Hello, my name is Mark Simkin, and in this talk I'm presenting a joint work with Jesper Buus Nielsen, which is called Lower Bounds for Leakage-Resilient Secret Sharing. In a threshold secret sharing scheme, a dealer who has some secret, which is depicted here by a blue file, can split this secret into a bunch of shares such that any number of shares that is above the reconstruction threshold can reconstruct the secret, whereas for any number of shares that is below the reconstruction threshold, there is no information about the secret whatsoever. Classical secret sharing notions such as plain secret sharing, verifiable secret sharing or robust secret sharing all consider all-or-nothing adversaries that get full access to some of the shares and no access to some other subset of the shares. A more recent line of works considered so-called leakage-resilient secret sharing schemes, where the adversary is given some form of leakage from every single share. So here the adversary does not see any of the shares in full, but he obtains some limited amount of information from every single share.

And the security requirement that we would like to have from such a leakage-resilient secret sharing scheme is that if I have a blue secret and a different green secret, and I secret share both of those independently, and then I produce the blue leakage vector or the green leakage vector and give one of those two vectors to an adversary, the adversary should not be able to tell which of those two vectors he or she obtained. So more concretely, the distribution of the blue leakage vectors and the distribution of the green leakage vectors should be indistinguishable. And as mentioned before, over the past three years there have been a lot of works that have focused on constructing more and more efficient leakage-resilient secret sharing schemes for slightly different notions of what exactly leakage-resilient means.

A somewhat orthogonal question was asked by Benhamouda et al. at Crypto 2018. Here the authors asked: to what extent do existing popular secret sharing schemes such as Shamir secret sharing already provide leakage resilience? And interestingly, the authors showed that t-out-of-n Shamir secret sharing is one-bit leakage-resilient if the reconstruction threshold is a large fraction of the total number of shares. So if the reconstruction threshold requires 90% of the shares, then Shamir secret sharing is secure against an adversary who obtains one bit of leakage from every single share. And based on this positive result, the authors conjectured that, more generally, t-out-of-n Shamir secret sharing is always one-bit leakage-resilient if the reconstruction threshold is some constant fraction of the total number of shares.

In this work we asked the question: to what extent will we have to pay a price for having this additional property of leakage resilience? Can we hope to obtain leakage-resilient secret sharing schemes that are as efficient as standard secret sharing schemes, or is there an inherent cost that we will always have to pay? So before talking about any form of an inherent cost, let us first define the parameters that we actually care about. We will denote the number of parties, or the number of shares, by n. We will denote the reconstruction threshold by small t, so t or more shares can reconstruct the secret, and fewer than t shares learn no information about the secret. We will consider leakages from the shares which are arbitrary functions of the shares. The only restriction we impose on those functions is that their outputs are bounded by l bits, so every leakage function is applied independently to the shares, and the outputs of those leakage functions are l-bit strings. We will denote the share size by small p, and then we would like to measure the amount of randomness that is needed to construct a secret sharing. This we will measure in a very crude way by a randomness complexity capital T, where capital T shares not only define the secret, but capital T shares uniquely define the remaining shares of this particular secret sharing. So small t shares are needed to reconstruct the secret, and capital T shares are needed to reconstruct the whole vector of shares. In other words, capital T shares contain all of the randomness, and the remaining shares are just deterministic functions thereof. So if we have a large randomness complexity, then we need a lot of randomness to create a secret sharing. If we have a small randomness complexity, then we need less randomness to generate a secret sharing.

So the results in our paper are as follows. We present a lower bound which puts all of those parameters into relation, and roughly speaking it gives us a lower bound on the share size which depends on the number of bits we leak and on the randomness complexity of the secret sharing scheme. So if we have a secret sharing scheme with a very small randomness complexity, then the share size will potentially have to be very large; for example, if the reconstruction threshold small t is 2, then the share size will be linear in l times n. Whereas if the randomness complexity is large, then the share size can potentially be much smaller. For example, if we consider a secret sharing scheme where any constant number of parties can reconstruct the secret, then for such a scheme to be leakage-resilient, we either have very large shares, or we require a lot of randomness during share generation. Using our lower bound, we show that for a reconstruction threshold of c times n divided by log n, Shamir's secret sharing is not one-bit leakage-resilient. So in particular this tells us that the conjecture postulated by Benhamouda et al. is the best we could possibly hope for. In addition, we present an upper bound which basically tells us that in the random oracle model against a computationally bounded adversary, this lower bound does not hold. Here I should mention that in our lower bound we focus on information-theoretically secure secret sharing schemes, and the lower bound also holds in the random oracle model against computationally unbounded adversaries. So what we show is that if we bound the number of queries that an adversary can make to the random oracle, then the lower bound does not hold anymore, and we can actually construct more efficient leakage-resilient secret sharing schemes.

So because we want to prove a lower bound, we make our results stronger by considering a weak security notion, because if we manage to prove a lower bound for a very weak security notion, then this lower bound holds for any stronger security notion as well. So the security notion that we consider here is one-way leakage resilience, which is defined as follows. The adversary is given l-bit-long leakages from each share, and from those leakages the adversary would then like to reconstruct the original secret value. So previously I mentioned an indistinguishability-based notion, and here we will focus on a weaker notion which only requires one-wayness of the secret sharing scheme. The general proof strategy that we will follow to obtain our lower bound is as follows. We will define leakage functions f_1 to f_n which, as mentioned before, will be applied to the shares. We will define an adversary that will somehow use those leakage functions to reconstruct the original secret, and we will then show that the adversary and the leakage functions that we defined will always be successful if we have a secret sharing scheme that violates our lower bound. So for a scheme to be one-way leakage-resilient, at the very least it has to satisfy our lower bound. More concretely, the leakage functions that we will use for our adversary are simply uniformly random functions. So they will get as input a share and they will produce a uniformly random value.

So how does our lower bound proof work? Let us start and consider two arbitrary but fixed secrets, a blue secret and a green secret, and we will have a corresponding blue secret sharing and a green secret sharing. Now the first question you can ask is: if we apply the leakage functions to the blue secret sharing and we apply the leakage functions to the green secret sharing, with what probability will those two vectors of leakages be the same? For understanding this we will make two simple observations. The first observation is that our reconstruction threshold is t, so this means that if I take any t of the blue shares, then these t shares allow me to reconstruct correctly the blue secret. If I take any t of the green shares, then they allow me to reconstruct the green secret. So by correctness we know that in the blue vector of shares and in the green vector of shares we have at least n minus t plus 1 shares that must be different. Now the second observation that we make is the following: let's say we look at the i-th share, and we know that the i-th blue share is different from the i-th green share. Then the probability that those two shares produce the same leakage output is 2 to the minus l, because f_i is a random function which produces an l-bit string as its output. When combining those two observations together, we get a bound on the probability that these two different secret sharings would produce the same leakage vector.

Now let us consider a slightly different setting. Let's say we have an arbitrary but fixed blue secret sharing and we obtain a leakage vector from that. What is the probability that there exists any other green secret and green secret sharing that would produce the same leakage vector? Well, we know that the randomness complexity of the secret sharing scheme that we look at is capital T, and we know that the share size is p bits. So we know that there are 2 to the p times T possible secret sharings. So by a union bound over all the possible secret sharings, together with the inequality at the top, we basically obtain this bound for the probability that for a given leakage vector from the blue secret there exists any other green secret that could have produced the same leakage vector. Conversely, we can now bound the probability that there exists no green secret, no other secret, that would produce this blue leakage vector. So now we have bounded this quantity, but what is this quantity actually, and how does this help us? Well, if this condition happens, then this means that our adversary is actually successful. Remember that our adversary is against an information-theoretically secure secret sharing scheme, so it does not have to be efficient. So in particular, if it obtains this leakage vector from the blue secret sharing and there exists no other green secret that could have produced this vector of leakages, then the adversary can simply try all of the possible secrets with all of the possible leakages and reconstruct the blue secret from the leakage vector. Now if we say we would like to have an adversary that is successful with probability at least one half, then we obtain this inequality, and by rearranging the terms we basically get something that already looks very similar to the bound. So this inequality has to hold if the adversary should be successful with probability at least one half, so the opposite inequality has to hold if we want the adversary to be not successful with probability at least one half. So this is how we obtain our lower bound on a high level.

Now for the upper bound I will only provide a high-level idea here, but to understand how one could approach constructing a secret sharing scheme that breaks our lower bound, we make the following observation. Let's say we look at our inequality for a reconstruction threshold of two, so we consider a two-out-of-n leakage-resilient secret sharing scheme. What our lower bound now tells us is that if the randomness complexity is very small, then the share size will have to be very large, in particular linear in n. However, if the randomness complexity is large, then this enables us to have a small share size. So if T is small, p must be large; if T is large, then p can potentially be small. So the main idea behind our construction is to construct a secret sharing scheme where the shares are, so to speak, de-randomized. More concretely, we will construct a secret sharing scheme where all of the authorized sets, so even if we just have the two parties that reconstruct the secret, these parties will be able to reconstruct all of the shares. However, from the perspective of an adversary it will look like T is still large, because of an appropriate use of the random oracle. A little bit more concretely, what we will do is construct a somewhat artificial secret sharing scheme where any authorized set will not only reconstruct the secret, but any authorized set will also reconstruct a seed which was used to generate all of the shares. What we then do is prove that the secret sharing scheme is leakage-resilient against a computationally bounded adversary, and at the same time, because all of the shares are generated from the seed, this means that two parties can reconstruct the full vector, which means that T will be large. But then we also show that the shares of our leakage-resilient secret sharing scheme are also small, which then breaks the lower bound.
For more details on this you're welcome to read the construction and the proof in more detail in our paper. Thank you for your attention and goodbye.
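As an added illustration that is not part of the talk or the paper, the following Python script plays out the lower-bound argument on a constructed toy instance: 2-out-of-10 Shamir sharing over GF(11) with one bit of uniformly random leakage per share, so p = log2(11), T = t = 2 and l = 1. It enumerates every sharing, tabulates the leakage vectors, measures how often the unbounded one-way adversary recovers the secret, and compares that with the bound 1 - 2^(pT - l(n-t+1)) from the union-bound step; the parameters and all helper names are my assumptions.

```python
import itertools
import math
import random

# Constructed toy instance (my assumption, not from the talk): Shamir sharing over GF(11),
# n = 10 shares, threshold t = 2, so T = t = 2 shares fix the whole vector, the share size
# is p = log2(11) bits and each share leaks l = 1 bit through a random function.
Q, N, T_REC, L_BITS = 11, 10, 2, 1
T_RAND, P_BITS = T_REC, math.log2(Q)

def shamir_share(secret, coeffs):
    """Evaluate secret + c_1*x + ... + c_{t-1}*x^{t-1} over GF(Q) at x = 1..n."""
    return tuple((secret + sum(c * pow(x, j + 1, Q) for j, c in enumerate(coeffs))) % Q
                 for x in range(1, N + 1))

def all_sharings():
    """Every (secret, share vector) pair; there are Q**T of them, one per polynomial."""
    for secret in range(Q):
        for coeffs in itertools.product(range(Q), repeat=T_REC - 1):
            yield secret, shamir_share(secret, coeffs)

def random_leakage_functions(rng):
    """f_1..f_n as in the talk: independent, uniformly random maps share -> l bits."""
    return [{v: rng.getrandbits(L_BITS) for v in range(Q)} for _ in range(N)]

def leak(funcs, shares):
    return tuple(funcs[i][s] for i, s in enumerate(shares))

def one_way_success(funcs):
    """Fraction of sharings whose leakage vector is consistent with exactly one secret.
    The adversary is unbounded: it tabulates the leakage of every possible sharing."""
    sharings = list(all_sharings())
    table = {}
    for secret, shares in sharings:
        table.setdefault(leak(funcs, shares), set()).add(secret)
    hits = sum(len(table[leak(funcs, shares)]) == 1 for _, shares in sharings)
    return hits / len(sharings)

def bound_success(p_bits, t_rand, n, t, l):
    """The talk's bound: at least n-t+1 shares differ, each collides w.p. 2^-l, and a union
    bound over the 2^(pT) sharings gives Pr[collision] <= 2^(pT - l(n-t+1))."""
    return max(0.0, 1.0 - 2.0 ** (p_bits * t_rand - l * (n - t + 1)))

def average_success(trials=100, seed=1):
    """Mean adversary success over fresh draws of the random leakage functions."""
    rng = random.Random(seed)
    return sum(one_way_success(random_leakage_functions(rng)) for _ in range(trials)) / trials
```

Calling `average_success()` gives an observed success rate around 0.8 against `bound_success(P_BITS, T_RAND, N, T_REC, L_BITS)` of about 0.76; with the threshold raised to 9 the bound becomes vacuous, matching the remark that the share-size pressure comes from the n-t+1 differing shares.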