TY - GEN
T1 - Leakage-Resilience of the Shamir Secret-Sharing Scheme Against Physical-Bit Leakages
AU - Maji, Hemanta K.
AU - Nguyen, Hai H.
AU - Paskin-Cherniavsky, Anat
AU - Suad, Tom
AU - Wang, Mingyuan
N1 - Publisher Copyright:
© 2021, International Association for Cryptologic Research.
PY - 2021
Y1 - 2021
N2 - Efficient Reed-Solomon code reconstruction algorithms, for example, by Guruswami and Wootters (STOC–2016), translate into local leakage attacks on Shamir secret-sharing schemes over characteristic-2 fields. However, Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO–2018) showed that the Shamir secret-sharing scheme over prime fields is leakage-resilient to one-bit local leakage if the reconstruction threshold is roughly 0.87 times the total number of parties. In several application scenarios, like secure multi-party multiplication, the reconstruction threshold must be at most half the number of parties. Furthermore, the number of leakage bits that the Shamir secret-sharing scheme is resilient to is also unclear. Towards this objective, we study the Shamir secret-sharing scheme's leakage-resilience over a prime field F. The parties' secret shares, which are elements in the finite field F, are naturally represented as λ-bit binary strings representing the elements {0, 1, ..., p−1}. In our leakage model, the adversary can independently probe m bit-locations from each secret share. The inspiration for considering this leakage model stems from the impact that the study of oblivious transfer combiners had on general correlation extraction algorithms, and the significant influence that protecting circuits from probing attacks has on leakage-resilient secure computation. Consider an arbitrary reconstruction threshold k ⩾ 2, physical-bit leakage parameter m ⩾ 1, and number of parties n ⩾ 1. We prove that Shamir's secret-sharing scheme with random evaluation places is leakage-resilient with high probability when the order of the field F is sufficiently large; ignoring polylogarithmic factors, one needs to ensure that log|F| ⩾ n/k. Our result, excluding polylogarithmic factors, states that Shamir's scheme is secure as long as the total amount of leakage m·n is less than the entropy k·λ introduced by the Shamir secret-sharing scheme. Note that our result holds even for small constant values of the reconstruction threshold k, which is essential to several application scenarios. To complement this positive result, we present a physical-bit leakage attack for m = 1 physical-bit leakage from n = k secret shares and any prime field F satisfying |F| ≡ 1 mod k. In particular, there are (roughly) |F|^{n−k+1} such vulnerable choices for the n-tuple of evaluation places. We lower-bound the advantage of this attack for small values of the reconstruction threshold, like k = 2 and k = 3, and any |F| ≡ 1 mod k. In general, we present a formula calculating our attack's advantage for every k as |F| → ∞. Technically, our positive result relies on Fourier analysis, analytic properties of proper rank-r generalized arithmetic progressions, and Bézout's theorem to bound the number of solutions to an equation over finite fields. The analysis of our attack relies on determining the "discrepancy" of the Irwin-Hall distribution. A probability distribution's discrepancy is a new property of distributions that our work introduces, which is of potential independent interest.
KW - Bézout's theorem
KW - Discrete Fourier analysis
KW - Exponential sums
KW - Irwin-Hall distribution
KW - Local leakage resilience
KW - Physical-bit leakage
KW - Random punctured Reed-Solomon codes
KW - Rank-r generalized arithmetic progression
UR - http://www.scopus.com/inward/record.url?scp=85111456458&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-77886-6_12
DO - 10.1007/978-3-030-77886-6_12
M3 - Conference contribution
AN - SCOPUS:85111456458
SN - 9783030778859
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 344
EP - 374
BT - Advances in Cryptology – EUROCRYPT 2021 - 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
A2 - Canteaut, Anne
A2 - Standaert, François-Xavier
PB - Springer Science and Business Media Deutschland GmbH
T2 - 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2021
Y2 - 17 October 2021 through 21 October 2021
ER -