On the Local Leakage Resilience of Linear Secret Sharing Schemes



SLIDE 1

On the Local Leakage Resilience of Linear Secret Sharing Schemes

Akshay Degwekar

(MIT)

Joint with Fabrice Benhamouda (IBM Research), Yuval Ishai (Technion) and Tal Rabin (IBM Research)

SLIDE 2

Leakage attacks can be devastating

Proposed Solution: Secret Sharing, MPC

A few full corruptions

All the servers?

Partial leak from all

SLIDE 3

Leakage Resilient Cryptography

[ISW03, MR04, DP07, DP08, AGV09, NS09, FRR+10, BKKV10, LLW11, BGJK12, DF12, BDL14, BGK14, GR15, DLZ15, GIMSS16 … ]

  • Strong leakage models
  • Specially-designed schemes
SLIDE 4

Are standard Secret Sharing Schemes Leakage Resilient?

Additive

Shamir

SLIDE 5

Limited General Results

[DDF14] Noisy Leakage

Secret Sharing generically protects against weak forms of leakage.

[BIVW16] Low approximate degree leaks

SLIDE 6

Leakage Model: Local Leakage

Leak any partial information about state.

Restricted form of Only Computation Leaks [Micali-Reyzin04, GR12, BDL14], Bounded Comm. Leakage [GIMSS16]

SLIDE 7

Is Local Leakage reasonable?

Local: Justified by physical separation

Shrinking: Timing, power, selective failures give limited information

Adversarial limited information

SLIDE 8

Additive Secret Sharing

Completely random

Shamir Secret Sharing

Shares are evaluations

Threshold: Degree + 1 points to reconstruct

SLIDE 9

Is Additive Secret Sharing Local Leakage Resilient?

  • A. Not Necessarily.

One bit each leaks one bit of the secret!
SLIDE 10

How about Shamir?

  • A. Not secure. Convert to additive.

Guruswami-Wootters 16: One bit per server can reconstruct the whole secret!

Lagrange Interpolation

Regenerating Codes: When a server goes down, minimum communication you need to reconstruct.

SLIDE 11

Results Overview

Leakage Resilience of Additive & Shamir Secret Sharing

Application: Leakage Resilience of GMW protocol

Application: Local Share Conversion

SLIDE 12

Results: Additive Secret Sharing

Thm. Thm.

SLIDE 13

Results: Shamir Secret Sharing

Thm. Thm.

SLIDE 14

Full Break

GW16: Reconstruct secret 1 bit of secret leaked

Full Break

n/2 degree t

??

Conjecture.

SLIDE 15

[Figure: Random Secret]

Generalizes to const. servers

SLIDE 16

Application: MPC

Honest-but-Curious GMW w/ preprocessed Beaver Triples

Goldreich-Micali-Wigderson87, Beaver91

Preprocessing

  • Secret Shared Inputs
  • Beaver Triples for product gates

Computation

  • Addition: Locally Add Shares
  • Multiplication: Use Beaver Triples

SLIDE 17

Application: MPC

Thm.

SLIDE 18

Byproduct: On Local Share Conversion

Locally convert secret under one scheme to related secret under other scheme

[Beimel-Ishai-Kushilevitz-Orlov12]

Lagrange Coefficients.

SLIDE 19

Byproduct: On Local Share Conversion

Homomorphic Secret Sharing (Boyle-Gilboa-Ishai16)

To get 3-server HSS:

SLIDE 20

Techniques

No subgroups

Some information.

SLIDE 21

Techniques

SLIDE 22

Summary

Application: Honest-but-Curious GMW is leakage resilient.

Application: Local Share Conversion Impossibility results.

SLIDE 23
SLIDE 24

Usually in Leakage Resilience

[Cite many works on leakage.]

Here: Given existing schemes, how Leakage Resilient are they?

SLIDE 25

Results:

Thm. Thm. Thm.

SLIDE 26

Q: How Leakage Resilient are

  • Shamir & Additive Secret Sharing?
  • GMW & BGW style MPC Protocols?

Why?

  • Exist and are Used.
  • Useful Properties: Homomorphisms.
SLIDE 27

Is Additive Secret Sharing Local Leakage Resilient?

  • A. Not always.

One bit each leaks one bit of the secret!

Guruswami-Wootters16: For Shamir, one bit each allows full reconstruction of secret.

SLIDE 28

Techniques

To show: secret = 0 Pr[ ] secret = 1

SLIDE 29

Application: Honest-but-Curious GMW

w/ preprocessed Beaver Triples

Preprocess:

  • Secret Share Inputs
  • Beaver Triples for product gates

Compute:

  • Addition: Locally Add Shares

SLIDE 30

Techniques

Secret: 10 = 11 + 01 + 00

Attack: Leak lsb(share)

Leak reveals: Share’s coset

The coset is a group.

lsb(secret) = sum of leaks

Learn secret’s coset.
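
The lsb leak on this slide, checked exhaustively over every sharing, as an added example that is not part of the presentation. The comparison group Z_5, the choice of three parties and all function names are assumptions made here to contrast the XOR group (where lsb = 0 is a subgroup) with the "No subgroups" case.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

def lsb(x):
    return x & 1

def leak_distribution(secret, n, order, add, neg):
    """Exact distribution of (lsb(share_1), ..., lsb(share_n)) over every
    n-party additive sharing of `secret` in a group with elements 0..order-1."""
    counts = Counter()
    for free in product(range(order), repeat=n - 1):
        last = secret
        for s in free:                      # last share = secret - sum(free)
            last = add(last, neg(s))
        counts[tuple(lsb(s) for s in free + (last,))] += 1
    total = order ** (n - 1)
    return {leak: Fraction(c, total) for leak, c in counts.items()}

def statistical_distance(p, q):
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q)) / 2

def xor_leak_parity(shares):
    """What the leaks add up to in the XOR group: the XOR of the leaked bits."""
    parity = 0
    for s in shares:
        parity ^= lsb(s)
    return parity

def xor_group_distance(n=3):
    # 2-bit strings under XOR, as on the slide; secrets 10 and 11 differ in lsb.
    add, neg = (lambda a, b: a ^ b), (lambda a: a)
    return statistical_distance(leak_distribution(0b10, n, 4, add, neg),
                                leak_distribution(0b11, n, 4, add, neg))

def prime_field_distance(n=3, p=5):
    # Z_p for prime p has no proper nontrivial subgroup; p = 5 is an assumption.
    add, neg = (lambda a, b: (a + b) % p), (lambda a: -a % p)
    return statistical_distance(leak_distribution(0, n, p, add, neg),
                                leak_distribution(1, n, p, add, neg))

if __name__ == "__main__":
    print(xor_leak_parity([0b11, 0b01, 0b00]), lsb(0b10))  # slide's sharing of 10
    print(xor_group_distance(), prime_field_distance())
```

A distance of 1 means the leaked bits always separate the two secrets; over Z_5 the same one-bit leak gives a distance strictly below 1 for three parties, so the leaks no longer determine which secret was shared.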