Re-randomization and information leakage in MPC multiplication using Shamir secret sharing

(inspired by discussions with my colleagues Giorgos Zirdelis & Vishruti Ganesh; any mistakes are my own).

Consider the case of multiplication in 2-of-3 Shamir secret sharing. The goal is to compute the product of two secrets $a, b$ ; the parties should learn the product $a b$ , but learn nothing else about $a$ and $b$ than could already be deduced from $a b$ . After each party computes the product locally, they possess (in a sense) 3-of-3 Shamir shares of the product $a b$ . As we’ll see below, however, if the parties reveal their shares without first re-randomizing, then information about the original secrets is leaked. Indeed, one of the parties is guaranteed to be within one bit of full knowledge of $a$ and $b$ .

We wish to compute the product of two secrets $a, b$ in 2-of-3 Shamir. Write $α_{i}$ for the evaluation point corresponding to the $i$ th party for $i = 1, 2, 3$ . For simplicity, let’s store the secret as the constant term of the polynomial (so assume $0 \neq α_{i}$ for all $i$ ). So two random polynomials $p, q$ such that $p (0) = a, q (0) = b, deg (p) < 2, deg (q) < 2$ are chosen by the dealer. Note that, because of the degree bound, these polynomials have only one root each! For all $i$ , the $i$ th party takes its share $p (α_{i})$ of $p$ and $q (α_{i})$ of $q$ and multiplies them locally, obtaining $(p q) (α_{i})$ . Assume that the parties now reveal their shares $(p q) (α_{i})$ . Then the product polynomial $p q$ can be interpolated (since it is quadratic, and there are 3 parties, so 3 evaluations). So each of the parties now know $p q$ . Since $p q$ is a product of two linear polynomials, it has two roots, say $β$ and $γ$ (not necessarily distinct). Each party can compute these roots from $p q$ . By uniqueness of factorization, either $β$ is a root of $p$ and $γ$ a root of $q$ , or vice versa. Since there are 3 evaluation points and only two roots, we can choose $i$ such that $α_{i} \neq β, γ$ . Then party $i$ is only 1 bit of information away from full knowledge of the values of the secrets $a, b$ :

if $β$ is a root of $p$ , then party $i$ knows two distinct points $(β, 0)$ , $(α_{i}, p (α_{i}))$ on the graph of $p$ , and this fully determines $a$ ; $γ$ is then a root of $q$ , and in a similar fashion $b$ is also determined.
if instead $γ$ is a root of $p$ (and so $b e t a$ is a root of q) then the values of $a$ and $b$ are similarly fully determined.

It’s either one, or the other! That’s why party $i$ is “1-bit short” of full knowledge.

(Note that this can not be saved by the parties multiplying with the evaluation of their Lagrange polynomial before sharing, since these are public constants (and hence these multiplications can be undone)).

Leave a Reply Cancel reply