Securing Secret Sharing Against Leakage and Tampering Ashutosh - PowerPoint PPT Presentation

Phase 1: -LRSS ( p , p + 1, p + 1) 𝖳𝗂𝖻𝗌𝖿 ( m ) • 𝖲𝖻𝗈𝖾𝗉𝗇 a 1 , …, a p +1 ∈ {0,1} r • a ← 𝖦 ( a 1 , …, a p +1 ) • b 1 , …, b p +1 ← 𝖸𝖯𝖲 p +1 p +1 ( m ⊕ a ) • share i ← a i , b i 𝖲𝖿𝖽 ( m )

Phase 1: -LRSS ( p , p + 1, p + 1) 𝖳𝗂𝖻𝗌𝖿 ( m ) • 𝖲𝖻𝗈𝖾𝗉𝗇 a 1 , …, a p +1 ∈ {0,1} r • a ← 𝖦 ( a 1 , …, a p +1 ) • b 1 , …, b p +1 ← 𝖸𝖯𝖲 p +1 p +1 ( m ⊕ a ) • share i ← a i , b i 𝖲𝖿𝖽 ( m ) • a ← 𝖦 ( a 1 , …, a p +1 )

Phase 1: -LRSS ( p , p + 1, p + 1) 𝖳𝗂𝖻𝗌𝖿 ( m ) • 𝖲𝖻𝗈𝖾𝗉𝗇 a 1 , …, a p +1 ∈ {0,1} r • a ← 𝖦 ( a 1 , …, a p +1 ) • b 1 , …, b p +1 ← 𝖸𝖯𝖲 p +1 p +1 ( m ⊕ a ) • share i ← a i , b i 𝖲𝖿𝖽 ( m ) • a ← 𝖦 ( a 1 , …, a p +1 ) • m ← a ⊕ b 1 ⊕ … ⊕ b p +1

Phase 1: -LRSS ( p , p + 1, p + 1) 𝖳𝗂𝖻𝗌𝖿 ( m ) • 𝖲𝖻𝗈𝖾𝗉𝗇 a 1 , …, a p +1 ∈ {0,1} r • a ← 𝖦 ( a 1 , …, a p +1 ) b 1 , …, b p +1 ← 𝖸𝖯𝖲 p +1 • p +1 ( m ⊕ a ) • share i ← a i , b i Leakage-Resilience: 
 Not resilient NOF protocol for → 𝖦 𝖦 : ({0,1} r ) p +1 → {0,1} ϵ -‘hard’ for 
 NOF protocols with communication. μ


 Phase 2: Lifting 
 to ( p , p + 1, p + 1) ( p , p + 1, n ) Naive: For every subset of parties, create p + 1 an instance of scheme ( p , p + 1, p + 1) 𝖯𝗆𝖾 ⋅ n p Share length: Ine ffi cient for p = ω (1)

Scatter and Reuse Shares [Kurosawa and Stinson 90s] independent instances of -LRSS M ( p , p + 1, p + 1) parties n s 1 1 , …, s 1 3 2 1 p +1 s 2 1 , …, s 2 p p + 1 1 → p +1 instances ⋮ M p 1 2 s M 1 , …, s M p +1 Scattering Matrix

Scatter and Reuse Shares [Kurosawa and Stinson 90s] independent instances of -LRSS M ( p , p + 1, p + 1) parties n n s 1 1 , …, s 1 s 1 s 1 s 1 3 2 1 p +1 3 2 1 s 2 s 2 s 2 1 , …, s 2 s 2 p p + 1 1 → 1 p p +1 → p +1 ⋮ M s M s M s M p 1 2 s M 1 , …, s M p 1 2 p +1 Scattered Shares Scattering Matrix

Scatter and Reuse Shares [Kurosawa and Stinson 90s] independent instances of -LRSS M ( p , p + 1, p + 1) parties n n s 1 1 , …, s 1 s 1 s 1 s 1 3 2 1 p +1 3 2 1 s 2 s 2 s 2 1 , …, s 2 s 2 p p + 1 1 → 1 p p +1 → p +1 ⋮ M s M s M s M p 1 2 s M 1 , …, s M p 1 2 p +1 Scattered Shares Scattering Matrix Final share of party i ← 𝖽𝗉𝗆𝗏𝗇𝗈 i

Scatter and Reuse Shares What property of scattering matrix? n columns row 
 ∀ p + 1 ∃ 3 2 1 containing {1,…, p + 1} p p + 1 1 ↓ M Any parties 
 p + 1 p 1 2 can reconstruct

Scatter and Reuse Shares How to construct such a matrix? n columns row 
 ∀ p + 1 ∃ 3 2 1 containing {1,…, p + 1} p p + 1 1 ↑ M Perfect hash functions: p 1 2 M = 2 p log n [Fredman, Komlos, and Szemeredi 84] [Alon, Yuster and Zwick 95] [Naor, Schulman and Srinivasan 95]


 
 
 Phase 2: Lifting 
 to ( p , p + 1, p + 1) ( p , p + 1, n ) 𝖯𝗆𝖾 ⋅ (2 p ⋅ log n ) • Share length: • Secrecy: Immediate 
 • Leakage-resilience: Hybrid argument

Disjoint subsets? Handling overlapping collusions in base scheme 
 is crucial for scattering. Weaker adversary: • Partition into disjoint subsets of size p • Non-adaptively leak from each subset Don’t know how to handle without NOF . p = ω (1)


 Phase 3: Lifting 
 to ( p , p + 1, n ) ( p , t , n ) • a , b ← 𝖸𝖯𝖲 𝟥 𝟥 ( m ) • a 1 , …, a n ← 𝖳𝗂𝖻𝗇𝗃𝗌 t n ( a ) • b 1 , …, b n ← 𝖬𝖲𝖳𝗂𝖻𝗌𝖿 p +1 ( b ) n • share i ← a i , b i • Secrecy: From 𝖳𝗂𝖻𝗇𝗃𝗌 t n • Leakage-resilience: From 𝖬𝖲𝖳𝗂𝖻𝗌𝖿 p +1 n


 Phase 3: Lifting 
 to ( p , p + 1, n ) ( p , t , n ) • a , b ← 𝖸𝖯𝖲 𝟥 𝟥 ( m ) • a 1 , …, a n ← 𝖳𝗂𝖻𝗇𝗃𝗌 t n ( a ) • b 1 , …, b n ← 𝖬𝖲𝖳𝗂𝖻𝗌𝖿 p +1 ( b ) n • share i ← a i , b i • Secrecy: From 𝖳𝗂𝖻𝗇𝗃𝗌 t n • Leakage-resilience: From 𝖬𝖲𝖳𝗂𝖻𝗌𝖿 p +1 n ∎

Agenda Leakage-Resilience Non-Malleability

What if a party tampers? s 4 s 3 s 2 secret s 1

What if a party tampers? s 4 s 2 s 3 s 1

What if a party tampers? s 4 s 2 s 3 secret s 1 Error Correction: Only 1 set of collinear triples

What if a party tampers? s 4 s 2 s 3 secret s 1 Error Correction: Only 1 set of collinear triples How about 3 parties?

What if a party tampers? s 3 s 2 secret s 1

What if a party tampers? s 2 s 3 s 1

What if a party tampers? s 2 s 3 s 1

What if a party tampers? s 2 s 3 s 1 Cannot correct an error with only 3 parties.

What if a party tampers? s 2 s 3 s 1 Cannot correct an error with only 3 parties. Can achieve weaker guarantee of 
 Error Detection: Non-collinear points

What if everyone tampers? s 3 s 2 secret s 1

What if everyone tampers? Overwrites 
 with 0 s 2 s 1 s 3

What if everyone tampers? Overwrites 
 with 0 0 s 2 s 1 s 3

What if everyone tampers? Overwrites 
 with 0 0 s 2 s 1 s 3 Cannot even detect errors!

What if everyone tampers? Overwrites 
 with 0 0 s 2 s 1 s 3 Cannot even detect errors! But notice: Original secret was ‘destroyed’.

Modeling ‘Destruction’ Inspired from Non-Malleable Codes: [Dziembowski, Pietrzak, Wichs 10] 0 s 1 s 2 s n … s 1 ˜ s 2 ˜ s n ˜ … Any t m ˜

Modeling ‘Destruction’ Inspired from Non-Malleable Codes: [Dziembowski, Pietrzak, Wichs 10] 1 ≠ 0 s 1 s 2 s n … s 1 s 2 s n … s 1 ˜ s 2 ˜ s n ˜ … s 1 ˜ s 2 ˜ s n ˜ … Any t Any t m ˜ m ˜

Modeling ‘Destruction’ Inspired from Non-Malleable Codes: [Dziembowski, Pietrzak, Wichs 10] 1 ≠ 0 s 1 s 2 s n … s 1 s 2 s n … s 1 ˜ s 2 ˜ s n ˜ … s 1 ˜ s 2 ˜ s n ˜ … Any t Any t ≈ ϵ m ˜ m ˜


 Non-Malleable Secret Sharing [Goyal-K 18] m NMSS: 
 s 1 s 2 s n … The distribution of tampered 
 secret is either identical or 
 statistically independent of the original secret. s 1 ˜ s 2 ˜ s n ˜ … Any t m ˜


 Non-Malleable Secret Sharing [Goyal-K 18] m NMSS: 
 s 1 s 2 s n … The distribution of tampered 
 secret is either identical or 
 statistically independent of the original secret. s 1 ˜ s 2 ˜ s n ˜ … Any t m ˜ Intuition: Secret hidden even after learning tampered secret.

Shamir’s scheme is Malleable s 3 s 2 𝗍𝖿𝖽𝗌𝖿𝗎 s 1

Shamir’s scheme is Malleable s 3 + 1 s 2 + 1 s 1 + 1 s 3 s 2 𝗍𝖿𝖽𝗌𝖿𝗎 s 1

Shamir’s scheme is Malleable s 3 + 1 s 2 + 1 𝗍𝖿𝖽𝗌𝖿𝗎 + 1 s 1 + 1 s 3 s 2 𝗍𝖿𝖽𝗌𝖿𝗎 s 1

Shamir’s scheme is Malleable s 3 + 1 s 2 + 1 𝗍𝖿𝖽𝗌𝖿𝗎 + 1 s 1 + 1 s 3 s 2 𝗍𝖿𝖽𝗌𝖿𝗎 s 1 In fact, all linear schemes are malleable.

Our Results for NMSS Theorem [Goyal-K 18] : Compile any scheme into 
 non-malleable one against individual tampering.

Our Results for NMSS Theorem [Goyal-K 18] : Compile any scheme into 
 non-malleable one against individual tampering. Theorem [K, Meka, Sahai 19] : Allow tampering 
 to depend on individual leakage.

Our Results for NMSS Theorem [Goyal-K 18] : Compile any scheme into 
 non-malleable one against individual tampering. Theorem [K, Meka, Sahai 19] : Allow tampering 
 to depend on individual leakage. -out-of- NMSS 
 2 2 studied as NM Codes

Joint Tampering? [Goyal-K 18]

Joint Tampering? [Goyal-K 18] Theorem: -out-of- scheme that is non-malleable 
 t n against joint tampering in two subsets 
 (except equal sized subsets).

Outline for NMSS Non-Malleable Codes ↓ • Ingredient 1: -out-of- NMSS 2 2

Outline for NMSS Non-Malleable Codes ↓ • Ingredient 1: -out-of- NMSS 2 2 • Ingredient 2: A pair of ‘unfriendly’ SS schemes

Outline for NMSS Non-Malleable Codes ↓ • Ingredient 1: -out-of- NMSS 2 2 • Ingredient 2: A pair of ‘unfriendly’ SS schemes ↓

Outline for NMSS Non-Malleable Codes ↓ • Ingredient 1: -out-of- NMSS 2 2 • Ingredient 2: A pair of ‘unfriendly’ SS schemes ↓ Our Compiler for NMSS

-out-of- NMSS 2 2 m l r ˜ l r ˜ m ˜

-out-of- NMSS 2 2 m Follows from split-state 
 2 non-malleable codes l r ˜ l r ˜ m ˜

-out-of- NMSS 2 2 m Follows from split-state 
 2 non-malleable codes l r [Dziembowski, Pietrzak, Wichs 10] [Liu, Lysyanskaya 12] ˜ l r ˜ [Dziembowski, Kazana, Obremski 13] [Aggarwal, Dodis, Lovett 14] … m ˜

-out-of- NMSS? 3 n