Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram - - PowerPoint PPT Presentation

▶

Nov 18, 2022 1.23k likes •1.45k views

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini Vasudevan UC Berkeley Secret Sharing [Shamir 79, Blakley 79] Share 1 , , Reconstruction: Given at least

SLIDE 1

Efficient Leakage-Resilient Secret Sharing

Peihan Miao Akshayaram Srinivasan Prashant Nalini Vasudevan UC Berkeley

SLIDE 2

Secret Sharing [Shamir’79, Blakley’79]

𝜏 𝑡ℎ1 , … , 𝑡ℎ𝑜

Reconstruction: Given at least 𝑢 shares, can reconstruct 𝜏 Secrecy: Given (𝑢 − 1) shares, no information about 𝜏 Several applications: MPC, threshold crypto, leakage-resilient circuit compilers, ... Efficient constructions, e.g., Shamir, which has rate =

𝜏 𝑡ℎ𝑗 = 1

SLIDE 3

Secret Sharing [Shamir’79, Blakley’79]

𝜏 𝑡ℎ1 , … , 𝑡ℎ𝑜

What if there are side-channels? What if the adversary, in addition to (𝑢 − 1) full shares, has some information about the others? Reconstruction: Given at least 𝑢 shares, can reconstruct 𝜏 Secrecy: Given (𝑢 − 1) shares, no information about 𝜏

SLIDE 4

Local Leakage Resilient Secret Sharing [GK’18, BDIR’18]

1. Adversary specifies:
2. Adversary is given shares 𝑡ℎ𝑗 for 𝑗 ∈ 𝑇, and leakage 𝑔(𝑡ℎ𝑗) for 𝑗 ∉ 𝑇
3. Its views for any two secrets should be statistically close
Set 𝑇 ⊆ [𝑜] of size at most 𝑢 − 1
For 𝑗 ∉ 𝑇, a leakage function 𝑔𝑗 that outputs 𝜈 bits
Local - each fi depends on one share
Bounded - each fi outputs few bits
Otherwise arbitrary

𝑚𝑓𝑏𝑙𝑏𝑕𝑓 𝑠𝑏𝑢𝑓 = 𝜈 𝑡ℎ𝑗

SLIDE 5

What was known

Guruswami-Wootters ’16: Shamir over 𝐻𝐺[2𝑙] not leakage-resilient
Benhamouda et al ’18: Shamir over large-characteristic fields is leakage-resilient with

leakage rate Θ(1) for thresholds more than 𝑜 − 𝑝(log 𝑜)

Constructions:
Other models of leakage-resilience for secret sharing have been studied, e.g., Boyle et

al ‘14, Dziembowski-Pietrzak ’07, etc.

Goyal-Kumar ’18: 2-out-of-𝑜 with rate and leakage rate Θ

1 𝑜

Badrinarayanan-Srinivasan ’18: 𝑃(1)-out-of-𝑜 with rate Θ

1 log 𝑜 and leakage rate Θ 1 𝑜 log 𝑜

SLIDE 6

What we do

Leakage-resilient threshold secret sharing schemes

for all thresholds,
with constant rate,
supporting any constant leakage rate

In this talk: simpler construction with slightly worse rate, supporting leakage rate up to 1/2

SLIDE 7

Our construction

𝜏 𝑡ℎ1 , … , 𝑡ℎ𝑜

𝑢-out-of-𝑜 Shamir

Threshold 𝑢, secret 𝜏 ∈ 𝔾, leakage bound of 𝜈 bits 𝑗𝑢ℎ share: (𝒙𝒋 , 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠 , 𝒕𝒔𝒋) Sample 𝒕, 𝒙𝟐, … , 𝒙𝒐 ← 𝔾𝑛, and 𝑠 ← 𝔾

(𝒕, 𝑠) 𝒕𝒔𝟐 , … , 𝒕𝒔𝒐

2-out-of-𝑜 Shamir

(𝑛 specified later)

SLIDE 8

Reconstruction

𝑗𝑢ℎ share: (𝒙𝒋 , 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠 , 𝒕𝒔𝒋) Given shares of 𝑢 different 𝑗’s: 1. Reconstruct 𝒕 and 𝑠 from {𝒕𝒔𝒋} 2. Recover 𝑡ℎ𝑗 from (𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠) 3. Reconstruct 𝜏 from {𝑡ℎ𝑗}

SLIDE 9

Leakage Resilience

Adversary knows:

𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 for 𝑗 ∈ 𝑇, where 𝑇 < 𝑢
𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 for 𝑗 ∉ 𝑇
Possibly 𝒕 and 𝑠

Approach: 1. For the 𝑗 ∉ 𝑇, replace (𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 ) with random 𝑣𝑗 ∈ 𝔾 2. Show that adversary cannot tell this was done (by a hybrid argument) 3. By secrecy of 𝑢-out-of-𝑜 sharing, adversary’s view is independent of secret 𝜏

SLIDE 10

Leakage Resilience

Claim: For any 𝑗 ∉ 𝑇, even given 𝒕 and 𝑠,

𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 ≈ 𝑔𝑗 𝒙𝒋, 𝑣𝑗 + 𝑠, 𝒕𝒔𝒋

Leftover Hash Lemma [ILL89]:

〈𝒙𝒋, 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙𝒋), if 𝑕 𝒙𝒋 ≪ |𝒙𝒋|

SLIDE 11

Leakage Resilience

Claim: For any 𝑗 ∉ 𝑇, even given 𝒕 and 𝑠,

𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 ≈ 𝑔𝑗 𝒙𝒋, 𝑣𝑗 + 𝑠, 𝒕𝒔𝒋

Leftover Hash Lemma [ILL89]:

〈𝒙𝒋, 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙𝒋), if 𝑕 𝒙𝒋 ≪ |𝒙𝒋|

should be independent of 𝒕

SLIDE 12

Leakage Resilience

Claim: For any 𝑗 ∉ 𝑇, even given 𝒕 and 𝑠,

𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 ≈ 𝑔𝑗 𝒙𝒋, 𝑣𝑗 + 𝑠, 𝒕𝒔𝒋

Leftover Hash Lemma [ILL89]:

〈𝒙𝒋, 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙𝒋), if 𝑕 𝒙𝒋 ≪ |𝒙𝒋|

independent of 𝒕 and 𝑠 because 2-out-of-𝑜 share should be independent of 𝒕

SLIDE 13

Leakage Resilience

Claim: For any 𝑗 ∉ 𝑇, even given 𝒕 and 𝑠,

𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 ≈ 𝑔𝑗 𝒙𝒋, 𝑣𝑗 + 𝑠, 𝒕𝒔𝒋

Leftover Hash Lemma [ILL89]:

〈𝒙𝒋, 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙𝒋), if 𝑕 𝒙𝒋 ≪ |𝒙𝒋|

independent of 𝒕 and 𝑠 because 2-out-of-𝑜 share independent of 𝒕 because masked with 𝑠 should be independent of 𝒕

SLIDE 14

Leakage Resilience

Claim: For any 𝑗 ∉ 𝑇, even given 𝒕 and 𝑠,

𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 ≈ 𝑔𝑗 𝒙𝒋, 𝑣𝑗 + 𝑠, 𝒕𝒔𝒋

Leftover Hash Lemma [ILL89]:

〈𝒙𝒋, 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙𝒋), if 𝑕 𝒙𝒋 ≪ |𝒙𝒋|

independent of 𝒕 and 𝑠 because 2-out-of-𝑜 share independent of 𝒕 because masked with 𝑠 should be independent of 𝒕 determines 𝒙𝒋 and |𝒕| given bound on leakage

SLIDE 15

What we get

For local leakage resilient threshold secret sharing of:

secrets in 𝔾,
among 𝑜 parties (𝑜 ≤ |𝔾|),
against 𝜈 bits of leakage per share,
with adversarial advantage at most 𝜗,

𝒙𝒋 = 𝒕 = 𝑛 ≈ 1 + 𝜈 log 𝔾 + 3 log 4𝑜/𝜗 log 𝔾 Share size: (2𝑛 + 2) field elements

SLIDE 16

Share size overhead

Share sizes for secrets in a field 𝔾, with 𝔾 ≈ 2128, and 𝜗 = 1/280 𝑜 = 2 𝑜 = 100

SLIDE 17

Computational overhead

Computational overhead in sharing time over Shamir secret sharing, for various leakage rates*

* as observed on a machine with 4-core 2.9 GHz CPU and 16 GB of RAM

SLIDE 18

Improvements

Generalisation to secret sharing for any monotone access structure
Leakage rate up to 1, and constant-factor improvement in rate using better

extractors than inner product In full version:

Rate-preserving transformation to non-malleable secret sharing
Leakage-tolerant MPC for general interactions patterns

SLIDE 19

Concurrent work

Stronger leakage-resilient and non-malleable secret-sharing schemes for general access structures, Aggarwal et al

general leakage-resilience transformation, with 𝑃(1/𝑜) rate loss, constant leakage rate,
non-malleable secret sharing against concurrent tampering,
leakage-resilient threshold signatures

Leakage-resilient secret sharing, Kumar et al

secret sharing schemes resilient against adaptive leakage,
non-malleable secret sharing against tampering with leakage

SLIDE 20

Efficient Leakage-Resilient Secret Sharing

Peihan Miao Akshayaram Srinivasan Prashant Nalini Vasudevan UC Berkeley

Secret Sharing [Shamir’79, Blakley’79]

𝜏 𝑡ℎ1 , … , 𝑡ℎ𝑜

Secret Sharing [Shamir’79, Blakley’79]

𝜏 𝑡ℎ1 , … , 𝑡ℎ𝑜

Local Leakage Resilient Secret Sharing [GK’18, BDIR’18]

What was known

What we do

Leakage-resilient threshold secret sharing schemes

In this talk: simpler construction with slightly worse rate, supporting leakage rate up to 1/2

Our construction

𝜏 𝑡ℎ1 , … , 𝑡ℎ𝑜

(𝒕, 𝑠) 𝒕𝒔𝟐 , … , 𝒕𝒔𝒐

Reconstruction

Leakage Resilience

Leakage Resilience

𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 ≈ 𝑔𝑗 𝒙𝒋, 𝑣𝑗 + 𝑠, 𝒕𝒔𝒋

〈𝒙𝒋, 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙𝒋), if 𝑕 𝒙𝒋 ≪ |𝒙𝒋|

Leakage Resilience

𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 ≈ 𝑔𝑗 𝒙𝒋, 𝑣𝑗 + 𝑠, 𝒕𝒔𝒋

〈𝒙𝒋, 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙𝒋), if 𝑕 𝒙𝒋 ≪ |𝒙𝒋|

Leakage Resilience

𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 ≈ 𝑔𝑗 𝒙𝒋, 𝑣𝑗 + 𝑠, 𝒕𝒔𝒋

〈𝒙𝒋, 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙𝒋), if 𝑕 𝒙𝒋 ≪ |𝒙𝒋|

Leakage Resilience

𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 ≈ 𝑔𝑗 𝒙𝒋, 𝑣𝑗 + 𝑠, 𝒕𝒔𝒋

〈𝒙𝒋, 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙𝒋), if 𝑕 𝒙𝒋 ≪ |𝒙𝒋|

Leakage Resilience

𝑔𝑗 𝒙𝒋, 𝑡ℎ𝑗 + 𝒙𝒋, 𝒕 + 𝑠, 𝒕𝒔𝒋 ≈ 𝑔𝑗 𝒙𝒋, 𝑣𝑗 + 𝑠, 𝒕𝒔𝒋

〈𝒙𝒋, 𝒕〉 is almost uniformly random given 𝒕 and leakage 𝑕(𝒙𝒋), if 𝑕 𝒙𝒋 ≪ |𝒙𝒋|

What we get

For local leakage resilient threshold secret sharing of:

𝒙𝒋 = 𝒕 = 𝑛 ≈ 1 + 𝜈 log 𝔾 + 3 log 4𝑜/𝜗 log 𝔾 Share size: (2𝑛 + 2) field elements

Share size overhead

Computational overhead

Improvements

extractors than inner product In full version:

Concurrent work

Thank You!