On the Insecurity of Parallel Repetition for Leakage Resilience

A fundamental question in leakage-resilient cryptography is: can leakage resilience always be amplified by parallel repetition? It is natural to expect that if we have a leakage-resilient primitive tolerating ℓ bits of leakage, we can take n copies of it to form a system tolerating nℓ bits of leakage. In this paper, we show that this is not always true. We construct a public key encryption system which is secure when at most ℓ bits are leaked, but if we take n copies of the system and encrypt a share of the message under each using an n-out-of-n secret-sharing scheme, leaking nℓ bits renders the system insecure. Our results hold either in composite order bilinear groups under a variant of the subgroup decision assumption or in prime order bilinear groups under the decisional linear assumption. We note that the n copies of our public key systems share a common reference parameter.