On the Local Leakage Resilience of Linear Secret Sharing Schemes

Abstract

We consider the following basic question: to what extent are standard secret sharing schemes and protocols for secure multiparty computation that build on them resilient to leakage? We focus on a simple local leakage model, where the adversary can apply an arbitrary function of a bounded output length to the secret state of each party, but cannot otherwise learn joint information about the states. We show that additive secret sharing schemes and high-threshold instances of Shamir’s secret sharing scheme are secure under local leakage attacks when the underlying field is of a large prime order and the number of parties is sufficiently large. This should be contrasted with the fact that any linear secret sharing scheme over a small characteristic field is clearly insecure under local leakage attacks, regardless of the number of parties. Our results are obtained via tools from Fourier analysis and additive combinatorics. We present two types of applications of the above results and techniques. As a positive application, we show that the “GMW protocol” for honest-but-curious parties, when implemented using shared products of random field elements (so-called “Beaver Triples”), is resilient in the local leakage model for sufficiently many parties and over certain fields. This holds even when the adversary has full access to a constant fraction of the views. As a negative application, we rule out multiparty variants of the share conversion scheme used in the 2-party homomorphic secret sharing scheme of Boyle et al. (in: Crypto, 2016).
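The contrast between small-characteristic fields and large prime fields can be seen with a single one-bit leakage function. The following is an added example, not code from the paper: the constants `K` and `P` and all function names are assumptions chosen for illustration, and it tests only least-significant-bit leakage on additive sharing, so the prime-field numbers are an empirical illustration rather than the paper's analysis.

```python
import secrets
from functools import reduce
from operator import xor

K = 61           # assumed bit length for the F_{2^k} case
P = 2**61 - 1    # assumed large prime (a Mersenne prime) for the F_p case

def share_xor(secret, n):
    """Additive sharing over F_{2^k}: field addition is bitwise XOR."""
    shares = [secrets.randbits(K) for _ in range(n - 1)]
    return shares + [reduce(xor, shares, secret)]

def share_mod_p(secret, n):
    """Additive sharing over F_p: shares sum to the secret modulo P."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    return shares + [(secret - sum(shares)) % P]

def leak_lsb(share):
    """Local leakage function with 1-bit output, applied to one share."""
    return share & 1

def guess(shares):
    """Combine the per-party leaked bits; no share is seen in full."""
    return reduce(xor, map(leak_lsb, shares))

def advantage(share_fn, n, trials=2000):
    """Estimate |Pr[guess == secret] - 1/2| for a random one-bit secret."""
    hits = 0
    for _ in range(trials):
        secret = secrets.randbelow(2)
        hits += guess(share_fn(secret, n)) == secret
    return abs(hits / trials - 0.5)

if __name__ == "__main__":
    # Characteristic 2: advantage stays at 0.5 for every n.
    # Prime field: advantage is large for n = 2 and near 0 for n = 20.
    for n in (2, 20):
        print(n, advantage(share_xor, n), advantage(share_mod_p, n))
```

Over the characteristic-2 field the XOR of the leaked bits equals the low bit of the secret for any number of parties, while over the prime field the carries modulo `P` scramble the parity once enough parties contribute.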

Notes

  1. In the whole paper, an \((n,t)\)-Shamir’s secret sharing scheme or Shamir’s secret sharing scheme with (reconstruction) threshold t uses polynomials of degree \(t-1\), so that the secret cannot be recovered from a collusion of fewer than t parties. The secret can be recovered from the shares of t parties.

  2. This can be done by locally adding shares of an arbitrary \((n,\alpha 'n)\)-Shamir’s sharing of 0 to the given \((n,\alpha n)\)-Shamir’s shares for \( \alpha ' > \alpha \).

  3. A Beaver triple consists of \((a, b, ab)\) where \(a, b\) are randomly chosen field elements.

  4. To recall, in the quotient group \( \mathbb {F}_{2^k} \diagup A_0 \), the elements are the cosets \( A_0, A_1 \). The sum of two cosets is the coset formed by the sum of elements of the first coset with elements of the second coset. Concretely, we have \( A_0 + A_0 = A_0 \), \( A_0 + A_1 = A_1 \), and \(A_1 + A_1 = A_0\).

  5. We abuse notation and sometimes consider elements of \(\mathbb {F}_{2^k}\) as vectors in \(\mathbb {F}_{2}^k\).

  6. While the constant \( c_L \) has some dependence on p, whereby it decreases as p increases, it is dwarfed by the \( p^{n-t} \) term.

  7. A relation is trivial if no matter what secret is shared, a constant output by the conversion scheme would satisfy correctness. Or put another way, in a non-trivial relation R, there exist \( s_0 \) and \( s_1 \) such that \( s_0 \) has to be mapped to 0 and \( s_1 \) has to be mapped to 1 by the relation R.

  8. We consider a more general case in Sect. 6 which also tolerates a higher error probability of 1/6.

  9. Both complexity measures do not assign complexity to all possible linear forms. To give an example, the linear form \(( L_1(x) = x, L_2(x) = x+2 )\), which corresponds to the twin primes conjecture, is not assigned a complexity value and the twin primes conjecture is still open.

  10. \( z_1 \circ z_2 = x_1x_2 + y_1y_2 \) where \( z_b = x_b + i\cdot y_b \) is the dot product of \( z_1 \) and \( z_2 \). Equivalently, \( z_1 \circ z_2 = |z_1| |z_2| \cos \theta \) where \( \theta \) is the angle between \( z_1 \) and \( z_2 \).

  11. As in [37], we do not need to use the standard convolution, which is normally defined as \(f \star g: \mathbb {G}\rightarrow \mathbb {C}\), \((f \star g)(y) = \mathbb {E}_{x \leftarrow \mathbb {G}} {[ f(x) \cdot g(y - x) ]}\).

References

  1. T. Araki, J. Furukawa, Y. Lindell, A. Nof, K. Ohara, High-throughput semi-honest secure three-party computation with an honest majority, in CCS (2016)
  2. A. Akavia, S. Goldwasser, V. Vaikuntanathan, Simultaneous hardcore bits and cryptography against memory attacks, in TCC (2009)
  3. C.H. Bennett, G. Brassard, C. Crépeau, U.M. Maurer, Generalized privacy amplification. IEEE Trans. Inf. Theory 41(6):1915–1923 (1995)
  4. C.H. Bennett, G. Brassard, J.-M. Robert, Privacy amplification by public discussion. SIAM J. Comput. 17(2):210–229 (1988)
  5. M. Ben-Or, D. Coppersmith, M. Luby, R. Rubinfeld, Non-abelian homomorphism testing, and distributions close to their self-convolutions, in Random Structures and Algorithms (2008)
  6. F. Benhamouda, A. Degwekar, Y. Ishai, T. Rabin, On the local leakage resilience of linear secret sharing schemes, in H. Shacham and A. Boldyreva (eds.), Advances in Cryptology—CRYPTO 2018: 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2018, Proceedings, Part I, Volume 10991 of Lecture Notes in Computer Science (Springer, 2018), pp. 531–561
  7. N. Bitansky, D. Dachman-Soled, H. Lin, Leakage-tolerant computation with input-independent preprocessing, in CRYPTO (2014)
  8. D. Beaver, Efficient multiparty protocols using circuit randomization, in CRYPTO (1991)
  9. E. Boyle, N. Gilboa, Y. Ishai, Breaking the circuit size barrier for secure computation under DDH, in CRYPTO (2016)
  10. E. Boyle, S. Goldwasser, Y.T. Kalai, Leakage-resilient coin tossing, in Distributed Computing (2011)
  11. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in STOC (1988)
  12. A. Beimel, Y. Ishai, E. Kushilevitz, I. Orlov, Share conversion and private information retrieval, in CCC (2012)
  13. A. Bogdanov, Y. Ishai, E. Viola, C. Williamson, Bounded indistinguishability and the complexity of recovering secrets, in CRYPTO 2016, Part III (2016), pp. 593–618
  14. E. Boyle, L. Kohl, P. Scholl, Homomorphic secret sharing from lattices without FHE, in IACR Cryptology ePrint Archive, vol. 2019 (2019), p. 129. To appear in Eurocrypt 2019
  15. G.R. Blakley, Safeguarding cryptographic keys, in AFIPS National Computer Conference (1979)
  16. M. Blum, M. Luby, R. Rubinfeld, Self-testing/correcting with applications to numerical problems. J. Comput. Syst. Sci. (1993)
  17. D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in STOC (1988)
  18. R. Canetti, Y. Dodis, S. Halevi, E. Kushilevitz, A. Sahai, Exposure-resilient functions and all-or-nothing transforms, in International Conference on the Theory and Applications of Cryptographic Techniques (Springer, 2000), pp. 453–469
  19. R. Cramer, I. Damgård, Y. Ishai, Share conversion, pseudorandom secret-sharing and applications to secure computation, in TCC 2005 (2005)
  20. A. Duc, S. Dziembowski, S. Faust, Unifying leakage models: from probing attacks to noisy leakage, in EUROCRYPT (2014)
  21. F. Davì, S. Dziembowski, D. Venturi, Leakage-resilient storage, in J.A. Garay and R. De Prisco (eds.), SCN 10, Volume 6280 of LNCS (Springer, Heidelberg, 2010), pp. 121–137
  22. S. Dziembowski, S. Faust, Leakage-resilient circuits without computational assumptions, in TCC 2012 (2012), pp. 230–247
  23. Y. Dodis, S. Halevi, R.D. Rothblum, D. Wichs, Spooky encryption and its applications, in CRYPTO 2016, Part III (2016), pp. 93–122
  24. D. Dachman-Soled, F.-H. Liu, H.-S. Zhou, Leakage-resilient circuits revisited—optimal number of computing components without leak-free hardware, in EUROCRYPT (2015)
  25. S. Dziembowski, K. Pietrzak, Intrusion-resilient secret sharing, in FOCS (2007)
  26. S. Dziembowski, K. Pietrzak, Leakage-resilient cryptography, in FOCS (2008)
  27. I. Damgård, V. Pastro, N.P. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in CRYPTO (2012)
  28. Y. Dodis, A. Sahai, A. Smith, On perfect and adaptive security in exposure-resilient cryptography, in International Conference on the Theory and Applications of Cryptographic Techniques (Springer, 2001), pp. 301–324
  29. N. Fazio, R. Gennaro, T. Jafarikhah, W.E. Skeith III, Homomorphic secret sharing from Paillier encryption, in ProvSec 2017 (2017), pp. 381–399
  30. S. Faust, T. Rabin, L. Reyzin, E. Tromer, V. Vaikuntanathan, Protecting circuits from leakage: the computationally-bounded and noisy cases, in EUROCRYPT (2010)
  31. V. Goyal, Y. Ishai, H.K. Maji, A. Sahai, A.A. Sherstov, Bounded-communication leakage resilience via parity-resilient circuits, in FOCS (2016)
  32. D. Genkin, Y. Ishai, M. Weiss, How to construct a leakage-resilient (stateless) trusted party, in TCC (2017)
  33. V. Goyal, A. Kumar, Non-malleable secret sharing, in STOC (2018)
  34. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in STOC 1987 (1987)
  35. W.T. Gowers, A new proof of Szemerédi’s theorem. Geom. Funct. Anal. (2001)
  36. S. Goldwasser, G.N. Rothblum, How to compute in the presence of leakage, in SICOMP (2015)
  37. B. Green, Montréal notes on quadratic Fourier analysis. Addit. Combin. (2007)
  38. B. Green, T. Tao, Linear equations in primes. Ann. Math. (2010)
  39. W.T. Gowers, J. Wolf, The true complexity of a system of linear equations. Proc. London Math. Soc. (2010)
  40. W.T. Gowers, J. Wolf, Linear forms and higher-degree uniformity for functions on \(\mathbb{F}_n^p \). Geom. Funct. Anal. (2011)
  41. W.T. Gowers, J. Wolf, Linear forms and quadratic uniformity for functions on \( \mathbb{F}_n^p \). Mathematika (2011)
  42. V. Guruswami, M. Wootters, Repairing Reed–Solomon codes. IEEE Trans. Inf. Theory (2017)
  43. Y. Ishai, A. Sahai, D.A. Wagner, Private circuits: securing hardware against probing attacks, in CRYPTO (2003)
  44. P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, Y. Yarom, Spectre attacks: exploiting speculative execution. ArXiv e-prints, January (2018)
  45. P.C. Kocher, J. Jaffe, B. Jun, Differential power analysis, in CRYPTO (1999)
  46. A. Kumar, R. Meka, A. Sahai, Leakage-resilient secret sharing, in FOCS (2019)
  47. P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in CRYPTO (1996)
  48. M. Keller, E. Orsini, P. Scholl, MASCOT: faster malicious arithmetic secure computation with oblivious transfer, in CCS (2016)
  49. E. Kiltz, K. Pietrzak, Leakage resilient ElGamal encryption, in ASIACRYPT (2010)
  50. M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, M. Hamburg, Meltdown. ArXiv e-prints (2018)
  51. H. Maji, A. Paskin-Cherniavsky, T. Suad, M. Wang, On leakage-resilient secret sharing. Cryptology ePrint Archive, Report 2020/1517 (2020). https://eprint.iacr.org/2020/1517
  52. S. Micali, L. Reyzin, Physically observable cryptography (extended abstract), in TCC (2004)
  53. J.B. Nielsen, M. Simkin, Lower bounds for leakage-resilient secret sharing. Cryptology ePrint Archive, Report 2019/181 (2019). https://eprint.iacr.org/2019/181
  54. R.L. Rivest, All-or-nothing encryption and the package transform, in International Workshop on Fast Software Encryption (Springer, 1997), pp. 210–218
  55. G.N. Rothblum, How to compute under \({{\sf AC}}^0\) leakage without secure hardware, in R. Safavi-Naini and R. Canetti (eds.), CRYPTO 2012, Volume 7417 of LNCS (Springer, Heidelberg, 2012), pp. 552–569
  56. A. Shamir, How to share a secret. Commun. ACM (1979)
  57. A. Srinivasan, P.N. Vasudevan, Leakage resilient secret sharing and applications, in IACR Cryptology ePrint Archive, vol. 2018 (2018), p. 1154
  58. T. Tao, V.H. Vu, Additive Combinatorics (Cambridge University Press, 2006)
  59. A.C.-C. Yao, How to generate and exchange secrets (extended abstract), in FOCS (1986)

Acknowledgements

We thank Anat Paskin-Cherniavsky for pointing out an error in an earlier version of Theorem 1.2. We thank Andrej Bogdanov, one of our JoC reviewers, for pointing out the current simpler proof of Lemma 4.21 that greatly simplifies the proof of Theorem 1.2 and sharpens its bound. We thank Serge Fehr, our Journal of Cryptology editor, and the anonymous reviewers of Crypto 2018 and JoC for their valuable comments.

Author information

Corresponding author

Correspondence to Akshay Degwekar.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

An extended abstract of this paper appeared in [6].

F. Benhamouda and T. Rabin: Research done while at IBM Research and supported by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236. A. Degwekar: The views expressed herein are solely the views of the author(s) and are not necessarily the views of Two Sigma Investments, LP or any of its affiliates. They are not intended to provide, and should not be relied upon for, investment advice. This work was done when the author was a graduate student at MIT and a summer intern at IBM Research. Research supported in part by NSF Grants CNS-1413920 and CNS-1350619, and by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236. Y. Ishai: Research supported in part by ERC Grant 742754, ISF Grant 1709/14, and NSF-BSF Grant 2015782, and a grant from the Ministry of Science and Technology, Israel and Department of Science and Technology, Government of India.

Communicated by Serge Fehr.

About this article

Cite this article

Benhamouda, F., Degwekar, A., Ishai, Y. et al. On the Local Leakage Resilience of Linear Secret Sharing Schemes. J Cryptol 34, 10 (2021). https://doi.org/10.1007/s00145-021-09375-2

Keywords

  • Leakage resilience
  • Secret sharing
  • Fourier analysis