Non-Malleable Secret Sharing against Bounded Joint-Tampering Attacks in the Plain Model
Antonio Faonio (IMDEA Software Institute, Madrid, Spain; now at EURECOM), Gianluca Brian (Sapienza University of Rome, Rome, Italy), Maciej Obremski (National University of Singapore, Singapore, Singapore), Mark Simkin (Aarhus University, Aarhus, Denmark), Daniele Venturi (Sapienza University of Rome, Rome, Italy)
CRYPTO 2020, online version
1 / 11
Secret Sharing
[Figure: the dealer runs Share on the message m and hands the shares s_1, s_2, s_3, s_4, ..., s_n to the parties. An authorized subset feeds its shares s_{i_1}, ..., s_{i_j} (with {i_1, ..., i_j} ∈ A) to Rec and recovers m; an unauthorized subset (not in A) learns nothing about m (???).]
Access structure: t-out-of-n.
Correctness: at least t parties are able to reconstruct the secret.
Privacy: less than t parties should not be able to learn any information about the secret.
2 / 11
Leakage Resilient and Non-malleable Secret Sharing
[Figure: the dealer runs Share on m and hands out s_1, ..., s_n. The adversary applies a leakage function g ∈ G to all shares and obtains Λ = g(s_1, ..., s_n), and applies a tampering function f ∈ F to the shares, producing tampered shares s'_1, ..., s'_n; Rec on the tampered shares outputs m'.]
Side channel attacks: partial information from all the shares may reveal some information about the message! SECURITY BREACH!
Tampering attacks: m' may be related to m! SECURITY BREACH!!!
Leakage Resilient Secret Sharing [KMS18]: Λ reveals nothing about m for a restricted family G.
Non-Malleable Secret Sharing [GK18]: m' is unrelated to m for a restricted family F.
Leakage-resilient non-malleability: the best of both worlds.
Limitations: impossible for arbitrary families G and F.
3 / 11
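The two breaches on this slide, shown on plain Shamir t-out-of-n sharing as an added example (not code from the paper or its authors): the scheme is correct and private, yet an ℓ-bit joint leakage function g over all shares reveals ℓ bits of m, and a joint tampering function f that adds the same constant to every share makes Rec output the related message m' = m + c. The field prime, the parameters t = 3, n = 5 and the leakage/tampering functions are my own choices.

```python
# Added example: Shamir sharing over GF(P) is neither leakage resilient nor
# non-malleable against functions that touch all shares jointly.
import secrets

P = 2**61 - 1  # Mersenne prime (assumed field); message and shares live in GF(P)

def share(m, t, n):
    """Shamir: random polynomial of degree t-1 with constant term m; share i is p(i)."""
    coeffs = [m % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}

def rec(shares):
    """Lagrange interpolation at x = 0 from any t shares given as {i: s_i}."""
    m = 0
    for i, s_i in shares.items():
        lam = 1
        for j in shares:
            if j != i:
                lam = lam * j * pow(j - i, P - 2, P) % P  # factor j / (j - i)
        m = (m + s_i * lam) % P
    return m

def joint_leak(shares, t, ell):
    """Leakage g(s_1, ..., s_n) with an ell-bit output: reconstruct internally and
    emit the low ell bits of m. Bounded joint leakage already reveals part of m."""
    first_t = dict(list(shares.items())[:t])
    return rec(first_t) & ((1 << ell) - 1)

def joint_tamper(shares, c):
    """Tampering f(s_1, ..., s_n) = (s_1 + c, ..., s_n + c): the tampered points lie
    on p(x) + c, so Rec returns m' = m + c, a message related to m."""
    return {i: (s + c) % P for i, s in shares.items()}

def demo(m, t=3, n=5, ell=8, c=1):
    """Run sharing, an ell-bit joint leakage and an additive joint tampering."""
    sh = share(m, t, n)
    leak = joint_leak(sh, t, ell)
    m_prime = rec(dict(list(joint_tamper(sh, c).items())[:t]))
    return {"correct": rec(dict(list(sh.items())[:t])) == m % P,
            "leak_matches_low_bits": leak == (m % P) & ((1 << ell) - 1),
            "tampered_related": m_prime == (m + c) % P}
```
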
Our contributions
Our model
- Joint leakage and tampering (selective partitioning, semi-adaptive partitioning).
- Bounded leakage: the total leakage amounts to at most ℓ bits.
Selective partitioning
- Any one-time statistically non-malleable secret sharing scheme is also leakage resilient.
- Corollary: lower bounds for the size of the shares of non-malleable secret sharing schemes using [NS20].
Semi-adaptive partitioning
- We construct a one-time non-malleable secret-sharing scheme against joint leakage and tampering under semi-adaptive partitioning.
Both settings
- Corollary: construction of a p-time non-malleable secret sharing scheme from known techniques [OPVV18, BFV19].
[Figure: Statistical 1-NMSS → compiler → Computational p-NMSS.]
4 / 11
Security against selective partitioning
[Figure: the shares s_1, s_2, s_3, s_4, s_5, s_6, s_7, s_8, s_9, ..., s_n. The adversary fixes the reconstruction set T = {1, 4, 5, 7, 8, 9, ...} and partitions the selected shares s_1, s_5, s_4, s_7, s_8, s_9, ..., s_n into blocks. Leakage functions g_1, g_2, ... are applied block by block and return Λ_1, Λ_2, ...; then tampering functions f_1, f_2, ... are applied block by block, giving the tampered shares s̃_1, s̃_5, s̃_4, s̃_7, s̃_8, s̃_9, ..., s̃_n, and Rec outputs m̃.]
5 / 11
A non-malleable secret sharing is also leakage resilient
Any one-time ε/2^ℓ-non-malleable secret sharing scheme is also an ℓ-bounded leakage resilient one-time ε-non-malleable secret sharing scheme.
Proof strategy: complexity leveraging.
[Figure: the reduction sits between the leakage-resilient adversary (asking "m_0 or m_1?") and the non-malleability challenger. It forwards T and the partition B = (B_1, ..., B_t). On the query (Leak, (g_1, ..., g_t)) it randomly samples Λ_1, ..., Λ_t and returns (Λ_1, ..., Λ_t). On the query (Tamper, (f_1, ..., f_t)) it forwards the functions
  f̂_i = ⊥ if the leakage is wrong, f_i(s_{B_i}) otherwise,
and relays the challenger's answer m̃ or ⊥.]
6 / 11
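The loss of the complexity-leveraging step on this slide, written out as an added derivation (not part of the original slides). It assumes the adversary A distinguishes the leakage-resilient tampering experiments for m_0 and m_1 with statistical distance ε, that the total leakage (Λ_1, ..., Λ_t) is an ℓ-bit string, and that the reduction B guesses it uniformly as \hat\Lambda; Out_A^b and Out_B^b denote the output (m̃ or ⊥, together with the view of A) of the respective experiment on message m_b.

$$\Pr[\hat\Lambda = \Lambda] = 2^{-\ell} \quad\text{for every fixed value of } \Lambda, \text{ hence for both } b \in \{0,1\}.$$

$$\text{If } \hat\Lambda = \Lambda: \ \hat f_i = f_i(s_{B_i}) \text{ for all } i, \text{ so } \mathrm{Out}_B^b \equiv \mathrm{Out}_A^b; \qquad \text{if } \hat\Lambda \neq \Lambda: \ \hat f_i = \bot \text{ for all } i, \text{ so } \mathrm{Out}_B^b \equiv \bot.$$

$$\mathrm{Out}_B^b = 2^{-\ell}\cdot \mathrm{Out}_A^b + (1-2^{-\ell})\cdot \bot$$

$$\Delta\big(\mathrm{Out}_B^0, \mathrm{Out}_B^1\big) = 2^{-\ell}\cdot \Delta\big(\mathrm{Out}_A^0, \mathrm{Out}_A^1\big) = \frac{\varepsilon}{2^{\ell}},$$

so an adversary breaking ε-non-malleability with ℓ bits of leakage yields a reduction breaking ε/2^ℓ-non-malleability without leakage, which is exactly the factor 2^ℓ in the statement.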