Securing Secret Sharing Against Leakage and Tampering Ashutosh - - PowerPoint PPT Presentation

Securing Secret Sharing Against Leakage and Tampering

Ashutosh Kumar

Based on joint works with Vipul Goyal, Raghu Meka, and Amit Sahai

Secret Sharing

Correctness: Any out of parties can reconstruct the secret

t n

Secrecy: Secret remains hidden given less than shares

t

secret

s1 sn 𝖳𝗂𝖻𝗌𝖿 si … …

[Blakley79] and [Shamir79]

Shamir’s -out-of- Scheme

2 n

secret

Shamir’s -out-of- Scheme

2 n

secret

Shamir’s -out-of- Scheme

2 n

s1 s2 s3

secret

s4

Shamir’s -out-of- Scheme

2 n

s1 s2 s3

secret

s4

Correctness: Any points determine the line

2

Shamir’s -out-of- Scheme

2 n

s1 s2 s3

secret

s4

Correctness: Any points determine the line

2

Secrecy: point does not

1

What if everyone is slightly ‘corrupt’?

Typically modeled as side-channel attacks

What if everyone is slightly ‘corrupt’?

Passive Adversary: Leakage-Resilience Typically modeled as side-channel attacks

What if everyone is slightly ‘corrupt’?

Passive Adversary: Leakage-Resilience Tampering Adversary: Non-Malleability Typically modeled as side-channel attacks

What if everyone is slightly ‘corrupt’?

Passive Adversary: Leakage-Resilience Tampering Adversary: Non-Malleability Typically modeled as side-channel attacks Long history in cryptography

What if everyone is slightly ‘corrupt’?

Passive Adversary: Leakage-Resilience Tampering Adversary: Non-Malleability Our Goal: Protect secret sharing from such side channel attacks. Typically modeled as side-channel attacks Long history in cryptography

Agenda

Leakage-Resilience Non-Malleability

Leakage?

s1 sn 𝖳𝗂𝖻𝗇𝗃𝗌𝖳𝗂𝖻𝗌𝖿 si … …

secret

Leakage?

Just give me one bit from each share.

s1 sn 𝖳𝗂𝖻𝗇𝗃𝗌𝖳𝗂𝖻𝗌𝖿 si … …

secret

Leakage?

Just give me one bit from each share.

s1 sn 𝖳𝗂𝖻𝗇𝗃𝗌𝖳𝗂𝖻𝗌𝖿 c1 cn si ci … … … …

secret

Leakage?

Just give me one bit from each share. Shamir’s scheme is insecure for some parameter regime! 
 [Guruswami-Wootters 16]

s1 sn 𝖳𝗂𝖻𝗇𝗃𝗌𝖳𝗂𝖻𝗌𝖿 c1 cn si ci … … … …

secret

Leakage-Resilient Secret Sharing

Dziembowski and Pietrzak 07, Goyal-K 18 Benhamouda, Degwekar, Ishai, and Rabin 18

Leakage-Resilience: Secret statistically hidden even 
 given leakage from each share.

ci … … f1(s1) fi(si) fn(sn) s1 sn c1 cn si … …

secret

Limitations of Model

Except for [Davi, Dziembowski, and Venturi 10]

n = 2

• Individual Leakage

• Non-adaptive Leakage


ci … … f1(s1) fi(si) fn(sn) s1 sn c1 cn si … …

secret

Modeling Leakage

Adversary runs a multi-party communication protocol 
 and ‘learns’ transcript

• Constraint 1: Total leakage/communication

• Constraint 2: Type of protocols allowed

[K,Meka,Sahai 19]

Bounded Collusion Protocols (BCP)

s1 sn s2

…

s3

• party Collusion Protocol (CP): 


Each round parties collude and write a bit on the public board

p p

• = collusion bound
• = leakage bound

p μ

Bounded Collusion Protocols (BCP)

s1 sn s2

…

b1 ← f1(s1, s2) s3

• party Collusion Protocol (CP): 


Each round parties collude and write a bit on the public board

p p

Round 1: b1

• = collusion bound
• = leakage bound

p μ

Bounded Collusion Protocols (BCP)

s1 sn s2

…

s3

• party Collusion Protocol (CP): 


Each round parties collude and write a bit on the public board

p p

Round 1: b1

• = collusion bound
• = leakage bound

p μ

Bounded Collusion Protocols (BCP)

s1 sn s2

…

s3 b2 ← f2(s2, s3)

• party Collusion Protocol (CP): 


Each round parties collude and write a bit on the public board

p p

Round 1: b1 Round 2: b2

• = collusion bound
• = leakage bound

p μ

Bounded Collusion Protocols (BCP)

s1 sn s2

…

s3

• party Collusion Protocol (CP): 


Each round parties collude and write a bit on the public board

p p

Round 1: b1 Round 2: b2

• = collusion bound
• = leakage bound

p μ

Bounded Collusion Protocols (BCP)

s1 sn s2

…

s3

• party Collusion Protocol (CP): 


Each round parties collude and write a bit on the public board

p p

Round 1: b1 Round 2: b2 Round :

⋮ μ bμ

• = collusion bound
• = leakage bound

p μ

Bounded Collusion Protocols (BCP)

s1 sn s2

…

s3

• party Collusion Protocol (CP): 


Each round parties collude and write a bit on the public board

p p

• Joint leakage
• Overlapping leakage
• Adaptive

Round 1: b1 Round 2: b2 Round :

⋮ μ bμ

• = collusion bound
• = leakage bound

p μ

BCPs in Communication Complexity

• party CP: Number-in-hand (NIH)

1

BCPs in Communication Complexity

• party CP: Number-on-forehead (NOF)

[Chandra, Furst, Lipton 83] [Babai, Nisan, Szegedy 89]

(n − 1)

• party CP: Number-in-hand (NIH)

1

BCPs in Communication Complexity

• party CP: Number-on-forehead (NOF)

[Chandra, Furst, Lipton 83] [Babai, Nisan, Szegedy 89]

(n − 1)

• party CP: Number-in-hand (NIH)

1

• party CP interpolates between the two

p

Leakage-Resilience against BCPs

s1 sn s2 … sn−1

Round 1: Round :

b1 ⋮ μ bμ

Secret Sharing: 
 Any can recover secret No can recover

t t − 1

Leakage-Resilience: Secret statistically hidden
 given -party CP transcript

p

secret

• party CP

p

• LRSS:

(p, t, n)

Our Result for LRSS

Efficient

• LRSS for

(p, t, n) p = O(log n)

[K,Meka,Sahai 19]

Our Result for LRSS

Efficient

• LRSS for

(p, t, n) p = O(log n)

Theorem: Compile any scheme into leakage-resilient one 
 against -party CP .


p

New share = Old share +2p ⋅ log n ⋅ (μ + log(1/ϵ))

[K,Meka,Sahai 19]

Why BCPs?

Worst possible adversary: p = t − 1

Why BCPs?

Worst possible adversary: p = t − 1 Useful Primitive:

• Allows for composition.
• Ex: Disjoint leakage
• for non-malleability

p = 2

Logarithmic Barrier

Observation: Efficient

• LRSS for

bits of 
 non-adaptive leakage and share size will imply 
 reconstruction fn.

(p, p + 1,n) p2 2po(1) ∉ 𝖡𝖣𝖣0

Leakage-resilience implies communication lower bounds.

[Williams 14]: [Murray, Williams 18]:

𝖮𝖥𝖸𝖰 ⊄ 𝖡𝖣𝖣0 𝖮𝖱𝖰 ⊄ 𝖡𝖣𝖣0

Concurrent and Independent Work

[Badrinarayanan and Srinivasan 19]

• out-of-n LRSS

Positive rate NMSS Multi-Tampering NMSS [Aggarwal et al. 19] Compiler for LRSS Multi-Tampering NMSS Threshold signatures [Srinivasan and Vasudevan 19] Rate efficient LRSS Rate efficient NMSS An application to MPC

O(1)

Their Focus: 
 Good rate for individual 
 and non-adaptive leakage.

Concurrent and Independent Work

[Badrinarayanan and Srinivasan 19]

• out-of-n LRSS

Positive rate NMSS Multi-Tampering NMSS [Aggarwal et al. 19] Compiler for LRSS Multi-Tampering NMSS Threshold signatures [Srinivasan and Vasudevan 19] Rate efficient LRSS Rate efficient NMSS An application to MPC

O(1)

Our Focus: Joint and adaptive leakage. Rate for constant .

1/log n p

Their Focus: 
 Good rate for individual 
 and non-adaptive leakage.

Our Construction for LRSS

Efficient

• LRSS for

(p, t, n) p = O(log n)

Simple construction using NOF lower bounds

Outline

• Phase 1:
• LRSS

(p, p + 1,p + 1)

NOF lower bounds

↓

Outline

• Phase 1:
• LRSS

(p, p + 1,p + 1)

• Phase 2:
• LRSS
• LRSS

(p, p + 1,p + 1) → (p, p + 1,n)

Increase # of parties

↓

NOF lower bounds

↓

Outline

• Phase 1:
• LRSS

(p, p + 1,p + 1)

• Phase 2:
• LRSS
• LRSS

(p, p + 1,p + 1) → (p, p + 1,n)

• Phase 3:
• LRSS
• LRSS

(p, p + 1,n) → (p, t, n)

Increase # of parties

↓

Increase threshold

↓

NOF lower bounds

↓

Phase 1:

• LRSS

(p, p + 1,p + 1)

: Total leakage allowed
 : error in leakage-resilience

μ ϵ

Main ingredient: 


• ‘hard’ for 


NOF protocols with communication.

𝖦 : ({0,1}r)p+1 → {0,1} ϵ μ

[Babai, Nisan, and Szegedy 89]: 
 Explicit with

𝖦 r = 2p(μ + log(1/ϵ))

Phase 1:

• LRSS

(p, p + 1,p + 1)

Phase 1:

• LRSS

(p, p + 1,p + 1)

𝖳𝗂𝖻𝗌𝖿(m)

Phase 1:

• LRSS

(p, p + 1,p + 1)

• 𝖲𝖻𝗈𝖾𝗉𝗇 a1, …, ap+1 ∈ {0,1}r

𝖳𝗂𝖻𝗌𝖿(m)

Phase 1:

• LRSS

(p, p + 1,p + 1)

• 𝖲𝖻𝗈𝖾𝗉𝗇 a1, …, ap+1 ∈ {0,1}r
• a ← 𝖦(a1, …, ap+1)

𝖳𝗂𝖻𝗌𝖿(m)

Phase 1:

• LRSS

(p, p + 1,p + 1)

• 𝖲𝖻𝗈𝖾𝗉𝗇 a1, …, ap+1 ∈ {0,1}r
• a ← 𝖦(a1, …, ap+1)
• b1, …, bp+1 ← 𝖸𝖯𝖲p+1

p+1(m ⊕ a)

𝖳𝗂𝖻𝗌𝖿(m)

Phase 1:

• LRSS

(p, p + 1,p + 1)

• 𝖲𝖻𝗈𝖾𝗉𝗇 a1, …, ap+1 ∈ {0,1}r
• a ← 𝖦(a1, …, ap+1)
• b1, …, bp+1 ← 𝖸𝖯𝖲p+1

p+1(m ⊕ a)

• sharei ← ai, bi

𝖳𝗂𝖻𝗌𝖿(m)

Phase 1:

• LRSS

(p, p + 1,p + 1)

• 𝖲𝖻𝗈𝖾𝗉𝗇 a1, …, ap+1 ∈ {0,1}r
• a ← 𝖦(a1, …, ap+1)
• b1, …, bp+1 ← 𝖸𝖯𝖲p+1

p+1(m ⊕ a)

• sharei ← ai, bi

𝖳𝗂𝖻𝗌𝖿(m) 𝖲𝖿𝖽(m)

Phase 1:

• LRSS

(p, p + 1,p + 1)

• 𝖲𝖻𝗈𝖾𝗉𝗇 a1, …, ap+1 ∈ {0,1}r
• a ← 𝖦(a1, …, ap+1)
• b1, …, bp+1 ← 𝖸𝖯𝖲p+1

p+1(m ⊕ a)

• sharei ← ai, bi

𝖳𝗂𝖻𝗌𝖿(m)

• a ← 𝖦(a1, …, ap+1)

𝖲𝖿𝖽(m)

Phase 1:

• LRSS

(p, p + 1,p + 1)

• 𝖲𝖻𝗈𝖾𝗉𝗇 a1, …, ap+1 ∈ {0,1}r
• a ← 𝖦(a1, …, ap+1)
• b1, …, bp+1 ← 𝖸𝖯𝖲p+1

p+1(m ⊕ a)

• sharei ← ai, bi

𝖳𝗂𝖻𝗌𝖿(m)

• a ← 𝖦(a1, …, ap+1)
• m ← a ⊕ b1 ⊕ … ⊕ bp+1

𝖲𝖿𝖽(m)

Phase 1:

• LRSS

(p, p + 1,p + 1)

Leakage-Resilience: 
 Not resilient NOF protocol for

→ 𝖦

• 𝖲𝖻𝗈𝖾𝗉𝗇 a1, …, ap+1 ∈ {0,1}r

a ← 𝖦(a1, …, ap+1) b1, …, bp+1 ← 𝖸𝖯𝖲p+1

p+1(m ⊕ a)

sharei ← ai, bi

𝖳𝗂𝖻𝗌𝖿(m)

• ‘hard’ for 


NOF protocols with communication.

𝖦 : ({0,1}r)p+1 → {0,1} ϵ μ

Phase 2: Lifting 
 to

(p, p + 1,p + 1) (p, p + 1,n)

Naive: For every subset of parties, create an instance of scheme

p + 1 (p, p + 1,p + 1)

Share length: 
 Inefficient for

𝖯𝗆𝖾 ⋅ np p = ω(1)

Scatter and Reuse Shares

independent instances of

• LRSS

M (p, p + 1,p + 1)

s1

1, …, s1 p+1

s2

1, …, s2 p+1

sM

1 , …, sM p+1

⋮ parties

n

3 2 1 1 p p + 1 p 1 2

→

Scattering Matrix [Kurosawa and Stinson 90s]

instances

M

Scatter and Reuse Shares

independent instances of

• LRSS

M (p, p + 1,p + 1)

s1

1, …, s1 p+1

s2

1, …, s2 p+1

sM

1 , …, sM p+1

⋮ parties

n

3 2 1 1 p p + 1 p 1 2

→

Scattering Matrix [Kurosawa and Stinson 90s] s1

3

s1

2

s1

1

s2

1

s2

p

s2

p+1

sM

p

sM

1

sM

2

→

Scattered Shares

n M

Scatter and Reuse Shares

independent instances of

• LRSS

M (p, p + 1,p + 1)

s1

1, …, s1 p+1

s2

1, …, s2 p+1

sM

1 , …, sM p+1

⋮ parties

n

3 2 1 1 p p + 1 p 1 2

→

Scattering Matrix [Kurosawa and Stinson 90s] s1

3

s1

2

s1

1

s2

1

s2

p

s2

p+1

sM

p

sM

1

sM

2

→

Scattered Shares

n

Final share of party i ← 𝖽𝗉𝗆𝗏𝗇𝗈i

M

M n

3 2 1 1 p p + 1 p 1 2

Any parties 
 can reconstruct

p + 1 ↓

Scatter and Reuse Shares

columns row 
 containing

∀ p + 1 ∃ {1,…, p + 1}

What property of scattering matrix?

columns row 
 containing

∀ p + 1 ∃ {1,…, p + 1}

Perfect hash functions:

M = 2p log n

[Fredman, Komlos, and Szemeredi 84] [Alon, Yuster and Zwick 95] [Naor, Schulman and Srinivasan 95]

↑

How to construct such a matrix?

Scatter and Reuse Shares

M n

3 2 1 1 p p + 1 p 1 2

Phase 2: Lifting 
 to

(p, p + 1,p + 1) (p, p + 1,n)

• Share length:

• Secrecy: Immediate


• Leakage-resilience: Hybrid argument

𝖯𝗆𝖾 ⋅ (2p ⋅ log n)

Disjoint subsets?

Handling overlapping collusions in base scheme
 is crucial for scattering. Weaker adversary:

• Partition into disjoint subsets of size
• Non-adaptively leak from each subset

p

Don’t know how to handle without NOF .

p = ω(1)

Phase 3: Lifting 
 to

(p, p + 1,n) (p, t, n)

• Secrecy: From

• Leakage-resilience: From

𝖳𝗂𝖻𝗇𝗃𝗌t

n

𝖬𝖲𝖳𝗂𝖻𝗌𝖿p+1

n

• a, b ← 𝖸𝖯𝖲𝟥

𝟥(m)

a1, …, an ← 𝖳𝗂𝖻𝗇𝗃𝗌t

n(a)

b1, …, bn ← 𝖬𝖲𝖳𝗂𝖻𝗌𝖿p+1

n

(b) sharei ← ai, bi

Phase 3: Lifting 
 to

(p, p + 1,n) (p, t, n)

• Secrecy: From

• Leakage-resilience: From

𝖳𝗂𝖻𝗇𝗃𝗌t

n

𝖬𝖲𝖳𝗂𝖻𝗌𝖿p+1

n

• a, b ← 𝖸𝖯𝖲𝟥

𝟥(m)

a1, …, an ← 𝖳𝗂𝖻𝗇𝗃𝗌t

n(a)

b1, …, bn ← 𝖬𝖲𝖳𝗂𝖻𝗌𝖿p+1

n

(b) sharei ← ai, bi

∎

Agenda

Leakage-Resilience Non-Malleability

s1 s2 s3

What if a party tampers?

s4

secret

What if a party tampers?

s1 s2 s3 s4

What if a party tampers?

secret

s1 s2 s3 s4

Error Correction: Only 1 set of collinear triples

What if a party tampers?

secret

s1 s2 s3 s4

Error Correction: Only 1 set of collinear triples How about 3 parties?

What if a party tampers?

s1 s2 s3

secret

s1 s2 s3

What if a party tampers?

s1 s2 s3

What if a party tampers?

s1 s2 s3

Cannot correct an error with only 3 parties.

What if a party tampers?

s1 s2 s3

Cannot correct an error with only 3 parties.

What if a party tampers?

Can achieve weaker guarantee of
 Error Detection: Non-collinear points

What if everyone tampers?

s1 s2 s3

secret

What if everyone tampers?

s1 s2 s3

Overwrites
 with 0

What if everyone tampers?

s1 s2 s3

Overwrites
 with 0

What if everyone tampers?

s1 s2 s3

Cannot even detect errors!

Overwrites
 with 0

What if everyone tampers?

s1 s2 s3

Cannot even detect errors!

Overwrites
 with 0

But notice: Original secret was ‘destroyed’.

Modeling ‘Destruction’

s1 sn s2 … ˜ s1 ˜ sn ˜ s2 …

Any t

˜ m

Inspired from Non-Malleable Codes:

[Dziembowski, Pietrzak, Wichs 10]

Modeling ‘Destruction’

s1 sn s2 … ˜ s1 ˜ sn ˜ s2 …

Any t

˜ m s1 sn s2 … 1 ˜ s1 ˜ sn ˜ s2 …

Any t

˜ m

≠

Inspired from Non-Malleable Codes:

[Dziembowski, Pietrzak, Wichs 10]

Modeling ‘Destruction’

s1 sn s2 … ˜ s1 ˜ sn ˜ s2 …

Any t

˜ m s1 sn s2 … 1 ˜ s1 ˜ sn ˜ s2 …

Any t

˜ m

≠ ≈ϵ

Inspired from Non-Malleable Codes:

[Dziembowski, Pietrzak, Wichs 10]

Non-Malleable Secret Sharing

s1 sn s2 … m ˜ s1 ˜ sn ˜ s2 …

Any t

˜ m

NMSS:
 
 The distribution of tampered
 secret is either identical or
 statistically independent of the original secret.

[Goyal-K 18]

Non-Malleable Secret Sharing

s1 sn s2 … m ˜ s1 ˜ sn ˜ s2 …

Any t

˜ m

NMSS:
 
 The distribution of tampered
 secret is either identical or
 statistically independent of the original secret.

[Goyal-K 18]

Intuition: Secret hidden even after learning tampered secret.

Shamir’s scheme is Malleable

s1 s2 s3 𝗍𝖿𝖽𝗌𝖿𝗎

Shamir’s scheme is Malleable

s1 s2 s3 𝗍𝖿𝖽𝗌𝖿𝗎 s1 + 1 s2 + 1 s3 + 1

Shamir’s scheme is Malleable

s1 s2 s3 𝗍𝖿𝖽𝗌𝖿𝗎 s1 + 1 s2 + 1 s3 + 1 𝗍𝖿𝖽𝗌𝖿𝗎 + 1

Shamir’s scheme is Malleable

s1 s2 s3 𝗍𝖿𝖽𝗌𝖿𝗎 s1 + 1 s2 + 1 s3 + 1 𝗍𝖿𝖽𝗌𝖿𝗎 + 1

In fact, all linear schemes are malleable.

Our Results for NMSS

Theorem [Goyal-K 18]: Compile any scheme into 
 non-malleable one against individual tampering.

Our Results for NMSS

Theorem [Goyal-K 18]: Compile any scheme into 
 non-malleable one against individual tampering. Theorem [K, Meka, Sahai 19]: Allow tampering 
 to depend on individual leakage.

Our Results for NMSS

Theorem [Goyal-K 18]: Compile any scheme into 
 non-malleable one against individual tampering.

• out-of- NMSS 


studied as NM Codes

2 2 Theorem [K, Meka, Sahai 19]: Allow tampering 
 to depend on individual leakage.

Joint Tampering?

[Goyal-K 18]

Joint Tampering?

[Goyal-K 18]

Theorem: -out-of- scheme that is non-malleable
 against joint tampering in two subsets
 (except equal sized subsets).

t n

Outline for NMSS

• Ingredient 1: -out-of- NMSS

2 2

Non-Malleable Codes

↓

Outline for NMSS

• Ingredient 1: -out-of- NMSS

2 2

• Ingredient 2: A pair of ‘unfriendly’ SS schemes

Non-Malleable Codes

↓

Outline for NMSS

• Ingredient 1: -out-of- NMSS

2 2

• Ingredient 2: A pair of ‘unfriendly’ SS schemes

↓

Non-Malleable Codes

↓

Outline for NMSS

• Ingredient 1: -out-of- NMSS

2 2

• Ingredient 2: A pair of ‘unfriendly’ SS schemes

↓

Our Compiler for NMSS Non-Malleable Codes

↓

l r m ˜ l ˜ r ˜ m

• out-of- NMSS

2 2

l r m ˜ l ˜ r ˜ m

Follows from split-state 
 non-malleable codes

2

• out-of- NMSS

2 2

l r m ˜ l ˜ r ˜ m

Follows from split-state 
 non-malleable codes

2

• out-of- NMSS

2 2

[Dziembowski, Pietrzak, Wichs 10] [Liu, Lysyanskaya 12] [Dziembowski, Kazana, Obremski 13] [Aggarwal, Dodis, Lovett 14] …

• out-of- NMSS?

3 n

𝖳𝗂𝖻𝗌𝖿(m)

• out-of- NMSS?

3 n

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

𝖳𝗂𝖻𝗌𝖿(m)

• out-of- NMSS?

3 n

l r m

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

• l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

𝖳𝗂𝖻𝗌𝖿(m)

• out-of- NMSS?

3 n

l1 l2 l3

…

l r m

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

• l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

• r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

𝖳𝗂𝖻𝗌𝖿(m)

• out-of- NMSS?

3 n

l1 l2 l3 r1 r2 r3

…

l r m

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

• l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

• r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

• sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿(m)

• out-of- NMSS?

3 n

l1 l2 l3 r1 r2 r3

…

l r m

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

• l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

• r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

• sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿(m)

• out-of- NMSS?

3 n

l1 l2 l3 r1 r2 r3

…

Secrecy: Both and hidden given shares

l r 2

l r m

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿

l1 l2 l3 r1 r2 r3

l r

…

m

Non-Malleability?

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿

l1 l2 l3 r1 r2 r3

l r

…

m

Non-Malleability?

˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

…

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿

l1 l2 l3 r1 r2 r3

l r

…

m

Non-Malleability?

˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

˜ l ˜ r

…

˜ m

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿

l1 l2 l3 r1 r2 r3

l r

…

m

Non-Malleability?

To show: uncorrelated with

˜ m m

˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

˜ l ˜ r

…

˜ m

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿

l1 l2 l3 r1 r2 r3

l r

…

m

Non-Malleability?

To show: uncorrelated with

˜ m m

˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

˜ l ˜ r

…

˜ m Lets rely on 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿

l1 l2 l3 r1 r2 r3

l r

…

m

Non-Malleability?

˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

˜ l ˜ r

…

˜ m

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿

l1 l2 l3 r1 r2 r3

l r

…

m

Non-Malleability?

˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

˜ l ˜ r

…

˜ m Problem: and are not tampered independently

l r

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿

l1 l2 l3 r1 r2 r3

l r

…

m

Non-Malleability?

˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

˜ l ˜ r

…

˜ m Problem: and are not tampered independently

l r

Root cause: Schemes sharing are are ‘friendly’

l r

‘Unfriendly’ SS schemes

Idea: Use different thresholds for and

l r

‘Unfriendly’ SS schemes

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌2

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿

Idea: Use different thresholds for and

l r

‘Unfriendly’ SS schemes

• li, ri ← sharei

l ← 𝖲𝖿𝖽3

n(l1, l2, l3)

r ← 𝖲𝖿𝖽2

n(r1, r2)

m ← 𝖮𝖭𝖲𝖿𝖽2

2(l, r)

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌2

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿 𝖲𝖿𝖽

Idea: Use different thresholds for and

l r

‘Unfriendly’ SS schemes

• li, ri ← sharei

l ← 𝖲𝖿𝖽3

n(l1, l2, l3)

r ← 𝖲𝖿𝖽2

n(r1, r2)

m ← 𝖮𝖭𝖲𝖿𝖽2

2(l, r)

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖳𝗂𝖻𝗇𝗃𝗌2

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿 𝖲𝖿𝖽

Secrecy: still hidden

l

Idea: Use different thresholds for and

l r

Non-Malleability?

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Non-Malleability?

• fixed given

and

˜ r ˜ r1 ˜ r2

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Non-Malleability?

• fixed given

and

˜ r ˜ r1 ˜ r2

• can depend on and

l1 l2

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Non-Malleability?

• fixed given

and

˜ r ˜ r1 ˜ r2

• can depend on and

l1 l2

• two shares hides l

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Non-Malleability?

• fixed given

and

˜ r ˜ r1 ˜ r2

• can depend on and

l1 l2

• two shares hides l
• independent of

˜ r l

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Non-Malleability?

• fixed given

and

˜ r ˜ r1 ˜ r2

• can depend on and

l1 l2

• two shares hides l
• independent of

˜ r l

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Non-Malleability?

• fixed given

and

˜ r ˜ r1 ˜ r2

• can depend on and

l1 l2

• two shares hides l
• independent of

˜ r l

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Non-Malleability?

• Problem: not independent of

˜ l r

• fixed given

and

˜ r ˜ r1 ˜ r2

• can depend on and

l1 l2

• two shares hides l
• independent of

˜ r l

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Use Leakage-Resilience

• li, ri ← sharei

l ← 𝖲𝖿𝖽3

n(l1, l2, l3)

r ← 𝖬𝖲𝖲𝖿𝖽2

n(r1, r2)

m ← 𝖮𝖭𝖲𝖿𝖽2

2(l, r)

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗇𝗃𝗌3

n(l)

r1, …, rn ← 𝖬𝖲𝖳𝗂𝖻𝗌𝖿2

n(r)

sharei ← li, ri

𝖳𝗂𝖻𝗌𝖿 𝖲𝖿𝖽

Secrecy: same as before

Non-Malleability?

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Non-Malleability?

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Idea: Think of as leakage from

˜ li ri

Non-Malleability?

• independent of

˜ l1, ˜ l2, ˜ l3 r

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Idea: Think of as leakage from

˜ li ri

Non-Malleability?

• independent of

˜ l1, ˜ l2, ˜ l3 r

• depends on

˜ l ˜ l1, ˜ l2, ˜ l3

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Idea: Think of as leakage from

˜ li ri

Non-Malleability?

• independent of

˜ l1, ˜ l2, ˜ l3 r

• depends on

˜ l ˜ l1, ˜ l2, ˜ l3

• independent of

˜ l r

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Idea: Think of as leakage from

˜ li ri

Non-Malleability?

• independent of

˜ l1, ˜ l2, ˜ l3 r

• depends on

˜ l ˜ l1, ˜ l2, ˜ l3

• independent of

˜ l r

• independent of

˜ r l

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Idea: Think of as leakage from

˜ li ri

Non-Malleability?

• independent of

˜ l1, ˜ l2, ˜ l3 r

• depends on

˜ l ˜ l1, ˜ l2, ˜ l3

• independent of

˜ l r

• independent of

˜ r l

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Idea: Think of as leakage from

˜ li ri

Can now rely on 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2

Non-Malleability?

• independent of

˜ l1, ˜ l2, ˜ l3 r

• depends on

˜ l ˜ l1, ˜ l2, ˜ l3

• independent of

˜ l r

• independent of

˜ r l

l1 l2 l3 r1 r2 r3 ˜ l1 ˜ l2 ˜ l3 ˜ r1 ˜ r2 ˜ r3

l r ˜ l ˜ r

… …

Idea: Think of as leakage from

˜ li ri

∎*

Can now rely on 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2

Compiler for NMSS

• li, ri ← sharei

l ← 𝖲𝖿𝖽(l1, …) r ← 𝖬𝖲𝖲𝖿𝖽2

n(r1, r2)

m ← 𝖮𝖭𝖲𝖿𝖽2

2(l, r)

• l, r ← 𝖮𝖭𝖳𝗂𝖻𝗌𝖿2

2(m)

l1, …, ln ← 𝖳𝗂𝖻𝗌𝖿(l) r1, …, rn ← 𝖬𝖲𝖳𝗂𝖻𝗌𝖿2

n(r)

sharei ← li, ri

𝖮𝖭𝖳𝗂𝖻𝗌𝖿 𝖮𝖭𝖲𝖿𝖽

Separately take care of authorized pairs.

Open Problems

Open Problems

Leakage from disjoint subsets?

Open Problems

Leakage from disjoint subsets?

Open Problems

Leakage from disjoint subsets? Tampering in overlapping subsets?

Open Problems

Leakage from disjoint subsets? Tampering in overlapping subsets?

Open Problems

Leakage from disjoint subsets? Tampering in overlapping subsets? Leakage-resilient multi-party computation?
 


Open Problems

Leakage from disjoint subsets? Tampering in overlapping subsets? Leakage-resilient multi-party computation?
 
 Joint-leakage in non-malleable schemes?

Thank you.

Questions?