Non-malleable codes (NMC) introduced by Dziembowski et al. [ICS’10] allow one to encode “passive” data in such a manner that when a codeword is tampered, the original data either remains completely intact or is essentially destroyed.
Side-channel attacks have repeatedly falsified the assumption that cryptosystems are black boxes. Leakage-resilient cryptography studies the robustness of cryptographic constructions when an unforeseen revelation of information occurs. In this context, recently, Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO–2018) motivated the study of the local leakage resilience of secret-sharing schemes against an adversary who obtains independent leakage from each secret share. Motivated by applications in secure computation, Benhamouda et al. (CRYPTO–2018) initiated the study of the local leakage resilience of Shamir’s secret-sharing scheme, an essential primitive for nearly all threshold cryptography. The objective is to achieve local leakage resilience with as small a fractional reconstruction threshold as possible. Previously, Benhamouda et al. showed that the reconstruction threshold k being at least 0.907 times the number of parties n is sufficient for Shamir’s secret-sharing scheme to be...
Innovative side-channel attacks have repeatedly falsified the assumption that cryptographic implementations are opaque black-boxes. Therefore, it is essential to ensure cryptographic constructions’ security even when information leaks via unforeseen avenues. One such fundamental cryptographic primitive is the secret-sharing schemes, which underlies nearly all threshold cryptography. Our understanding of the leakage-resilience of secret-sharing schemes is still in its preliminary stage. This work studies locally leakage-resilient linear secret-sharing schemes. An adversary can leak m bits of arbitrary local leakage from each n secret shares. However, in a locally leakage-resilient secret-sharing scheme, the leakage’s joint distribution reveals no additional information about the secret. For every constant m, we prove that the Massey secret-sharing scheme corresponding to a random linear code of dimension k (over sufficiently large prime fields) is locally leakage-resilient, where k/n ...
Nearly all secret sharing schemes studied so far are linear or multilinear schemes. Although these schemes allow to implement any monotone access structure, the share complexity, SC, may be suboptimal – there are access structures for which the gap between the best known lower bounds and best known multi-linear schemes is exponential. There is growing evidence in the literature, that non-linear schemes can improve share complexity for some access structures, with the work of Beimel and Ishai (CCC ’01) being among the first to demonstrate it. This motivates further study of non-linear schemes. We initiate a systematic study of polynomial secret sharing schemes (PSSS), where shares are (multi-variate) polynomials of secret and randomness vectors ~s, ~r respectively over some finite field Fq. Our main hope is that the algebraic structure of polynomials would help obtain better lower bounds than those known for the general secret sharing. Some of the initial results we prove in this wor...
The security of cryptographic primitives typically relies on the storage of private secrets by each participant in a perfect manner. However, increasingly, side-channel attacks are demonstrating the pitfalls of assuming these cryptographic entities as opaque monolithic objects over the entire duration the primitive remains alive. Motivated by such concerns, there is a significant interest in revisiting well-established cryptographic primitives and their implementations to identify whether their security continues to hold in the presence of such side-channel attacks. Although there are compilers to convert any secret sharing scheme into one that is robust to local leakage on each of their shares, it is not feasible to replace every instance of traditional secret sharing schemes in use with a leakage-resilient counterpart. Beyond efficiency considerations, there may be an appropriate structure in specific secret-sharing schemes that are fundamental to their usage in a particular conte...
We devise a general secret sharing scheme for evolving access structures (following [KNY16]). Our scheme has (sub)exponentially smaller share complexity (share of i’th party) for certain access structures compared to the general scheme in [5]. We stress that unlike [5]’s scheme, our scheme requires that the entire evolving access structure is known in advance. Revising, [5]’s scheme (in its most optimized form) is based on a representation of the access structure by an ordered (possibly infinite) oblivious, read-once decision tree. Each node is associated with an output of the function (0 or 1). The tree is augmented to cut paths that reach a node where f evaluates to 1 at that node (works for evolving access structures, in which the descendants of all 1-nodes must be 1). Each party Pi receives a (single-bit) share for each edge exiting a node labeled by xi. Generally, the scheme of [5] has share complexity O(wT (i)), where wT (i) is the width of layer i in a decision tree for the a...
We revisit the setting of coding for interactive communication, CIC, (initiated by Schulman ’96) for non-threshold tampering functions. In a nutshell, in the (special case of) the communication complexity setting, Alice and Bob holding inputs x, y wish to compute a function g(x, y) on their inputs over the identity channel using an interactive protocol. The goal here is to minimize the total communication complexity (CC). A "code" for interactive communication is a compiler transforming any π0 working in the communication complexity setting into a protocol π evaluating the same function over any channel f picked from a family F. Here f is a function modifying the entire communication transcript. The goal here is to minimize the code's rate, which is the CC overhead CC(π)/CC(π0) incurred by the compiler. All previous work in coding for interactive communication considered error correction (that is, g(x, y) must be recovered correctly with high probability), which p...
Papers by Anat Paskin-Cherniavsky