Non-Malleable Secret Sharing against Bounded Joint-Tampering Attacks - - PowerPoint PPT Presentation



SLIDE 1

Non-Malleable Secret Sharing against Bounded Joint-Tampering Attacks in the Plain Model

Gianluca Brian, Sapienza University of Rome, Rome, Italy
Antonio Faonio, IMDEA Software Institute, Madrid, Spain (now at EURECOM)
Maciej Obremski, National University of Singapore, Singapore, Singapore
Mark Simkin, Aarhus University, Aarhus, Denmark
Daniele Venturi, Sapienza University of Rome, Rome, Italy

CRYPTO 2020, online version

1 / 11

SLIDES 2-5

Secret Sharing

[Figure: the dealer runs Share on the message m and hands the shares s1, s2, s3, s4, ..., sn to the parties. An authorized subset of shares (s_{i1}, s_{i2}, s_{i3}, s_{i4}, ..., s_{ij}) ∈ A runs Rec and recovers m; an unauthorized subset ∉ A learns nothing about m ("???").]

- Access structure: t-out-of-n.
- Correctness: at least t parties are able to reconstruct the secret.
- Privacy: fewer than t parties should not be able to learn any information about the secret.

2 / 11
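The slides leave the t-out-of-n scheme abstract. As an added example (not code from the talk or its authors), the block below instantiates it with Shamir's secret sharing over Z_p and checks both properties from the slide: Rec on any t shares returns m (correctness), and a brute-force enumeration of all degree-(t-1) polynomials over a small prime shows that t shares pin down exactly one secret while t - 1 shares are consistent with every secret exactly once (privacy). The prime p = 17, the thresholds, the message and the function names (share, reconstruct, consistent_secrets, demo) are all constructed for this example.

```python
"""Shamir t-out-of-n secret sharing over Z_p, plus a brute-force check of the
correctness and privacy properties from the slide (added example, not the talk's code)."""
import secrets
from collections import Counter


def eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[t-1]*x^(t-1) mod p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def share(m, t, n, p, rng=secrets.randbelow):
    """Dealer: pick a random degree-(t-1) polynomial f with f(0) = m; party i gets the point (i, f(i))."""
    assert 0 <= m < p and 1 <= t <= n < p, "secret must be a field element; need n distinct non-zero x's"
    coeffs = [m] + [rng(p) for _ in range(t - 1)]
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def reconstruct(shares, p):
    """Rec: Lagrange interpolation at x = 0. Correct whenever at least t distinct shares are supplied."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def consistent_secrets(shares, t, p):
    """Privacy check by exhaustive search (small p only): for every degree-(t-1) polynomial
    over Z_p that agrees with the given shares, count which secret f(0) it encodes."""
    counts = Counter()
    for idx in range(p ** t):
        coeffs = [(idx // p ** k) % p for k in range(t)]
        if all(eval_poly(coeffs, x, p) == y for x, y in shares):
            counts[coeffs[0]] += 1
    return dict(counts)


def demo(p=17, t=3, n=5, m=11):
    """Constructed sample: a 3-out-of-5 sharing of m = 11 over Z_17."""
    shares = share(m, t, n, p)
    # Correctness: any t shares (two different subsets here) reconstruct m.
    correct = reconstruct(shares[:t], p) == m and reconstruct(shares[-t:], p) == m
    # Privacy: t shares fix one secret; t - 1 shares fit every secret in Z_p equally often.
    authorized = consistent_secrets(shares[:t], t, p)
    unauthorized = consistent_secrets(shares[:t - 1], t, p)
    return correct, authorized, unauthorized


if __name__ == "__main__":
    correct, authorized, unauthorized = demo()
    print("correctness:", correct)
    print("secrets consistent with t shares:", authorized)
    print("secrets consistent with t-1 shares:", unauthorized)
```

The exhaustive search is what makes the privacy statement concrete: with t - 1 points, every candidate value of f(0) completes exactly one polynomial, so the unauthorized view carries no information about m. For real use p is a large prime (the test below also runs the scheme over 2^61 - 1) and the brute-force helper is dropped.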

SLIDES 6-12

Leakage Resilient and Non-malleable Secret Sharing

[Figure: the dealer runs Share on m and distributes s1, s2, s3, s4, ..., sn to the parties. A leakage function g ∈ G is applied to the shares, yielding Λ = g(s1, ..., sn). A tampering function f ∈ F maps the shares to s′1, s′2, s′3, s′4, ..., s′n, and Rec on the tampered shares outputs m′.]

- Side channel attacks: partial information from all the shares may reveal some information about the message! SECURITY BREACH!
- Tampering attacks: m′ may be related to m! SECURITY BREACH!!!
- Leakage Resilient Secret Sharing [KMS18]: Λ reveals nothing about m for a restricted family G.
- Non-Malleable Secret Sharing [GK18]: m′ is unrelated to m for a restricted family F.
- Leakage-resilient non-malleability: the best of both worlds.
- Limitations: impossible for arbitrary families G and F.

3 / 11

SLIDES 13-18

Our contributions

Our model
- Joint leakage and tampering (selective partitioning, semi-adaptive partitioning).
- Bounded leakage: the total leakage amounts to at most ℓ bits.

Selective partitioning
- Any one-time statistically non-malleable secret sharing scheme is also leakage resilient.
- Corollary: lower bounds for the size of the shares of non-malleable secret sharing schemes, using [NS20].

Semi-adaptive partitioning
- We construct a one-time non-malleable secret-sharing scheme against joint leakage and tampering under semi-adaptive partitioning.

Both settings
- Corollary: construction of a p-time non-malleable secret sharing scheme from known techniques [OPVV18, BFV19].

[Figure: Statistical 1-NMSS → compiler → Computational p-NMSS]

4 / 11

SLIDES 19-23

Security against selective partitioning

[Figure: shares s1, s2, s3, s4, s5, s6, s7, s8, s9, ..., sn. The adversary fixes the tampering set T = {1, 4, 5, 7, 8, 9, ...} up front and regroups the selected shares (s1, s5, s4, s7, s8, s9, ..., sn) into the blocks of a partition. Leakage functions g1, g2, ... are applied block by block and return Λ1, Λ2, ...; tampering functions f1, f2, ... are applied block by block and produce s̃1, s̃5, s̃4, s̃7, s̃8, s̃9, ..., s̃n, from which Rec outputs m̃.]

5 / 11

SLIDES 24-35

A non-malleable secret sharing is also leakage resilient

Theorem: any one-time ε/2^ℓ-non-malleable secret sharing scheme is also an ℓ-bounded leakage-resilient one-time ε-non-malleable secret sharing scheme.

Proof strategy: complexity leveraging.

[Figure: the reduction sits between the one-time non-malleability challenger ("m0 or m1?") and the leakage-resilient adversary. Both sides fix T and B = (B1, ..., Bt). On the Leak query (g1, ..., gt), the reduction randomly samples Λ1, ..., Λt and answers (Λ1, ..., Λt). On the Tamper query (f1, ..., ft), it forwards f̂1, ..., f̂t to the challenger, where f̂_i = (…) if leakage is wrong, f_i(s_{B_i}) otherwise; the challenger's answer m̃ or ⊥ is passed back to the adversary, and the adversary's final bit b is output as the reduction's bit b.]

- Advantage > ε.
- Guess ⇒ perfect simulation: the leakage and tampering answers are correct.
- ¬Guess ⇒ no advantage: the view of the adversary is independent of m0, m1.
- P[Guess] = 2^{-ℓ}.
- Advantage > 2^{-ℓ} · ε. Q.E.D.

6 / 11

SLIDES 36-38

Security against semi-adaptive partitioning

[Figure: shares s1, s2, s3, s4, s5, s6, s7, s8, s9, ..., sn, with leakage subsets (drawn over s1, s2, s3) laid against the tampering partition; the permitted cases are marked Y and the forbidden partial overlaps are marked X.]

- The attacker only tampers within partitions whose subsets do not partially overlap with subsets belonging to leakage partitions.
- Much easier to achieve.

7 / 11

SLIDES 39-42

Our t-out-of-n semi-adaptive leakage-resilient non-malleable secret sharing

Construction inspired by [GK18].

[Figure: m → NMC → (sL, sR); sL → ShareL → (sL,1, sL,2, sL,3, ..., sL,n); sR → ShareR → (sR,1, sR,2, sR,3, ..., sR,n); the final shares are s1, s2, s3, ..., sn with s_i = (sL,i, sR,i).]

Building blocks:
- NMC: a 2-out-of-2 one-time non-malleable secret sharing scheme (i.e. a non-malleable code);
- ShareL: a joint-leakage-resilient t-out-of-n secret sharing scheme;
- ShareR: a joint-leakage-resilient k′-out-of-n secret sharing scheme, where k′ ≈ √t.

Security proof inspired by [KMS18]: we extend their result, obtaining security against joint tampering with k′ − 1 shares (instead of independent tampering).

8 / 11

SLIDES 43-51

Our semi-adaptive leakage-resilient non-malleable secret sharing – Proof strategy

[Figure: the shares (sL,1, sR,1), (sL,2, sR,2), ..., (sL,11, sR,11), ... in the real experiment and in the hybrids. The tampering set is split into T0 (shares 1-6, 11, ...) and T1 (shares 7-10). Hybrid 1 replaces sL,7, ..., sL,10 by s*L,7, ..., s*L,10 while leaving the right shares untouched; Hybrid 2 replaces every left share by ŝL,i; Hybrids 3-4 repeat the two steps on the right shares, with s*R,i inside T0 and ŝR,i everywhere at the end.]

- Split the tampering set into two subsets T0 and T1 such that |T0| ≥ threshold of ShareR.
- Hybrid 1: before tampering, replace the left shares within T1 with valid and consistent shares of the same secret.
- Because of the restriction imposed by semi-adaptive partitioning, the two subsets of shares T0 and T1 are unrelated to each other even conditioned on the leakage. This holds because each subset of each leakage partition contains only shares that lie within at most one subset of the tampering partition.
- Hybrid 2: replace all the left shares with shares of an unrelated value ŝL.
- Hybrids 3-4: the same as Hybrids 1-2, but on the right shares.
- Now we can safely reduce to the non-malleability of the non-malleable code.

9 / 11

SLIDES 52-67

Corollary: p-time non-malleability

Known techniques [OPVV18, BFV19]; building blocks: Share, Com.

Algorithm Share*(m):
- Sample random coins r for Com.
- Compute com ← Com(m; r).
- Share (s1, ..., sn) ←$ Share(m||r).
- Let, for all i ∈ [n], s*_i = (com, s_i).
- Output (s*_1, ..., s*_n).

Algorithm Rec*((s*_i)_{i∈I}):
- Parse each s*_i = (com_i, s_i).
- Check that all the com_i are the same.
- Reconstruct m||r ← Rec((s_i)_{i∈I}).
- Check that (m, r) is a valid opening for com.
- If everything is OK, output m; otherwise, output ⊥.

Key ideas (very similar to [BFV19])
- By induction over the number of queries.
- Simulate tampering with leakage: obtain the mauled commitment and then extract the respective secret message.
- Check whether everything is correct with the last tampering query.
- Commitment scheme ⇒ computational setting.
- Bounded leakage ⇒ p-time non-malleability (instead of continuous).
- Security against joint tampering.

10 / 11
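The following block is an added example, not code from the talk or its authors, and serves two passages at once: the tampering attack of slide 3 (Rec on tampered shares returns an m′ related to m) and the Share*/Rec* compiler of slide 10. Everything concrete in it is an assumption: an additive n-out-of-n XOR sharing stands in for the abstract Share/Rec, SHA-256(m || r) stands in for Com(m; r) (binding rests on collision resistance, hiding is only heuristic), r is fixed at 16 bytes so that m||r can be parsed back, Python's None plays the role of ⊥, and the tampering function f is a single-bit flip of one share. The names share_additive, rec_additive, share_star, rec_star, flip_bit and demo are invented here. The block only shows the commitment check catching a mauled share; it says nothing about the leakage-resilience or the p-time induction argument of the slides.

```python
"""Toy of the Share*/Rec* compiler over an additive n-out-of-n sharing, with a
one-share bit flip as the tampering function (added example, not the authors' code)."""
import hashlib
import secrets

R_LEN = 16  # constructed choice: fixed length of the commitment coins r so that m||r can be parsed


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def share_additive(payload, n):
    """Stand-in for Share: n-out-of-n XOR sharing (not the slides' t-out-of-n scheme)."""
    shares = [secrets.token_bytes(len(payload)) for _ in range(n - 1)]
    last = payload
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def rec_additive(shares):
    """Stand-in for Rec: XOR all n shares back together."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out


def commit(m, r):
    """Stand-in for Com(m; r): SHA-256(m || r)."""
    return hashlib.sha256(m + r).digest()


def share_star(m, n):
    """Share*(m): sample r, com <- Com(m; r), share m||r, attach com to every share."""
    r = secrets.token_bytes(R_LEN)
    com = commit(m, r)
    return [(com, s) for s in share_additive(m + r, n)]


def rec_star(shares):
    """Rec*: all com_i must agree, reconstruct m||r, verify the opening; None models ⊥."""
    coms = {com for com, _ in shares}
    if len(coms) != 1:
        return None
    com = coms.pop()
    payload = rec_additive([s for _, s in shares])
    m, r = payload[:-R_LEN], payload[-R_LEN:]
    if commit(m, r) != com:
        return None
    return m


def flip_bit(data, bit):
    """Tampering function f: flip one bit of a single share."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def demo(m=b"constructed secret", n=4, bit=3):
    # 1. The plain additive sharing is malleable: flipping a bit of s_2 flips the same bit of m'.
    plain = share_additive(m, n)
    plain[1] = flip_bit(plain[1], bit)
    related = rec_additive(plain) == flip_bit(m, bit)
    # 2. Untampered Share*/Rec* round-trips.
    star = share_star(m, n)
    honest_ok = rec_star(star) == m
    # 3. The same bit flip on s*_2 breaks the opening of com, so Rec* outputs ⊥ instead of m'.
    tampered = [(c, flip_bit(s, bit) if i == 1 else s) for i, (c, s) in enumerate(star)]
    rejected = rec_star(tampered) is None
    # 4. Rewriting the commitment inside a single share is caught by the "all com equal" check.
    mixed = [(flip_bit(c, 0) if i == 0 else c, s) for i, (c, s) in enumerate(star)]
    mismatch = rec_star(mixed) is None
    return related, honest_ok, rejected, mismatch


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

Step 1 is the failure mode the slides motivate: with a linear sharing and no integrity check, a local edit of one share propagates to a predictable edit of the reconstructed message. Steps 3 and 4 show the two checks Rec* adds, and why both are needed: the opening check catches a mauled share, the equality check catches an inconsistent commitment field. Non-malleability still holds only for a restricted family F, as the slides state; an adversary who rewrites every share jointly can of course re-share a message of its choice.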

SLIDES 68-74

Conclusion and open problems

Our results
- We prove that a non-malleable secret sharing scheme is also leakage resilient.
- We give a construction of a leakage-resilient non-malleable secret sharing scheme against semi-adaptive partitioning.
- Corollary: lower bounds on the size of the shares of a non-malleable secret sharing scheme.
- Corollary: construction of a p-time non-malleable secret sharing scheme.

Open problems / Work in Progress
- Actually, we already have some preliminary work in progress...
- Continuous non-malleability against joint selective/(semi-)adaptive partitioning in the plain model.
- Optimal rate, i.e. (size of message) / (size of share).

Thank You!

11 / 11