On the Security of Linear Secret Sharing with General Noisy Side-Channel Leakage
摘要
Secret sharing is a foundational cryptographic primitive for sharing keys in distributed systems. In a classical (n, t)-threshold setting, it involves a dealer who has a secret, a set of n users to whom shares of the secret are sent, and a threshold t which is the minimum number of shares required to recover the secret. These schemes offer an all-or-nothing security approach where less than t shares reveal no information about the secret. But these guarantees are threatened by side-channel attacks which can leak partial information from each share. Initiated by Benhamouda et al. (Crypto’18), the security of linear secret sharing schemes has been studied for bounded leakage attack models, which assume that the adversary can leak bounded functions of each share. However, this model does not translate into real-world attacks, as physical side-channels are inherently noisy. The \(\delta \) -noisy channel model, proposed by Prouff and Rivain (Eurocrypt’13), is a general leakage framework which captures the noisy behavior of side-channels. In this work, we study the security of linear secret sharing schemes with \(\delta \) -noisy leakage, and show bounds on the mutual information (MI) and statistical bias ( \(\Delta ^{\textrm{TV}}\) ) security metrics. Our results are based on the Fourier analytical framework, first used by Benhamouda et al. (Crypto’18), adapted to the \(\delta \) -noisy leakage model. To give security bounds, we introduce a security parameter \(\eta \le \min {\{1,2\delta \}}\) , determined by the Fourier linear biases of the posterior distributions of the leaked secret shares. Then, the Poisson summation formula enables us to bound the ratio between the observed leakage for some given secret, and leakage under independence as \((1\pm \eta ^t)\) . This is then used to show a) \((n,t \ge \tau (n+1))\) -threshold schemes over \(\mathbb {F}_q\) have at most \(\mathcal {O}(q^{-t(\gamma +1-1/\tau )})\) leakage, given \(\eta \le q^{-\gamma }\) ; and consequently b) for (n, n)-threshold schemes the guessing advantage is at most \((q-1) \cdot \eta ^n \le (q-1)\cdot (2 \delta )^n\) . This work can be viewed as a next step towards closing the gap between theory and practice in leakage resilient cryptography.