New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme

Conference paper, in Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Abstract

We study the local leakage resilience of Shamir’s secret sharing scheme. In Shamir’s scheme, a random polynomial f of degree t is sampled over a field of size \(p>n\), conditioned on \(f(0)=s\) for a secret s. Any t shares \((i, f(i))\) can be used to fully recover f and thereby f(0). But any \(t-1\) evaluations of f at non-zero coordinates are completely independent of f(0). Recent works ask whether the secret remains hidden even if, say, only 1 bit of information is leaked from each share, independently. This question is well motivated due to the wide range of applications of Shamir’s scheme. For instance, it is known that if Shamir’s scheme is leakage resilient in some range of parameters, then known secure computation protocols are secure in a local leakage model.

Over characteristic-2 fields, the answer is known to be negative (e.g., Guruswami and Wootters, STOC ’16). Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO ’18) were the first to give a positive answer assuming computation is done over prime-order fields. They showed that if \(t \ge 0.907n\), then Shamir’s scheme is leakage resilient. Since then, there have been extensive efforts to improve the above threshold and, after a series of works, the current record shows leakage resilience for \(t\ge 0.78n\) (Maji et al., ISIT ’22). All existing analyses of Shamir’s leakage resilience for general leakage functions follow a single framework for which there is a known barrier for any \(t \le 0.5 n\).

In this work, we develop a new analytical framework that allows us to significantly improve upon the previous record and obtain additional new results. Specifically, we show:

  1. Shamir’s scheme is leakage resilient for any \(t \ge 0.69n\).

  2. If the leakage functions are guaranteed to be “balanced” (i.e., splitting the domain of possible shares into 2 roughly equal-size parts), then Shamir’s scheme is leakage resilient for any \(t \ge 0.58n\).

  3. If the leakage functions are guaranteed to be “unbalanced” (i.e., splitting the domain of possible shares into 2 parts of very different sizes), then Shamir’s scheme is leakage resilient as long as \(t \ge 0.01 n\). Such a result is provably impossible to obtain using the previously known technique.

All of the above apply more generally to any MDS codes-based secret sharing scheme.

Confirming leakage resilience is most important in the range \(t \le n/2\), as in many applications, Shamir’s scheme is used with thresholds \(t\le n/2\). As opposed to the previous approach, ours does not seem to have a barrier at \(t=n/2\), as demonstrated by our third contribution.
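The local leakage model described in the abstract can be made concrete on a toy instance. The following Python example is added here and is not code from the paper: it shares a secret with Shamir's scheme over a small prime field, lets every party apply its own 1-bit leakage function to its own share, and measures how well the joint leakage distinguishes two secrets via statistical distance. It assumes the usual convention that the polynomial has t coefficients (degree at most \(t-1\)), so that t shares reconstruct and \(t-1\) shares are independent of the secret, and it uses the quadratic-residue bit from Appendix B as one of the leakage functions. The helper names and the parameters \(n=4, t=2, p=7\) are choices made for this example.

```python
"""Toy model of local leakage from Shamir's scheme (added example, not
from the paper).  Every party applies its own leakage function to its
own share; we tabulate the joint leakage for two candidate secrets and
compute the statistical distance between the two distributions.  The
parameters are tiny so the polynomial space is enumerated exactly."""
import itertools
from collections import Counter


def shamir_shares(secret, coeffs, n, p):
    """Evaluate f(x) = secret + coeffs[0]*x + ... + coeffs[t-2]*x^(t-1)
    at x = 1..n over F_p.  With t coefficients in total, any t shares
    reconstruct f and any t-1 shares are independent of the secret."""
    shares = []
    for x in range(1, n + 1):
        value, xpow = secret, 1
        for a in coeffs:
            xpow = (xpow * x) % p
            value = (value + a * xpow) % p
        shares.append(value)
    return shares


def leakage_distribution(secret, leak_fns, n, t, p):
    """Distribution of (leak_1(share_1), ..., leak_n(share_n)) over a
    uniformly random polynomial with f(0) = secret."""
    counts = Counter()
    for coeffs in itertools.product(range(p), repeat=t - 1):
        shares = shamir_shares(secret, coeffs, n, p)
        counts[tuple(h(s) for h, s in zip(leak_fns, shares))] += 1
    total = p ** (t - 1)
    return {view: c / total for view, c in counts.items()}


def statistical_distance(d0, d1):
    keys = set(d0) | set(d1)
    return 0.5 * sum(abs(d0.get(k, 0.0) - d1.get(k, 0.0)) for k in keys)


def leakage_advantage(n, t, p, leak_fns, s0=0, s1=1):
    """Statistical distance between the leakage on secret s0 and on s1:
    0 means the leakage says nothing about which secret was shared,
    1 means the leakage determines it."""
    return statistical_distance(leakage_distribution(s0, leak_fns, n, t, p),
                                leakage_distribution(s1, leak_fns, n, t, p))


def quadratic_residue_bit(p):
    """The 1-bit leakage of Appendix B: is the share a square mod p?"""
    squares = {(y * y) % p for y in range(p)}
    return lambda s: 1 if s in squares else 0


def identity(s):          # a party that leaks its whole share
    return s


def nothing(s):           # a party that leaks nothing
    return 0


if __name__ == "__main__":
    n, t, p = 4, 2, 7     # constructed toy parameters; note n >= 2t here
    print("t-1 full shares   :", leakage_advantage(n, t, p, [identity] + [nothing] * (n - 1)))
    print("t full shares     :", leakage_advantage(n, t, p, [identity] * t + [nothing] * (n - t)))
    print("QR bit, all shares:", leakage_advantage(n, t, p, [quadratic_residue_bit(p)] * n))
```

The first two lines of output reproduce the threshold property (distance 0 with \(t-1\) full shares, distance 1 with t full shares). The third shows that with \(n \ge 2t\) a single quadratic-residue bit per share already separates the two secrets substantially, which is the regime the abstract says previous techniques could not handle.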


Notes

  1. Shamir’s scheme uses \(t \cdot \log p\) bits of entropy if we work over a p-size field, and so intuitively, the total amount of entropy leaked should not exceed this number. If we leak just one bit from every share, then \(n < t \cdot \log p\) is required for security. As mentioned, \(\log p\) can be replaced by \(\log n\).

  2. Typically, Shamir’s scheme is used with p proportional to n.

  3. The bias \(\mathop {\mathrm {\mathbb {E}}}\limits [f_i]\) is the proportion of inputs for which \(f_i\) outputs 1 minus the proportion of inputs for which \(f_i\) outputs \(-1\). Note that intuitively, the balanced case has the highest leakage of information.

  4. This is a standard reduction. The view of a distinguisher that sees \(t'\) of the n shares in their entirety can be reduced to a distinguisher for a Shamir secret sharing scheme over \(n-t'\) parties that sees none of the shares in their entirety.

  5. We suspect that this inequality is well known, but we could not find it in the literature. Thus, we include a self-contained proof.

  6. The proxy found in [28, Section 5] is \(\sum _{b \in \left\{ -1, 1\right\} ^n} \sum _{c \in \ell ^{\perp } \setminus \{0\}} \prod _{i=1}^{n} |\widehat{\frac{1+b_i f_i}{2}}(c_i)| \). Although syntactically different from Eq. (38), it is identical.

References

  1. Adams, D.Q., et al.: Lower bounds for leakage-resilient secret-sharing schemes against probing attacks. In: IEEE International Symposium on Information Theory, ISIT, pp. 976–981 (2021)

  2. Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: TCC, pp. 474–495 (2009)

  3. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: STOC, pp. 1–10 (1988)

  4. Benhamouda, F., Degwekar, A., Ishai, Y., Rabin, T.: On the local leakage resilience of linear secret sharing schemes. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 531–561. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_18

  5. Benhamouda, F., Degwekar, A., Ishai, Y., Rabin, T.: On the local leakage resilience of linear secret sharing schemes. J. Cryptol. 34(2), 10 (2021)

  6. Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the AFIPS National Computer Conference, vol. 22, pp. 313–317 (1979)

  7. Boyle, E., Segev, G., Wichs, D.: Fully leakage-resilient signatures. J. Cryptol. 26(3), 513–558 (2013)

  8. Chandran, N., Kanukurthi, B., Obbattu, S.L.B., Sekar, S.: Adaptive extractors and their application to leakage resilient secret sharing. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 595–624. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_20

  9. Chandran, N., Kanukurthi, B., Obbattu, S.L.B., Sekar, S.: Short leakage resilient and non-malleable secret sharing schemes. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13507, pp. 178–207. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15802-5_7

  10. Chattopadhyay, E., et al.: Extractors and secret sharing against bounded collusion protocols. In: FOCS, pp. 1226–1242 (2020)

  11. Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (extended abstract). In: STOC, pp. 11–19 (1988)

  12. Davì, F., Dziembowski, S., Venturi, D.: Leakage-resilient storage. In: SCN, pp. 121–137 (2010)

  13. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Advances in Cryptology - CRYPTO, pp. 307–315 (1989)

  14. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS, pp. 293–302 (2008)

  15. Faust, S., Rabin, T., Reyzin, L., Tromer, E., Vaikuntanathan, V.: Protecting circuits from computationally bounded and noisy leakage. SIAM J. Comput. 43(5), 1564–1614 (2014)

  16. Frankel, Y.: A practical protocol for large group oriented networks. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 56–61. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_8

  17. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or A completeness theorem for protocols with honest majority. In: STOC, pp. 218–229 (1987)

  18. Goyal, V., Kumar, A.: Non-malleable secret sharing. In: STOC, pp. 685–698 (2018)

  19. Goyal, V., Kumar, A.: Non-malleable secret sharing for general access structures. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 501–530. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_17

  20. Guruswami, V., Wootters, M.: Repairing Reed-Solomon codes. IEEE Trans. Inf. Theory 63(9), 5684–5698 (2017)

  21. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27

  22. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9

  23. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

  24. Kumar, A., Meka, R., Sahai, A.: Leakage-resilient secret sharing against colluding parties. In: FOCS, pp. 636–660 (2019)

  25. Maji, H.K., Nguyen, H.H., Paskin-Cherniavsky, A., Suad, T., Wang, M.: Leakage-resilience of the Shamir secret-sharing scheme against physical-bit leakages. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 344–374. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_12

  26. Maji, H.K., et al.: Tight estimate of the local leakage resilience of the additive secret-sharing scheme & its consequences. In: Information-Theoretic Cryptography, ITC, pp. 16:1–16:19 (2022)

  27. Maji, H.K., Nguyen, H.H., Paskin-Cherniavsky, A., Wang, M.: Improved bound on the local leakage-resilience of Shamir’s secret sharing. In: IEEE International Symposium on Information Theory, ISIT, pp. 2678–2683 (2022)

  28. Maji, H.K., Paskin-Cherniavsky, A., Suad, T., Wang, M.: Constructing locally leakage-resilient linear secret-sharing schemes. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 779–808. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_26

  29. Massey, J.L.: Some applications of source coding in cryptography. Eur. Trans. Telecommun. 5(4), 421–430 (1994)

  30. Micali, S., Reyzin, L.: Physically observable cryptography (extended abstract). In: TCC, pp. 278–296 (2004)

  31. Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. SIAM J. Comput. 41(4), 772–814 (2012)

  32. Nielsen, J.B., Simkin, M.: Lower bounds for leakage-resilient secret sharing. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 556–577. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_20

  33. Rothblum, G.N.: How to compute under \({\cal{AC}}^{\sf 0}\) leakage without secure hardware. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 552–569. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_32

  34. Santis, A.D., Desmedt, Y., Frankel, Y., Yung, M.: How to share a function securely. In: STOC, pp. 522–533 (1994)

  35. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

  36. Srinivasan, A., Vasudevan, P.N.: Leakage resilient secret sharing and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 480–509. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_17

Acknowledgements

Research supported in part by an Alon Young Faculty Fellowship, by a grant from the Israel Science Foundation (ISF Grant No. 1774/20), and by a grant from the US-Israel Binational Science Foundation and the US National Science Foundation (BSF-NSF Grant No. 2020643).

Corresponding author: Ohad Klein.

Appendices

A Proof of Claim 4.5

Let \({f}:{\mathbb F_p} \rightarrow {[-1, 1]}\) have \(\mathop {\mathbb {E}}[f] = \mu \). Then, for all \(k \ne 0\), we must show that

$$\begin{aligned} |\widehat{f}(k)| \le \frac{2}{\pi } \cos \left( \frac{\pi }{2} \mu \right) + O(1/p^2). \end{aligned}$$
(34)

Note that \(\widehat{f}(k)\) is a complex number, which we write as \(\widehat{f}(k) = |\widehat{f}(k)| \cdot e^{i\theta }\) with \(\theta \in [-\pi , \pi ]\) and \(|\widehat{f}(k)| \ge 0\) a non-negative real number. It suffices to prove

$$ e^{-i\theta }\widehat{f}(k) = |\widehat{f}(k)| \le \frac{2}{\pi } \cos \left( \frac{\pi }{2} \mu \right) + O(1/p^2). $$

Note that

$$ \begin{aligned} e^{-i\theta }\widehat{f}(k)&= \textrm{Re}(e^{-i\theta }\widehat{f}(k)) = \textrm{Re}(e^{-i\theta } \mathop {\mathrm {\mathbb {E}}}\limits _{x\sim \mathbb {F}_p}[f(x) \exp (-2\pi k x i / p)]) \\&= \mathop {\mathrm {\mathbb {E}}}\limits _{x\sim \mathbb {F}_p}[f(x) \textrm{Re}( \exp (-(2\pi k x / p+\theta ) i))] = \mathop {\mathrm {\mathbb {E}}}\limits _{x\sim \mathbb {F}_p}[f(x) \cos (2\pi k x / p+\theta )] \\&= \mathop {\mathrm {\mathbb {E}}}\limits _{x\sim \mathbb {F}_p}[f(x/k) \cos (2\pi x / p+\theta )] \end{aligned} $$

We define the function \({g}:{\mathbb {F}_p} \rightarrow {[-1,1]}\) having \(g(x) = f(x/k)\) which satisfies \(\mathop {\mathrm {\mathbb {E}}}\limits [g]=\mathop {\mathrm {\mathbb {E}}}\limits [f]=\mu \) and

$$\begin{aligned} e^{-i\theta }\widehat{f}(k) = \underbrace{\mathop {\mathrm {\mathbb {E}}}\limits _{x\sim \mathbb {F}_p}[g(x) \cos (2\pi x / p+\theta )]}_{F(g)} \end{aligned}$$
(35)

We now find a function g that maximizes F(g) among functions satisfying \(\mathop {\mathrm {\mathbb {E}}}\limits [g]=\mu \), and show this value is upper bounded by the right hand side of (34).

Intuitively, a g that maximizes F(g) “should” have g(x) larger where \(\cos (2\pi x / p+\theta )\) is larger (among \(x \in \{0,1,\ldots , p-1\}\)) and smaller where \(\cos (2\pi x / p+\theta )\) is smaller. This intuition can be formalized as follows. Write \(P(x) \mathrel {\mathop :}=\cos (2\pi x / p+\theta )\). If \(P(y) \le P(z)\) and both \(-1 < g(y)\) and \(g(z) < 1\), we may move a small amount of mass out of g(y) (thus decreasing it) and into g(z) (increasing it), so that \(\mathop {\mathbb {E}}[g]\) is preserved while (35) grows. Specifically, letting \(\nu = \min \{g(y)+1, 1-g(z)\}\) and defining \({g'}:{\mathbb F_p} \rightarrow {[-1,1]}\) as

$$ g'(x) = g(x) + \nu (\boldsymbol{1}_{\{x=z\}} - \boldsymbol{1}_{\{x=y\}}), $$

has \(|g'| \le 1\) and \(\mathop {\mathbb {E}}[g'] = \mathop {\mathbb {E}}[g] = \mu \) and

$$ F(g', \theta ) = F(g) + \nu (P(z)-P(y)) > F(g). $$

Hence, for all \(\mu \in [-1,1]\) there is a function \(g_{\mu }\) which maximizes \(F(g_{\mu }, \theta )\) under the condition \(\mathop {\mathbb {E}}[g_{\mu }]=\mu \), and which has \(|g_{\mu }(x)|=1\) for all points \(x \in \mathbb F_p\), except for at most one point \(x'\). Moreover, \(g_{\mu }(x)\) is monotonically non-decreasing in P(x). We must show

$$ F(g_\mu , \theta ) \le \frac{2}{\pi }\cos \left(\frac{\pi }{2} \mu \right) + O(1/p^2). $$

Consider first the case where \(\mu = -1 + \frac{2}{p}t\), for some positive integer t. In this case, \(g_\mu (x)=1\) on the t values of x with the largest P(x), and \(g_\mu (x)=-1\) on the remaining \(p-t\) values of x.

For the purpose of computing \(F(g_\mu , \theta )\), these x’s for which \(g_\mu (x)=1\) can be described as \(m\le x \le m+t-1\) for some integer m. Using that \(\sum _{x=0}^{p-1} \cos (2\pi x / p + \theta ) = 0\), we see that

$$ \left| \sum _{x:g_\mu (x)=1} \cos (2\pi x/p+\theta ) \right| = \left| \sum _{x:g_\mu (x)=-1} \cos (2\pi x/p+\theta ) \right| $$

and so

$$\begin{aligned} F(g) = \frac{2}{p} \sum _{x=m}^{m+t-1} \cos (2\pi x/p+\theta ) = \frac{2}{p} \frac{\sin (\pi t / p) \cos ((2m+t-1)\pi /p + \theta ) }{\sin (\pi / p)} \end{aligned}$$
(36)

where the last equality follows from an elementary trigonometric summation. Using that \(|\cos | \le 1\) and that \(t = \frac{p}{2}(1+\mu )\) we get

$$\begin{aligned} F(g) \le \left| \frac{2\sin ((1+\mu )\pi / 2)}{p\sin (\pi /p)}\right| \cdot 1 = \frac{2\cos (\pi \mu / 2)}{p\sin (\pi /p)}. \end{aligned}$$
(37)

Using that \(1/\sin (\epsilon ) = \frac{1}{\epsilon } + O(\epsilon )\) for \(|\epsilon | \le 1\) in Eq. (37), we get

$$ F(g) \le 2\cos \left(\frac{\pi }{2} \mu \right) \cdot \left(1/\pi + O(1/p^2)\right) = \frac{2}{\pi }\cos \left(\frac{\pi }{2} \mu \right) + O(1/p^2), $$

as required. For the case of general \(\mu \in [-1,1]\), it holds that \(F(g_{\mu })\) is a piecewise-linear function in \(\mu \). Thus, the almost-coincidence of \(F(g_{\mu })(1)\) with \(\frac{2}{\pi }\cos (\frac{\pi }{2}\mu )\) on \(\mu \in -1+\frac{2}{p}\mathbb {Z}\), implies a similar \(O(1/p^2)\) approximation for interpolated \(\mu \) values, as \(\frac{2}{\pi }\cos (\frac{\pi }{2}\mu )\) has bounded second derivative (Taylor-approximation type estimate).

B Details for a Barrier of Previous Methods

As pointed out in [28], previous studies of the leakage resilience of Shamir’s secret sharing scheme aim at upper bounding some proxy quantity, which can be too large if \(n \ge 2t\). Their analytic proxy is (see Note 6)

$$\begin{aligned} \sum _{c \in \ell ^{\perp } \setminus \{0\}} \prod _{i=1}^{n} |\widetilde{f_i}(c_i)|, \qquad \text {with}\quad \widetilde{f_i}(c_i) = {\left\{ \begin{array}{ll} \widehat{f_i}(c_i) &{}\quad c_i \ne 0\\ 1 &{}\quad c_i = 0, \end{array}\right. } \end{aligned}$$
(38)

where \(\ell ^{\perp }\) is the set of all linear combinations \(c \in \mathbb {F}_p^n\) for which the equation \(\sum _{i=1}^{n} c_i \ell _i = 0\) holds. In particular, \(|\ell ^{\perp }| = p^{n-t}\). See Sect. 2.3 for the interpretation of what Eq. (38) bounds.

In order to show that the quantity in Eq. (38) may be large if \(n \ge 2t\), Maji et al. [28] presented the quadratic-residue function

$$ f_i(s) = f(s) \mathrel {\mathop :}={\left\{ \begin{array}{ll} 1 &{} \qquad s = y^2 \,(\textrm{mod}\ p) \\ -1 &{} \qquad \textrm{otherwise} \end{array}\right. } $$

which satisfies \(|\widehat{f_i}(\alpha )|\sim \sqrt{1/p}\) for all \(\alpha \in \mathbb {F}_p\). Hence, Eq. (38) is a sum of \(p^{n-t}\) terms, each of the order of \(p^{-n/2}\), thus being \(> 1\) if \(n > 2t\).
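Both the bound of Claim 4.5 (Appendix A) and the Fourier-coefficient size of the quadratic-residue function above can be checked numerically for a concrete prime. The following Python example is added here and is not code from the paper. It uses the paper's normalisation \(\widehat{f}(k) = \mathop{\mathbb{E}}_{x \sim \mathbb{F}_p}[f(x)\exp(-2\pi i k x/p)]\), instantiates the \(O(1/p^2)\) term of Eq. (34) as a constant times \(1/p^2\) (the constant 3 is this example's choice, not the paper's), and treats 0 as a square so that \(f(0)=1\). Function names and the prime \(p=101\) are assumptions of the example.

```python
"""Fourier-analytic checks for Appendices A and B (added example, not
from the paper).  Normalisation: f^(k) = E_{x in F_p}[ f(x) e^{-2 pi i k x/p} ]."""
import cmath
import math
import random


def fourier_coeff(f, p, k):
    """The paper's \\hat f(k) for a function f: F_p -> [-1, 1]."""
    return sum(f(x) * cmath.exp(-2j * math.pi * k * x / p) for x in range(p)) / p


def bias(f, p):
    """E[f], the bias mu of Claim 4.5 (Note 3)."""
    return sum(f(x) for x in range(p)) / p


def claim45_bound(mu):
    """Main term of Eq. (34): (2/pi) cos(pi mu / 2)."""
    return (2 / math.pi) * math.cos(math.pi * mu / 2)


def max_nonzero_coeff(f, p):
    """max_{k != 0} |f^(k)|, the quantity Eq. (34) bounds."""
    return max(abs(fourier_coeff(f, p, k)) for k in range(1, p))


def satisfies_claim45(f, p, slack=3.0):
    """Eq. (34) with the O(1/p^2) term instantiated as slack/p^2
    (slack = 3 is a choice of this example, not a constant from the paper)."""
    return max_nonzero_coeff(f, p) <= claim45_bound(bias(f, p)) + slack / p ** 2


def interval_function(p, t, start=0):
    """The extremal g_mu of Appendix A: +1 on t consecutive points, -1 elsewhere."""
    ones = {(start + x) % p for x in range(t)}
    return lambda x: 1 if x in ones else -1


def exact_interval_value(p, t):
    """Eq. (36) with the cosine factor equal to 1: (2/p) sin(pi t/p) / sin(pi/p)."""
    return 2 * math.sin(math.pi * t / p) / (p * math.sin(math.pi / p))


def random_sign_function(p, seed=0):
    """A constructed random {-1, 1}-valued function, for a generic check of Eq. (34)."""
    rng = random.Random(seed)
    table = [rng.choice((-1, 1)) for _ in range(p)]
    return lambda x: table[x]


def quadratic_residue_function(p):
    """Appendix B: f(s) = 1 if s is a square mod p (0 included), else -1."""
    squares = {(y * y) % p for y in range(p)}
    return lambda s: 1 if s in squares else -1


def qr_coeff_range(p):
    """(min, max) of |f^(k)| over k != 0 for the quadratic-residue function;
    the Gauss-sum bound predicts both lie in [(sqrt p - 1)/p, (sqrt p + 1)/p]."""
    f = quadratic_residue_function(p)
    mags = [abs(fourier_coeff(f, p, k)) for k in range(1, p)]
    return min(mags), max(mags)


if __name__ == "__main__":
    p, t = 101, 30                     # constructed parameters for the demonstration
    g = interval_function(p, t)
    print("extremal |g^(k)| max :", max_nonzero_coeff(g, p))
    print("Eq. (36) value       :", exact_interval_value(p, t))
    print("(2/pi) cos(pi mu / 2):", claim45_bound(bias(g, p)))
    print("random f obeys (34)  :", satisfies_claim45(random_sign_function(p, seed=1), p))
    print("QR |f^(k)| range     :", qr_coeff_range(p), "vs 1/sqrt(p) =", 1 / math.sqrt(p))
```

The first three printed numbers show the extremal function of Appendix A sitting exactly at the Eq. (36) value and just above the \(\frac{2}{\pi}\cos(\frac{\pi}{2}\mu)\) main term, with the gap of order \(1/p^2\); the last line shows every non-zero coefficient of the quadratic-residue function within \(\pm 1/p\) of \(1/\sqrt{p}\), which is the \(|\widehat{f_i}(\alpha)| \sim \sqrt{1/p}\) behaviour that makes Eq. (38) blow up when \(n > 2t\).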

In order to see the similar barrier in the case where the \(f_i\)’s are constantly biased (that is, as in the setting of Example 3), consider some constant \(\mu < 1\) (the bias), and set

$$ g_i(s) = g(s) \mathrel {\mathop :}=(1-\mu )f_i(s) + \mu . $$

Note that the range of g is \([-1, 1]\), unlike f whose range is \(\left\{ -1, 1\right\} \). Nevertheless, it follows that \(|\widehat{g}(\alpha )| \gtrsim (1-\mu )/\sqrt{p}\) for all \(\alpha \). Also, \(\mathop {\mathrm {\mathbb {E}}}\limits [g]=\mu + (1-\mu )\mathop {\mathrm {\mathbb {E}}}\limits [f] \approx \mu \).

Substituting \(g_i\) in place of \(f_i\) in (38), we get \(p^{n-t}\) summands, each of the order of \((1-\mu )^{n}/p^{n/2}\), thus being

$$ (1-\mu )^n p^{n/2-t}. $$

In case \(t = (1/2-\epsilon )n\), the sum in Eq. (38) is hence at least

$$\begin{aligned} (1-\mu )^n p^{\epsilon n} \gg 1, \end{aligned}$$
(39)

for any constant \(\epsilon > 0\). This gives a barrier on how effective Eq. (38) can be if \(t = (1/2-\epsilon ) n\).

Note however that g does not strictly output a single bit. We sketch how to fix this issue (since this section only points out a barrier of previous approaches, we skip the technical details). Observe that g is an average of functions whose range is \(\left\{ -1, 1\right\} \). Then, we notice that Eq. (38) is a convex function of the \(g_i\)’s (as a composition of convex functions). If we hence choose \(g_i\) randomly (and independently across i’s) from a distribution whose mean is g, we get in expectation a value larger than Eq. (39). Note that it is important to ensure that \(g_i\) has mean \(\approx \mu \). For this, we note that g is two-valued with values 1 and \(2\mu - 1\). By rounding a \(\mu \)-fraction of those s with \(g(s)=2\mu -1\) to have \(g_i(s)=1\), and the rest to have \(g_i(s') = -1\), we guarantee \(\mathop {\mathrm {\mathbb {E}}}\limits [g_i] = \mu \). That is, the number of s’s we round to 1 is

$$ \frac{p \cdot \mu \cdot (1-\mathop {\mathrm {\mathbb {E}}}\limits [f])}{2}. $$

There is a fine net of \(\mu \)’s in \([-1,1]\) for which this quantity turns out an integer. We may choose any \(\mu \) with that property.

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Klein, O., Komargodski, I. (2023). New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14081. Springer, Cham. https://doi.org/10.1007/978-3-031-38557-5_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38556-8

  • Online ISBN: 978-3-031-38557-5
