 So I am Akshay Degwecker. This talk is about the local leakage resilience of linear secret sharing schemes. It's joint work with Fabrice Benhamouda, Yuval Ishai, and Tal Rabin. So let's get started. So we know that leakage attacks can be devastating. And Specter and Meltdown are the most recent instantiations of this phenomena. And one proposed solution to this has been to use secret sharing to protect data and multi-party computation to protect computation. So in this, what you do is you have a dealer who splits his information across multiple servers. And then what you hope is that this makes it harder for an adversary to attack and leak your data. So the formerly the guarantee secret sharing provides us is the following, that if we leak the complete data from some of the servers, this does not reveal your information. So even then your information is still safe. How about if we reveal data from all the servers? So in this case clearly all hope is lost. All the data is known to the adversary and the adversary can recover what was stored. So the question we are concerned about in this talk is what about partial leakage from all of the servers? So this is the question we would focus on. So there is a large body of work, beautiful work on leakage resilient cryptography. And I'm not going to try to summarize all of it. So there are two features of this body of work. So first of all they consider strong leakage models, like very strong leakage models. And they design schemes which satisfy these notions of leakage. So in this talk we are going to tire hands behind our back. So we are not going to allow ourselves to design new schemes. The question we want to ask is that are standard secret sharing schemes leakage resilient? So we are not going to construct a new scheme. We would like to ask what happens to schemes which already exist. So now I have to tell you two things. The first thing I have to tell you is with schemes. And the second thing is under what model of leakage? So we'll come to these questions next. So when it comes to with schemes, in this talk we are going to focus on additive secret sharing and semi secret sharing. I'll leave you what these two are in a few minutes. So why do we want to pick these two? So first of all these are very classical schemes. They have existed for a really long time. They're used as building blocks to many fundamental MPC protocols like GMW and BGW. And finally we also know that these schemes have very nice properties like homomorphisms and linearity which specially designed schemes often don't have. So this is the question we would focus on. Before telling you which model of leakage we would be working on, let me tell you that there are some results known which are which say that secret sharing your data across servers generically protects you from some forms of leakage. So to give you an example, the second work by Bogdanov et al shows that if the adversary was going to apply a low approximate degree function to the leakage then this is something which would be protected by secret sharing your data. And in this talk we want to focus on adversaries who have more power. So these results don't really apply here. Okay, so let me tell you what the model of leakage is. So as the title mentions it's this notion of local leakage. So what do we want here, right? So there is an adversary. What the adversary is allowed to do is that the adversary can specify a leakage function for each of the servers on which we have secret shared the data. And after this, the adversary gets back from all the servers, the output of this leakage function applied to the state of the server. So the adversary can view the, like the function can view the entire state before returning an output. Now the properties we want from these functions are the following. So as said before, the adversary can leak any partial information about the state. The restriction we place on this is that the output of each of these functions should be short, it should be bounded. Like if the adversary was allowed to leak all of it, then clearly we cannot protect if the function was the identity function and was going to leak the whole state. So we want it to be short. So this is a restricted form of the only computation leaks models and the bounded communication model. Good, so the question you should ask yourself is, is this model of leakage reasonable? So let me try to justify it. So the first property of this model is that it is local, that the adversary cannot correlate the output of one, the tampering on one function, server with the output of another leakage. And this could be justified by physical separation. So if the servers were far apart, then you would expect that the adversary isn't able to first tamper. One of them then leaked from the second. The second thing we ask is that this is shrinking. So this was more of a modeling choice. So we know that most of these attacks give limited amount of information on the state. And the way we model this here is that the output is short. Our techniques do seem to extend to the case where you only ask for limited mutual information between the internal state and the data leaked. And finally, we say that the leakage is adversarial. So the adversary gets to pick which function is leaked. And usually when it comes to leakage, the adversary has some control on what leakage the adversary gets. And so this is modeled as the adversary gets to pick what function the adversary applies to the state. Okay. So having said this, now I'll quickly review the two secret sharing schemes we would be focusing on. So additive secret sharing is fairly simple. You have a secret S. It gets split into N parts. Each of these parts is individually random. Even N minus one of these parts are completely random. But when you combine all of them together, they should add up to the original message. So this is typically done over some Abelian group or a field. The second secret sharing scheme we would consider with Shamir secret sharing. So in this scheme, it's an algebraic scheme. What you do is you pick a random polynomial such that the polynomial at zero evaluates the secret. And then the shares for each of the individual parties are evaluations of this polynomial. So finally, this is a threshold secret sharing scheme. So what it means is that the degree of the polynomial plus one many parties are needed to reconstruct the secret. If you have less than that, then you know nothing about the underlying secret. Okay. Good. So this brings us to the question of the talk. Is additive secret sharing leakage resilient in this model? And so the answer is not necessarily. So if we consider additive secret sharing over a field F2 to the K. Usually you consider it over a group, but because I'm going to talk about Shamir next, let's consider it over a field. So if we consider additive secret sharing over this field, it's not leakage resilient. What can the adversary do? The field has a nice algebraic structure. The adversary leaks the least significant bit from each of these shares. And now you can combine these least significant bits to get one bit of the secret. So while additive secret sharing is very robust when it comes to corrupting full shares, like you could corrupt n minus one of the shares completely and you still learn nothing. In this model of local leakage, it's not necessarily leakage resilient. Okay. How about Shamir? So a similar phenomenon happens even when you consider Shamir secret sharing. So the key idea here is you just convert it to additive secret sharing first. So as it is, let's say that you had a secret S which was shared into S1 up to SN using Shamir secret sharing. So as we know that the standard way to decode Shamir secret sharing is to use a Lagrangian interpolation. So you first multiply it by these fixed linear constants and then you add it up. So in this case, now the adversary is straight forward. What do you do? You first multiply each share individually by the corresponding coefficient and then you leak the least significant bit. And this would again leak the least significant bit of the secret. Good. In fact, wait, there's more. So it turns out that if you went to Mary Wooter's talk in the workshop, you can actually reconstruct the whole secret in some regimes by leaking just one bit from each server. This is highly non-trivial, but you can do it. And so what's bad for cryptography tends out to be great for coding theory. This is a part of a very vibrant area of work on de-generating code. So the question here is this question of distributed storage that I have my data. I split it across many servers. One of the server goes down. And so at this point what I want to do is I want to reconstruct the data on this server by communicating as little as possible from all the other servers. And as you can see here, because of this property, you can do it quite efficiently. Good. So finally to summarize, what's happening here is that this field F2 to the K has a lot of small subgroups. And this existence of this small subgroup is what is enabling these attacks to happen. So the natural question is what happens in other fields? Okay, so with this we come to our results. So I'll talk about three sets of results. So the first one is about these secret sharing schemes, like what happens to additive and semi-secret sharing. Then I'll give an application to the leakage resilience of a variant of GMW. And if I have time, I'll talk about share conversion, which is without communicating, transform shares of a secret under one secret sharing scheme to secret under another secret sharing scheme without interacting. Okay, so let's begin. Good, so in case of additive secret sharing, what we show is that prime order fields are more leakage resilient than F2 to the K. So formally what we show is the following. That if I start with additive secret sharing over a prime order field FP, rather than over F2 to the K, then additive secret sharing is leakage resilient. So what you can do is you can leak a constant fraction of the bits from every share. And this would still not let you tell which secret was shared originally. So the distinguishing advantage degrades exponentially with the number of servers that are used. And we can show something similar for some secret sharing, although in a high threshold regime. So here what we can show is that if the degree of the polynomial used for some secret sharing was high, so roughly N minus log N, then Shamir secret sharing is also leakage resilient in this sense, that you can leak a constant fraction of the bits from every share and still the underlying secret is hidden. Okay, so just to point out that usually when we consider Shamir secret sharing in a cryptographic context, the degree of the polynomial is N over two, N over three, it's not N minus log N. So we don't know how to show it for that regime. Okay, so just to point out these results in picture and to put them in perspective. So over F2 to the K, this is what we know. So if you think that the degree of the polynomial is less than N over two, then we know that you can completely reconstruct the secret. So this is this really nice work of Kuroswami and Wutas, which was the inspiration for this paper. And furthermore, even in a higher degree, even if your degree was a bit high, you can at least leak one bit of the secret. So this picture is pointing to the case where I'm only leaking one bit from each of the servers. Okay, and what happens in the case? So interestingly, fast MPC implementations use F2 to the K. And it's very interesting that this algebraic structure, which enables fast computation on these fields, also lets you reconstruct the secret in this way. Okay, and secondly over Fp, we can show that it's leakage resilient in this limited regime. That when the degree is very high, then we know that the secret sharing scheme is resilient. In the middle, we don't know. We don't know any attacks either. And so we would like to conjecture that for large N, let's say N out of 100, N over 100 out of N chamele secret sharing is leakage resilient. So if you prove that N over 100 out of N is leakage resilient, you immediately do imply that say N over two or N over three out of N chamele secret sharing is also leakage resilient. Okay, good. So why do we need large N, right? So I'll quickly describe an attack. So even though, so the reason why these things work is because Fp does not have subgroups, but you can treat it to have subgroups approximately and this works if the number of servers is really small. So here we have let's say F7. What I'm going to do is I'm going to split it by the most significant bit in some sense. So if the input is one of zero, one and two, the leakage is going to say blue. If the input is one of three, four, five, six, it's going to say orange. If the colors look the same ones, yeah. And so we let's think of two servers and so we have these two servers here and a completely random secret is secret shared between the two. So now S1 and S2, the shares these two got are completely random. And let's say we heard the back that the first share was the leakage was blue, the second one was orange. So this tells me that the secret is, which is obtained by adding S1 and S2 is one of these elements in this subset. So it turns out that this distribution is not uniform. So this distribution is skewed to S5 and S6 and not really on two. So this gives me some information on what secret was encoded. And this kind of an attack can be generalized to any constant number of servers. So the dependence on the number of servers is actually necessary. Okay. Good, so the application. So here I'll say that honest but curious GMW. So I'll quickly call what that is. I'm not going to do it very formally. So we do need preprocessing. So in the preprocessing, what happens is every server gets a secret shared inputs and they also get a secret sharing of B by triple. So if you don't know what this is, it's okay. It's going to end shortly. So, and in terms of computation, this is the usual GMW protocol. So to add, you add shares locally and then multiplication you use B by triple. So you subtract the B by triple from your share, you broadcast this and then you recombine to get the output, okay. So we can show that this GMW protocol with preprocessing is leakage resilient to, so it tolerates corrupt fraction of the parties and then leak constant fraction from all the other parties. So this kind of leakage is tolerated, okay. Concentration of a share, sorry, I should have said that. Okay, and so, good. So since I have a few minutes, I'll talk about this. So another quick application is to local share conversion. So here, local share conversion is the following question that you have a bunch of, so you have secret sharing done under one scheme and you want to convert it to a related secret sharing done under another scheme, right? So we have seen one example of this in this topic now. So if I wanted to convert Shamir to additive, here you have evaluations and the polynomial. We know that the way to convert it would be using Lagrange coefficient. So what you do is that you individually multiply each secret by the corresponding Lagrange, each share by the corresponding Lagrange coefficient and then that's my secret sharing under the additive scheme, right? So this work of Boyle Gilbo and Ishaevich constructed homomorphic secret sharing at its heart had a similar local share conversion scheme. So what it did was you were given as input something in the exponent of a DDH group and then, so here what happened was there was a bit and this bit was secret shared in the exponent between two servers. So g to the x times g to the y was the bit and then they could convert it into usual, they could convert without interaction, this into bits. So as the output of the secret share conversion were two bits such that these two bits added up to the underlying result. One natural way of generalizing this to three-party homomorphic secret sharing would be the following. That you have three servers. The three servers hold a secret sharing of the input, again in the exponent. So g to the x times g to the y times g to the z is the bit and now what you want to output we are this non-interactive local share conversion. E are three bits, b1, b2, and b3 such that they should add up to the underlying bit b. We show that this is impossible. More so even if you were allowed to see these number exponents in the clear. So I give you the exponents, you don't have to solve this secret log. We give you the exponents in the clear even then this kind of a three-party share conversion is impossible. So the intuition here is somewhat clear that roughly we want to view the leak, roughly we want to view the output as the leakage on the underlying input. The input being the original secret share. And then the adversary actually here is limited in the sense that the adversary can only reconstruct by adding the input. And so this allows us to tighten the result. So originally we needed a large number of servers. Here you only need three. Like you can say that even with three servers this kind of a reconstruction doesn't happen. Good. So now I'll quickly talk about the techniques and conclude. So as we saw before, what we want to show is the following. That we have a number of servers, we saw leakage from these servers and we want to say that the underlying secret is still hidden, right? Okay, good. So we know here that the secret would come from some kind of a direct product of these sets in case of additive secret share. That the secret would be obtained by adding all these three sets together. And so here we saw that you leak some amount of information. So note that this is different from the case of F2 to the K where you would know that it lies in one subset. And instead here you know that it lies in, you have some information that it is not the uniform distribution but a different distribution but you still don't know if it lies in a particular subset or not. What you want is something stronger. We want to say that the secret hidden is actually close to random, right? So good. So the first thing to note is that because you are already doing better. So here if you take these two subsets and add them, we know that the output is actually larger. Like it's larger than the size of the, it's approximately at least the size of these two sets combined. So this is not the case of a field with subgroups because if you add elements from the subgroup to themselves, you still stay in the subgroups so the size doesn't grow at all. Here it at least grows a bit, right? So what we actually need here is that to show something that this a1 plus a2, if you think of it as a distribution is close to random. And as I showed before, we cannot show that a1 plus a2 is close to random because it's not actually true. But what you can actually show is that if you added a fairly large number of these subsets, then this is actually close to random. So roughly speaking, you want to say something of the form that addition is somehow extracting randomness from these subsets. And so the techniques used here are Fourier analysis over this field and that's about what I would say about it. So now I'll conclude. So in summary, prime order fields seem to offer better leakage resilience properties against better properties against leakage. So we showed two things. So first of all, we showed that additive secret sharing and semi secret sharing with high threshold are local leakage resilient. We showed an application of this to honest but curious GMW, a variant of GMW. And we also saw some impossibility results of shared conservation, which can be derived from these techniques. So there are many open questions here. The case of semi secret sharing lies in remains open. We would like to say that semi secret sharing when the threshold is n over two is also leakage resilient. So with that, I'll conclude. Thank you.