## Abstract

We consider the following basic question: to what extent are standard secret sharing schemes and protocols for secure multiparty computation that build on them resilient to leakage? We focus on a simple *local leakage* model, where the adversary can apply an arbitrary function of a bounded output length to the secret state of each party, but cannot otherwise learn joint information about the states. We show that additive secret sharing schemes and high-threshold instances of Shamir’s secret sharing scheme are secure under local leakage attacks when the underlying field is of a large prime order and the number of parties is sufficiently large. This should be contrasted with the fact that any linear secret sharing scheme over a small characteristic field is clearly insecure under local leakage attacks, regardless of the number of parties. Our results are obtained via tools from Fourier analysis and additive combinatorics. We present two types of applications of the above results and techniques. As a positive application, we show that the “GMW protocol” for honest-but-curious parties, when implemented using shared products of random field elements (so-called “Beaver Triples”), is resilient in the local leakage model for sufficiently many parties and over certain fields. This holds even when the adversary has *full access* to a constant fraction of the views. As a negative application, we rule out multiparty variants of the share conversion scheme used in the 2-party homomorphic secret sharing scheme of Boyle et al. (in: Crypto, 2016).
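The abstract's contrast between small-characteristic and large-prime fields can be made concrete with the simplest local leakage imaginable: every party leaks the least significant bit of its own additive share. The following is an added worked example, not code from the paper; the choice of LSB leakage, the prime p = 127 (kept small so the leakage distribution can be computed exactly rather than sampled) and the party counts are assumptions made here.

```python
"""
Local leakage against additive secret sharing: characteristic 2 vs. a prime field.

Added worked example; not code from the paper. Each of n parties holds one
additive share and leaks exactly one bit of it, its least significant bit, to an
adversary who sees nothing else. Over F_2^k the n leaked bits determine a bit of
the secret for every n. Over Z_p (p an odd prime) we compute the exact statistical
distance between the leakage seen for secret 0 and for secret 1: close to 1 for
two parties, decaying geometrically as n grows. The leakage function, the prime
and the party counts below are choices made for this example.
"""
from fractions import Fraction
from functools import reduce
from math import comb
from operator import xor
from typing import List
import secrets


def share_gf2k(secret: int, n: int, k: int) -> List[int]:
    """Additive sharing over F_2^k (the additive group of GF(2^k)): shares XOR to the secret."""
    shares = [secrets.randbelow(1 << k) for _ in range(n - 1)]
    shares.append(reduce(xor, shares, secret))
    return shares


def share_zp(secret: int, n: int, p: int) -> List[int]:
    """Additive sharing over Z_p: shares sum to the secret modulo p."""
    shares = [secrets.randbelow(p) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % p)
    return shares


def lsb_leakage(shares: List[int]) -> List[int]:
    """The local leakage function: each party applies lsb() to its own share only."""
    return [x & 1 for x in shares]


def gf2k_attack(leaked: List[int]) -> int:
    """Addition in F_2^k is bitwise XOR, so the XOR of the leaked bits equals lsb(secret) exactly.
    Over Z_p the same XOR equals lsb(secret) XOR lsb(#wrap-arounds mod p), which is useless."""
    return reduce(xor, leaked, 0)


def _cyclic_conv(a: List[int], b: List[int], p: int) -> List[int]:
    """out[s] = number of pairs (x, y) with x + y = s (mod p), weighted by a[x] * b[y]."""
    out = [0] * p
    for x, ax in enumerate(a):
        if ax:
            for y, by in enumerate(b):
                if by:
                    out[(x + y) % p] += ax * by
    return out


def zp_leakage_distance(n: int, p: int, s0: int, s1: int) -> Fraction:
    """Exact statistical distance between the LSB-leakage distributions of
    n-party additive sharings of s0 and of s1 over Z_p.

    A sharing of s is a uniform point on the hyperplane x_1 + ... + x_n = s,
    which has p^(n-1) points. For a leakage pattern with j ones,
        Pr[pattern | s] = #{x : lsb(x_i) = pattern_i, sum x_i = s} / p^(n-1),
    and that count is the (n-j)-fold convolution of the even residues with the
    j-fold convolution of the odd residues, evaluated at s; comb(n, j) patterns
    share the same count.
    """
    even = [1 - (x & 1) for x in range(p)]
    odd = [x & 1 for x in range(p)]
    delta = [1] + [0] * (p - 1)           # the empty sum: 0 with certainty
    even_pow, odd_pow = [delta], [delta]  # *_pow[i]: counts for a sum of i such residues
    for _ in range(n):
        even_pow.append(_cyclic_conv(even_pow[-1], even, p))
        odd_pow.append(_cyclic_conv(odd_pow[-1], odd, p))
    total = Fraction(0)
    for j in range(n + 1):
        counts = _cyclic_conv(even_pow[n - j], odd_pow[j], p)
        total += comb(n, j) * abs(counts[s0 % p] - counts[s1 % p])
    return total / (2 * p ** (n - 1))


if __name__ == "__main__":
    n, k, p = 8, 16, 127
    s = secrets.randbelow(1 << k)
    print("F_2^k: XOR of leaked bits", gf2k_attack(lsb_leakage(share_gf2k(s, n, k))), "= lsb(s) =", s & 1)
    print("Z_p:   XOR of leaked bits", gf2k_attack(lsb_leakage(share_zp(s % p, n, p))), "vs lsb(s) =", s & 1)
    for parties in (2, 4, 6, 8, 10):
        sd = float(zp_leakage_distance(parties, p, 0, 1))
        print(f"Z_{p}, {parties:2d} parties: SD(leakage | s=0, leakage | s=1) = {sd:.4f}")
```

Two parties over Z_p are essentially fully distinguishable (SD = 124/127 for p = 127), which is why the abstract's positive result needs sufficiently many parties; from there the distance shrinks by roughly a factor (2/π)^2 for every two parties added, while over F_2^k the XOR attack succeeds with certainty for any n.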

## Notes

1. Throughout the paper, an (*n*, *t*)-Shamir secret sharing scheme, or a Shamir secret sharing scheme with (reconstruction) threshold *t*, uses polynomials of degree \(t-1\): the secret can be recovered from the shares of any *t* parties, but not from any collusion of fewer than *t* parties.
2. This can be done by locally adding shares of an arbitrary \((n,\alpha' n)\)-Shamir sharing of 0 to the given \((n,\alpha n)\)-Shamir shares, for \(\alpha' > \alpha\).
3. A Beaver triple consists of (*a*, *b*, *ab*), where *a* and *b* are randomly chosen field elements.
4. To recall, in the quotient group \(\mathbb{F}_{2^k} \diagup A_0\) the elements are the cosets \(A_0, A_1\). The sum of two cosets is the coset formed by adding the elements of the first coset to those of the second. Concretely, \(A_0 + A_0 = A_0\), \(A_0 + A_1 = A_1\), and \(A_1 + A_1 = A_0\).
5. We abuse notation and sometimes consider elements of \(\mathbb{F}_{2^k}\) as vectors in \(\mathbb{F}_{2}^k\).
6. While the constant \(c_L\) has some dependence on *p* (it decreases as *p* increases), it is dwarfed by the \(p^{n-t}\) term.
7. A relation is trivial if, no matter what secret is shared, a constant output by the conversion scheme would satisfy correctness. Put another way, in a non-trivial relation *R* there exist \(s_0\) and \(s_1\) such that \(s_0\) has to be mapped to 0 and \(s_1\) has to be mapped to 1 by *R*.
8. We consider the more general case in Sect. 6, which also tolerates a higher error probability of 1/6.
9. Neither complexity measure assigns a complexity to every system of linear forms. For example, the system \((L_1(x) = x, L_2(x) = x+2)\), which corresponds to the twin prime conjecture, is not assigned a complexity value, and the twin prime conjecture remains open.
10. The dot product of \(z_1\) and \(z_2\), where \(z_b = x_b + i\cdot y_b\), is \(z_1 \circ z_2 = x_1x_2 + y_1y_2\). Equivalently, \(z_1 \circ z_2 = |z_1| |z_2| \cos \theta\), where \(\theta\) is the angle between \(z_1\) and \(z_2\).
11. As in [37], we do not need to use the standard convolution, which is normally defined as \(f \star g: \mathbb{G}\rightarrow \mathbb{C}\), \((f \star g)(y) = \mathbb{E}_{x \leftarrow \mathbb{G}} [ f(x) \cdot g(y - x) ]\).
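Notes 1 to 3 fix the conventions the paper uses for Shamir sharing, for raising its threshold, and for Beaver triples. The following added worked example, not code from the paper, implements all three over a prime field: an (*n*, *t*) sharing from a degree-(*t*-1) polynomial, reconstruction from any *t* shares, the local threshold raise of Note 2 by adding shares of 0 from a higher-degree polynomial, and a multiplication of two shared values using a Beaver triple with only linear share operations plus two public openings. The prime `P` and the evaluation points 1, ..., *n* are choices made here.

```python
"""
Shamir secret sharing as used in the paper's Notes 1 and 2, and Beaver-triple
multiplication from Note 3.

Added worked example; not code from the paper. An (n, t)-Shamir sharing uses a
uniformly random polynomial f of degree t-1 with f(0) = secret and gives party i
the value f(i); any t shares reconstruct, fewer than t do not. Note 2's threshold
raise adds shares of a fresh (n, t')-sharing of 0 with t' > t. Note 3's Beaver
triple (a, b, ab) turns a multiplication into linear share operations plus two
openings. The prime P and the evaluation points 1..n are choices made here.
"""
import secrets
from typing import List, Sequence, Tuple

P = 2**61 - 1  # a Mersenne prime; any prime larger than n works


def _eval_poly(coeffs: Sequence[int], x: int, p: int) -> int:
    """Horner evaluation of sum(coeffs[k] * x**k) modulo p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def share(secret: int, n: int, t: int, p: int = P) -> List[int]:
    """(n, t)-Shamir sharing: shares[i-1] = f(i) for a random f of degree t-1 with f(0) = secret."""
    if not 1 <= t <= n < p:
        raise ValueError("need 1 <= t <= n < p")
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [_eval_poly(coeffs, i, p) for i in range(1, n + 1)]


def reconstruct(points: Sequence[Tuple[int, int]], p: int = P) -> int:
    """Lagrange interpolation at x = 0 from points (i, f(i)); exact when len(points) >= deg f + 1."""
    secret = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def open_first(shares: Sequence[int], t: int, p: int = P) -> int:
    """Reconstruct from the shares of parties 1..t (parties are indexed from 1)."""
    return reconstruct([(i, shares[i - 1]) for i in range(1, t + 1)], p)


def raise_threshold(shares: Sequence[int], t_new: int, p: int = P) -> List[int]:
    """Note 2: adding shares of an (n, t_new)-sharing of 0 gives an (n, t_new)-sharing of the
    same secret. Purely local: no communication, and no party learns anything new."""
    zero = share(0, len(shares), t_new, p)
    return [(s + z) % p for s, z in zip(shares, zero)]


def beaver_triple(n: int, t: int, p: int = P) -> Tuple[List[int], List[int], List[int]]:
    """Note 3: (n, t)-sharings of (a, b, ab) for uniformly random a, b, prepared in advance."""
    a, b = secrets.randbelow(p), secrets.randbelow(p)
    return share(a, n, t, p), share(b, n, t, p), share(a * b % p, n, t, p)


def beaver_multiply(x_sh: Sequence[int], y_sh: Sequence[int],
                    triple: Tuple[List[int], List[int], List[int]], t: int, p: int = P) -> List[int]:
    """From sharings of x and y, compute a sharing of x*y with the same threshold t.

    Parties open d = x - a and e = y - b (the only communication; each is a uniform
    field element, so it reveals nothing about x or y), then set locally
        [xy] = [c] + e*[a] + d*[b] + d*e,
    since xy = (a + d)(b + e) = ab + ae + db + de and c = ab.
    """
    a_sh, b_sh, c_sh = triple
    d = open_first([(x - a) % p for x, a in zip(x_sh, a_sh)], t, p)
    e = open_first([(y - b) % p for y, b in zip(y_sh, b_sh)], t, p)
    return [(c + e * a + d * b + d * e) % p for a, b, c in zip(a_sh, b_sh, c_sh)]


if __name__ == "__main__":
    n, t = 7, 3
    x_sh, y_sh = share(6, n, t), share(7, n, t)
    print("x from the shares of parties 2, 5, 7:",
          reconstruct([(2, x_sh[1]), (5, x_sh[4]), (7, x_sh[6])]))
    prod_sh = beaver_multiply(x_sh, y_sh, beaver_triple(n, t), t)
    print("x*y via a Beaver triple:", open_first(prod_sh, t))
    high = raise_threshold(prod_sh, 5)
    print("after raising the threshold to 5: 5 shares give", open_first(high, 5),
          "while 3 shares give", open_first(high, 3))
```

The product shares come out with the same degree-(*t*-1) polynomial structure as the inputs because every step is a linear combination of sharings plus a public constant, which is exactly what makes the GMW-with-Beaver-triples protocol of the abstract amenable to the linear-scheme leakage analysis. After `raise_threshold`, three shares interpolate a quadratic through three points of a degree-4 polynomial and return the right secret only with probability 1/P.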

## References

1. T. Araki, J. Furukawa, Y. Lindell, A. Nof, K. Ohara, High-throughput semi-honest secure three-party computation with an honest majority, in *CCS* (2016)
2. A. Akavia, S. Goldwasser, V. Vaikuntanathan, Simultaneous hardcore bits and cryptography against memory attacks, in *TCC* (2009)
3. C.H. Bennett, G. Brassard, C. Crépeau, U.M. Maurer, Generalized privacy amplification. *IEEE Trans. Inf. Theory* **41**(6), 1915–1923 (1995)
4. C.H. Bennett, G. Brassard, J.-M. Robert, Privacy amplification by public discussion. *SIAM J. Comput.* **17**(2), 210–229 (1988)
5. M. Ben-Or, D. Coppersmith, M. Luby, R. Rubinfeld, Non-abelian homomorphism testing, and distributions close to their self-convolutions. *Random Struct. Algorithms* (2008)
6. F. Benhamouda, A. Degwekar, Y. Ishai, T. Rabin, On the local leakage resilience of linear secret sharing schemes, in H. Shacham, A. Boldyreva (eds.), *Advances in Cryptology—CRYPTO 2018, Part I*, LNCS vol. 10991 (Springer, 2018), pp. 531–561
7. N. Bitansky, D. Dachman-Soled, H. Lin, Leakage-tolerant computation with input-independent preprocessing, in *CRYPTO* (2014)
8. D. Beaver, Efficient multiparty protocols using circuit randomization, in *CRYPTO* (1991)
9. E. Boyle, N. Gilboa, Y. Ishai, Breaking the circuit size barrier for secure computation under DDH, in *CRYPTO* (2016)
10. E. Boyle, S. Goldwasser, Y.T. Kalai, Leakage-resilient coin tossing, in *Distributed Computing* (2011)
11. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in *STOC* (1988)
12. A. Beimel, Y. Ishai, E. Kushilevitz, I. Orlov, Share conversion and private information retrieval, in *CCC* (2012)
13. A. Bogdanov, Y. Ishai, E. Viola, C. Williamson, Bounded indistinguishability and the complexity of recovering secrets, in *CRYPTO 2016, Part III* (2016), pp. 593–618
14. E. Boyle, L. Kohl, P. Scholl, Homomorphic secret sharing from lattices without FHE. *IACR Cryptology ePrint Archive* **2019**, 129 (2019). To appear in Eurocrypt 2019
15. G.R. Blakley, Safeguarding cryptographic keys, in *AFIPS National Computer Conference* (1979)
16. M. Blum, M. Luby, R. Rubinfeld, Self-testing/correcting with applications to numerical problems. *J. Comput. Syst. Sci.* (1993)
17. D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in *STOC* (1988)
18. R. Canetti, Y. Dodis, S. Halevi, E. Kushilevitz, A. Sahai, Exposure-resilient functions and all-or-nothing transforms, in *EUROCRYPT 2000* (Springer, 2000), pp. 453–469
19. R. Cramer, I. Damgård, Y. Ishai, Share conversion, pseudorandom secret-sharing and applications to secure computation, in *TCC* (2005)
20. A. Duc, S. Dziembowski, S. Faust, Unifying leakage models: from probing attacks to noisy leakage, in *EUROCRYPT* (2014)
21. F. Davì, S. Dziembowski, D. Venturi, Leakage-resilient storage, in J.A. Garay, R. De Prisco (eds.), *SCN 2010*, LNCS vol. 6280 (Springer, Heidelberg, 2010), pp. 121–137
22. S. Dziembowski, S. Faust, Leakage-resilient circuits without computational assumptions, in *TCC* (2012), pp. 230–247
23. Y. Dodis, S. Halevi, R.D. Rothblum, D. Wichs, Spooky encryption and its applications, in *CRYPTO 2016, Part III* (2016), pp. 93–122
24. D. Dachman-Soled, F.-H. Liu, H.-S. Zhou, Leakage-resilient circuits revisited—optimal number of computing components without leak-free hardware, in *EUROCRYPT* (2015)
25. S. Dziembowski, K. Pietrzak, Intrusion-resilient secret sharing, in *FOCS* (2007)
26. S. Dziembowski, K. Pietrzak, Leakage-resilient cryptography, in *FOCS* (2008)
27. I. Damgård, V. Pastro, N.P. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in *CRYPTO* (2012)
28. Y. Dodis, A. Sahai, A. Smith, On perfect and adaptive security in exposure-resilient cryptography, in *EUROCRYPT 2001* (Springer, 2001), pp. 301–324
29. N. Fazio, R. Gennaro, T. Jafarikhah, W.E. Skeith III, Homomorphic secret sharing from Paillier encryption, in *ProvSec 2017* (2017), pp. 381–399
30. S. Faust, T. Rabin, L. Reyzin, E. Tromer, V. Vaikuntanathan, Protecting circuits from leakage: the computationally-bounded and noisy cases, in *EUROCRYPT* (2010)
31. V. Goyal, Y. Ishai, H.K. Maji, A. Sahai, A.A. Sherstov, Bounded-communication leakage resilience via parity-resilient circuits, in *FOCS* (2016)
32. D. Genkin, Y. Ishai, M. Weiss, How to construct a leakage-resilient (stateless) trusted party, in *TCC* (2017)
33. V. Goyal, A. Kumar, Non-malleable secret sharing, in *STOC* (2018)
34. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in *STOC* (1987)
35. W.T. Gowers, A new proof of Szemerédi's theorem. *Geom. Funct. Anal.* (2001)
36. S. Goldwasser, G.N. Rothblum, How to compute in the presence of leakage. *SIAM J. Comput.* (2015)
37. B. Green, Montréal notes on quadratic Fourier analysis, in *Additive Combinatorics* (2007)
38. B. Green, T. Tao, Linear equations in primes. *Ann. Math.* (2010)
39. W.T. Gowers, J. Wolf, The true complexity of a system of linear equations. *Proc. London Math. Soc.* (2010)
40. W.T. Gowers, J. Wolf, Linear forms and higher-degree uniformity for functions on \(\mathbb{F}_p^n\). *Geom. Funct. Anal.* (2011)
41. W.T. Gowers, J. Wolf, Linear forms and quadratic uniformity for functions on \(\mathbb{F}_p^n\). *Mathematika* (2011)
42. V. Guruswami, M. Wootters, Repairing Reed–Solomon codes. *IEEE Trans. Inf. Theory* (2017)
43. Y. Ishai, A. Sahai, D.A. Wagner, Private circuits: securing hardware against probing attacks, in *CRYPTO* (2003)
44. P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, Y. Yarom, Spectre attacks: exploiting speculative execution. *ArXiv e-prints* (January 2018)
45. P.C. Kocher, J. Jaffe, B. Jun, Differential power analysis, in *CRYPTO* (1999)
46. A. Kumar, R. Meka, A. Sahai, Leakage-resilient secret sharing, in *FOCS* (2019)
47. P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in *CRYPTO* (1996)
48. M. Keller, E. Orsini, P. Scholl, MASCOT: faster malicious arithmetic secure computation with oblivious transfer, in *CCS* (2016)
49. E. Kiltz, K. Pietrzak, Leakage resilient ElGamal encryption, in *ASIACRYPT* (2010)
50. M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, M. Hamburg, Meltdown. *ArXiv e-prints* (2018)
51. H. Maji, A. Paskin-Cherniavsky, T. Suad, M. Wang, On leakage-resilient secret sharing. Cryptology ePrint Archive, Report 2020/1517 (2020). https://eprint.iacr.org/2020/1517
52. S. Micali, L. Reyzin, Physically observable cryptography (extended abstract), in *TCC* (2004)
53. J.B. Nielsen, M. Simkin, Lower bounds for leakage-resilient secret sharing. Cryptology ePrint Archive, Report 2019/181 (2019). https://eprint.iacr.org/2019/181
54. R.L. Rivest, All-or-nothing encryption and the package transform, in *Fast Software Encryption (FSE)* (Springer, 1997), pp. 210–218
55. G.N. Rothblum, How to compute under \({\sf AC}^0\) leakage without secure hardware, in R. Safavi-Naini, R. Canetti (eds.), *CRYPTO 2012*, LNCS vol. 7417 (Springer, Heidelberg, 2012), pp. 552–569
56. A. Shamir, How to share a secret. *Commun. ACM* (1979)
57. A. Srinivasan, P.N. Vasudevan, Leakage resilient secret sharing and applications. *IACR Cryptology ePrint Archive* **2018**, 1154 (2018)
58. T. Tao, V.H. Vu, *Additive Combinatorics* (Cambridge University Press, 2006)
59. A.C.-C. Yao, How to generate and exchange secrets (extended abstract), in *FOCS* (1986)

## Acknowledgements

We thank Anat Paskin-Cherniavsky for pointing out an error in an earlier version of Theorem 1.2. We thank Andrej Bogdanov, one of our JoC reviewers, for pointing out the current simpler proof of Lemma 4.21 that greatly simplifies the proof of Theorem 1.2 and sharpens its bound. We thank Serge Fehr, our Journal of Cryptology editor, and the anonymous reviewers of Crypto 2018 and JoC for their valuable comments.

## Additional information

An extended abstract of this paper appeared in [6].

F. Benhamouda and T. Rabin: Research done while at IBM Research and supported by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236. A. Degwekar: The views expressed herein are solely the views of the author(s) and are not necessarily the views of Two Sigma Investments, LP or any of its affiliates. They are not intended to provide, and should not be relied upon for, investment advice. This work was done when the author was a graduate student at MIT and a summer intern at IBM Research. Research supported in part by NSF Grants CNS-1413920 and CNS-1350619, and by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236. Y. Ishai: Research supported in part by ERC Grant 742754, ISF Grant 1709/14, and NSF-BSF Grant 2015782, and a grant from the Ministry of Science and Technology, Israel and Department of Science and Technology, Government of India.

Communicated by Serge Fehr.

## About this article

### Cite this article

Benhamouda, F., Degwekar, A., Ishai, Y., Rabin, T. On the Local Leakage Resilience of Linear Secret Sharing Schemes. *J. Cryptol.* **34**, 10 (2021). https://doi.org/10.1007/s00145-021-09375-2

### Keywords

- Leakage resilience
- Secret sharing
- Fourier analysis