New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme

Ohad Klein; Ilan Komargodski

doi:10.1007/978-3-031-38557-5_5

New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme

Ohad Klein, Ilan Komargodski

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

5 Scopus citations

Abstract

We study the local leakage resilience of Shamir’s secret sharing scheme. In Shamir’s scheme, a random polynomial f of degree t is sampled over a field of size p> n, conditioned on f(0 ) = s for a secret s. Any t shares (i, f(i)) can be used to fully recover f and thereby f(0). But, any t- 1 evaluations of f at non-zero coordinates are completely independent of f(0). Recent works ask whether the secret remains hidden even if say only 1 bit of information is leaked from each share, independently. This question is well motivated due to the wide range of applications of Shamir’s scheme. For instance, it is known that if Shamir’s scheme is leakage resilient in some range of parameters, then known secure computation protocols are secure in a local leakage model. Over characteristic-2 fields, the answer is known to be negative (e.g., Guruswami and Wootters, STOC ’16). Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO ’18) were the first to give a positive answer assuming computation is done over prime-order fields. They showed that if t≥ 0.907 n, then Shamir’s scheme is leakage resilient. Since then, there has been extensive efforts to improve the above threshold and after a series of works, the current record shows leakage resilience for t≥ 0.78 n (Maji et al., ISIT ’22). All existing analyses of Shamir’s leakage resilience for general leakage functions follow a single framework for which there is a known barrier for any t≤ 0.5 n. In this work, we a develop a new analytical framework that allows us to significantly improve upon the previous record and obtain additional new results. Specifically, we show: 1.Shamir’s scheme is leakage resilient for any t≥ 0.69 n.2.If the leakage functions are guaranteed to be “balanced” (i.e., splitting the domain of possible shares into 2 roughly equal-size parts), then Shamir’s scheme is leakage resilient for any t≥ 0.58 n.3.If the leakage functions are guaranteed to be “unbalanced” (i.e., splitting the domain of possible shares into 2 parts of very different sizes), then Shamir’s scheme is leakage resilient as long as t≥ 0.01 n. Such a result is provably impossible to obtain using the previously known technique. All of the above apply more generally to any MDS codes-based secret sharing scheme. Confirming leakage resilience is most important in the range t≤ n/ 2, as in many applications, Shamir’s scheme is used with thresholds t≤ n/ 2. As opposed to the previous approach, ours does not seem to have a barrier at t= n/ 2, as demonstrated by our third contribution.

Original language	English
Title of host publication	Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings
Editors	Helena Handschuh, Anna Lysyanskaya
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	139-170
Number of pages	32
ISBN (Print)	9783031385568
DOIs	https://doi.org/10.1007/978-3-031-38557-5_5
State	Published - 2023
Externally published	Yes
Event	Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings - Santa Barbara, United States Duration: 20 Aug 2023 → 24 Aug 2023

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	14081 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings
Country/Territory	United States
City	Santa Barbara
Period	20/08/23 → 24/08/23

Bibliographical note

Publisher Copyright:
© 2023, International Association for Cryptologic Research.

Funding

Acknowledgments. Anasuya Acharya and Carmit Hazay are supported by ISF grant No. 1316/18. Carmit Hazay is also supported by the Algorand Centres of Excellence programme managed by Algorand Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Algorand Foundation. The fourth author was supported by a JPMorgan Chase Faculty Research Award, Technology, and Humanity Fund from the McCourt School of Public Policy at Georgetown University, and a Google Research Award. Acknowledgements. Research supported in part by an Alon Young Faculty Fellowship, by a grant from the Israel Science Foundation (ISF Grant No. 1774/20), and by a grant from the US-Israel Binational Science Foundation and the US National Science Foundation (BSF-NSF Grant No. 2020643). 2055694. Vassilis Zikas’s research is supported in part by NSF grant no. 2055599 and by Sunday Group. The authors are also supported by the Algorand Centres of Excellence programme managed by Algorand Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Algorand Foundation. Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through Award HR00112020024. A. Srinivasan was supported in part by a SERB startup grant and Google India Research Award. Acknowledgment. Y. Ishai was supported in part by ERC Project NTSC (742754), BSF grant 2018393, ISF grant 2774/20, and a Google Faculty Research Award. D. Khu-rana was supported in part by NSF CAREER CNS-2238718 and DARPA SIEVE. A. Sahai was supported in part from a Simons Investigator Award, DARPA SIEVE award, NTT Research, NSF Frontier Award 1413955, BSF grant 2012378, a Xerox Faculty Research Award, a Google Faculty Research Award, and an Okawa Foundation Research tial privacy in the shuﬄe model and the anonymous reviewers for their comments. Y. Ishai and E. Kushilevitz were supported by ISF grant 2774/20 and BSF grant 2018393. Y. Ishai was additionally supported by ERC Project NTSC (742754). Acknowledgments. Ran Cohen’s research is supported in part by NSF grant no. 2055568. Juan Garay’s research is supported in part by NSF grants no. 2001082 and G. Garimella, M. Rosulek and J. Singh—Authors partially supported by NSF award S2356A. Acknowledgments. The research described in this paper received funding from: the Concordium Blockhain Research Center, Aarhus University, Denmark; the Carlsberg Foundation under the Semper Ardens Research Project CF18-112 (BCM); the European Research Council (ERC) under the European Unions’s Horizon 2020 research and innovation programme under grant agreement No 803096 (SPEC); the Danish Independent Research Council under Grant-ID DFF-0165-00107B (C3PO). Acknowledgements. D. Boneh is supported by NSF, the DARPA SIEVE program, the Simons Foundation, UBRI, and NTT Research. E. Boyle is supported by AFOSR Award FA9550-21-1-0046, ERC Project HSS (852952), and a Google Research Award. H. Corrigan-Gibbs is supported by Capital One, Facebook, Google, Mozilla, Seagate, MIT’s FinTech@CSAIL Initiative, and NSF Award CNS-2054869. N. Gilboa is supported by ISF grant 2951/20, ERC grant 876110, and a grant by the BGU Cyber Center. Y. Ishai is supported by ERC Project NTSC (742754), BSF grant 2018393, and ISF grant 2774/20. Opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DARPA. Acknowledgements. We would like to thank Alin Tomescu, Kobi Gurkan, Julian Loss, and Renas Bacho for many insightful discussions. Gilad Stern was supported by the HUJI Federmann Cyber Security Research Center in conjunction with the Israel National Cyber Directorate (INCD) in the Prime Minister’s Office. ritos and quesadillas. He also thanks the Aarhus Crypto Group and the people at NTT Research for being amazing humans (independently of their success in research). The work of Damiano Abram was carried out during an internship funded by NTT Research. Acknowledgements. This work is supported in part by DARPA under Cooperative Agreement HR0011-20-2-0025, the Algorand Centers of Excellence programme managed by Algorand Foundation, NSF grants CNS-2246355, CCF-2220450 and CNS-2001096, US-Israel BSF grant 2015782, Amazon Faculty Award, Cisco Research Award and Sunday Group. Any views, opinions, findings, conclusions or recommendations contained herein are those of the author(s) and should not be interpreted as necessarily representing the official policies, either expressed or implied, of DARPA, the Department of Defense, the Algorand Foundation, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes not withstanding any copyright annotation therein. Acknowledgements. Pedro Branco was partially funded by the German Federal Ministry of Education and Research (BMBF) in the course of the 6GEM research hub under grant number 16KISK038. Nico Döttling: Funded by the European Union (ERC, LACONIC, 101041207). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Research Council. Neither the European Union nor the granting authority can be held responsible for them. Akshayaram Srinivasan was supported in part by a SERB startup grant and Google India Research Award. Acknowledgements. This work is funded in part by National Science Foundation award 2143058.

Funders	Funder number
Algorand Foundation
BSF-NSF	2020643
European Unions’s Horizon 2020 research and innovation programme	803096
Google India Research Award
JPMorgan
McCourt School of Public Policy
NTSC	742754
Sunday Group
UBRI
US-Israel BSF	2015782
National Science Foundation	2001082, CNS-2001096, CNS-2154174, 2055599, CCF-2220450, CNS-2238718, S2356A, CNS-2026774, 2055568, 2143058, CNS-2246355
Air Force Office of Scientific Research	FA9550-21-1-0046
Defense Advanced Research Projects Agency	HR0011-20-2-0025, HR00112020024
Simons Foundation
Microsoft
Cisco Systems
Google	CNS-2054869
Aarhus Universitet
Georgetown University
NTT Research	1413955, 2012378
European Commission	852952
United States-Israel Binational Science Foundation	2018393, 2774/20
Science and Engineering Research Board
Bundesministerium für Bildung und Forschung	16KISK038
Carlsbergfondet	CF18-112
Israel Science Foundation	1774/20, 876110, 2951/20, 1316/18
Okawa Foundation for Information and Telecommunications
Danmarks Frie Forskningsfond	DFF-0165-00107B
Ben-Gurion University of the Negev

Keywords

Secret sharing
Shamir’s scheme
local leakage resilience

Access to Document

10.1007/978-3-031-38557-5_5

Cite this

Klein, O., & Komargodski, I. (2023). New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme. In H. Handschuh, & A. Lysyanskaya (Eds.), Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings (pp. 139-170). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14081 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-38557-5_5

Klein, Ohad ; Komargodski, Ilan. / New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme. Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings. editor / Helena Handschuh ; Anna Lysyanskaya. Springer Science and Business Media Deutschland GmbH, 2023. pp. 139-170 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{16127e695be7415ca1be71f3d60a8612,

title = "New Bounds on the Local Leakage Resilience of Shamir{\textquoteright}s Secret Sharing Scheme",

abstract = "We study the local leakage resilience of Shamir{\textquoteright}s secret sharing scheme. In Shamir{\textquoteright}s scheme, a random polynomial f of degree t is sampled over a field of size p> n, conditioned on f(0 ) = s for a secret s. Any t shares (i, f(i)) can be used to fully recover f and thereby f(0). But, any t- 1 evaluations of f at non-zero coordinates are completely independent of f(0). Recent works ask whether the secret remains hidden even if say only 1 bit of information is leaked from each share, independently. This question is well motivated due to the wide range of applications of Shamir{\textquoteright}s scheme. For instance, it is known that if Shamir{\textquoteright}s scheme is leakage resilient in some range of parameters, then known secure computation protocols are secure in a local leakage model. Over characteristic-2 fields, the answer is known to be negative (e.g., Guruswami and Wootters, STOC {\textquoteright}16). Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO {\textquoteright}18) were the first to give a positive answer assuming computation is done over prime-order fields. They showed that if t≥ 0.907 n, then Shamir{\textquoteright}s scheme is leakage resilient. Since then, there has been extensive efforts to improve the above threshold and after a series of works, the current record shows leakage resilience for t≥ 0.78 n (Maji et al., ISIT {\textquoteright}22). All existing analyses of Shamir{\textquoteright}s leakage resilience for general leakage functions follow a single framework for which there is a known barrier for any t≤ 0.5 n. In this work, we a develop a new analytical framework that allows us to significantly improve upon the previous record and obtain additional new results. Specifically, we show: 1.Shamir{\textquoteright}s scheme is leakage resilient for any t≥ 0.69 n.2.If the leakage functions are guaranteed to be “balanced” (i.e., splitting the domain of possible shares into 2 roughly equal-size parts), then Shamir{\textquoteright}s scheme is leakage resilient for any t≥ 0.58 n.3.If the leakage functions are guaranteed to be “unbalanced” (i.e., splitting the domain of possible shares into 2 parts of very different sizes), then Shamir{\textquoteright}s scheme is leakage resilient as long as t≥ 0.01 n. Such a result is provably impossible to obtain using the previously known technique. All of the above apply more generally to any MDS codes-based secret sharing scheme. Confirming leakage resilience is most important in the range t≤ n/ 2, as in many applications, Shamir{\textquoteright}s scheme is used with thresholds t≤ n/ 2. As opposed to the previous approach, ours does not seem to have a barrier at t= n/ 2, as demonstrated by our third contribution.",

keywords = "Secret sharing, Shamir{\textquoteright}s scheme, local leakage resilience",

author = "Ohad Klein and Ilan Komargodski",

note = "Publisher Copyright: {\textcopyright} 2023, International Association for Cryptologic Research.; Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings ; Conference date: 20-08-2023 Through 24-08-2023",

year = "2023",

doi = "10.1007/978-3-031-38557-5_5",

language = "אנגלית",

isbn = "9783031385568",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "139--170",

editor = "Helena Handschuh and Anna Lysyanskaya",

booktitle = "Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings",

address = "גרמניה",

}

Klein, O & Komargodski, I 2023, New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme. in H Handschuh & A Lysyanskaya (eds), Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14081 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 139-170, Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings, Santa Barbara, United States, 20/08/23. https://doi.org/10.1007/978-3-031-38557-5_5

New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme. / Klein, Ohad; Komargodski, Ilan.
Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings. ed. / Helena Handschuh; Anna Lysyanskaya. Springer Science and Business Media Deutschland GmbH, 2023. p. 139-170 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14081 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme

AU - Klein, Ohad

AU - Komargodski, Ilan

PY - 2023

Y1 - 2023

N2 - We study the local leakage resilience of Shamir’s secret sharing scheme. In Shamir’s scheme, a random polynomial f of degree t is sampled over a field of size p> n, conditioned on f(0 ) = s for a secret s. Any t shares (i, f(i)) can be used to fully recover f and thereby f(0). But, any t- 1 evaluations of f at non-zero coordinates are completely independent of f(0). Recent works ask whether the secret remains hidden even if say only 1 bit of information is leaked from each share, independently. This question is well motivated due to the wide range of applications of Shamir’s scheme. For instance, it is known that if Shamir’s scheme is leakage resilient in some range of parameters, then known secure computation protocols are secure in a local leakage model. Over characteristic-2 fields, the answer is known to be negative (e.g., Guruswami and Wootters, STOC ’16). Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO ’18) were the first to give a positive answer assuming computation is done over prime-order fields. They showed that if t≥ 0.907 n, then Shamir’s scheme is leakage resilient. Since then, there has been extensive efforts to improve the above threshold and after a series of works, the current record shows leakage resilience for t≥ 0.78 n (Maji et al., ISIT ’22). All existing analyses of Shamir’s leakage resilience for general leakage functions follow a single framework for which there is a known barrier for any t≤ 0.5 n. In this work, we a develop a new analytical framework that allows us to significantly improve upon the previous record and obtain additional new results. Specifically, we show: 1.Shamir’s scheme is leakage resilient for any t≥ 0.69 n.2.If the leakage functions are guaranteed to be “balanced” (i.e., splitting the domain of possible shares into 2 roughly equal-size parts), then Shamir’s scheme is leakage resilient for any t≥ 0.58 n.3.If the leakage functions are guaranteed to be “unbalanced” (i.e., splitting the domain of possible shares into 2 parts of very different sizes), then Shamir’s scheme is leakage resilient as long as t≥ 0.01 n. Such a result is provably impossible to obtain using the previously known technique. All of the above apply more generally to any MDS codes-based secret sharing scheme. Confirming leakage resilience is most important in the range t≤ n/ 2, as in many applications, Shamir’s scheme is used with thresholds t≤ n/ 2. As opposed to the previous approach, ours does not seem to have a barrier at t= n/ 2, as demonstrated by our third contribution.

AB - We study the local leakage resilience of Shamir’s secret sharing scheme. In Shamir’s scheme, a random polynomial f of degree t is sampled over a field of size p> n, conditioned on f(0 ) = s for a secret s. Any t shares (i, f(i)) can be used to fully recover f and thereby f(0). But, any t- 1 evaluations of f at non-zero coordinates are completely independent of f(0). Recent works ask whether the secret remains hidden even if say only 1 bit of information is leaked from each share, independently. This question is well motivated due to the wide range of applications of Shamir’s scheme. For instance, it is known that if Shamir’s scheme is leakage resilient in some range of parameters, then known secure computation protocols are secure in a local leakage model. Over characteristic-2 fields, the answer is known to be negative (e.g., Guruswami and Wootters, STOC ’16). Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO ’18) were the first to give a positive answer assuming computation is done over prime-order fields. They showed that if t≥ 0.907 n, then Shamir’s scheme is leakage resilient. Since then, there has been extensive efforts to improve the above threshold and after a series of works, the current record shows leakage resilience for t≥ 0.78 n (Maji et al., ISIT ’22). All existing analyses of Shamir’s leakage resilience for general leakage functions follow a single framework for which there is a known barrier for any t≤ 0.5 n. In this work, we a develop a new analytical framework that allows us to significantly improve upon the previous record and obtain additional new results. Specifically, we show: 1.Shamir’s scheme is leakage resilient for any t≥ 0.69 n.2.If the leakage functions are guaranteed to be “balanced” (i.e., splitting the domain of possible shares into 2 roughly equal-size parts), then Shamir’s scheme is leakage resilient for any t≥ 0.58 n.3.If the leakage functions are guaranteed to be “unbalanced” (i.e., splitting the domain of possible shares into 2 parts of very different sizes), then Shamir’s scheme is leakage resilient as long as t≥ 0.01 n. Such a result is provably impossible to obtain using the previously known technique. All of the above apply more generally to any MDS codes-based secret sharing scheme. Confirming leakage resilience is most important in the range t≤ n/ 2, as in many applications, Shamir’s scheme is used with thresholds t≤ n/ 2. As opposed to the previous approach, ours does not seem to have a barrier at t= n/ 2, as demonstrated by our third contribution.

KW - Secret sharing

KW - Shamir’s scheme

KW - local leakage resilience

UR - http://www.scopus.com/inward/record.url?scp=85172355279&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-38557-5_5

DO - 10.1007/978-3-031-38557-5_5

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85172355279

SN - 9783031385568

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 139

EP - 170

BT - Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings

A2 - Handschuh, Helena

A2 - Lysyanskaya, Anna

PB - Springer Science and Business Media Deutschland GmbH

T2 - Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings

Y2 - 20 August 2023 through 24 August 2023

ER -

Klein O, Komargodski I. New Bounds on the Local Leakage Resilience of Shamir’s Secret Sharing Scheme. In Handschuh H, Lysyanskaya A, editors, Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings. Springer Science and Business Media Deutschland GmbH. 2023. p. 139-170. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-38557-5_5