Abstract
Efficient Reed-Solomon code reconstruction algorithms, for example, by Guruswami and Wootters (STOC–2016), translate into local leakage attacks on Shamir secret-sharing schemes over characteristic-2 fields. However, Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO–2018) showed that the Shamir secret sharing scheme over prime-fields is leakage resilient to one-bit local leakage if the reconstruction threshold is roughly 0.87 times the total number of parties. In several application scenarios, like secure multi-party multiplication, the reconstruction threshold must be at most half the number of parties. Furthermore, the number of leakage bits that the Shamir secret sharing scheme is resilient to is also unclear.
Towards this objective, we study the Shamir secret-sharing scheme’s leakage-resilience over a prime-field F. The parties’ secret-shares, which are elements in the finite field F, are naturally represented as \(\lambda \)-bit binary strings representing the elements \(\{0,1,\dotsc ,p-1\}\). In our leakage model, the adversary can independently probe m bit-locations from each secret share. The inspiration for considering this leakage model stems from the impact that the study of oblivious transfer combiners had on general correlation extraction algorithms, and the significant influence of protecting circuits from probing attacks has on leakage-resilient secure computation.
Consider arbitrary reconstruction threshold \(k\geqslant 2\), physical bit-leakage parameter \(m\geqslant 1\), and the number of parties \(n\geqslant 1\). We prove that Shamir’s secret-sharing scheme with random evaluation places is leakage-resilient with high probability when the order of the field F is sufficiently large; ignoring polylogarithmic factors, one needs to ensure that \(\log \left|F \right| \geqslant n/k\). Our result, excluding polylogarithmic factors, states that Shamir’s scheme is secure as long as the total amount of leakage \(m\cdot n\) is less than the entropy \(k\cdot \lambda \) introduced by the Shamir secret-sharing scheme. Note that our result holds even for small constant values of the reconstruction threshold k, which is essential to several application scenarios.
To complement this positive result, we present a physical-bit leakage attack for \(m=1\) physical bit-leakage from \(n=k\) secret shares and any prime-field F satisfying \(\left|F \right|=1\mod k\). In particular, there are (roughly) \(\left|F \right|^{n-k+1}\) such vulnerable choices for the n-tuple of evaluation places. We lower-bound the advantage of this attack for small values of the reconstruction threshold, like \(k=2\) and \(k=3\), and any \(\left|F \right|=1\mod k\). In general, we present a formula calculating our attack’s advantage for every k as \(\left|F \right|\rightarrow \infty .\)
Technically, our positive result relies on Fourier analysis, analytic properties of proper rank-r generalized arithmetic progressions, and Bézout ’s theorem to bound the number of solutions to an equation over finite fields. The analysis of our attack relies on determining the “discrepancy” of the Irwin-Hall distribution. A probability distribution’s discrepancy is a new property of distributions that our work introduces, which is of potential independent interest.
H. K. Maji, H. H. Nguyen and M. Wang—The research effort is supported in part by an NSF CRII Award CNS–1566499, an NSF SMALL Award CNS–1618822, the IARPA HECTOR project, MITRE Innovation Program Academic Cybersecurity Research Awards (2019–2020, 2020–2021), a Purdue Research Foundation (PRF) Award, and The Center for Science of Information, an NSF Science and Technology Center, Cooperative Agreement CCF–0939370.
A. Paskin-Cherniavsky and T. Suad—Research supported by the Ariel Cyber Innovation Center in conjunction with the Israel National Cyber directorate in the Prime Minister’s Office.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The term “local” in local leakage-resilience refers to the fact that the adversary performs arbitrary leakage on each secret-share independently.
- 2.
Leakage-resilient secret-sharing was also, independently, introduced by [14] as an intermediate primitive.
- 3.
The information-rate of a secret-sharing scheme is the ratio on the size of the secret to the largest size of the secret-share that a party receives.
- 4.
We assume this for the ease of presentation for now, while our results do not require such restrictions. When there are two identical evaluation places, leaking one bit from each share is equivalent to leaking two bits from one of those shares. Since our results naturally extend to leaking multiple bits from each share, we do not need the restriction that all the evaluation places are distinct. Furthermore, when all the evaluation places are chosen independently randomly (at most a polynomial in the security parameter), the probability that there are two identical evaluation places are exponentially small (by the birthday bound) since the field size is exponentially large in the security parameter.
- 5.
For instance, let \(\lambda =5\) and \(p=19\). The element \(5\in F=\{0,1,\ldots ,18\}\) is represented as 00101. The first bit is 1, second bit is 0, third bit is 1, and the fourth and the fifth bits are both 0.
- 6.
One can simulate the leakage joint distribution as follows. The simulator shall fix an arbitrary secret (say, 0), generate its secret shares, and output the evaluation of the leakage function on the respective secret shares. The simulation error for this strategy is a two-approximation of the indistinguishability advantage by the triangle inequality.
- 7.
The definition considers perfect privacy. For secret-sharing schemes based on Massey’s construction [35] from linear error-correcting codes, the shares of any set of parties either witness perfect privacy, or the set of shares suffices to reconstruct the secret. A statistical notion of privacy is relevant when using non-linear codes instead. However, in our work we shall primarily study secret-sharing schemes based on Massey’s construction from linear error-correcting codes. Consequently, we define perfect privacy only.
- 8.
Note that, in the definition of [40], the Fourier coefficients are scaled by the field size compared to our definition.
- 9.
The sign of a permutation is \(+1\) is an even number of swaps transform the permutation into the identity-permutation. Otherwise, the sign is \(-1\).
- 10.
By Observation 1, \(C_{\vec {X}}\) is an \((n,k-1,\vec {X},\vec {X})\)-GRS with generator matrix
$$\begin{aligned} \begin{pmatrix} X_1 &{} X_2 &{} \cdots &{} X_n\\ X_1^2 &{} X_2^2 &{} \cdots &{} X_n^2\\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ X_1^{k-1} &{} X_2^{k-1} &{} \cdots &{} X_n^{k-1} \end{pmatrix}. \end{aligned}$$.
- 11.
We note that the \(\lambda =\log _2 p\). However, in Theorem 2, the logrithm is natural log. Hence, we did not merge \(\lambda \) with \(\log p\).
- 12.
One can explicit calculate the probability. When \(k=2\), \(\text {Pr}\left[ S_1\in I_{2,\varDelta }\right] = 1\). When \(k=3\), \(\text {Pr}\left[ S_1+S_2\in I_{3,\varDelta }\right] = \frac{3}{4}\left( 1+\frac{1}{p}-\frac{1}{p^2}\right) \).
References
Aggarwal, D., et al.: Stronger leakage-resilient and non-malleable secret sharing schemes for general access structures. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 510–539. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_18
Badrinarayanan, S., Srinivasan, A.: Revisiting non-malleable secret sharing. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 593–622. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_20
Benhamouda, F., Degwekar, A., Ishai, Y., Rabin, T.: On the local leakage resilience of linear secret sharing schemes. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 531–561. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_18
Block, A.R., Gupta, D., Maji, H.K., Nguyen, H.H.: Secure computation using leaky correlations (asymptotically optimal constructions). In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 36–65. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_2
Block, A.R., Maji, H.K., Nguyen, H.H.: Secure computation based on leaky correlations: high resilience setting. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 3–32. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_1
Bogdanov, A., Ishai, Y., Srinivasan, A.: Unconditionally secure computation against low-complexity leakage. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 387–416. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_14
Candel, G., Géraud-Stewart, R., Naccache, D.: How to compartment secrets. In: Laurent, M., Giannetsos, T. (eds.) WISTP 2019. LNCS, vol. 12024, pp. 3–11. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41702-4_1
Cascudo, I., Damgård, I., Farràs, O., Ranellucci, S.: Resource-efficient OT combiners with active security. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 461–486. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_15
Chattopadhyay, E., et al.: Extractors and secret sharing against bounded collusion protocols. In: 61st FOCS, pp. 1226–1242. IEEE Computer Society Press, November 2020
Chen, X., Kayal, N., Wigderson, A.: Partial derivatives in arithmetic complexity and beyond. Found. Trends Theor. Comput. Sci. 6(1–2), 1–138 (2011). https://doi.org/10.1561/0400000043
Dau, H., Duursma, I.M., Kiah, H.M., Milenkovic, O.: Repairing Reed-Solomon codes with multiple erasures. IEEE Trans. Inf. Theory 64(10), 6567–6582 (2018)
Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_24
Franklin, M.K., Yung, M.: Communication complexity of secure computation (extended abstract). In: 24th ACM STOC, pp. 699–710. ACM Press, May 1992
Goyal, V., Kumar, A.: Non-malleable secret sharing. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) 50th ACM STOC, pp. 685–698. ACM Press, June 2018
Guruswami, V., Wootters, M.: Repairing Reed-Solomon codes. In: Wichs, D., Mansour, Y. (eds.) 48th ACM STOC, pp. 216–226. ACM Press, June 2016
Guruswami, V., Wootters, M.: Repairing Reed-Solomon codes. IEEE Trans. Inf. Theory 63(9), 5684–5698 (2017)
Hall, J.I.: Notes on Coding Theory (2015). https://users.math.msu.edu/users/halljo/classes/codenotes/coding-notes.html
Hall, P.: The distribution of means for samples of size n drawn from a population in which the variate takes values between 0 and 1, all such values being equally probable. Biometrika 19, 240–245 (1927)
Harnik, D., Ishai, Y., Kushilevitz, E., Nielsen, J.B.: OT-combiners via secure computation. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 393–411. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_22
Harnik, D., Kilian, J., Naor, M., Reingold, O., Rosen, A.: On robust combiners for oblivious transfer and other primitives. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 96–113. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_6
Hazay, C. Ishai, Y., Marcedone, A. Venkitasubramaniam, M.: LevioSA: lightweight secure arithmetic computation. In: Cavallaro, L. Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019, pp. 327–344. ACM Press, November 2019
Hazay, C., Venkitasubramaniam, M., Weiss, M.: The price of active security in cryptographic protocols. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 184–215. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_7
Irwin, J.O.: On the frequency distribution of the means of samples from a population having any law of frequency with finite moments, with special reference to Pearson’s type II. Biometrika 19, 225–239 (1927)
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Extracting correlations. In: 50th FOCS, pp. 261–270. IEEE Computer Society Press, October 2009
Ishai, Y., Maji, H.K., Sahai, A., Wullschleger, J.: Single-use ot combiners with near-optimal resilience. In: 2014 IEEE International Symposium on Information Theory, Honolulu, HI, USA, 29 June–4 July 2014, pp. 1544–1548. IEEE (2014)
Ishai, Y., Prabhakaran, M., Sahai, A., Wagner, D.: Private circuits II: keeping secrets in tamperable circuits. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 308–327. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_19
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
Kalai, Y.T., Reyzin, L.: A survey of leakage-resilient cryptography. In: Goldreich, O. (ed.) Providing Sound Foundations for Cryptography: On the Work of Shafi Goldwasser and Silvio Micali, pp 727–794. ACM (2019)
Kumar, A., Meka, R., Sahai, A.: Leakage-resilient secret sharing against colluding parties. In: Zuckerman, D. (ed.) 60th FOCS, pp. 636–660. IEEE Computer Society Press, November 2019
Lin, F., Cheraghchi, M., Guruswami, V., Safavi-Naini, R., Wang, H.: Leakage-resilient secret sharing in non-compartmentalized models. In: Kalai, Y.T., Smith, A.D., Wichs, D. (eds.) 1st Conference on Information-Theoretic Cryptography, ITC 2020, Boston, MA, USA, 17–19 June 2020. LIPIcs, vol. 163, pp. 7:1–7:24. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2020)
Lindell, Y.: Introduction to coding theory lecture notes (2010)
MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error Correcting Codes, vol. 16. Elsevier, Amsterdam (1977)
Maji, H.K. Paskin-Cherniavsky, A., Suad, T., Wang, M.: On leakage resilient secret sharing (2020)
Manurangsi, P., Srinivasan, A., Vasudevan, P.N.: Nearly optimal robust secret sharing against rushing adversaries. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 156–185. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_6
Massey, J.L.: Some applications of code duality in cryptography. In: Mat. Contemp, vol. 21, pp. 187–209:16th (2001)
Meier, R., Przydatek, B., Wullschleger, J.: Robuster combiners for oblivious transfer. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 404–418. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_22
Nielsen, J.B., Simkin, M.: Lower bounds for leakage-resilient secret sharing. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 556–577. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_20
Rao, A.: An exposition of Bourgain’s 2-source extractor (2007)
Selberg, A.: An elementary proof of Dirichlet’s theorem about primes in an arithmetic progression. Ann. Math. 50, 297–304 (1949)
Shao, X.: On character sums and exponential sums over generalized arithmetic progressions. Bull. Lond. Math. Soc. 45(3), 541–550 (2013)
Srinivasan, A., Vasudevan, P.N.: Leakage resilient secret sharing and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 480–509. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_17
Wooley, T.D.: A note on simultaneous congruences. J. Number Theory 58(2), 288–297 (1996)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Maji, H.K., Nguyen, H.H., Paskin-Cherniavsky, A., Suad, T., Wang, M. (2021). Leakage-Resilience of the Shamir Secret-Sharing Scheme Against Physical-Bit Leakages. In: Canteaut, A., Standaert, FX. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science(), vol 12697. Springer, Cham. https://doi.org/10.1007/978-3-030-77886-6_12
Download citation
DOI: https://doi.org/10.1007/978-3-030-77886-6_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77885-9
Online ISBN: 978-3-030-77886-6
eBook Packages: Computer ScienceComputer Science (R0)