on the local leakage resilience of linear secret sharing
play

On the Local Leakage Resilience of Linear Secret Sharing Schemes - PowerPoint PPT Presentation

Oct 20, 2022 •227 likes •547 views

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes Akshay Degwekar (MIT) Joint with Fabrice Benhamouda (IBM Research), Yuval Ishai (Technion) and Tal Rabin (IBM Research) Leakage attacks can be

  1. On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes Akshay Degwekar (MIT) Joint with Fabrice Benhamouda (IBM Research), Yuval Ishai (Technion) and Tal Rabin (IBM Research)

  2. Leakage attacks can be devastating Proposed Solution: Secret Sharing, MPC Proposed Solution: Secret Sharing, MPC A few full corruptions All the servers? All the servers? Partial leak from all

  3. Leakage Resilient Cryptography [ISW03, MR04, DP07, DP08, AGV09, NS09, FRR+10, [ISW03, MR04, DP07, DP08, AGV09, NS09, FRR+10, BKKV10, LLW11, BGJK12, DF12, BDL14, BGK14, GR15, DLZ15, GIMSS16 … ] - Strong leakage models - Specially-designed schemes - Specially-designed schemes

  4. Additive Shamir Are standard Are standard Secret Sharing Schemes Leakage Resilient? Leakage Resilient?

  5. Limited General Results Secret Sharing generically protects against weak forms of leakage. [DDF14] Noisy Leakage [BIVW16] Low approximate degree leaks [BIVW16] Low approximate degree leaks

  6. Leakage Model: Local Leakage … … Leak any partial Leak any partial information about state. Restricted form of Only Computation Leaks[Micali-Reyzin04, GR12, BDL14], Bounded Comm. Leakage [GIMSS16]

  7. Is Local Leakage reasonable? Local: Justified by physical separation Local: Justified by physical separation Shrinking: Timing, power, selective failures give limited information limited information Adversarial

  8. Additive Secret Sharing Shamir Secret Sharing Completely random Shares are evaluations Shares are evaluations Threshold: Degree + 1 points to reconstruct

  9. Is Additive Secret Sharing Local Leakage Resilient? A. Not Necessarily. One bit each leaks one bit of the secret!

  10. How about Shamir ? Guruswami-Wootters 16: One bit per server A. Not secure. Convert to additive. can reconstruct the whole secret! Regenerating Codes: When a server goes Lagrange Interpolation down, minimum communication you need to reconstruct.

  11. Results Overview Leakage Resilience of Additive & Shamir Secret Sharing Application: Leakage Resilience of GMW protocol Application: Local Share Conversion

  12. Results: Additive Secret Sharing Thm . Thm .

  13. Results: Shamir Secret Sharing Thm . Thm .

  14. GW16: Reconstruct secret 1 bit of secret leaked Full Break Full Break n/2 degree t ?? Conjecture .

  15. 0 0 0 Random Secret 6 6 6 6 6 6 1 1 1 1 1 1 5 5 5 2 2 2 4 4 4 3 3 3 6 2 4 0 1 5 3 Generalizes to const. servers

  16. Application: MPC Honest-but-Curious GMW w/ preprocessed Beaver Triples Goldreich-Micali-Wigderson87, Beaver91 Secret Shared Inputs Preprocessing Beaver Triples for product gates Computation Computation Addition: Locally Add Shares Addition: Locally Add Shares Multiplication: Use Beaver Triples

  17. Application: MPC Thm .

  18. Byproduct : On Local Share Conversion [Beimel-Ishai-Kushilevitz-Orlov12] Locally convert secret under one scheme to related secret under other scheme related secret under other scheme Lagrange Coefficients.

  19. Byproduct : On Local Share Conversion Homomorphic Secret Sharing (Boyle-Gilboa-Ishai16) To get 3-server HSS:

  20. Techniques 0 0 0 0 4 1 4 4 4 1 1 1 2 3 2 2 2 3 3 3 No subgroups No subgroups Some Some information. 2 4 0 1 3

  21. Techniques

  22. Summary Application : Honest-but-Curious GMW is leakage resilient. Application : Local Share Conversion Impossibility results.

  24. Usually in Leakage Resilience [Cite many works on leakage. ] Here: Here: Given existing schemes, Given existing schemes, how Leakage Resilient are they?

  25. Results: Thm . Thm . Thm .

  26. Q: How Leakage Resilient are - Shamir & Additive Secret Sharing? - Shamir & Additive Secret Sharing? - GMW & BGW style MPC Protocols? Why? Why? - Exist and are Used. - Useful Properties: Homomorphisms.

  27. Is Additive Secret Sharing Local Leakage Resilient? A. Not always. … … One bit each leaks one bit of the secret! Guruswami-Wootters16: For Shamir, one bit each allows full reconstruction of secret.

  28. Techniques To show: 0 0 0 4 1 4 1 4 1 Pr[ ] 3 3 2 2 3 3 2 2 3 3 2 2 secret = 1 secret = 1 secret = 0 secret = 0

  29. Application : Honest-but-Curious GMWs w/ preprocessed Beaver Triples Secret Share Inputs Secret Share Inputs Preprocess Beaver Triples for product gates: Compute: Addition: Locally Add Shares

  30. Techniques Secret: 10 = 11 + 01 + 00 00 01 00 01 00 01 00 01 00 01 00 01 Attack: Leak lsb(share) Attack: Leak lsb(share) 10 11 10 11 10 11 lsb(secret) = sum of leaks Leak reveals: Share’s coset 00 01 00 01 00 01 00 01 The coset is a group. The coset is a group. 10 11 10 11 Learn secret’s coset.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with

Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with

Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with Vipul Goyal, Raghu Meka, and Amit Sahai Secret Sharing secret s n s 1 s i Correctness: Any out of parties can

1.72k views • 144 slides
Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last time (n,t) secret-sharing (n,n) via additive secret-sharing Shamir secret-sharing for general (n,t) Shamir secret-sharing is a linear

611 views • 14 slides
Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini Vasudevan UC Berkeley Secret Sharing [Shamir 79, Blakley 79] Share 1 , , Reconstruction: Given at least

1.45k views • 20 slides
Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing Constructions Moir Cryptography Issues Secret Sharing Secret Sharing Threshold Secret Sharing (Shamir, Blakely 1979) Motivation

1.32k views • 62 slides
Enforcing ideal-world leakage bounds in real-world secret sharing MPC frameworks Almeida 1 , 4

Enforcing ideal-world leakage bounds in real-world secret sharing MPC frameworks Almeida 1 , 4

Enforcing ideal-world leakage bounds in real-world secret sharing MPC frameworks Almeida 1 , 4 Barbosa 1 , 3 Barthe 2 Jos e Bacelar Manuel Gilles Hugo Pacheco 1 , 4 Vitor Pereira 1 , 3 Bernardo Portela 1 , 3 July 10, 2018 @ CSF 2018 1

282 views • 24 slides
Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e Boyle Niv Gilboa Yuval Ishai IDC BGU Technion & UCLA Secure ComputaGon Approaches Classical

342 views • 33 slides
Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp. 612613 Eli Biham - May 3, 2005 c 497 Secret Sharing (17) How to Keep a Secret Key Securely Information can be secured by encryption under a

597 views • 23 slides
Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT

Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT

Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT 50th ACM Symposium on Theory of Computing June 27, 2018 Secret Sharing [Blakley79,Shamir79,Ito-Saito-Nishizeki87] Secret Secret Sharing

790 views • 75 slides
Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013

Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013

Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013 Outline 1. Introduction 2. Shamir Secret Sharing and Habeeb-Kahrobaei-Shpilrain secret sharing 3. Adjustments to HKS secret sharing and analysis

444 views • 27 slides
Tamper and Leakage Resilience in the Split State Model Feng-Hao Liu Anna Lysyanskaya

Tamper and Leakage Resilience in the Split State Model Feng-Hao Liu Anna Lysyanskaya

Tamper and Leakage Resilience in the Split State Model Feng-Hao Liu Anna Lysyanskaya Brown University I/O Access to a Device Secret s x x D s (x) D s (x) Device for D s ( ) User

683 views • 24 slides
Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is it? Any one of you knows nothing! Any two of you can figure it out! Example Applications: Nuclear launch: need at least 3 out of 5 people to

513 views • 23 slides
Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and

Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and

Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and Dominique Schrder Friedrich-Alexander University Erlangen-Nrnberg Homomorphic Secret Sharing A secret-sharing scheme allows a client to share his

247 views • 14 slides
Robust Secret Sharing Schemes Against Local Adversaries Allison Bishop Lewko Valerio Pastro

Robust Secret Sharing Schemes Against Local Adversaries Allison Bishop Lewko Valerio Pastro

Robust Secret Sharing Schemes Against Local Adversaries Allison Bishop Lewko Valerio Pastro Columbia University April 2, 2015 Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 1 / 22 Secret Sharing (Informal) (Share , Rec) pair of

505 views • 47 slides
Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod

Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod

Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod Vaikuntanathan Hoeteck Wee MIT MIT CNRS and ENS May 6, 2018 Secret Sharing [Blakley79,Shamir79,Ito-Saito-Nishizeki87] Secret s { 0 , 1 }

1.02k views • 85 slides
CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom Austin San Jos State University Secret Sharing: Motivation Goal: make secret available, but make it hard to peek. Divide secret among

731 views • 48 slides
Key-policy Attribute-based Encryption for General Boolean Circuits from Secret Sharing and

Key-policy Attribute-based Encryption for General Boolean Circuits from Secret Sharing and

Key-policy Attribute-based Encryption for General Boolean Circuits from Secret Sharing and Multi-linear Maps agan 1 and Ferucio Laurent iplea 2 Constantin C at alin Dr iu T 1 CNRS, LORIA, 54506 Vandoeuvre-l` es-Nancy Cedex France

623 views • 18 slides
FORECAST ANNUAL RECONCILIATION PAYMENT Q3 GAS YEAR 2019/20 Forecast Annual Reconciliation

FORECAST ANNUAL RECONCILIATION PAYMENT Q3 GAS YEAR 2019/20 Forecast Annual Reconciliation

FORECAST ANNUAL RECONCILIATION PAYMENT Q3 GAS YEAR 2019/20 Forecast Annual Reconciliation Payments Assumptions: Forecast Required Revenue (FRR) of TSOs equal Actual Required Revenue (ARR) of TSOs* Q4 licence revenue forecast updated to

152 views • 4 slides
NOSQL GAMES Patrick Huesler wooga GmbH D o you like to play? technical challenges monthly acti

NOSQL GAMES Patrick Huesler wooga GmbH D o you like to play? technical challenges monthly acti

NOSQL GAMES Patrick Huesler wooga GmbH D o you like to play? technical challenges monthly acti v e use r s 20,543,500 f o r D iamond D ash http:/ /www.appdata.com/apps/facebook/127995567256931-diamond-dash (03/10/2012) daily acti v e use r s

1.23k views • 93 slides
Dynamics of Linear Perturbations in Modified Gravity COSMO 2007 University of Sussex, Brighton,

Dynamics of Linear Perturbations in Modified Gravity COSMO 2007 University of Sussex, Brighton,

Dynamics of Linear Perturbations in Modified Gravity COSMO 2007 University of Sussex, Brighton, August 07 Alessandra Silvestri collaborators: M.T rodden, L.Pogosian, R.Bean, S.M.Carroll, I.Sawicki and D.Bernat references :

256 views • 23 slides
BGP Here, There and Everywhere Tor Ldre 2 BGP Here, There and Everywhere The networking

BGP Here, There and Everywhere Tor Ldre 2 BGP Here, There and Everywhere The networking

1 BGP Here, There and Everywhere Tor Ldre 2 BGP Here, There and Everywhere The networking revolution is coming now 3 BGP Here, There and Everywhere Extend your code defined network to the data center, using linux on the control plane

564 views • 20 slides
PARADIS PAssive RAdiometric Device Identification System : Identifying Transmitters via

PARADIS PAssive RAdiometric Device Identification System : Identifying Transmitters via

PARADIS PAssive RAdiometric Device Identification System : Identifying Transmitters via Radiometric Signatures Sang-Ho Oh Radiometric Identification Waveform Impairments in Analog Frontend Transmitter Hardware imperfection

527 views • 13 slides
Biometrics & Privacy Stefan Katzenbeisser Security Engineering Group Technische Universitt

Biometrics & Privacy Stefan Katzenbeisser Security Engineering Group Technische Universitt

Biometrics & Privacy Stefan Katzenbeisser Security Engineering Group Technische Universitt Darmstadt skatzenbeisser@acm.org http://www.seceng.informatik.tu-darmstadt.de 1 Biometrics Goal : Identification of people through

286 views • 14 slides
Disclosures CLINICAL DECISION-MAKING: CASE STUDIES Radius - Consulting Dolores Shoback, MD

Disclosures CLINICAL DECISION-MAKING: CASE STUDIES Radius - Consulting Dolores Shoback, MD

Disclosures CLINICAL DECISION-MAKING: CASE STUDIES Radius - Consulting Dolores Shoback, MD Professor of Medicine, UCSF Osteoporosis 2018: New Insights in Research, Diagnosis, and Clinical Care July 13, 2018 Selecting Treatment -

444 views • 11 slides
CIMAT, Guanajuato, Mexico 5th Workshop on Game-Theoretic Probability and Related Topics, 13-15

CIMAT, Guanajuato, Mexico 5th Workshop on Game-Theoretic Probability and Related Topics, 13-15

CIMAT, Guanajuato, Mexico 5th Workshop on Game-Theoretic Probability and Related Topics, 13-15 November 2014 A Prequential Approach to Financial Risk Management Mark Davis Department of Mathematics Imperial College London

690 views • 37 slides

More recommend