one.

  • Simulation of proofs.

    1. \(\Pr [g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_0, f({\mathsf {C}}{\mathsf {W}}_0),r_0) = 1] \approx \Pr [g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1),r_1) = 1]\),

    2. \(\varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_0, f({\mathsf {C}}{\mathsf {W}}_0), r_0, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_0);r_0)) \approx \varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1), r_1, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_1);r_1))\),

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_0, r_1\) are sampled uniformly at random, \({\mathsf {C}}{\mathsf {W}}_0 \leftarrow \mathsf {E}(\mathsf {crs}, 0)\) and \({\mathsf {C}}{\mathsf {W}}_1 \leftarrow \mathsf {E}_1(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_1,0)\). This follows immediately from the zero-knowledge property of \(\varPi ^{{\mathsf {N}}{\mathsf {I}}} = (\mathsf {CRSGen}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {P}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {V}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {Sim}^{{\mathsf {N}}{\mathsf {I}}})\).

  • Simulation of Encryptions.

    1. \(\Pr [g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1),r_1) = 1] \approx \Pr [g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2),r_2) = 1]\),

    2. \(\varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1), r_1, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_1);r_1)) \approx \varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2), r_2, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_2);r_2))\),

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_1, r_2\) are sampled uniformly at random, \({\mathsf {C}}{\mathsf {W}}_1 \leftarrow \mathsf {E}_1(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_1,0)\) and \({\mathsf {C}}{\mathsf {W}}_2 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_2,0)\). This follows immediately from the fact that \({\varvec{c}}, c\) and \({\varvec{c}}', c'\) are identically distributed when generated by \(\mathsf {E}_1\) versus \(\mathsf {E}_2\) and from the semantic security of the public key encryption scheme \({\mathcal {E}} = (\mathsf {Gen},\mathsf {Encrypt},\mathsf {Decrypt})\).

  • Simulation Soundness.

    $$\begin{aligned} {\Pr \left[ { \begin{aligned}&\mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_2); r_2) \ne \mathsf {D}'(\mathsf {crs}, \mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2); r_2) \\&\qquad \qquad \qquad \wedge g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2), r_2) = 0 \end{aligned} }\right] } \le \mathsf {negl}(n), \end{aligned}$$

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_2\) is sampled uniformly at random and \({\mathsf {C}}{\mathsf {W}}_2 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_2,0)\).

    Note that \(g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2), r_2) = 0\) only if either of the following is true: (1) \(\mathsf {V}^{{\mathsf {N}}{\mathsf {I}}}\) did not output 1 on all tampered proofs \(T^*, T^*_1, \ldots , T^*_n\) in \(f({\mathsf {C}}{\mathsf {W}}_2)\); or (2) the first 3 elements of \({\mathsf {C}}{\mathsf {W}}_2\) and \(f({\mathsf {C}}{\mathsf {W}}_2)\) are not identical (i.e., \((\hat{{{\varvec{k}}}}, {{\varvec{c}}}, c) \ne (\hat{{{\varvec{k}}}^{\varvec{*}}}, {{\varvec{c}}}^{\varvec{*}}, c^*)\)). In case (1), both \(\mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_2); r_2)\) and \(\mathsf {D}'(\mathsf {crs}, \mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2); r_2)\) output 0. This contradicts the assumption that \(\mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_2); r_2) \ne \mathsf {D}'(\mathsf {crs}, \mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2); r_2)\). In case (2), the extractor \(\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2))\) outputs \(k^*_{n+1} := {\mathsf {Decrypt}_{\textsc {sk}}(\hat{k^*}_{n+1})}\) and \(\mathsf {D}'(\mathsf {crs}, \mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)),f({\mathsf {C}}{\mathsf {W}}_2); r_2)\) outputs \(b^* = c^* \oplus k^*_{n+1}\). Now, if \(\mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_2); r_2) \ne \mathsf {D}'(\mathsf {crs}, \mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2); r_2)\) but \(\mathsf {V}^{{\mathsf {N}}{\mathsf {I}}}\) outputs 1 on all tampered proofs \(T^*, T^*_1, \ldots , T^*_n\) in \(f({\mathsf {C}}{\mathsf {W}}_2)\), then the one-time simulation soundness of \(\varPi ^{{\mathsf {N}}{\mathsf {I}}} = (\mathsf {CRSGen}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {P}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {V}^{{\mathsf {N}}{\mathsf {I}}}, \mathsf {Sim}^{{\mathsf {N}}{\mathsf {I}}})\) does not hold.

  • Hardness of \(D_b\) relative to Alternate Decoding.

    1. \(\Pr [g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2),r_2) = 1] \approx \Pr [g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_3, f({\mathsf {C}}{\mathsf {W}}_3),r_3) = 1]\),

    2. \(\mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2);r_2) \approx \mathsf {D}'(\mathsf {crs}, \mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_3)), f({\mathsf {C}}{\mathsf {W}}_3);r_3)\),

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_2, r_3\) are sampled uniformly at random, \({\mathsf {C}}{\mathsf {W}}_2 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_2,0)\) and \({\mathsf {C}}{\mathsf {W}}_3 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_3,1)\).

    Let \({\varvec{X}}\) denote a random variable where \({\varvec{X}}\) is sampled from \(D_0\) with probability 1/2 and \({\varvec{X}}\) is sampled from \(D_1\) with probability 1/2 and let random variable \({\mathsf {C}}{\mathsf {W}}\) denote the output of \(\mathsf {E}_2\) when \({\varvec{X}}\) replaces \({\varvec{x}}\).

    To show (1), assume \(\Pr [g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2),r_2) = 1]\) and \(\Pr [g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}_3, f({\mathsf {C}}{\mathsf {W}}_3),r_3) = 1]\) differ by a non-negligible amount. This implies that a circuit that takes as input \({\varvec{X}}\), hardwires all other random variables, and outputs 1 in the case that \(g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}, f({\mathsf {C}}{\mathsf {W}}),r) = 1\) and 0 otherwise has non-negligible correlation with the parity of its input \({\varvec{X}}\). We will show that this circuit can be computed by an \({\mathsf {A}}{\mathsf {C}}^0\) circuit with input \({\varvec{X}}\), thus contradicting Theorem 2 from [8], which says that an \({\mathsf {A}}{\mathsf {C}}^0\) circuit has at most negligible correlation with the parity of its input \({\varvec{X}}\), denoted \({\mathcal {P}}({\varvec{X}})\).

    We construct the distribution of circuits \({\mathcal {C}}^1_{\mathcal {F}}\), and \(C \sim {\mathcal {C}}^1_{\mathcal {F}}\) is drawn as:

    1. Sample \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\).

    2. Sample tampering function \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\).

    3. Sample \({\varvec{c}}', c'\) uniformly at random.

    4. Set \({\varvec{k}}' = c'_1, \ldots , c'_n, c\). For \(i \in [n]\), compute \({\hat{k}}'_i \leftarrow \mathsf {Encrypt}_{\textsc {pk}}(k'_i)\) and compute \({\hat{k}}'_{n+1} \leftarrow \mathsf {Encrypt}_{\textsc {pk}}(k')\).

    5. Sample r uniformly at random.

    6. Sample simulated proofs \([T^{'\beta }_i]_{\beta \in \{0,1\}, i \in [n]}\) and \(T'\) (as described in Fig. 8).

    7. Output the circuit C with the following structure:

      • hardwired variables: \(\mathsf {crs}\), \(\textsc {sk}\), f, \(\hat{{\varvec{k}}}'\), \({\varvec{c}}', c'\), r, \([T^{'\beta }_i]_{\beta \in \{0,1\}, i \in [n]}\).

      • input: \({\varvec{X}}\).

      • computes and outputs: \(g(\mathsf {crs}, {\mathsf {C}}{\mathsf {W}}, f({\mathsf {C}}{\mathsf {W}}),r)\).

      Note that given all the hardwired variables, computing \({\mathsf {C}}{\mathsf {W}}\) is in \({\mathsf {A}}{\mathsf {C}}^0\) since all it does is, for \(i \in [n]\), select the correct simulated proof \(T_i^{'x_i}\) based on the corresponding input bit \(x_i\). Additionally, f is in \({\mathsf {A}}{\mathsf {C}}^0\) and g is in \({\mathsf {A}}{\mathsf {C}}^0\), since bit-wise comparison is in \({\mathsf {A}}{\mathsf {C}}^0\) and \(V^\mathsf{SAT}\) is in \({\mathsf {A}}{\mathsf {C}}^0\). Thus, the entire circuit is in \({\mathsf {A}}{\mathsf {C}}^0\).

    To show (2), assume \(\mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2);r_2)\) and \(\mathsf {D}'(\mathsf {crs},\)\(\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_3)), f({\mathsf {C}}{\mathsf {W}}_3);r_3)\) have non-negligible statistical distance. This implies that a circuit that takes as input \({\varvec{X}}\), hardwires all other random variables, and outputs \(\mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}})), f({\mathsf {C}}{\mathsf {W}});r_2)\) has non-negligible correlation to the parity of \({\varvec{X}}\). We will show that \(\mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}})), f({\mathsf {C}}{\mathsf {W}});r_2)\) can be computed by an \({\mathsf {A}}{\mathsf {C}}^0\) circuit with input \({\varvec{X}}\), thus contradicting Theorem 2 from [8], which says that an \({\mathsf {A}}{\mathsf {C}}^0\) circuit has at most negligible correlation with the parity of its input \({\varvec{X}}\), denoted \({\mathcal {P}}({\varvec{X}})\).

    We construct the distribution of circuits \({\mathcal {C}}^2_{\mathcal {F}}\), and \(C \sim {\mathcal {C}}^2_{\mathcal {F}}\) is drawn as:

    1. Sample \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\).

    2. Sample tampering function \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\).

    3. Sample \({\varvec{c}}', c'\) uniformly at random.

    4. Set \({\varvec{k}}' = c'_1, \ldots , c'_n, c\). For \(i \in [n]\), compute \({\hat{k}}'_i \leftarrow \mathsf {Encrypt}_{\textsc {pk}}(k'_i)\) and compute \({\hat{k}}'_{n+1} \leftarrow \mathsf {Encrypt}_{\textsc {pk}}(k')\).

    5. Sample r uniformly at random.

    6. Sample simulated proofs \([T^{'\beta }_i]_{\beta \in \{0,1\}, i \in [n]}\) and \(T'\) (as described in Fig. 8).

    7. Output the circuit C with the following structure:

      • hardwired variables: \(\mathsf {crs}\), \(\textsc {sk}\), f, \(\hat{{\varvec{k}}}'\), \({\varvec{c}}', c'\), r, \([T^{'\beta }_i]_{\beta \in \{0,1\}, i \in [n]}\).

      • input: \({\varvec{X}}\).

      • computes and outputs: \( \mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}})), f({\mathsf {C}}{\mathsf {W}});r_2)\).

      Note that \(\mathsf {Ext}\in \) \({\mathsf {A}}{\mathsf {C}}^0\) since decryption for \({\mathcal {E}} := (\mathsf {Gen}, \mathsf {Encrypt}, \mathsf {Decrypt})\) is in \({\mathsf {A}}{\mathsf {C}}^0\). Moreover, as above, given all the hardwired variables, computing \({\mathsf {C}}{\mathsf {W}}\) is in \({\mathsf {A}}{\mathsf {C}}^0\) since all it does is, for \(i \in [n]\), select the correct simulated proof \(T_i^{'x_i}\) based on the corresponding input bit \(x_i\). Additionally, f is in \({\mathsf {A}}{\mathsf {C}}^0\) and \(\mathsf {D}'\) is in \({\mathsf {A}}{\mathsf {C}}^0\), since the xor of two bits is in \({\mathsf {A}}{\mathsf {C}}^0\) and \(V^\mathsf{SAT}\) is in \({\mathsf {A}}{\mathsf {C}}^0\). Thus, the entire circuit is in \({\mathsf {A}}{\mathsf {C}}^0\).

Analysis for more tampering classes is presented in Sect. 4.1 of the full version [8].

5 Construction for Multi-bit Messages

The construction for encoding multi-bit messages is similar to that for encoding a single bit, presented in Sect. 3. To encode an m-bit message, the construction repeats the single-bit encoding procedure m times and binds the m encodings together with a proof T.

Fig. 12. Non-malleable code \((\mathsf {CRSGen}, \mathsf {E}, \mathsf {D})\), secure against \({\mathcal {F}}\) tampering.

Fig. 13. Encoding algorithm with simulated proofs.

Fig. 14. Encoding algorithm with simulated proofs and encryptions.

Fig. 15. Extracting procedure \(\mathsf {Ext}\).

Fig. 16. Alternate decoding procedure \(\mathsf {D}'\), given additional extracted key \([k^i]_{i \in [m]}\) as input.

Fig. 17. The predicate \(g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}},{\mathsf {C}}{\mathsf {W}}^*,r)\).

Let \(\varPsi (p,c,x,y,r,z)\) be defined as a function that takes as input a predicate p and variables c, x, y, r, z. If \(p(c,x,y,r) = 1\), then \(\varPsi \) outputs the m-bit string \({\varvec{0}}\). Otherwise, \(\varPsi \) outputs z.

Theorem 4

Let \((\mathsf {E}, \mathsf {D})\), \(\mathsf {E}_1\), \(\mathsf {E}_2\), \(\mathsf {Ext}\), \(\mathsf {D}'\) and g be as defined in Figs. 12, 13, 14, 15, 16 and 17. Let \({\mathcal {F}}\) be a computational class. If, for every pair of m-bit messages \({\varvec{b}}_0, {\varvec{b}}_1\) and for every adversary \({\mathcal {A}} \in {\mathcal {G}}\) outputting tampering functions \(f \in {\mathcal {F}}\), all of the following hold:

  • Simulation of proofs.

    1. \(\Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_0, f({\mathsf {C}}{\mathsf {W}}_0),r_0) = 1] \approx \Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1),r_1) = 1]\),

    2. \(\varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_0, f({\mathsf {C}}{\mathsf {W}}_0), r_0, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_0);r_0)) \approx \varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1), r_1, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_1);r_1))\),

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_0, r_1\) are sampled uniformly at random, \({\mathsf {C}}{\mathsf {W}}_0 \leftarrow \mathsf {E}(\mathsf {crs}, {\varvec{b}}_0)\) and \({\mathsf {C}}{\mathsf {W}}_1 \leftarrow \mathsf {E}_1(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_1,{\varvec{b}}_0)\).

  • Simulation of Encryptions.

    1. \(\Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1),r_1) = 1] \approx \Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2),r_2) = 1]\),

    2. \(\varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_1, f({\mathsf {C}}{\mathsf {W}}_1), r_1, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_1);r_1)) \approx \varPsi (g,\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2), r_2, \mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_2);r_2))\),

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_1, r_2\) are sampled uniformly at random, \({\mathsf {C}}{\mathsf {W}}_1 \leftarrow \mathsf {E}_1(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_1,{\varvec{b}}_0)\) and \({\mathsf {C}}{\mathsf {W}}_2 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_2,{\varvec{b}}_0)\).

  • Simulation Soundness.

    $$\begin{aligned} {\Pr \left[ {\begin{aligned}&\mathsf {D}(\mathsf {crs}, f({\mathsf {C}}{\mathsf {W}}_2); r_2) \ne \mathsf {D}'(\mathsf {crs}, \mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2); r_2) \\&\qquad \qquad \qquad \wedge g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2), r_2) = 0 \end{aligned}}\right] }\,{\le }\,\mathsf {negl}(n), \end{aligned}$$

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_2\) is sampled uniformly at random and \({\mathsf {C}}{\mathsf {W}}_2 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_2,{\varvec{b}}_0)\).

  • Hardness of \(D_{{\varvec{b}}}\) relative to Alternate Decoding.

    1. \(\Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_2, f({\mathsf {C}}{\mathsf {W}}_2),r_2) = 1] \approx \Pr [g(\mathsf {crs},{\mathsf {C}}{\mathsf {W}}_3, f({\mathsf {C}}{\mathsf {W}}_3),r_3) = 1]\),

    2. For every Boolean function, represented by a circuit F over m variables, \( F \circ \mathsf {D}'(\mathsf {crs},\mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_2)), f({\mathsf {C}}{\mathsf {W}}_2);r_2) \approx F \circ \mathsf {D}'(\mathsf {crs}, \mathsf {Ext}(\mathsf {crs}, \textsc {sk}, f({\mathsf {C}}{\mathsf {W}}_3)), f({\mathsf {C}}{\mathsf {W}}_3);r_3), \)

    where \((\mathsf {crs}, \textsc {sk}, \overrightarrow{\tau }_\mathsf{sim}) \leftarrow \mathsf {CRSGen}(1^n)\), \(f \leftarrow {\mathcal {A}}(\mathsf {crs})\), \(r_2, r_3\) are sampled uniformly at random, \({\mathsf {C}}{\mathsf {W}}_2 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},r_2,{\varvec{b}}_0)\) and \({\mathsf {C}}{\mathsf {W}}_3 \leftarrow \mathsf {E}_2(\mathsf {crs},\overrightarrow{\tau }_\mathsf{sim},\)\(r_3,{\varvec{b}}_1)\).

Then the construction presented in Fig. 12 is a non-malleable code for class \({\mathcal {F}}\) against adversaries \({\mathcal {A}} \in {\mathcal {G}}\).

We present the proof of Theorem 4 in Sect. 5.1 of the full version [8].

6 Efficient, Multi-bit NMC for \({\mathsf {A}}{\mathsf {C}}^0\)

Theorem 5

\(\varPi = (\mathsf {CRSGen},\mathsf {E},\mathsf {D})\) (presented in Fig. 12) is an m-bit, computational, non-malleable code in the CRS model against tampering by depth-\((m^{\log ^\delta m}/2 - c)\) circuits with unbounded fan-in and size \(\delta \cdot \frac{\log m}{\log \log m} - p(n)\) (where c is constant and \(p(\cdot )\) is a fixed polynomial), and m is such that \(n = m^{3 + 5\delta }\), if the underlying components are instantiated in the following way:

  • \({\mathcal {E}} := (\mathsf {Gen},\mathsf {Encrypt},\mathsf {Decrypt})\) is a public key encryption scheme with perfect correctness and decryption in \({\mathsf {A}}{\mathsf {C}}^0\).

  • \(\varPi ^{{\mathsf {N}}{\mathsf {I}}} := (\mathsf {CRSGen}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {P}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {V}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {Sim}^{{\mathsf {N}}{\mathsf {I}}})\) is a same-string, weak one-time simulation-sound NIZK with verifier in \({\mathsf {A}}{\mathsf {C}}^0\).

  • For \(b \in \{0,1\}\), \(D_b\) is the distribution that samples bits \(x_1 \ldots x_n\) uniformly at random, conditioned on \(x_1 \oplus \cdots \oplus x_n = b\).

As in the one-bit case, given Theorem 1, proof systems \(\varPi ^{{\mathsf {N}}{\mathsf {I}}}\) as above exist under the assumption that a same-string, weak one-time simulation-sound NIZK with (arbitrary polynomial-time) deterministic verifier exists. Refer to Sect. 4 of the full version [8] for a discussion of how such NIZK and public key encryption can be instantiated. The proof of Theorem 5 is presented as the proof of Theorem 11 in [8], followed by the analysis for tampering with decision trees in Sect. 6.1.

7 One-Bit NMC Against Streaming Adversaries

In this section, we show that our generic construction yields efficient unconditional NMC resilient against the tampering class \({\mathcal {F}}\) corresponding to streaming adversaries with memory \(o(n'')\).

Let n be the parameter for the hard distribution described below, \(n'\) be the parameter for the semantically secure parity-based encryption scheme against streaming adversaries with \(o(n')\) storage (described in Sect. 7.2 of [8]), and \(n''\) be the parameter for the non-interactive simulatable proof system with streaming verifier (described in Sect. 7.4 of [8]), such that \(n \in \omega (n'')\) and \(n' \in \omega (n)\).

The Hard Distribution \({{\varvec{D}}}_{{\varvec{b}}}\) (parameter \({{\varvec{n}}}\)). Let \(n = (\mu +1)^2-1\). For \(b \in \{0,1\}\), a draw from the distribution \(D_b\) is defined as follows: Choose a parity \(\chi _S\) uniformly at random from the set of all (non-zero) parities over \(\mu \) variables (\(\emptyset \ne S \subseteq [\mu ]\)). Choose \(y_1, \ldots , y_\mu \sim \{0,1\}^\mu \) uniformly at random. Choose y uniformly at random, conditioned on \(\chi _S(y) = b\). Output the following n-bit string: \([(y_i, \chi _S(y_i))]_{i \in [\mu ]} \,||\, y\).

The proof of the hardness of \(D_b\) described above, along with the details of the parity-based encryption scheme, and non-interactive simulatable proof system with streaming verifier are described in Sects. 7.1, 7.2, and 7.4 of [8] respectively.
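As an added illustration (not code from the paper), the following Python samples the hard distribution \(D_b\) above for a concrete \(\mu\), decodes b from the challenge y when S is known, and recovers S from the \(\mu\) labelled examples by Gaussian elimination over GF(2), which is exactly what a decoder with unrestricted memory can do and what the hardness claim denies a streaming adversary with \(o(n'')\) space. All function and variable names are our own.

```python
import random

def chi(S, y):
    """Parity chi_S(y): XOR of the coordinates of y indexed by S."""
    return sum(y[i] for i in S) % 2

def sample_hard_distribution(b, mu, rng=random):
    """Draw one n-bit string from D_b, n = (mu+1)^2 - 1, as defined above.

    Layout: mu labelled examples (y_i, chi_S(y_i)) of mu+1 bits each, then the
    mu-bit challenge y with chi_S(y) = b.  S is returned only so that a caller
    can check the sample; it is not part of the output string.
    """
    assert b in (0, 1) and mu >= 1
    S = []
    while not S:  # uniformly random non-empty S, i.e. a non-zero parity chi_S
        S = [i for i in range(mu) if rng.getrandbits(1)]
    bits = []
    for _ in range(mu):
        y_i = [rng.getrandbits(1) for _ in range(mu)]
        bits += y_i + [chi(S, y_i)]
    # Uniform y conditioned on chi_S(y) = b: sample freely, then flip one
    # coordinate in S if the parity is wrong.  The flip is a bijection between
    # the two parity classes, so the result is uniform on {y : chi_S(y) = b}.
    y = [rng.getrandbits(1) for _ in range(mu)]
    if chi(S, y) != b:
        y[S[0]] ^= 1
    bits += y
    assert len(bits) == (mu + 1) ** 2 - 1
    return bits, S

def parse(bits, mu):
    """Split a D_b string back into [(y_i, label_i)] and the challenge y."""
    assert len(bits) == (mu + 1) ** 2 - 1
    examples = [(bits[i * (mu + 1):i * (mu + 1) + mu], bits[i * (mu + 1) + mu])
                for i in range(mu)]
    return examples, bits[mu * (mu + 1):]

def labels_consistent(bits, mu, S):
    """Check that every labelled example carries chi_S(y_i)."""
    examples, _ = parse(bits, mu)
    return all(chi(S, y_i) == label for y_i, label in examples)

def decode_with_parity(bits, mu, S):
    """Recover b from the challenge y once S is known."""
    _, y = parse(bits, mu)
    return chi(S, y)

def recover_parity(bits, mu):
    """Solve the mu labelled examples for S by Gaussian elimination over GF(2).
    Needs the whole string in memory, which a streaming adversary with o(n'')
    space does not have.  Returns None when S is not determined uniquely."""
    examples, _ = parse(bits, mu)
    pivots = {}  # pivot column -> (row mask, rhs), kept fully reduced
    for y_i, rhs in examples:
        mask = sum(bit << j for j, bit in enumerate(y_i))
        for col, (pm, pr) in pivots.items():
            if (mask >> col) & 1:
                mask ^= pm
                rhs ^= pr
        if mask == 0:
            if rhs:
                return None  # inconsistent equations: not an honest sample
            continue
        col = (mask & -mask).bit_length() - 1  # lowest set bit becomes a pivot
        for c, (pm, pr) in list(pivots.items()):
            if (pm >> col) & 1:
                pivots[c] = (pm ^ mask, pr ^ rhs)
        pivots[col] = (mask, rhs)
    if len(pivots) < mu:
        return None  # linearly dependent examples; S is not pinned down yet
    return sorted(col for col, (_, r) in pivots.items() if r)
```

Since the \(\mu\) example vectors are random, they are linearly independent only with constant probability, so `recover_parity` can legitimately return None on an honest sample.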

Theorem 6

\(\varPi = (\mathsf {E},\mathsf {D})\) (presented in Fig. 6) is a one-bit, unconditional non-malleable code against streaming adversaries with space \(o(n'')\), if the underlying components are instantiated in the following way:

  • \({\mathcal {E}} := (\mathsf {Encrypt},\mathsf {Decrypt})\) is the parity based encryption scheme (with parameter \(n' := n'(n)\)).

  • \(\varPi ^{{\mathsf {N}}{\mathsf {I}}} := (\mathsf {P}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {V}^{{\mathsf {N}}{\mathsf {I}}},\mathsf {Sim}^{{\mathsf {N}}{\mathsf {I}}})\) is the simulatable proof system with streaming verifier (with parameter \(n'' := n''(n)\)).

  • For \(b \in \{0,1\}\), \(D_b\) is the distribution described above (with parameter n).

We wish to emphasize that no CRS or computational assumptions are needed for this result. Therefore, we can assume that the adversary \({\mathcal {A}}\) outputting the tampering function f is computationally unbounded. Moreover, the result extends trivially to any number m of bits, and all other parameters (\(n, n', n''\)) can remain the same and do not need to be increased. To see this, note that the only additional property that needs to be proved in the multi-bit case (the hardness of \(D_{{\varvec{b}}}\) relative to alternate decoding in Theorem 4) can, in the bounded-memory setting, be achieved without requiring any additional memory beyond what is required in the one-bit case. We refer the interested reader to Sect. 7.5 of [8] for further details.