Leakage-resilient Algebraic Manipulation Detection Codes with Optimal Parameters

TL;DR

This paper establishes optimal bounds on leakage rate and code rate for leakage-resilient Algebraic Manipulation Detection codes, providing constructions that meet these bounds and analyzing their security under different adversarial models.

Contribution

It proves fundamental bounds on leakage and code rates for leakage-resilient AMD codes and presents constructions that are asymptotically optimal within these bounds.

Findings

Bounds 2r + k < 1 and r + k < 1 are proven for leakage-resilient AMD codes.

Constructed AMD codes asymptotically meet the optimal bounds for a wide parameter range.

Computationally bounded leakage functions can break the established bounds under certain models.

Abstract

Algebraic Manipulation Detection (AMD) codes is a cryptographic primitive that was introduced by Cramer, Dodis, Fehr, Padro and Wichs. They are keyless message authentication codes that protect messages against additive tampering by the adversary assuming that the adversary cannot "see" the codeword. For certain applications, it is unreasonable to assume that the adversary computes the added offset without any knowledge of the codeword c. Recently, Ahmadi and Safavi-Naini, and then Lin, Safavi-Naini, and Wang gave a construction of leakage-resilient AMD codes where the adversary has some partial information about the codeword before choosing added offset, and the scheme is secure even conditioned on this partial information. In this paper we establish bounds on the leakage rate r and the code rate k for leakage-resilient AMD codes. In particular we prove that 2r + k < 1 and for the weak case (security is averaged over a uniformly random message) r + k < 1. These bounds hold even if adversary is polynomial-time bounded, as long as we allow leakage function to be arbitrary. We present constructions of AMD codes that (asymptotically) fulfill the above bounds for almost full range of parameters r and k. This shows that the above bounds and constructions are in-fact optimal. In the last section we show that if a leakage function is computationally bounded (we use the Ideal Cipher Model) then it is possible to break these bounds.