Non-Malleable Codes from the Wire-Tap Channel
Recently, Dziembowski et al. introduced the notion of non-malleable codes (NMC), inspired by the notion of non-malleability in cryptography and by the work of Gennaro et al. in 2004 on tamper-proof security. Informally, when using NMC, if an attacker modifies a codeword, decoding this modified codeword will return either the original message or a completely unrelated value. The definition of NMC is relative to the family of modifications the attacker is allowed to apply. In their paper, Dziembowski et al. propose a construction valid for the family of all bit-wise independent functions. In this article, we study the link between the second version of the Wire-Tap (WT) Channel, introduced by Ozarow and Wyner in 1984, and NMC. Using coset-coding, we describe a new construction for NMC w.r.t. a subset of the family of bit-wise independent functions. Our scheme is easier to build and more efficient than the one proposed by Dziembowski et al.
Research Summary
The paper investigates the relationship between the second version of the Wire‑Tap (WT) channel, introduced by Ozarow and Wyner, and the notion of non‑malleable codes (NMC) as defined by Dziembowski et al. The authors aim to construct NMCs that are easier to instantiate and more efficient than the earlier construction based on Linear Error‑Correcting Secret‑Sharing (LECSS) and Algebraic Manipulation Detection (AMD) codes.
First, the authors recall the formal definition of NMCs. A coding scheme (Enc, Dec) is non‑malleable with respect to a family F of tampering functions if, for every f ∈ F, there exists a distribution Df over {0,1}^k ∪ {⊥, same} such that, for any source message s, the tampering experiment (encode s as a random codeword c, apply f, decode f(c)) is indistinguishable from the following ideal experiment: sample d from Df; if d = same, output s, otherwise output d. Since Df is fixed independently of s, the tampered output is either the original message or a value unrelated to it. Note that Df may depend on the particular function f, not only on the family F.
The paper then reviews the two WT channel models. WT I assumes a noisy main channel and a noisier eavesdropper (wire‑tap) channel; security is achieved via random coset coding. WT II, the focus of this work, assumes both channels are noiseless, but the eavesdropper can only observe a limited number of bits of each codeword, chosen arbitrarily. If the number of observed bits is smaller than the dual distance d⊥ of the underlying linear code C, the eavesdropper gains no information about the secret message.
The authors observe that a bit‑wise independent tampering function that only flips bits (i.e., each sub‑function is either “keep” or “flip”) cannot be handled by linear coset coding because the tampered codeword is simply c + e, and decoding yields m + H^T e, which is a deterministic offset of the original message. To break this correlation, the tampering must also include bits that are forced to 0 or 1. Setting a bit to a constant is information‑theoretically equivalent to erasing it, because the attacker loses knowledge of its original value. Hence, WT II’s erasure‑based secrecy can be leveraged: if enough bits are forced to 0 or 1, the attacker’s view is effectively an erasure pattern that reveals no information about the message.
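The two observations above (WT II secrecy below the dual distance, and flips being malleable while forced constants act as erasures) can be checked exhaustively on a toy instance. The following is an added example, not code from the paper; it assumes coset coding over the [7,4] Hamming code (dual distance 4), so messages are 3-bit syndromes.

```python
from itertools import product
from collections import Counter
import random

# Systematic parity-check matrix H = [A | I_3] of the [7,4] Hamming code;
# its columns are the seven nonzero vectors of F_2^3 (assumed toy code).
# The dual (simplex) code has minimum distance 4, so D_PERP = 4.
H = ((0, 1, 1, 1, 1, 0, 0),
     (1, 0, 1, 1, 0, 1, 0),
     (1, 1, 0, 1, 0, 0, 1))
N, K, D_PERP = 7, 3, 4

def syndrome(c):
    """Decode: m = H c (mod 2)."""
    return tuple(sum(h * x for h, x in zip(row, c)) % 2 for row in H)

def coset(m):
    """All 16 codewords of m, i.e. the randomness of the tampering experiment."""
    return [c for c in product((0, 1), repeat=N) if syndrome(c) == m]

def encode(m):
    """WT II encoder: a uniformly random element of the coset of m."""
    return random.choice(coset(m))

def flip_offset(e):
    """Flipping c -> c + e decodes to m + H e for every c: a fixed offset of m."""
    return syndrome(e)

def set_bits(positions, values):
    """Tampering function forcing the given positions to constant values."""
    def f(c):
        c = list(c)
        for p, v in zip(positions, values):
            c[p] = v
        return tuple(c)
    return f

def tampered_outputs(m, f):
    """Distribution of Dec(f(c)) over the random encoding c of m."""
    return Counter(syndrome(f(c)) for c in coset(m))

def observation_leaks(positions):
    """WT II secrecy: the bits at `positions` reveal something about m iff a
    nonzero dual codeword (row space of H) is supported inside them."""
    for a in product((0, 1), repeat=K):
        if any(a):
            w = [sum(a[i] * H[i][j] for i in range(K)) % 2 for j in range(N)]
            if all(j in positions for j in range(N) if w[j]):
                return True
    return False
```

Forcing three bits whose H-columns are independent (for example positions 0, 1 and 4) makes the decoded output uniform and identical for every message, whereas any pure flip pattern shifts every message by the same syndrome.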
The main construction proceeds as follows. Choose a linear