Non-Malleable Code in the Split-State Model

Non-malleable codes are a natural relaxation of error correction and error detection codes applicable in scenarios where error-correction or error-detection is impossible. Over the last decade, non-malleable codes have been studied for a wide variety of tampering families. Among the most well studied of these is the split-state family of tampering channels, where the codeword is split into two or more parts and each part is tampered with independently. We survey various constructions and applications of non-malleable codes in the split-state model.

• As an application, we also construct the first quantum secure 2-out-of-2 non-malleable secret sharing scheme for message/secret length $m = n^{\Omega(1)}$, error $\varepsilon = 2^{-n^{\Omega(1)}}$ and share of size $n$.

Introduction
In a seminal work, Dziembowski, Pietrzak and Wichs [DPW18] introduced non-malleable codes to provide a meaningful guarantee for the encoded message S in situations where traditional error-correction or even error-detection is impossible. Informally, non-malleable codes encode a classical message S in a manner such that tampering with the codeword results in the decoder outputting either the original message S or a message that is unrelated to/independent of S. Using probabilistic arguments, [DPW18] showed the existence of such non-malleable codes against any family F of tampering functions of size as large as $2^{2^{\alpha n}}$ for any fixed constant $\alpha < 1$, where n is the length of the codeword for messages of length $\Omega(n)$.
Subsequent works continued to study non-malleable codes in various tampering models. Perhaps the most well known of these tampering function families is the so-called split-state model introduced by Liu and Lysyanskaya [LL12], who constructed efficient constant rate non-malleable codes against computationally bounded adversaries under strong cryptographic assumptions. We refer to the (2-part) split-state model as the split-state model in this paper. In the split-state model, the message S is encoded into two parts, X and Y, after which the adversary is allowed to arbitrarily tamper $(X, Y) \to (X', Y')$ such that $(X', Y') = (f(X), g(Y))$ for any functions $(f, g)$ such that $f, g : \{0,1\}^n \to \{0,1\}^n$. Dziembowski, Kazana and Obremski [DKO13] proposed a construction that provides non-malleable codes for a single bit message based on strong extractors. Subsequently, multiple works considered non-malleable codes for multi-bit messages, leading to constant rate non-malleable codes in the split-state model [LL12, CG16, CGL20, CG14, ADL18, Agg15, Li15, AB16, Li17, Li19, AO20, AKO+22]. Non-malleable codes in the split-state model have found applications to numerous other important security notions such as non-malleable commitments and non-malleable secret sharing [GPR16, GK18a, GK18b, ADN+19, SV19].
More formally, a non-malleable code in the split-state model in the classical setting can be defined as follows. Let n, m represent positive integers and $k, \varepsilon, \varepsilon' > 0$ represent reals. Let F denote the set of all functions $f : \{0,1\}^n \to \{0,1\}^n$. We consider an encoding and decoding scheme (Enc, Dec) in the split-state model where Enc(S) = (X, Y). Here $S \sim U_m$ ($U_m$ is the uniform distribution on m bits) represents the plaintext/message and $X, Y \in \{0,1\}^n$ are the two parts of the codeword. Enc is a randomized function and Dec(X, Y) is a deterministic function, such that $\Pr(\mathrm{Dec}(\mathrm{Enc}(S)) = S) = 1$.
Intuitively, if the adversary doesn't tamper with the codeword (in which case $(X, Y) = (X', Y')$), the decoded message is the same (captured by the variable same) as the original message S. If the adversary does tamper with the codeword (in which case either $X \neq X'$ or $Y \neq Y'$), the decoded message is (approximately) distributed according to a distribution ($D_f$ minus same, normalized) that only depends on f and is independent of the original message S.
Among previous classical results in the split-state model, [DKO13] constructed the first non-malleable code for a 1-bit message. Following that, Aggarwal, Dodis and Lovett [ADL18] gave the first information-theoretic construction for m-bit messages, but with codeword length $2n = m^{O(1)}$. Chattopadhyay, Goyal and Li [CGL20] gave a non-malleable code for message length $m = n^{\Omega(1)}$, error $\varepsilon = 2^{-n^{\Omega(1)}}$ and codeword of size 2n. Improving upon the work of [CGL20], Li [Li19] gave a non-malleable code for message length $m = O\left(\frac{n \log\log n}{\log n}\right)$, error $\varepsilon = 2^{-n^{\Omega(1)}}$ and codeword of size 2n. Only recently, Aggarwal and Obremski [AO20] gave the first constant rate non-malleable code for message length $m = \Omega(n)$, error $\varepsilon = 2^{-n^{\Omega(1)}}$ and codeword of size 2n. This construction was improved to a rate 1/3 construction in [AKO+22].

Motivation to consider the quantum setting
With the rise of quantum computers, it becomes vital to understand if non-malleable codes are secure against quantum adversaries. Quantum entanglement between various parties, used to generate classical information, introduces non-local correlations [Bel64]. For example, in the CHSH game, one can use local measurements on both halves of an EPR state to generate a probability distribution which contains correlations stronger than those possible classically. Entanglement is of course known to yield several such unexpected effects with no classical counterparts, e.g., superdense coding [BW92]. Thus, it motivates us to consider if one can provide non-malleable codes when the adversary in the split-state model is allowed to make use of arbitrary entanglement (between the two parts) to tamper with the two parts X and Y (both classical) of an encoded message S. We note to the reader that the (Enc, Dec) schemes considered in this paper are classical, and we provide quantum security in the sense that the adversary is allowed to do quantum operations to tamper $(X, Y) \to (X', Y')$ using pre-shared unbounded entanglement.

Our results
Our first contribution is setting up the required analogue/framework to define non-malleable codes in the quantum setting.

Quantum split-state adversary
To tamper $(X, Y) \to (X', Y')$, we let the adversary share an arbitrary entanglement $\psi_{NM}$ between the two different locations where the split codewords are stored. The adversary then applies isometries U : The decoding process begins by first measuring $(X', Y')$ and then outputting the decoded message $S'$ from $(X', Y')$ (post measurement in the computational basis). To show that non-malleable codes are secure against such an adversary, it is sufficient to show that if the adversary doesn't tamper with the codeword, the decoded message $S'$ is the same as the original message S. If the adversary does tamper with the codeword, the decoded message $S'$ is (approximately) distributed according to a distribution ($D_{(U,V,\psi)}$, which depends only on $(U, V, \psi)$) that is independent of the original message S. For simplicity, we denote the quantum split-state adversary as $A = (U, V, \psi)$ in this paper.

Figure 1: Quantum split-state adversary along with the process.
We now formally define a quantum split-state adversary in the split-state model.
Definition 2 (Quantum split-state adversary (see Figure 1)). Let $\sigma_{SXY}$ be the state after encoding the message S. The quantum split-state adversary (denoted $A = (U, V, \psi)$) will act via two isometries, (U, V), using an additional shared entangled state $|\psi\rangle_{NM}$ as specified by U : and ρ be the final state after measuring the registers $(X'Y')$ in the computational basis.
Our work provides the first quantum secure non-malleable code with efficient encoding and decoding procedures for message length $m = n^{\Omega(1)}$, error $\varepsilon = 2^{-n^{\Omega(1)}}$ and codeword of size 2n. When the tampering of the codeword is performed t-times, we also provide the first quantum secure one-many non-malleable code with efficient encoding and decoding procedures for $t = n^{\Omega(1)}$, message length $m = n^{\Omega(1)}$, error $\varepsilon = 2^{-n^{\Omega(1)}}$ and codeword of size 2n. Prior to our work, it remained open to provide such quantum secure non-malleable codes even for a single bit message in the split-state model. We next formally define the quantum secure non-malleable codes in the split-state model.
Definition 3 (Quantum secure non-malleable codes in the split-state model). (Enc, Dec) is an $(m, n, \varepsilon)$-quantum secure non-malleable code in the split-state model with error ε, if for state ρ and adversary $A = (U, V, \psi)$ (as defined in Definition 2), there exists a random variable
Our first result is to show that a quantum secure non-malleable code in the split-state model can be constructed using a quantum secure 2-source non-malleable extractor. We use the 2-source non-malleable extractor of Boddu, Jain and Kapshikar [BJK21]. This is analogous to the classical result by Cheraghchi and Guruswami [CG14]; however, additional novelty over classical arguments is needed. This is to take care of the specific adversary model in which the security of the 2-source non-malleable extractor is shown by [BJK21] and other additional issues involving quantum information (for example, purifications of states).
Theorem 1 (Quantum secure non-malleable codes in the split-state model). Let $\mathrm{2nmExt} : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^m$ be an $(n-k, n-k, \varepsilon)$-quantum secure 2-source non-malleable extractor. There exists an $(m, n, \varepsilon')$-quantum secure non-malleable code in the split-state model with parameter
Above, Enc, Dec for the quantum secure non-malleable code in the split-state model are $\mathrm{2nmExt}^{-1}$, 2nmExt respectively. It can be noted that computation of Z = 2nmExt(X, Y) (starting from (X, Y)) is efficient (in n). This ensures that Dec is efficient. However, Enc involves, given Z, sampling uniformly from the pre-image of Z (under the function 2nmExt), and it is not a priori clear that this is possible. In the next result, we show that this is indeed possible. This result is analogous to a result due to [CGL20]; however, in our case additional novelty is needed, which we explain in the proof overview below.
Theorem 2. There exists an $(m, n, \varepsilon)$-quantum secure non-malleable code in the split-state model with efficient encoding and decoding procedures for message length $m = n^{\Omega(1)}$, error $\varepsilon = 2^{-n^{\Omega(1)}}$ and codeword of size 2n.
Prior to this work, it remained open to provide such a construction for quantum secure non-malleable codes, even for a single bit message in the split-state model.
As an application, we construct the first quantum secure 2-out-of-2 non-malleable secret sharing scheme for message/secret length $m = n^{\Omega(1)}$, error $\varepsilon = 2^{-n^{\Omega(1)}}$ and share of size n (see Appendix B).
We also study the natural extension when the tampering of the codeword is performed t-times (see Appendix A). Here, the adversary is allowed to tamper making use of an arbitrary entanglement between the two parts X and Y. We require, in case of tampering, the original message S to be independent of $S_1 \ldots S_t = \mathrm{Dec}(X_1, Y_1) \ldots \mathrm{Dec}(X_t, Y_t)$.

Proof overview
Let 2nmext-c refer to the 2-source non-malleable extractor from [CGL20]. Let $XY = U_n \otimes U_n$ (⊗ represents independence). Let Z = 2nmext-c(X, Y). According to the scheme by [CG14], efficient construction of non-malleable codes requires us to, given any z, sample efficiently from the distribution $(XY | Z = z)$. It is not a priori clear that such efficient (reverse) sampling for 2nmext-c is possible. [CGL20] modified 2nmext-c to come up with a new 2-source non-malleable extractor (say new-2nmext-c) and exhibited efficient reverse sampling for new-2nmext-c. A key difference between the constructions of 2nmext-c and new-2nmext-c is the seeded extractor that is used in the alternating extraction argument (for both the constructions). 2nmext-c uses the seeded extractor from [GUV09] while new-2nmext-c uses a seeded extractor IExt constructed by [CGL20]. Two key properties of IExt that are crucially used are:
1. Let W be the source, S be the seed and O = IExt(W, S) be the output.
2. IExt is a bi-linear function. This implies that for every (o, s), one can sample (exactly) from $(W | OS = (o, s))$.
This allows [CGL20] exact reverse sampling. That is, for any z, they are able to efficiently sample from the distribution $(XY | Z = z)$ exactly. There are a few other modifications required to finally make new-2nmext-c suitable for efficient reverse sampling. For example, the input sources X and Y are divided into $n^{\Omega(1)}$ different blocks (since there are $n^{\Omega(1)}$ rounds of alternating extraction in the construction of 2nmext-c). This enables the use of different blocks (each with almost full min-entropy) as sources to seeded extractors in each round of alternating extraction. This further ensures that the linear constraints imposed in the alternating extraction are on different variables of the input sources X, Y in each round, which is crucial for the exact reverse sampling argument of [CGL20].
Let us now consider the quantum setting. Let 2nmext-q refer to the 2-source non-malleable extractor from [BJK21]. Again, it is not a priori clear that efficient reverse sampling for 2nmext-q is possible. Hence we modify the 2nmext-q from [BJK21] to construct (say) new-2nmext-q in the full version. We follow the argument of dividing the input sources X and Y into different blocks (as stated in the previous paragraph) and make necessary modifications to 2nmext-q. Next, we note that the seeded extractor used in alternating extraction of both 2nmext-q and new-2nmext-q is the Trevisan extractor (say Trev), which is quantum secure [DPVR12]. One can modify 2nmext-q using a similar modification as that of [CGL20], by considering IExt instead of Trev. However, one would then need to first show the quantum security of IExt. This is not known as of now and we leave it for future work. For now we choose to make the arguments work with Trev. We note the two key properties for Trev:
2. For every s, Trev is a linear function of W. Hence for every (o, s), we can sample efficiently (exactly) from $W | (OS) = (o, s)$.
Point 1 above is the differentiating property between IExt and Trev. Hence, unlike [CGL20], we cannot do exact reverse sampling and can only do approximate reverse sampling. We therefore have to carefully keep the overall error introduced under control.
While generating Z = new-2nmext-q(X, Y), starting from (X, Y), several intermediate random variables (say $(R_1, R_2, \ldots, R_k)$ in this order) are generated. During the reverse sampling, starting from Z, they need to be generated in the reverse order. We call this process backtracking. Since we have to keep the overall error under control, we need to note and use important Markov-chain structures between the intermediate random variables (see Claim 2 and Claim 3). This is additional technical novelty over [CGL20].

Organization
In Section 2, we describe useful quantum information facts and other preliminaries. It also contains useful lemmas and claims. We describe the existential proof of quantum secure non-malleable codes, i.e. Theorem 1, in Section 3. Section 4 contains the construction of the modified 2-source non-malleable extractor along with the proof of Theorem 2. The t-tampered version of non-malleable codes can be found in Appendix A. Appendix B contains a quantum secure 2-out-of-2 non-malleable secret sharing scheme.

Quantum information theory
All the logarithms are evaluated to the base 2. Let $\mathcal{X}, \mathcal{Y}, \mathcal{Z}$ be finite sets (we only consider finite sets in this paper). For a random variable $X \in \mathcal{X}$, we use X to denote both the random variable and its distribution, whenever it is clear from the context. We use $x \leftarrow X$ to denote x drawn according to X. We also use $x \leftarrow \mathcal{X}$ to denote x drawn uniformly from $\mathcal{X}$. For two random variables X, Y we use $X \otimes Y$ to denote independent random variables.
We call random variables X, Y copies of each other iff $\Pr[X = Y] = 1$. Let $Y_1, Y_2, \ldots, Y_t$ be random variables. We denote the joint random variable $Y_1 Y_2 \ldots Y_t$ by $Y_{[t]}$. Similarly, for any subset $S \subseteq [t]$, we use $Y_S$ to denote the joint random variable comprised of all the $Y_s$ such that $s \in S$. For a random variable X ∈ {0, 1} n and 0 d1,d2] . Let $U_d$ represent the uniform distribution over $\{0,1\}^d$. For a random variable $X \in \mathbb{F}_q^n$ for a prime power q, we view X as a row vector $(X_1, X_2, \ldots, X_n)$ where each $X_i \in \mathbb{F}_q$.
Consider a finite-dimensional Hilbert space H endowed with an inner-product $\langle \cdot, \cdot \rangle$ (we only consider finite-dimensional Hilbert spaces). A quantum state (or a density matrix or a state) is a positive semi-definite operator on H with trace value equal to 1. It is called pure iff its rank is 1. Let $|\psi\rangle$ be a unit vector on H, that is $\langle \psi, \psi \rangle = 1$. With some abuse of notation, we use ψ to represent the state and also the density matrix $|\psi\rangle\langle\psi|$ associated with $|\psi\rangle$. Given a quantum state ρ on H, the support of ρ, called supp(ρ), is the subspace of H spanned by all eigenvectors of ρ with non-zero eigenvalues.
A quantum register A is associated with some Hilbert space

The identity operator on H
where $\{|i\rangle\}_i$ is an orthonormal basis for the Hilbert space $H_A$. The state $\rho_B \in D(H_B)$ is referred to as the marginal state of $\rho_{AB}$ on the register B. Unless otherwise stated, a missing register from subscript in a state represents partial trace over that register. Given

is a completely positive and trace preserving (CPTP) linear map. A Hermitian operator H : H
where ρ x E are states. In a pure state ρ XEA in which ρ XE is c-q, we call X a classical register and identify random variable X with it with Pr(X = x) = p(x). For an event S ⊆ X , define For a function Z : X → Z, define the following extension of ρ XE We call an isometry V : All the isometries considered in this paper are safe on classical registers they act upon. For a function Z : X → Z, define ρ Z ẐXEA to be a pure state extension of ρ XEA generated via a safe isometry V : H X → H X ⊗ H Z ⊗ H Ẑ (Z classical with copy Ẑ). For a pure state ρ XE and measurement M in the computational basis on register X, define ρ XXE a pure state extension post the measurement M of state ρ XE generated via a safe isometry V : H X → H X ⊗ H X such that ρ XXE = V ρV † and X a copy of X.
Fact 1 (Uhlmann's Theorem [Uhl76]). Let $\rho_A, \sigma_A \in D(H_A)$. Let $\rho_{AB} \in D(H_{AB})$ be a purification of $\rho_A$ and $\sigma_{AC} \in D(H_{AC})$ be a purification of $\sigma_A$. There exists an isometry V (from a subspace of $H_C$ to a subspace of $H_B$) such that,
Above is equality iff E is a CPTP map corresponding to an isometry.
Fact 3 (Stinespring isometry extension [Wat11]). Let Φ : L(H X ) → L(H Y ) be a CPTP map. Then there exists an isometry V :
FvdG06]). Let ρ, σ be states. Then,
Fact 5 (Data-processing). Let ρ, σ be states and E be a CPTP map. Then
The inequalities above are equalities in case Φ is a CPTP map corresponding to an isometry.
Fact 6. Let ρ XE , σ XE be c-q states. Then,
Fact 10. For random variables AB, Ã B, we have
Fact 11 (Folklore). Let m, n be positive integers such that m ≤ n. Let A be any m × n matrix over the Field F.
There exists an efficient algorithm that runs in time polynomial in (m, n, |F|) and outputs sample x ← S o .
There exists a polynomial time computable function Samp : where the operations are over the Field F M .

Extractors and non-malleable codes
Throughout the paper we use extractor to mean seeded extractor unless stated otherwise.
In addition, the extractor is called strong if S is referred to as the seed for the extractor.

Fact 13 ([DPVR12, CV17]). There exists an explicit (2m, ε)-quantum secure strong (n, d, m)- Moreover the extractor Ext is a linear extractor, i.e. for every fixed seed, the output of the extractor is a linear function of the input source.
Definition 7 (l-qma-state [ABJO21]). Let τ X X , τ Y Ŷ be the canonical purifications of independent and uniform sources X, Y respectively. Let τ N M be a pure state. Let We call σ X XN ′ M ′ Y Ŷ an l-qma-state.

Error correcting codes
Definition 11. Let Σ be a finite set. A mapping $\mathrm{ECC} : \Sigma^k \to \Sigma^n$ is called an error correcting code with relative distance γ if for any $x, y \in \Sigma^k$ such that $x \neq y$, the Hamming distance between ECC(x) and ECC(y) is at least γn. The rate of the code, denoted by δ, is defined as The alphabet size of the code is the number of elements in Σ.
Fact 16 (MDS Codes). Let q be a prime power. For every positive integer k, there exists a large enough n such that there exists an efficiently computable linear error correcting code $\mathrm{ECC} : \mathbb{F}_q^k \to \mathbb{F}_q^n$ with rate $\frac{k}{n}$ and relative distance $\frac{n-k+1}{n}$. Such codes are known as maximum distance separable (MDS) codes. Reed-Solomon codes are a typical example of an MDS code family.

Other useful facts, claims and lemmas
Fact 17 There exists an l-qma-state, ρ (1) such that,
Fact 20 (Quantum secure 2-source non-malleable extractor [BJK21]). Let $k = O(n^{1/4})$ and $\varepsilon = 2^{-n^{\Omega(1)}}$. There exists an efficient 2-source non-malleable extractor 2nmExt :
Fact 21 (Alternating extraction [BJK21]). Let θ XASB be a pure state with (XS) classical, |X| = n, |S| = d and where Ext is a (k, ε)-quantum secure strong (n, d, m)-extractor. Then,
Fact 22 (Min-entropy loss under classical interactive communication [BJK21]). Let ρ XN M be a pure state where Alice holds registers (XN ) and Bob holds register M , such that register X is classical and Let Alice and Bob proceed for t-rounds, where in each round Alice generates a classical register R i and sends it to Bob, followed by Bob generating a classical register S i and sending it to Alice. Alice applies an isometry XNiMi be the state at the end of round-i, where Alice holds registers XN i and Bob holds register M i . Then, we have X ′ Y ′ classical (with copies X′ Ŷ ′ respectively) and either Pr(X = X ′ ) ρ = 1 or Pr(Y = Y ′ ) ρ = 1.
Notice the state ρ is a (k 1 , k 2 )-qnm-state. Since 2nmExt is a (k 1 , k 2 , ε)-quantum secure 2-source non-malleable extractor (see Definition 10), we have Using Fact 5, we further get The desired now follows by noting σ XN MY = ρ XN MY .
Claim 2. Let random variables $ABC$, $\tilde{A}\tilde{B}\tilde{C}$ be such that
Proof. Since $\|AB - \tilde{A}\tilde{B}\|_1 \le \varepsilon_1$, using Fact 5, we have Consider, This completes the proof.
Since the construction of the quantum secure non-malleable extractor is composed of alternating extraction using Ext from Fact 13, we first state a claim about the invertibility of the Ext given the output (close to the desired).
Claim 3. Let $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ be an explicit (2m, ε)-quantum secure strong extractor from Fact 13 or IP from Fact 15 with error ε. Let X, H, O, Õ be random variables such that, Given samples from (õ, h) ← Õ H = Õ ⊗ U d , we can sample from X|( Õ H = õh ) (which is same as
Proof. Let X Ĥ = U n ⊗U d and Ô = Ext( X, Ĥ) be the output of the extractor. Since XH − X Ĥ 1 ≤ ε ′ , using Fact 5 we have Also, since Ô = Ext( X, Ĥ) is the output of the strong extractor, we have We now proceed by noting that the extractor is linear. In other words, for every seed H = h, the output of the extractor O = o is a linear function of the input X = x. For a fixed output o of the extractor and seed h, we have a matrix $A_h$ of size m × n such that $A_h x^\dagger = o^\dagger$. Note that for any fixing of the seed h and output o, the size of the set $\{x : \mathrm{Ext}(x, h) = o\}$ is $2^{n - \mathrm{rank}(A_h)}$, and sampling x uniformly from the set can be done efficiently using Fact 11.
Lemma 1. Let $\mathrm{ECC} : \mathbb{F}_q^k \to \mathbb{F}_q^n$ be an (n, k, n − k + 1) Reed-Solomon code from Fact 16 for q ≥ n + 1. Let random variable $M \in \mathbb{F}_q^k$ be uniformly distributed over $\mathbb{F}_q^k$. Let C = ECC(M) and t be any positive integer such that t < k. Let S be a subset of [n] such that |S| = t and Q be a subset of [k] such that |Q| = j ≤ k − t. Then, for every fixed string c in $\mathbb{F}_q^t$ and $C_S = c$, the distribution Furthermore, for any fixed string l in $\mathbb{F}_q^j$, we can efficiently (in time polynomial in (k, q)) sample from the distribution
Proof. The generator matrix for ECC is given by
10 Inputs are of same size in this case, i.e. d = n.
11 C S corresponds to codeword corresponding to columns S of codeword C.
where α 1 , α 2 , . . ., α n are distinct non-zero elements of F q (this is possible since q ≥ n + 1). Let S = {s 1 , s 2 , . . ., s t } and Note we have G S M † = (C S ) † . By fixing C S = c, we have imposed the following linear constraints as given by G S M c † = c † . Note G S is a Vandermonde matrix for any fixed subset S ⊂ [n], |S| = t and t < k. Thus, any t × t submatrix of G S has full rank. Note . ., p k−j } with elements in the set P in any fixed order. Equivalent way to define M c is the distribution, m ← {m ∈ F k q : Gm † = c † }, such that G is t × k matrix, the submatrix of G corresponding to columns given by P ′ = {p 1 , p 2 , . . ., p t } is exactly I t×t (since any t × t submatrix of G S has full rank). Note one can get ( G, c) from (G S , c) using standard Gaussian elimination procedure (in time polynomial in (k, q)). Thus, sampling m = (m 1 , m 2 , . . ., m t ) from the distribution M c can be achieved as follows:
• Sample for every i ∈ Q, m i uniformly and independently from F q .
• Sample for every i ∈ P \ P ′ , m i uniformly and independently from F q .
• For every i ∈ P ′ , set m i ∈ F q such that it satisfies the linear constraints Gi m † = c † . Thus, (M c ) Q = U j log q . Furthermore, for any fixed string l in F j q , we can efficiently (in time polynomial in (k, q)) sample from the distribution (M
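The reverse-sampling step in Claim 3 (a uniform preimage of a linear extractor for a fixed seed) and in Lemma 1 (a Reed-Solomon message conditioned on some codeword positions) is the same operation: sampling uniformly from the solution set of a linear system. The sketch below is an added example, not code from the paper; it handles prime fields only, and the Hankel-matrix map `toy_ext` (a stand-in for a linear extractor, not Trev or IExt), the evaluation points and all sample values are constructed for illustration.

```python
import random

def solve_affine(A, b, p):
    """Row-reduce [A | b] over F_p (p prime) to reduced row-echelon form.
    Returns (rows, pivot_columns); raises ValueError when A x = b has no
    solution, i.e. the target lies outside the image of A."""
    M = [[v % p for v in row] + [t % p] for row, t in zip(A, b)]
    pivots, r = [], 0
    for c in range(len(A[0])):
        pr = next((i for i in range(r, len(M)) if M[i][c]), None)
        if pr is None:
            continue                       # no pivot: column c stays free
        M[r], M[pr] = M[pr], M[r]
        inv = pow(M[r][c], -1, p)          # modular inverse (Python 3.8+)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(vi - f * vr) % p for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    if any(row[-1] for row in M[r:]):      # a row reading 0 = nonzero
        raise ValueError("A x = b has no solution over F_p")
    return M[:r], pivots

def sample_preimage(A, b, p, rng):
    """Uniform sample from {x in F_p^n : A x = b}. Also returns n - rank(A),
    so the solution set has p ** (n - rank(A)) elements."""
    rows, pivots = solve_affine(A, b, p)
    n = len(A[0])
    free = [c for c in range(n) if c not in pivots]
    x = [0] * n
    for c in free:                         # free coordinates: uniform, independent
        x[c] = rng.randrange(p)
    for row, pc in zip(rows, pivots):      # pivot coordinates: forced by constraints
        x[pc] = (row[-1] - sum(row[c] * x[c] for c in free)) % p
    return x, len(free)

# Claim 3 setting over F_2. Constructed toy: for seed h the map x -> A_h x
# uses the m x n Hankel matrix A_h[i][j] = h[i + j].
def seed_matrix(h, m, n):
    assert len(h) == m + n - 1
    return [[h[i + j] for j in range(n)] for i in range(m)]

def toy_ext(x, h, m):
    A = seed_matrix(h, m, len(x))
    return [sum(a * xi for a, xi in zip(row, x)) % 2 for row in A]

def invert_toy_ext(o, h, n, rng):
    """Uniform x with toy_ext(x, h) = o, plus n - rank(A_h)."""
    return sample_preimage(seed_matrix(h, len(o), n), o, 2, rng)

# Lemma 1 setting. Assumption: row s of the generator matrix is
# (1, alpha_s, alpha_s^2, ..., alpha_s^(k-1)), so C = G M.
def rs_encode(msg, alphas, q):
    return [sum(mi * pow(a, j, q) for j, mi in enumerate(msg)) % q for a in alphas]

def sample_rs_message(S, c, Q, l, k, alphas, q, rng):
    """Uniform M in F_q^k with ECC(M)_S = c and M_Q = l."""
    A = [[pow(alphas[s], j, q) for j in range(k)] for s in S]   # rows of G_S
    A += [[int(j == i) for j in range(k)] for i in Q]           # unit rows pin M_Q
    return sample_preimage(A, list(c) + list(l), q, rng)

if __name__ == "__main__":
    rng = random.Random(1)
    h = [1, 0, 1, 1, 0, 0, 1, 0]           # constructed 8-bit seed, m = 3, n = 6
    x, free = invert_toy_ext([1, 0, 1], h, 6, rng)
    print("x =", x, "| preimage size =", 2 ** free)
    q, k, alphas = 13, 5, list(range(1, 13))
    m, _ = sample_rs_message([1, 4], [3, 7], [3, 4], [5, 11], k, alphas, q, rng)
    print("M =", m, "| C_S =", [rs_encode(m, alphas, q)[s] for s in (1, 4)])
```

The `ValueError` branch is the case the exact-sampling argument must exclude: a target outside the image of a rank-deficient matrix has an empty preimage.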
We first show that (Enc, Dec) is a quantum secure non-malleable code in the split-state model (see Definition 3 and Figure 1). Note For the state θ with the following assignment (terms on the left are from Definition 8 and on the right are from here), one can note θ is an (n, n)-qma-state. Using Claim 1 along with Fact 5, we have First inequality follows from Fact 5 and noting Let A = (U, V, ψ) be the quantum split-state adversary from Definition 2. Note ψ N M is an entangled pure state, U : are isometries without any loss of generality.
In the analysis, we consider a pure state ρ ′ which is generated from θ X XX1Y Ŷ Y1 = θ X XX1 ⊗ θ Y Ŷ Y1 , in the following way (see Figure 2): the state after the action of quantum split-state adversary.
• Let ρ ′ be the pure state extension after measuring the registers (X ′ Y ′ ) in the computational basis in ρ′. Note the measurement in the computational basis of registers (X ′ , Y ′ ) corresponds to applying CNOT to modify (X ′ , Y ′ ) → (X ′ X′ , Y ′ Ŷ ′ ) such that X′ , Ŷ ′ are copies of X ′ , Y ′ respectively.
Let binary variables C, D (with copies Ĉ, D) be such that 7), using Fact 5 we have for Z = U m and distribution D A that depends only on A. We get that from ρ ′ S1S ′ − ρ SS ′ 1 ≤ ε and the triangle inequality, which implies the desired (using Fact 6), We now proceed to prove Eq. (8). For
Claim 4. For every c, d ∈ {0, 1} except (c, d) = (0, 0), we have For (c, d) = (0, 0), we have , then we are done. Thus we assume otherwise. Note in state ρ ′ , we have Thus, Using Fact 2, we have We use Fact 17, with the following assignment of registers (below the registers on the left are from Fact 17 and the registers on the right are the registers in this proof), From Fact 17, we get that source non-malleable extractor (see Definition 10), using Fact 5 we have S ′ and for (c, d) = (0, 0), let D 0,0 A be the distribution that is deterministically equal to same.
Figure 2: Analysis of a quantum secure non-malleable code in the split-state model
4 Efficient quantum secure non-malleable codes

Modified non-malleable extractor
These parameters hold throughout this section.

Parameters
Let δ, δ 1 , δ 2 > 0 be small enough constants such that δ 1 < δ 2 . Let n, n 1 , n 2 , n 3 , n 4 , n 5 , n 6 , n 7 , n x , n y , a, s, b, h be positive integers and ε ′ , ε > 0 such that: ; ; n 5 = n δ2/3 ; a = 6n 1 + 2O(n 5 ) log(n + 1) = O(n 1 ) ;
• Ext 2 be (2s, ε ′ )-quantum secure (h, b, s)-extractor,
• Ext 3 be (4h, ε ′ )-quantum secure (n x , b, 2h)-extractor,
• Ext 4 be (n y /4, ε 2 )-quantum secure (4n y , 2h, n y /8)-extractor,
• IP 2 be IP
• Ext 6 be ( nx 2 , ε 2 )-quantum secure (4n x , n y /8, n x /4)-extractor.
We first describe a short overview of the modifications required in the construction of the non-malleable extractor for the efficient encoding of a quantum secure non-malleable code in the split-state model. We modify the construction of 2nmExt from [BJK21], using ideas from [CGL20] 1) and ε = 2 −n Ω(1) . We divide the sources X and Y into $n^{\Omega(1)}$ blocks each of size $n^{1-\Omega(1)}$. The idea now is to use new blocks of X and Y for each round of alternating extraction in the construction of the non-malleable extractor. This ensures that the linear constraints imposed in the alternating extraction are on different variables of the input sources X, Y. Also, since X and Y each have almost full min-entropy, we have block sources, where each block has almost full min-entropy using Fact 18. This allows us to generate appropriate intermediate seed random variables (approximately uniform) using alternating extraction.

Definition of modified non-malleable extractor
Let $\mathrm{ECC} : \mathbb{F}_q^{n_4} \to \mathbb{F}_q^n$ be an $(n, n_4, n - n_4 + 1)$ Reed-Solomon code from Fact 16. Let $\mathrm{Samp} : \{0,1\}^r \to [n]^{t_1}$ be the sampler function from Fact 12 where $t_1 = O(n_5)$ and $r \ge n_3$. We identify the output of Samp as $t_1$ samples from the set [n]. By $\mathrm{ECC}(Y)_{\mathrm{Samp}(I)}$, we mean the Samp(I) entries of the codeword ECC(Y).

Efficiently sampling from the preimage of new-2nmExt
Recall that we showed the existence of a quantum secure non-malleable code where the encoding scheme was based on inverting 2nmExt, a quantum secure 2-source non-malleable extractor. In particular, for any fixed message S = s, the encoder Enc outputs a uniformly random string from the set $\mathrm{2nmExt}^{-1}(s)$. The decoder is the function 2nmExt itself. We call this the encoding and decoding based on 2nmExt. We now state the main result of this paper.
Proof. Consider XY = U n ⊗ U n . Let S = new-2nmExt(X, Y ). From Eq. (7) in the proof of Theorem 5 (after noting Ŝ X Ŷ ≡ (SXY ) σ in Eq. (7) and SXY ≡ (SXY ) θ in Eq. (7)), we have depending on g = g 1 g 2 . . .g a and inductively using similar arguments involving Corollary 1, Claim 3, Claim 2 along with Fact 5, we can sample from X3 Ỹ3 X[a+1] Ỹ [a+1] S such that We show a claim that states that intermediate random variables in the alternating extraction are approximately uniform even conditioned on every G = g.
Claim 8. Let 2nmExt : {0, 1} n × {0, 1} n → {0, 1} nx/4 be the new-2nmExt from Algorithm 1. Let XY = U n ⊗ U n , S = 2nmExt(X, Y ) and set be the intermediate random variables as defined in Algorithms 1, 2, 3. Then, we have for any random variable Q ∈ P \ {G} and any fixing G = g,
Proof. From Claim 6, we have a+2,3a] . Also, note from Algorithms 1, 2, 3, any random variable Q ∈ P \ {G} is extracted from sources X 3 Y 3 X [a+1] Y [a+1] . Note for any i ∈ [a] and i-th flip-flop procedure (Algorithm 3), intermediate random variables We remove conditioning on G = g for the random variables for the rest of the proof.
Definition 16 (Quantum secure one-many non-malleable codes in the split-state model). An encoding and decoding scheme (Enc, Dec) is a (t; m, n, ε)-quantum secure one-many non-malleable code in the split-state model with error ε, if for state ρ and adversary A = (U, V, ψ) (as defined in Definition 15), there exists a random variable D A on ({0, 1} m ∪ {same}) t such that ∀s ∈ {0, 1} m : S where S i = t-2nmExt(X i , Y i ). Using Fact 5, we get The desired now follows by noting σ XN MY = ρ XN MY .
Proof. The proof proceeds along similar lines to Theorem 5. We do not repeat the entire argument but provide the necessary details required to complete the proof. Let A = (U, V, ψ) be the quantum split-state adversary from Definition 15. We show that the encoding based on t-2nmExt is a (t; m, n, ε ′ )-quantum secure one-many non-malleable code. Using arguments similar to Theorem 5, it suffices to prove where ρ ′ is the pure state as in Figure 3 after the action of adversary A on state θ. Note S i = t-2nmExt(X i , Y i ) and state θ X XX1Y Ŷ Y1 = θ X XX1 ⊗ θ Y Ŷ Y1 is a pure state such that θ X = θ Y = U n , (X 1 , X) are copies of X, (Y 1 , Ŷ ) are copies of Y respectively.
19 In Figure 3, with some abuse of notation, we used Dec [t] to denote Dec(X i , Y i ) = S i performed for every i ∈ [t].
B A quantum secure non-malleable secret sharing scheme
Secret sharing is a fundamental primitive in cryptography where a dealer encodes a secret/message into shares and distributes them among many parties. Only the authorized subsets of parties should be able to recover the initial secret. The most well known secret sharing schemes are the so-called t-out-of-n secret sharing schemes, where at least t parties are required to decode the secret [Sha79, Bla79]. In this paper, we focus only on 2-out-of-2 secret sharing schemes.
Recently, non-malleable secret sharing schemes were introduced by Goyal and Kumar [GK18a] with the additional guarantee that when the adversary tampers with possibly all the shares of the secret independently, the reconstruction procedure outputs the original secret or something that is unrelated to the original secret.
In this paper, in addition, we allow the adversary to make use of arbitrary entanglement to tamper with the shares. We then require the reconstruction procedure to output the original secret or something that is unrelated to the original secret. We call such secret sharing schemes quantum secure non-malleable secret sharing schemes. We show that quantum secure non-malleable codes in the split-state model give rise to quantum secure 2-out-of-2 non-malleable secret sharing schemes.
Above S ′ = Dec(X ′ , Y ′ ), S ′ s = (S ′ |S = s) and the function copy is as defined in Definition 17.
20 Distribution depends only on A and is independent of the original secret S.
represent the set of all linear operators on the Hilbert space $H_A$. For operators $O, O' \in L(H_A)$, the notation $O \le O'$ represents the Löwner order, that is, $O' - O$ is a positive semi-definite operator. We denote by $D(H_A)$ the set of all quantum states on the Hilbert space $H_A$. State ρ with subscript A indicates $\rho_A \in D(H_A)$. If two registers A, B are associated with the same Hilbert space, we shall represent the relation by A ≡ B. For two states ρ, σ, we let ρ ≡ σ represent that they are identical as states (potentially in different registers). Composition of two registers A and B, denoted AB, is associated with the Hilbert space $H_A \otimes H_B$. For two quantum states $\rho \in D(H_A)$ and $\sigma \in D(H_B)$, $\rho \otimes \sigma \in D(H_{AB})$ represents the tensor product (Kronecker product) of ρ and σ.