H. K. Maji, H. Nguyen, Anat Paskin-Cherniavsky, Tom Suad, Mingyuan Wang, Xiuyu Ye, Albert Yu
{"title":"Tight Estimate of the Local Leakage Resilience of the Additive Secret-Sharing Scheme & Its Consequences","authors":"H. K. Maji, H. Nguyen, Anat Paskin-Cherniavsky, Tom Suad, Mingyuan Wang, Xiuyu Ye, Albert Yu","doi":"10.4230/LIPIcs.ITC.2022.16","DOIUrl":null,"url":null,"abstract":"Innovative side-channel attacks have repeatedly exposed the secrets of cryptosystems. Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO–2018) introduced local leakage resilience of secret-sharing schemes to study some of these vulnerabilities. In this framework, the objective is to characterize the unintended information revelation about the secret by obtaining independent leakage from each secret share. This work accurately quantifies the vulnerability of the additive secret-sharing scheme to local leakage attacks and its consequences for other secret-sharing schemes. Consider the additive secret-sharing scheme over a prime field among k parties, where the secret shares are stored in their natural binary representation, requiring λ bits – the security parameter. We prove that the reconstruction threshold k = ω (log λ ) is necessary to protect against local physical-bit probing attacks, improving the previous ω (log λ/ log log λ ) lower bound. This result is a consequence of accurately determining the distinguishing advantage of the “parity-of-parity” physical-bit local leakage attack proposed by Maji, Nguyen, Paskin-Cherniavsky, Suad, and Wang (EUROCRYPT–2021). Our lower bound is optimal because the additive secret-sharing scheme is perfectly secure against any ( k − 1)-bit (global) leakage and (statistically) secure against (arbitrary) one-bit local leakage attacks when k = ω (log λ ). Any physical-bit local leakage (1) physical-bit local leakage attacks on the Shamir secret-sharing scheme with adversarially-chosen evaluation places, and (2) local leakage attacks on the Massey secret-sharing scheme corresponding to any linear code. In particular, for Shamir’s secret-sharing scheme, the reconstruction threshold k = ω (log λ ) is necessary when the number of parties is n = O ( λ log λ ). Our analysis of the “parity-of-parity” attack’s distinguishing advantage establishes it as the best-known local leakage attack in these scenarios. Our work employs Fourier-analytic techniques to analyze the “parity-of-parity” attack on the additive secret-sharing scheme. We accurately estimate an exponential sum that captures the vulnerability of this secret-sharing scheme to the parity-of-parity attack, a quantity that is also closely related to the “discrepancy” of the Irwin-Hall probability distribution. Any findings and conclusions or recommendations expressed in this are those of the author(s) and do not necessarily reflect the views of the United or DARPA.","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"38 1","pages":"16:1-16:19"},"PeriodicalIF":0.0000,"publicationDate":"2022-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE International Test Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.4230/LIPIcs.ITC.2022.16","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 7
Abstract
Innovative side-channel attacks have repeatedly exposed the secrets of cryptosystems. Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO–2018) introduced local leakage resilience of secret-sharing schemes to study some of these vulnerabilities. In this framework, the objective is to characterize the unintended information revelation about the secret by obtaining independent leakage from each secret share. This work accurately quantifies the vulnerability of the additive secret-sharing scheme to local leakage attacks and its consequences for other secret-sharing schemes. Consider the additive secret-sharing scheme over a prime field among k parties, where the secret shares are stored in their natural binary representation, requiring λ bits – the security parameter. We prove that the reconstruction threshold k = ω (log λ ) is necessary to protect against local physical-bit probing attacks, improving the previous ω (log λ/ log log λ ) lower bound. This result is a consequence of accurately determining the distinguishing advantage of the “parity-of-parity” physical-bit local leakage attack proposed by Maji, Nguyen, Paskin-Cherniavsky, Suad, and Wang (EUROCRYPT–2021). Our lower bound is optimal because the additive secret-sharing scheme is perfectly secure against any ( k − 1)-bit (global) leakage and (statistically) secure against (arbitrary) one-bit local leakage attacks when k = ω (log λ ). Any physical-bit local leakage (1) physical-bit local leakage attacks on the Shamir secret-sharing scheme with adversarially-chosen evaluation places, and (2) local leakage attacks on the Massey secret-sharing scheme corresponding to any linear code. In particular, for Shamir’s secret-sharing scheme, the reconstruction threshold k = ω (log λ ) is necessary when the number of parties is n = O ( λ log λ ). Our analysis of the “parity-of-parity” attack’s distinguishing advantage establishes it as the best-known local leakage attack in these scenarios. Our work employs Fourier-analytic techniques to analyze the “parity-of-parity” attack on the additive secret-sharing scheme. We accurately estimate an exponential sum that captures the vulnerability of this secret-sharing scheme to the parity-of-parity attack, a quantity that is also closely related to the “discrepancy” of the Irwin-Hall probability distribution. Any findings and conclusions or recommendations expressed in this are those of the author(s) and do not necessarily reflect the views of the United or DARPA.