
Efficient Leakage-Resilient Secret Sharing (Peihan Miao, Akshayaram Srinivasan, Prashant Nalini Vasudevan) - PowerPoint PPT Presentation



  1. Efficient Leakage-Resilient Secret Sharing. Peihan Miao, Akshayaram Srinivasan, Prashant Nalini Vasudevan (UC Berkeley)

  2. Secret Sharing [Shamir '79, Blakley '79]
     Share σ into sh_1, …, sh_n.
     Reconstruction: given at least t shares, one can reconstruct σ.
     Secrecy: given (t − 1) shares, no information about σ.
     Several applications: MPC, threshold crypto, leakage-resilient circuit compilers, …
     Efficient constructions exist, e.g., Shamir, which has rate = |σ| / |sh_i| = 1.

  3. Secret Sharing [Shamir '79, Blakley '79] (cont.)
     Reconstruction: given at least t shares, one can reconstruct σ. Secrecy: given (t − 1) shares, no information about σ.
     What if there are side-channels? What if the adversary, in addition to (t − 1) full shares, has some information about the others?

  4. Local Leakage-Resilient Secret Sharing [GK '18, BDIR '18]
     1. The adversary specifies:
        • a set S ⊆ [n] of size at most t − 1,
        • for each i ∉ S, a leakage function f_i that outputs μ bits.
     2. The adversary is given the shares sh_i for i ∈ S, and the leakage f_i(sh_i) for i ∉ S.
     3. Its views for any two secrets should be statistically close.
     Local: each f_i depends on one share only. Bounded: each f_i outputs few bits; leakage rate = μ / |sh_i|. Otherwise the f_i are arbitrary.

  5. What was known
     • Guruswami-Wootters '16: Shamir over GF[2^k] is not leakage-resilient.
     • Benhamouda et al. '18: Shamir over large-characteristic fields is leakage-resilient with leakage rate Θ(1) for thresholds more than n − o(log n).
     • Constructions:
       • Goyal-Kumar '18: 2-out-of-n with rate and leakage rate Θ(1/n).
       • Badrinarayanan-Srinivasan '18: O(1)-out-of-n with rate Θ(1/log n) and leakage rate Θ(1/(n log n)).
     • Other models of leakage-resilience for secret sharing have been studied, e.g., Boyle et al. '14, Dziembowski-Pietrzak '07, etc.

  6. What we do
     Leakage-resilient threshold secret sharing schemes
     • for all thresholds,
     • with constant rate,
     • supporting any constant leakage rate.
     In this talk: a simpler construction with slightly worse rate, supporting leakage rate up to 1/2.

  7. Our construction
     Threshold t, secret σ ∈ F, leakage bound of μ bits.
     Sample s, w_1, …, w_n ← F^m, and r ← F (m specified later).
     σ → t-out-of-n Shamir → sh_1, …, sh_n
     (s, r) → 2-out-of-n Shamir → sr_1, …, sr_n
     i-th share: (w_i, sh_i + ⟨w_i, s⟩ + r, sr_i)

  8. Reconstruction
     i-th share: (w_i, sh_i + ⟨w_i, s⟩ + r, sr_i)
     Given shares of t different i's:
     1. Reconstruct s and r from {sr_i}.
     2. Recover sh_i from (sh_i + ⟨w_i, s⟩ + r).
     3. Reconstruct σ from {sh_i}.
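A worked implementation of the sharing and reconstruction procedure on slides 7 and 8, together with the local-leakage adversary view of slide 4. This is example code written for this page, not the authors' implementation. It assumes a prime field F = Z_p with p = 2^61 − 1, represents each share as the tuple (w_i, masked value, sr_i), shares the vector (s, r) coordinate-wise with independent 2-out-of-n Shamir instances, and uses the low μ bits of a SHA-256 digest as one arbitrary sample leakage function; all of these are choices made for the example.

```python
"""Leakage-resilient t-out-of-n secret sharing as on slides 7-8, plus the
local-leakage adversary view of slide 4. Example code written for this page,
not the authors' implementation. Assumptions: field F = Z_p with p = 2^61 - 1,
shares stored as Python tuples, and a SHA-256-based sample leakage function."""
import hashlib
import secrets

PRIME = (1 << 61) - 1   # F = Z_p; Mersenne prime chosen for the example


def shamir_share(secret, t, n):
    """t-out-of-n Shamir sharing of one field element; party i gets p(i)."""
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [sum(c * pow(i, k, PRIME) for k, c in enumerate(coeffs)) % PRIME
            for i in range(1, n + 1)]


def shamir_reconstruct(points):
    """Lagrange interpolation at x = 0 from {i: p(i)} with at least t points."""
    secret = 0
    for i, yi in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % PRIME
                den = den * (i - j) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def inner(u, v):
    """Inner product <u, v> over F."""
    return sum(a * b for a, b in zip(u, v)) % PRIME


def lr_share(sigma, t, n, m):
    """Share sigma in F; party i gets (w_i, sh_i + <w_i, s> + r, sr_i)."""
    s = [secrets.randbelow(PRIME) for _ in range(m)]   # s <- F^m
    r = secrets.randbelow(PRIME)                        # r <- F
    sh = shamir_share(sigma, t, n)                      # t-out-of-n shares of sigma
    # 2-out-of-n sharing of the vector (s, r): one Shamir instance per coordinate
    sr_cols = [shamir_share(x, 2, n) for x in s + [r]]
    shares = {}
    for i in range(1, n + 1):
        w_i = [secrets.randbelow(PRIME) for _ in range(m)]  # w_i <- F^m
        sr_i = [col[i - 1] for col in sr_cols]
        shares[i] = (w_i, (sh[i - 1] + inner(w_i, s) + r) % PRIME, sr_i)
    return shares


def lr_reconstruct(shares):
    """Slide 8: from any t shares {i: (w_i, masked_i, sr_i)} recover sigma."""
    m = len(next(iter(shares.values()))[0])
    # 1. reconstruct s and r coordinate-wise from the 2-out-of-n shares
    sr = [shamir_reconstruct({i: sh[2][k] for i, sh in shares.items()})
          for k in range(m + 1)]
    s, r = sr[:m], sr[m]
    # 2. strip <w_i, s> + r from the masked value to recover sh_i
    sh = {i: (masked - inner(w_i, s) - r) % PRIME
          for i, (w_i, masked, _) in shares.items()}
    # 3. reconstruct sigma from the sh_i
    return shamir_reconstruct(sh)


def share_size(share):
    """Number of field elements in one share: m + 1 + (m + 1) = 2m + 2."""
    w_i, _, sr_i = share
    return len(w_i) + 1 + len(sr_i)


def sample_leak(mu):
    """A mu-bit local leakage function f_i: low mu bits of a hash of the share
    (the model allows any function of the single share; this is one arbitrary
    choice made for the example)."""
    def f(share):
        w_i, masked, sr_i = share
        data = ",".join(map(str, w_i + [masked] + sr_i)).encode()
        return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << mu) - 1)
    return f


def adversary_view(shares, S, leak_fns):
    """Slide 4: full shares for i in S (|S| <= t - 1), f_i(share_i) for i not in S."""
    full = {i: shares[i] for i in S}
    leaked = {i: leak_fns[i](shares[i]) for i in shares if i not in S}
    return full, leaked


if __name__ == "__main__":
    shares = lr_share(sigma=42, t=3, n=5, m=4)
    print("share size (field elements):", share_size(shares[1]))
    print("reconstructed from parties 2,4,5:",
          lr_reconstruct({i: shares[i] for i in (2, 4, 5)}))
    full, leaked = adversary_view(shares, {1, 2}, {i: sample_leak(8) for i in shares})
    print("8-bit leakage from the other parties:", leaked)
```

Any t of the n shares reconstruct σ, and each share holds exactly 2m + 2 field elements (w_i, the masked value, and the m + 1 coordinates of sr_i), matching the share size stated later in the talk. Note that two full shares already determine (s, r) through the 2-out-of-n sharing, which is why the proof must work even when the adversary knows s and r.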

  9. Leakage Resilience
     The adversary knows:
     • (w_i, sh_i + ⟨w_i, s⟩ + r, sr_i) for i ∈ S, where |S| < t,
     • f_i(w_i, sh_i + ⟨w_i, s⟩ + r, sr_i) for i ∉ S,
     • possibly s and r (two full shares already reveal the 2-out-of-n secret (s, r)).
     Approach:
     1. For i ∉ S, replace (sh_i + ⟨w_i, s⟩) with a random u_i ∈ F.
     2. Show that the adversary cannot tell this was done (by a hybrid argument).
     3. By secrecy of the t-out-of-n sharing, the adversary's view is then independent of the secret σ.

  10. Leakage Resilience
     Claim: For any i ∉ S, even given s and r,
       f_i(w_i, sh_i + ⟨w_i, s⟩ + r, sr_i) ≈ f_i(w_i, u_i + r, sr_i).
     Leftover Hash Lemma [ILL89]: ⟨w_i, s⟩ is almost uniformly random given s and leakage g(w_i), if |g(w_i)| ≪ |w_i|.

  11-14. Leakage Resilience (the same claim, annotated step by step)
     • The leakage g(w_i) should be independent of s.
     • sr_i is independent of s and r, because a single 2-out-of-n share reveals nothing about (s, r).
     • sh_i + ⟨w_i, s⟩ + r is independent of s, because it is masked with r.
     • The bound on leakage |g(w_i)| ≪ |w_i| determines |w_i| and |s|.
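To see the Leftover Hash Lemma step concretely, the following added example (not part of the talk) enumerates a toy field F = Z_7 with m = 3 and computes exactly the statistical distance between (s, g(w_i), ⟨w_i, s⟩) and (s, g(w_i), uniform), both for nested local leakage functions of μ bits and for a leakage function that depends on s. The field size, m, and the particular leakage functions are constructed for the example; the bound compared against is the generalised LHL bound (1/2)·sqrt(|F|·2^μ / |F|^m), which applies because the inner product with a uniform seed s is a universal hash family.

```python
"""Exact statistical distance for the inner-product extractor step of the
leakage-resilience proof (Leftover Hash Lemma, slides 10-14). Toy parameters
constructed for this example: F = Z_7, vectors of length m = 3."""
from fractions import Fraction
from itertools import product
from math import sqrt

P = 7   # toy field F_p, small enough to enumerate F_p^M x F_p^M exactly
M = 3   # w_i, s in F_p^M


def inner(w, s):
    return sum(a * b for a, b in zip(w, s)) % P


def stat_distance(leak):
    """SD between (s, leak(w, s), <w, s>) and (s, leak(w, s), U_F) for uniform
    w, s in F^M. An admissible local leakage ignores s; leak receives s only so
    the example can also show what a seed-dependent leakage does."""
    vectors = list(product(range(P), repeat=M))
    real = {}   # (s, leak value, z) -> number of (w, s) pairs
    cond = {}   # (s, leak value)    -> number of (w, s) pairs
    for s in vectors:
        for w in vectors:
            l, z = leak(w, s), inner(w, s)
            real[(s, l, z)] = real.get((s, l, z), 0) + 1
            cond[(s, l)] = cond.get((s, l), 0) + 1
    # ideal mass of (s, l, z) is cond[(s, l)] / P; scale by P to stay in integers
    total = sum(abs(P * real.get((s, l, z), 0) - c)
                for (s, l), c in cond.items() for z in range(P))
    return Fraction(total, 2 * P * len(vectors) ** 2)


def lhl_bound(mu):
    """Generalised LHL: SD <= 1/2 * sqrt(|F| * 2^mu / |F|^M) when mu bits of w leak."""
    return 0.5 * sqrt(P * 2 ** mu / P ** M)


def encode(w):
    return sum(c * P ** i for i, c in enumerate(w))


def local_leak(mu):
    """mu-bit leakage depending on w only; nested in mu (low bits of one fixed
    value), so the distance is monotone in mu."""
    return lambda w, s: ((37 * encode(w) + 11) % 256) & ((1 << mu) - 1)


def seed_dependent_leak(w, s):
    """Inadmissible leakage: the parity of <w, s> itself depends on s."""
    return inner(w, s) % 2


if __name__ == "__main__":
    for mu in range(4):
        sd = stat_distance(local_leak(mu))
        print(f"mu={mu}: SD={float(sd):.4f}  LHL bound={lhl_bound(mu):.4f}")
    print("seed-dependent 1-bit leak: SD=%.4f" % float(stat_distance(seed_dependent_leak)))
```

With no leakage the distance is 6/2401 ≈ 0.0025 (the only defect is the seed s = 0, which makes ⟨w, s⟩ constant), and it stays below the LHL bound as μ grows. A 1-bit leakage that depends on s, by contrast, pushes the distance to 8250/16807 ≈ 0.49, far above the bound, which is exactly the "g(w_i) should be independent of s" annotation on the slide.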

  15. What we get
     For local leakage-resilient threshold secret sharing of:
     • secrets in F,
     • among n parties (n ≤ |F|),
     • against μ bits of leakage per share,
     • with adversarial advantage at most ε,
     |w_i| = |s| = m ≈ 1 + (μ + 3 log(4n/ε)) / log|F|
     Share size: (2m + 2) field elements

  16. Share size overhead
     Chart (not reproduced): share sizes for secrets in a field F with |F| ≈ 2^128 and ε = 1/2^80, for n = 2 and n = 100.

  17. Computational overhead
     Chart (not reproduced): computational overhead in sharing time over Shamir secret sharing, for various leakage rates*
     * as observed on a machine with a 4-core 2.9 GHz CPU and 16 GB of RAM

  18. Improvements
     • Generalisation to secret sharing for any monotone access structure.
     • Leakage rate up to 1, and a constant-factor improvement in rate, using better extractors than the inner product.
     In the full version:
     • Rate-preserving transformation to non-malleable secret sharing.
     • Leakage-tolerant MPC for general interaction patterns.

  19. Concurrent work
     "Stronger leakage-resilient and non-malleable secret-sharing schemes for general access structures", Aggarwal et al.:
     • general leakage-resilience transformation, with O(1/n) rate loss and constant leakage rate,
     • non-malleable secret sharing against concurrent tampering,
     • leakage-resilient threshold signatures.
     "Leakage-resilient secret sharing", Kumar et al.:
     • secret sharing schemes resilient against adaptive leakage,
     • non-malleable secret sharing against tampering with leakage.

  20. Thank You!
