Abstract
We study the local leakage resilience of Shamir’s secret sharing scheme. In Shamir’s scheme, a random polynomial f of degree t is sampled over a field of size \(p>n\), conditioned on \(f(0)=s\) for a secret s. Any t shares (i, f(i)) can be used to fully recover f and thereby f(0). But any \(t-1\) evaluations of f at non-zero coordinates are completely independent of f(0). Recent works ask whether the secret remains hidden even if, say, only 1 bit of information is leaked from each share, independently. This question is well motivated by the wide range of applications of Shamir’s scheme. For instance, it is known that if Shamir’s scheme is leakage resilient in some range of parameters, then known secure computation protocols are secure in a local leakage model.
Over characteristic-2 fields, the answer is known to be negative (e.g., Guruswami and Wootters, STOC ’16). Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO ’18) were the first to give a positive answer, assuming computation is done over prime-order fields. They showed that if \(t \ge 0.907n\), then Shamir’s scheme is leakage resilient. Since then, there have been extensive efforts to improve the above threshold, and after a series of works, the current record shows leakage resilience for \(t\ge 0.78n\) (Maji et al., ISIT ’22). All existing analyses of Shamir’s leakage resilience for general leakage functions follow a single framework for which there is a known barrier for any \(t \le 0.5 n\).
In this work, we develop a new analytical framework that allows us to significantly improve upon the previous record and obtain additional new results. Specifically, we show:
1. Shamir’s scheme is leakage resilient for any \(t \ge 0.69n\).
2. If the leakage functions are guaranteed to be “balanced” (i.e., splitting the domain of possible shares into 2 roughly equal-size parts), then Shamir’s scheme is leakage resilient for any \(t \ge 0.58n\).
3. If the leakage functions are guaranteed to be “unbalanced” (i.e., splitting the domain of possible shares into 2 parts of very different sizes), then Shamir’s scheme is leakage resilient as long as \(t \ge 0.01 n\). Such a result is provably impossible to obtain using the previously known technique.
All of the above apply more generally to any MDS-code-based secret sharing scheme.
Confirming leakage resilience is most important in the range \(t \le n/2\), as in many applications, Shamir’s scheme is used with thresholds \(t\le n/2\). As opposed to the previous approach, ours does not seem to have a barrier at \(t=n/2\), as demonstrated by our third contribution.
Notes
1. Shamir’s scheme uses \(t \cdot \log p\) bits of entropy if we work over a p-size field, and so intuitively, the total amount of entropy leaked should not exceed this number. If we leak just one bit from every share, then \(n < t \cdot \log p\) is required for security. As mentioned, \(\log p\) can be replaced by \(\log n\).
2. Typically, Shamir’s scheme is used with p proportional to n.
3. The bias \(\mathbb{E}[f_i]\) is the proportion of inputs for which \(f_i\) outputs 1 minus the proportion of inputs for which \(f_i\) outputs \(-1\). Note that intuitively, the balanced case has the highest leakage of information.
4. This is a standard reduction. The view of a distinguisher that sees \(t'\) of the n shares in their entirety can be reduced to a distinguisher for a Shamir secret sharing scheme over \(n-t'\) parties that sees none of the shares in their entirety.
5. We suspect that this inequality is well known, but we could not find it in the literature. Thus, we include a self-contained proof.
- 6.
References
Adams, D.Q., et al.: Lower bounds for leakage-resilient secret-sharing schemes against probing attacks. In: IEEE International Symposium on Information Theory, ISIT, pp. 976–981 (2021)
Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: TCC, pp. 474–495 (2009)
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: STOC, pp. 1–10 (1988)
Benhamouda, F., Degwekar, A., Ishai, Y., Rabin, T.: On the local leakage resilience of linear secret sharing schemes. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 531–561. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_18
Benhamouda, F., Degwekar, A., Ishai, Y., Rabin, T.: On the local leakage resilience of linear secret sharing schemes. J. Cryptol. 34(2), 10 (2021)
Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the AFIPS National Computer Conference, vol. 22, pp. 313–317 (1979)
Boyle, E., Segev, G., Wichs, D.: Fully leakage-resilient signatures. J. Cryptol. 26(3), 513–558 (2013)
Chandran, N., Kanukurthi, B., Obbattu, S.L.B., Sekar, S.: Adaptive extractors and their application to leakage resilient secret sharing. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 595–624. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_20
Chandran, N., Kanukurthi, B., Obbattu, S.L.B., Sekar, S.: Short leakage resilient and non-malleable secret sharing schemes. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13507, pp. 178–207. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15802-5_7
Chattopadhyay, E., et al.: Extractors and secret sharing against bounded collusion protocols. In: FOCS, pp. 1226–1242 (2020)
Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (extended abstract). In: STOC, pp. 11–19 (1988)
Davì, F., Dziembowski, S., Venturi, D.: Leakage-resilient storage. In: SCN, pp. 121–137 (2010)
Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Advances in Cryptology - CRYPTO, pp. 307–315 (1989)
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS, pp. 293–302 (2008)
Faust, S., Rabin, T., Reyzin, L., Tromer, E., Vaikuntanathan, V.: Protecting circuits from computationally bounded and noisy leakage. SIAM J. Comput. 43(5), 1564–1614 (2014)
Frankel, Y.: A practical protocol for large group oriented networks. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 56–61. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_8
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or A completeness theorem for protocols with honest majority. In: STOC, pp. 218–229 (1987)
Goyal, V., Kumar, A.: Non-malleable secret sharing. In: STOC, pp. 685–698 (2018)
Goyal, V., Kumar, A.: Non-malleable secret sharing for general access structures. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 501–530. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_17
Guruswami, V., Wootters, M.: Repairing Reed-Solomon codes. IEEE Trans. Inf. Theory 63(9), 5684–5698 (2017)
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25
Kumar, A., Meka, R., Sahai, A.: Leakage-resilient secret sharing against colluding parties. In: FOCS, pp. 636–660 (2019)
Maji, H.K., Nguyen, H.H., Paskin-Cherniavsky, A., Suad, T., Wang, M.: Leakage-resilience of the Shamir secret-sharing scheme against physical-bit leakages. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 344–374. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_12
Maji, H.K., et al.: Tight estimate of the local leakage resilience of the additive secret-sharing scheme & its consequences. In: Information-Theoretic Cryptography, ITC, pp. 16:1–16:19 (2022)
Maji, H.K., Nguyen, H.H., Paskin-Cherniavsky, A., Wang, M.: Improved bound on the local leakage-resilience of Shamir’s secret sharing. In: IEEE International Symposium on Information Theory, ISIT, pp. 2678–2683 (2022)
Maji, H.K., Paskin-Cherniavsky, A., Suad, T., Wang, M.: Constructing locally leakage-resilient linear secret-sharing schemes. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 779–808. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_26
Massey, J.L.: Some applications of source coding in cryptography. Eur. Trans. Telecommun. 5(4), 421–430 (1994)
Micali, S., Reyzin, L.: Physically observable cryptography (extended abstract). In: TCC, pp. 278–296 (2004)
Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. SIAM J. Comput. 41(4), 772–814 (2012)
Nielsen, J.B., Simkin, M.: Lower bounds for leakage-resilient secret sharing. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 556–577. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_20
Rothblum, G.N.: How to compute under \(\mathcal{AC}^0\) leakage without secure hardware. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 552–569. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_32
Santis, A.D., Desmedt, Y., Frankel, Y., Yung, M.: How to share a function securely. In: STOC, pp. 522–533 (1994)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Srinivasan, A., Vasudevan, P.N.: Leakage resilient secret sharing and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 480–509. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_17
Acknowledgements
Research supported in part by an Alon Young Faculty Fellowship, by a grant from the Israel Science Foundation (ISF Grant No. 1774/20), and by a grant from the US-Israel Binational Science Foundation and the US National Science Foundation (BSF-NSF Grant No. 2020643).
Appendices
A Proof of Claim 4.5
Let \(f:\mathbb{F}_p \rightarrow [-1, 1]\) have \(\mathbb{E}[f] = \mu \). Then, for all \(k \ne 0\), we must show that
Note that \(\widehat{f}(k)\) is a complex number, which we write as \(\widehat{f}(k) = |\widehat{f}(k)| \cdot e^{i\theta }\) with \(\theta \in [-\pi , \pi ]\) and \(|\widehat{f}(k)| \ge 0\) a non-negative real number. It suffices to prove
Note that
We define the function \(g:\mathbb{F}_p \rightarrow [-1,1]\) by \(g(x) = f(x/k)\); it satisfies \(\mathbb{E}[g]=\mathbb{E}[f]=\mu \) and
We now find a function g that maximizes F(g) among functions satisfying \(\mathbb{E}[g]=\mu \), and show that this value is upper bounded by the right-hand side of (34).
Intuitively, a g that maximizes F(g) “should” have g(x) larger where \(\cos (2\pi x / p+\theta )\) is larger (among \(x \in \{0,1,\ldots , p-1\}\)) and smaller where \(\cos (2\pi x / p+\theta )\) is smaller. This intuition can be formalized as follows. Write \(P(x) \mathrel {\mathop :}=\cos (2\pi x / p+\theta )\). If \(P(y) \le P(z)\) and both \(-1 < g(y)\) and \(g(z) < 1\), we may move a small quantity from g(y) to g(z) (decreasing the former and increasing the latter), so that \(\mathbb{E}[g]\) is preserved while (35) grows. Specifically, letting \(\nu = \min \{g(y)+1, 1-g(z)\}\) and defining \(g':\mathbb{F}_p \rightarrow [-1,1]\) as
has \(|g'| \le 1\) and \(\mathbb{E}[g'] = \mathbb{E}[g] = \mu \) and
Hence, for all \(\mu \in [-1,1]\) there is a function \(g_{\mu }\) which maximizes \(F(g_{\mu }, \theta )\) under the condition \(\mathbb{E}[g_{\mu }]=\mu \) and has \(|g_{\mu }(x)|=1\) for all points \(x \in \mathbb{F}_p\), except for at most one point \(x'\). Moreover, \(g_{\mu }(x)\) is monotonically non-decreasing in P(x). We must show
Consider first the case where \(\mu = -1 + \frac{2}{p}t\) for some positive integer t. In this case, \(g_\mu (x)=1\) on the t values of x with the largest P(x), and \(g_\mu (x)=-1\) on the remaining \(p-t\) values.
For the purpose of computing \(F(g_\mu , \theta )\), the x’s for which \(g_\mu (x)=1\) can be described as \(m\le x \le m+t-1\) (taken modulo p) for some integer m. Using that \(\sum _{x=0}^{p-1} \cos (2\pi x / p + \theta ) = 0\), we see that
and so
where the last equality follows from an elementary trigonometric summation. Using that \(|\cos | \le 1\) and that \(t = \frac{p}{2}(1+\mu )\), we get
Using that \(1/\sin (\epsilon ) = \frac{1}{\epsilon } + O(\epsilon )\) for \(|\epsilon | \le 1\) in Eq. (37), we get
as required. For the case of general \(\mu \in [-1,1]\), it holds that \(F(g_{\mu })\) is a piecewise-linear function of \(\mu \). Thus, the near-coincidence of \(F(g_{\mu })(1)\) with \(\frac{2}{\pi }\cos (\frac{\pi }{2}\mu )\) on \(\mu \in -1+\frac{2}{p}\mathbb {Z}\) implies a similar \(O(1/p^2)\) approximation for interpolated values of \(\mu \), since \(\frac{2}{\pi }\cos (\frac{\pi }{2}\mu )\) has bounded second derivative (a Taylor-approximation type estimate).
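The extremal function of this proof can be checked numerically. The following is an added example, not code from the paper: it builds \(g_\mu\) (\(+1\) on the t points with the largest \(\cos(2\pi x/p)\), \(-1\) elsewhere), computes \(|\widehat{g_\mu}(1)|\) by brute force, compares it with the closed form \(\frac{2}{p}\sin(\pi t/p)/\sin(\pi/p)\) from the trigonometric summation and with the main term \(\frac{2}{\pi}\cos(\frac{\pi}{2}\mu)\), and checks that a random \(\{-1,1\}\)-valued function with the same mean has a smaller coefficient. The Fourier normalisation \(\widehat{f}(k)=\mathbb{E}_x[f(x)e^{-2\pi i kx/p}]\) is an assumption.

```python
import cmath
import math
import random


def fourier_coeff(f, p, k):
    """Normalised Fourier coefficient E_x[f(x) e^{-2 pi i k x / p}] over F_p (assumed convention)."""
    return sum(f(x) * cmath.exp(-2j * math.pi * k * x / p) for x in range(p)) / p


def extremal_function(p, t):
    """g_mu of the proof: +1 on the t points x with the largest cos(2 pi x / p), -1 elsewhere.

    cos(2 pi x / p) decreases with the circular distance min(x, p - x) from 0, so the
    chosen points form a consecutive block (mod p) and E[g_mu] = -1 + 2t/p.
    """
    by_distance = sorted(range(p), key=lambda x: min(x, p - x))
    ones = set(by_distance[:t])
    return lambda x: 1 if x in ones else -1


def closed_form(p, t):
    """|g_mu^(1)| from the elementary trig summation: (2/p) sin(pi t / p) / sin(pi / p)."""
    return 2 / p * math.sin(math.pi * t / p) / math.sin(math.pi / p)


def claim_bound(mu):
    """Main term of the claimed upper bound: (2/pi) cos(pi mu / 2); the rest is O(1/p^2)."""
    return 2 / math.pi * math.cos(math.pi * mu / 2)


def random_same_mean(p, t, seed=0):
    """A {-1, 1}-valued function with the same mean as g_mu but its +1's placed at random."""
    ones = set(random.Random(seed).sample(range(p), t))
    return lambda x: 1 if x in ones else -1


def check_extremal(p, t):
    """Return (brute-force |g_mu^(1)|, closed form, claim bound, |h^(1)| for a random h)."""
    mu = -1 + 2 * t / p
    g, h = extremal_function(p, t), random_same_mean(p, t)
    assert abs(sum(g(x) for x in range(p)) / p - mu) < 1e-12  # mean is exactly mu
    return (abs(fourier_coeff(g, p, 1)), closed_form(p, t), claim_bound(mu),
            abs(fourier_coeff(h, p, 1)))
```

For p = 101 the brute-force value agrees with the closed form to floating-point precision and exceeds the main term by less than \(2/p^2\), while the random function with the same mean stays below the extremal value.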
B Details for a Barrier of Previous Methods
As pointed out in [28], previous studies of the leakage resilience of Shamir’s secret sharing scheme aim at upper bounding some proxy quantity, which can be too large if \(n \ge 2t\). Their analytic proxy is (Footnote 6)
where \(\ell ^{\perp }\) is the set of all linear combinations \(c \in \mathbb {F}_p^n\) for which the equation \(\sum _{i=1}^{n} c_i \ell _i = 0\) holds. In particular, \(|\ell ^{\perp }| = p^{n-t}\). See Sect. 2.3 for the interpretation of what Eq. (38) bounds.
In order to show that the quantity in Eq. (38) may be large if \(n \ge 2t\), Maji et al. [28] presented the quadratic-residue function
which satisfies \(|\widehat{f_i}(\alpha )|\sim \sqrt{1/p}\) for all \(\alpha \in \mathbb {F}_p\). Hence, Eq. (38) is a sum of \(p^{n-t}\) terms, each of the order of \(p^{-n/2}\), thus being \(> 1\) if \(n > 2t\).
In order to see a similar barrier in the case where the \(f_i\)’s are constantly biased (that is, as in the setting of Example 3), consider some constant \(\mu < 1\) (the bias), and set
Note that the range of g is \([-1, 1]\), unlike f, whose range is \(\left\{ -1, 1\right\} \). Regardless, it follows that \(|\widehat{g}(\alpha )| \gtrsim (1-\mu )/\sqrt{p}\) for all \(\alpha \). Also, \(\mathbb{E}[g]=\mu + (1-\mu )\mathbb{E}[f] \approx \mu \).
Substituting \(g_i\) in place of \(f_i\) in (38), we get \(p^{n-t}\) summands, each of the order of \((1-\mu )^{n}/p^{n/2}\), thus being
In case \(t = (1/2-\epsilon )n\), the sum in Eq. (38) is hence at least
for any constant \(\epsilon > 0\). This gives a barrier on how effective Eq. (38) can be if \(t = (1/2-\epsilon ) n\).
Note, however, that g does not strictly output a single bit. We sketch how to fix this issue (since this section only points out a barrier for previous approaches, we skip the technical details). Observe that g is an average of functions whose range is \(\left\{ -1, 1\right\} \). Then, we notice that Eq. (38) is a convex function of the \(g_i\)’s (as a composition of convex functions). If we hence choose \(g_i\) randomly (and independently across i’s) from a distribution whose mean is g, we get in expectation a value larger than Eq. (39). Note that it is important to surely have \(g_i\) with mean \(\approx \mu \). For this, we note that g is two-valued with values 1 and \(2\mu - 1\). By rounding a \(\mu \)-fraction of the s with \(g(s)=2\mu -1\) to \(g_i(s)=1\), and the rest to \(g_i(s') = -1\), we guarantee \(\mathbb{E}[g_i] = \mu \). That is, the number of s’s we round to 1 is
There is a fine net of \(\mu \)’s in \([-1,1]\) for which this quantity is an integer. We may choose any \(\mu \) with that property.
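The ingredients of this barrier argument can be checked numerically. The following is an added example, not code from the paper: it implements the quadratic-residue leakage function via Euler’s criterion, verifies that all its non-trivial Fourier coefficients have magnitude \(\approx 1/\sqrt{p}\) (a Gauss-sum fact), forms the biased version g, and performs the rounding step above to obtain a genuine \(\{-1,1\}\)-valued function with mean \(\approx \mu\). Assumptions: the Fourier normalisation \(\widehat{f}(k)=\mathbb{E}_x[f(x)e^{-2\pi i kx/p}]\), the value of f at 0 (the page only fixes the range), and the affine form \(g = \mu + (1-\mu) f\), which is the one consistent with the stated values \(\{1, 2\mu-1\}\) and \(\mathbb{E}[g]\).

```python
import cmath
import math
import random


def fourier_coeff(f, p, k):
    """Normalised Fourier coefficient E_x[f(x) e^{-2 pi i k x / p}] over F_p (assumed convention)."""
    return sum(f(x) * cmath.exp(-2j * math.pi * k * x / p) for x in range(p)) / p


def quadratic_residue_function(p, value_at_zero=1):
    """f(x) = +1 if x is a non-zero square mod p and -1 if it is a non-square (Euler's criterion).

    The value at 0 is an assumption; the page only states that the range is {-1, 1}.
    """
    def f(x):
        if x % p == 0:
            return value_at_zero
        return 1 if pow(x, (p - 1) // 2, p) == 1 else -1
    return f


def spectrum_flatness(f, p):
    """max over alpha != 0 of |sqrt(p)*|f^(alpha)| - 1|: near 0 means every |f^(alpha)| ~ 1/sqrt(p)."""
    return max(abs(math.sqrt(p) * abs(fourier_coeff(f, p, a)) - 1) for a in range(1, p))


def biased_version(f, mu):
    """g = mu + (1 - mu) f (assumed form): two-valued with values 1 and 2 mu - 1."""
    return lambda x: mu + (1 - mu) * f(x)


def round_to_one_bit(f, p, mu, seed=0):
    """Rounding step of Appendix B: of the s with f(s) = -1, a mu-fraction is rounded up to +1
    and the rest down to -1, giving a {-1, 1}-valued function whose mean is mu up to O(1/p)."""
    low = [s for s in range(p) if f(s) == -1]
    n_up = mu * len(low)
    if abs(n_up - round(n_up)) > 1e-9:  # mu must lie on the "fine net" where this is an integer
        raise ValueError("mu * #{s : f(s) = -1} is not an integer")
    up = set(random.Random(seed).sample(low, round(n_up)))
    return lambda x: 1 if f(x) == 1 or x in up else -1


def mean(f, p):
    """E[f] over the uniform distribution on F_p."""
    return sum(f(x) for x in range(p)) / p
```

With f(0) = 0 the flatness is exactly 0 (the Gauss sum has magnitude exactly \(\sqrt{p}\)); with f(0) = ±1 it is at most \(1/\sqrt{p}\), and the non-trivial coefficients of g are exactly \((1-\mu)\) times those of f.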
Copyright information
© 2023 International Association for Cryptologic Research
Cite this paper
Klein, O., Komargodski, I. (2023). New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14081. Springer, Cham. https://doi.org/10.1007/978-3-031-38557-5_5
DOI: https://doi.org/10.1007/978-3-031-38557-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38556-8
Online ISBN: 978-3-031-38557-5