Efficient Leakage-Resilient Secret Sharing
Peihan Miao, Akshayaram Srinivasan, Prashant Nalini Vasudevan (UC Berkeley)
Secret Sharing [Shamir '79, Blakley '79]
Share m → sh_1, …, sh_n
Reconstruction: Given at least t shares, can reconstruct m
Secrecy: Given (t − 1) shares, no information about m
Several applications: MPC, threshold crypto, leakage-resilient circuit compilers, ...
Efficient constructions, e.g., Shamir, which has rate = |m| / |sh_i| = 1
Secret Sharing [Shamir '79, Blakley '79] (continued)
What if there are side-channels? What if the adversary, in addition to (t − 1) full shares, has some information about the others?
Local Leakage Resilient Secret Sharing [GK '18, BDIR '18]
1. Adversary specifies:
• a set S ⊆ [n] of size at most t − 1
• for each i ∉ S, a leakage function f_i that outputs μ bits
2. Adversary is given the shares sh_i for i ∈ S, and the leakage f_i(sh_i) for i ∉ S
3. Its views for any two secrets should be statistically close
[figure: share sh_i fed into f_i, producing a μ-bit leakage output]
Local: each f_i depends on one share. Bounded: each f_i outputs few bits. Otherwise arbitrary.
What was known
• Guruswami-Wootters '16: Shamir over GF(2^k) is not leakage-resilient
• Benhamouda et al. '18: Shamir over large-characteristic fields is leakage-resilient with leakage rate Θ(1) for thresholds more than n − o(log n)
• Constructions:
  • Goyal-Kumar '18: 2-out-of-n with rate and leakage rate Θ(1/n)
  • Badrinarayanan-Srinivasan '18: O(1)-out-of-n with rate Θ(1/log n) and leakage rate Θ(1/(n log n))
• Other models of leakage-resilience for secret sharing have been studied, e.g., Boyle et al. '14, Dziembowski-Pietrzak '07, etc.
What we do
Leakage-resilient threshold secret sharing schemes
• for all thresholds,
• with constant rate,
• supporting any constant leakage rate
In this talk: a simpler construction with slightly worse rate, supporting leakage rate up to 1/2
Our construction
Threshold t, secret m ∈ F, leakage bound of μ bits
Sample s, w_1, …, w_n ∈ F^η, and r ∈ F (η specified later)
sh_1, …, sh_n ← t-out-of-n Shamir sharing of m
ss_1, …, ss_n ← 2-out-of-n Shamir sharing of (s, r)
i-th share: (w_i, sh_i + ⟨w_i, s⟩ + r, ss_i)
Reconstruction
i-th share: (w_i, sh_i + ⟨w_i, s⟩ + r, ss_i)
Given the shares of t different i's:
1. Reconstruct s and r from {ss_i}
2. Recover sh_i from (sh_i + ⟨w_i, s⟩ + r)
3. Reconstruct m from {sh_i}
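The sharing and reconstruction of the two slides above, worked as an added Python example that is not the authors' code: both Shamir layers run over a prime field, the extractor is the inner product over F, and the prime P and the length η passed to lr_share are constructed choices for the demonstration (in the scheme itself η is fixed by the leakage bound).

```python
import secrets

P = 2**127 - 1  # prime field F = GF(P), a constructed choice with |F| close to 2^127

def shamir_share(secret, t, n):
    """t-out-of-n Shamir sharing of one field element: returns {i: p(i)} for i = 1..n."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}

def shamir_reconstruct(shares):
    """Lagrange interpolation at 0 from any t (or more) evaluation points {i: p(i)}."""
    total = 0
    for i, yi in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def inner_product(u, v):
    """The inner-product extractor <u, v> over F."""
    return sum(a * b for a, b in zip(u, v)) % P

def lr_share(m, t, n, eta):
    """Leakage-resilient t-out-of-n sharing of m; the i-th share is (w_i, sh_i + <w_i,s> + r, ss_i)."""
    assert t >= 2, "the seed is shared 2-out-of-n, so t >= 2"
    sh = shamir_share(m, t, n)                       # sh_1..sh_n: t-out-of-n Shamir of m
    s = [secrets.randbelow(P) for _ in range(eta)]   # extractor seed s in F^eta
    r = secrets.randbelow(P)                         # mask r in F
    ss_parts = [shamir_share(x, 2, n) for x in s + [r]]  # 2-out-of-n Shamir of (s, r), per element
    shares = {}
    for i in range(1, n + 1):
        w = [secrets.randbelow(P) for _ in range(eta)]  # source w_i in F^eta (what leakage hits)
        masked = (sh[i] + inner_product(w, s) + r) % P
        shares[i] = (w, masked, [part[i] for part in ss_parts])  # 2*eta + 2 field elements
    return shares

def lr_reconstruct(shares):
    """Shares of at least t distinct parties in: (1) get (s, r), (2) unmask sh_i, (3) interpolate m."""
    eta = len(next(iter(shares.values()))[0])
    two = list(shares)[:2]  # any two ss_i determine the 2-out-of-n secret (s, r)
    sr = [shamir_reconstruct({i: shares[i][2][k] for i in two}) for k in range(eta + 1)]
    s, r = sr[:eta], sr[eta]
    sh = {i: (masked - inner_product(w, s) - r) % P for i, (w, masked, _) in shares.items()}
    return shamir_reconstruct(sh)  # t-out-of-n Shamir reconstruction of m
```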
Leakage Resilience
Adversary knows:
• (w_i, sh_i + ⟨w_i, s⟩ + r, ss_i) for i ∈ S, where |S| < t
• f_i(w_i, sh_i + ⟨w_i, s⟩ + r, ss_i) for i ∉ S
• Possibly s and r
Approach:
1. For i ∉ S, replace (sh_i + ⟨w_i, s⟩) with a random v_i ∈ F
2. Show that the adversary cannot tell this was done (by a hybrid argument)
3. By secrecy of the t-out-of-n sharing, the adversary's view is then independent of the secret m
Leakage Resilience
Claim: For any i ∉ S, even given s and r,
  f_i(w_i, sh_i + ⟨w_i, s⟩ + r, ss_i) ≈ f_i(w_i, v_i + r, ss_i)
  (sh_i + ⟨w_i, s⟩ + r is independent of s because it is masked with r; ss_i is independent of s and r because it is a single 2-out-of-n share)
Leftover Hash Lemma [ILL89]: ⟨w_i, s⟩ is almost uniformly random given s and leakage f(w_i), if |f(w_i)| ≪ |w_i|
  (f should be independent of s; the condition |f(w_i)| ≪ |w_i| determines |w_i| and |s| given the bound on leakage)
What we get
For local leakage resilient threshold secret sharing of:
• secrets in F,
• among n parties (n ≤ |F|),
• against μ bits of leakage per share,
• with adversarial advantage at most ε,
$$\eta = \left\lceil \frac{\mu + \log|F| + 3\log(4n/\varepsilon)}{\log|F|} \right\rceil$$
Share size: (2η + 2) field elements
Share size overhead
[chart: share sizes for secrets in a field F, with |F| ≈ 2^128 and ε = 1/2^80; panels for n = 2 and n = 100]
Computational overhead
[chart: computational overhead in sharing time over Shamir secret sharing, for various leakage rates*]
* as observed on a machine with a 4-core 2.9 GHz CPU and 16 GB of RAM
Improvements
• Generalisation to secret sharing for any monotone access structure
• Leakage rate up to 1, and a constant-factor improvement in rate, using better extractors than the inner product
In the full version:
• Rate-preserving transformation to non-malleable secret sharing
• Leakage-tolerant MPC for general interaction patterns
Concurrent work
Stronger leakage-resilient and non-malleable secret-sharing schemes for general access structures, Aggarwal et al.
• general leakage-resilience transformation, with O(1/n) rate loss, constant leakage rate,
• non-malleable secret sharing against concurrent tampering,
• leakage-resilient threshold signatures
Leakage-resilient secret sharing, Kumar et al.
• secret sharing schemes resilient against adaptive leakage,
• non-malleable secret sharing against tampering with leakage
Thank You!