Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram - PowerPoint PPT Presentation

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini Vasudevan UC Berkeley

Secret Sharing [Shamir ’ 79, Blakley ’ 79] Share 𝜏 𝑡ℎ 1 , … , 𝑡ℎ 𝑜 Reconstruction: Given at least 𝑢 shares, can reconstruct 𝜏 Secrecy: Given (𝑢 − 1) shares, no information about 𝜏 Several applications: MPC, threshold crypto, leakage-resilient circuit compilers, ... 𝜏 Efficient constructions, e.g., Shamir, which has rate = 𝑡ℎ 𝑗 = 1

Secret Sharing [Shamir ’ 79, Blakley ’ 79] Share 𝜏 𝑡ℎ 1 , … , 𝑡ℎ 𝑜 Reconstruction: Given at least 𝑢 shares, can reconstruct 𝜏 Secrecy: Given (𝑢 − 1) shares, no information about 𝜏 What if there are side-channels? What if the adversary, in addition to (𝑢 − 1) full shares, has some information about the others?

Local Leakage Resilient Secret Sharing [GK ’ 18, BDIR ’ 18] 1. Adversary specifies: • Set 𝑇 ⊆ [𝑜] of size at most 𝑢 − 1 • For 𝑗 ∉ 𝑇 , a leakage function 𝑔 𝑗 that outputs 𝜈 bits 2. Adversary is given shares 𝑡ℎ 𝑗 for 𝑗 ∈ 𝑇 , and leakage 𝑔(𝑡ℎ 𝑗 ) for 𝑗 ∉ 𝑇 3. Its views for any two secrets should be statistically close ● Local - each f i depends on one share 𝜈 ● 𝑚𝑓𝑏𝑙𝑏𝑕𝑓 𝑠𝑏𝑢𝑓 = Bounded - each f i outputs few bits 𝑡ℎ 𝑗 ● Otherwise arbitrary

What was known • Guruswami-Wootters ’ 16: Shamir over 𝐻𝐺[2 𝑙 ] not leakage-resilient • Benhamouda et al ’ 18: Shamir over large-characteristic fields is leakage-resilient with leakage rate Θ(1) for thresholds more than 𝑜 − 𝑝(log 𝑜) • Constructions: 1 • Goyal-Kumar ’ 18: 2 -out-of- 𝑜 with rate and leakage rate Θ 𝑜 1 1 • Badrinarayanan-Srinivasan ’ 18: 𝑃(1) -out-of- 𝑜 with rate Θ log 𝑜 and leakage rate Θ 𝑜 log 𝑜 • Other models of leakage-resilience for secret sharing have been studied, e.g., Boyle et al ‘ 14, Dziembowski-Pietrzak ’ 07, etc.

What we do Leakage-resilient threshold secret sharing schemes • for all thresholds, • with constant rate, • supporting any constant leakage rate In this talk: simpler construction with slightly worse rate, supporting leakage rate up to 1/2

Our construction Threshold 𝑢 , secret 𝜏 ∈ 𝔾 , leakage bound of 𝜈 bits Sample 𝒕, 𝒙 𝟐 , … , 𝒙 𝒐 ← 𝔾 𝑛 , and 𝑠 ← 𝔾 ( 𝑛 specified later) 𝑡ℎ 1 , … , 𝑡ℎ 𝑜 𝜏 𝑢 -out-of- 𝑜 Shamir 𝒕𝒔 𝟐 , … , 𝒕𝒔 𝒐 (𝒕, 𝑠) 2 -out-of- 𝑜 Shamir 𝑗 𝑢ℎ share: (𝒙 𝒋 , 𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 + 𝑠 , 𝒕𝒔 𝒋 )

Reconstruction 𝑗 𝑢ℎ share: (𝒙 𝒋 , 𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 + 𝑠 , 𝒕𝒔 𝒋 ) Given shares of 𝑢 different 𝑗 ’ s: Reconstruct 𝒕 and 𝑠 from {𝒕𝒔 𝒋 } 1. Recover 𝑡ℎ 𝑗 from (𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 + 𝑠) 2. Reconstruct 𝜏 from {𝑡ℎ 𝑗 } 3.

Leakage Resilience Adversary knows: • 𝒙 𝒋 , 𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 + 𝑠, 𝒕𝒔 𝒋 for 𝑗 ∈ 𝑇 , where 𝑇 < 𝑢 • 𝑔 𝑗 𝒙 𝒋 , 𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 + 𝑠, 𝒕𝒔 𝒋 for 𝑗 ∉ 𝑇 • Possibly 𝒕 and 𝑠 Approach: For the 𝑗 ∉ 𝑇 , replace (𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 ) with random 𝑣 𝑗 ∈ 𝔾 1. 2. Show that adversary cannot tell this was done (by a hybrid argument) By secrecy of 𝑢 -out-of- 𝑜 sharing, adversary ’ s view is independent of secret 𝜏 3.

Leakage Resilience Claim: For any 𝑗 ∉ 𝑇 , even given 𝒕 and 𝑠 , 𝑔 𝑗 𝒙 𝒋 , 𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 + 𝑠, 𝒕𝒔 𝒋 ≈ 𝑔 𝑗 𝒙 𝒋 , 𝑣 𝑗 + 𝑠, 𝒕𝒔 𝒋 Leftover Hash Lemma [ILL89]: 〈𝒙 𝒋 , 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙 𝒋 ) , if 𝑕 𝒙 𝒋 ≪ |𝒙 𝒋 |

Leakage Resilience Claim: For any 𝑗 ∉ 𝑇 , even given 𝒕 and 𝑠 , 𝑔 𝑗 𝒙 𝒋 , 𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 + 𝑠, 𝒕𝒔 𝒋 ≈ 𝑔 𝑗 𝒙 𝒋 , 𝑣 𝑗 + 𝑠, 𝒕𝒔 𝒋 Leftover Hash Lemma [ILL89]: 〈𝒙 𝒋 , 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙 𝒋 ) , if 𝑕 𝒙 𝒋 ≪ |𝒙 𝒋 | should be independent of 𝒕

Leakage Resilience Claim: For any 𝑗 ∉ 𝑇 , even given 𝒕 and 𝑠 , 𝑔 𝑗 𝒙 𝒋 , 𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 + 𝑠, 𝒕𝒔 𝒋 ≈ 𝑔 𝑗 𝒙 𝒋 , 𝑣 𝑗 + 𝑠, 𝒕𝒔 𝒋 independent of 𝒕 and 𝑠 because 2 -out-of- 𝑜 share Leftover Hash Lemma [ILL89]: 〈𝒙 𝒋 , 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙 𝒋 ) , if 𝑕 𝒙 𝒋 ≪ |𝒙 𝒋 | should be independent of 𝒕

Leakage Resilience Claim: For any 𝑗 ∉ 𝑇 , even given 𝒕 and 𝑠 , 𝑔 𝑗 𝒙 𝒋 , 𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 + 𝑠, 𝒕𝒔 𝒋 ≈ 𝑔 𝑗 𝒙 𝒋 , 𝑣 𝑗 + 𝑠, 𝒕𝒔 𝒋 independent of 𝒕 independent of 𝒕 and 𝑠 because masked with 𝑠 because 2 -out-of- 𝑜 share Leftover Hash Lemma [ILL89]: 〈𝒙 𝒋 , 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙 𝒋 ) , if 𝑕 𝒙 𝒋 ≪ |𝒙 𝒋 | should be independent of 𝒕

Leakage Resilience Claim: For any 𝑗 ∉ 𝑇 , even given 𝒕 and 𝑠 , 𝑔 𝑗 𝒙 𝒋 , 𝑡ℎ 𝑗 + 𝒙 𝒋 , 𝒕 + 𝑠, 𝒕𝒔 𝒋 ≈ 𝑔 𝑗 𝒙 𝒋 , 𝑣 𝑗 + 𝑠, 𝒕𝒔 𝒋 independent of 𝒕 independent of 𝒕 and 𝑠 because masked with 𝑠 because 2 -out-of- 𝑜 share Leftover Hash Lemma [ILL89]: 〈𝒙 𝒋 , 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙 𝒋 ) , if 𝑕 𝒙 𝒋 ≪ |𝒙 𝒋 | should be independent of 𝒕 determines 𝒙 𝒋 and |𝒕| given bound on leakage

What we get For local leakage resilient threshold secret sharing of: • secrets in 𝔾 , • among 𝑜 parties ( 𝑜 ≤ |𝔾| ), • against 𝜈 bits of leakage per share, • with adversarial advantage at most 𝜗 , log 𝔾 + 3 log 4𝑜/𝜗 𝜈 𝒙 𝒋 = 𝒕 = 𝑛 ≈ 1 + log 𝔾 Share size: (2𝑛 + 2) field elements

Share size overhead Share sizes for secrets in a field 𝔾 , with 𝔾 ≈ 2 128 , and 𝜗 = 1/2 80 𝑜 = 2 𝑜 = 100

Computational overhead Computational overhead in sharing time over Shamir secret sharing, for various leakage rates* * as observed on a machine with 4-core 2.9 GHz CPU and 16 GB of RAM

Improvements • Generalisation to secret sharing for any monotone access structure • Leakage rate up to 1, and constant-factor improvement in rate using better extractors than inner product In full version: • Rate-preserving transformation to non-malleable secret sharing • Leakage-tolerant MPC for general interactions patterns

Concurrent work Stronger leakage-resilient and non-malleable secret-sharing schemes for general access structures , Aggarwal et al • general leakage-resilience transformation, with 𝑃(1/𝑜) rate loss, constant leakage rate, • non-malleable secret sharing against concurrent tampering, • leakage-resilient threshold signatures Leakage-resilient secret sharing , Kumar et al • secret sharing schemes resilient against adaptive leakage, • non-malleable secret sharing against tampering with leakage

Thank You!