Abstract
In the context of side-channel attacks against cryptographic circuits, t-probing security characterizes the amount of information derivable about sensitive values (e.g., keys) by observing t output/internal values. Non-interference is a useful mathematical tool used by researchers to assess the probing security of a circuit which employs Boolean masking to protect itself from attacks. However, reasoning about non-interference still requires either difficult ratiocination or complex automatic tools. In this work, we propose a novel point of view to reason about non-interference, by exploiting the Walsh transform of a Boolean function. To this end, we introduce a calculus for mechanically reasoning about the shares of a variable and show that this formalism provides a lean algebraic explanation of known compositional patterns, allowing for the discovery of new ones. Finally, we show how this formalism can be applied to study the probing security of known cryptographic gadgets.
1 Introduction
An attacker can mount a side-channel attack against a cryptographic circuit by probing its internal nodes to derive information correlated with the secret. The first countermeasure against this type of attack appeared almost two decades ago [1] and it officially gave birth to a branch of research known today as t-probing security. Since then, it became clear that, while proving the security for small gadgets required a small effort, reasoning about their composition was (and still is) not trivial. In fact, one of the main problems addressed is the composability of security properties, i.e., determining, given two t-probing (Note 1) secure gadgets (Note 2), if their functional composition is still t-probing secure.
Over the years, it has been observed that composability depends on the amount of refreshing (Note 3) that is used [2] and on the non-interference property [3] of the circuit’s implementation, which ensures that the probabilistic distribution of the probed values does not depend on any secret [4]. Subsequent research has shown that a stronger type of non-interference property, which dictates that such probabilistic distribution might vary only with the number of internal probes, could be useful [3].
Since its introduction, the cryptographic research community has worked toward putting non-interference to work in proof mechanization and optimization [3,4,5]. Later developments concerned the realistic application to circuits that might leak more than one share per probe [6] and proposed some new categorization (e.g., pseudo-\(t\)-NI/\(t\)-SNI [7]) to be able to reason about them. Among these, one of the most studied is the nonlinear part of the Advanced Encryption Standard (AES) [8, 9], which is also one of the target applications of the current work.
1.1 Our contribution
Reasoning about non-interference still needs either difficult ratiocination or complex automatic tools [3, 4]. In this work, we investigate an alternative formalization which, we argue, is simpler to reason with; in fact, it allowed us to prove some new properties of probing security (see Theorem 4). Our approach is based on the spectral theory of Boolean functions and correlation matrices [10, 11], and represents, to some extent, an extension of the work presented in [12]. However, while the latter only addressed single-output Boolean functions, we are the first to formalize multiple dependencies between outputs and inputs of a vector function, with the added benefit of being supported by matrix-based toolboxes. Note that the use of these tools in our area is not new; for example, in [13] the authors exploit the correlation matrix of shared functions to estimate some security bounds and define correlation between probed values, while other works use linear algebra to investigate resiliency against side-channel attacks [14, 15]. These works, however, address either monovariate attacks or other sharing schemes (inner product masking), while we aim at providing a larger and stronger foundational contribution that allows us to concisely explain known general compositional patterns and potentially discover new ones.
This work is organized as follows: we present our new mathematical approach in Sect. 2 by introducing the concept of shares’ relation matrix, which is a compact matrix representation of the (cor-)relation between a Boolean function’s inputs and outputs. Methodologically, this new formalism allows us to create a linear algebra view of t-probing security, which we present in Sect. 3. This approach brings several benefits, among which the ability to prove general probing security composition theorems through linear algebra. To this end, in Sect. 4 we put our formalism to work by proving the t-SNI property of the AES nonlinear part. We conclude by sketching the possible evolution of this work (Sect. 5) and by providing relevant mathematical background and proofs supporting our argument (Appendix).
2 A relation calculus for shares
Let us consider a circuit implementing a function:
where the values \(x_i\) are sensitive (i.e., they have been computed using a secret). A side-channel attack consists of measuring the power consumption of internal nodes of the circuit (through probes) and by searching through a set of guesses of the secret for the one that maximizes the correlation.
To design a mitigation against a side-channel attack, designers split each sensitive value \(x_i\) into d values \(\alpha _i = \{\alpha _{i,j}\}_{j \in 1 \ldots d}\) such that \(\sum _j \alpha _{i,j}= x_i\); these d values are called shares. In principle, this is done by using \(d-1\) auxiliary, uniformly distributed random values (aka masks) and, unless one obtains all d shares \(\alpha _{i,j}\), the correlation of each share with the sensitive value \(x_i\) is negligible [1]. The implementation of f must be changed so as to provide the result as a set of shares much like the original sensitive values. The computation of each output \(f_i\) is thus split into a set of d vector functions \(\omega _i = \{\omega _{i,j}\}_{j \in 1 \ldots d}\) such that:
where each \(\omega _{i,j}\) is called the j-th output share of \(f_i\) and it must be impossible to obtain information about \(f_i\) unless one obtains all d output shares.
In the probing security attack model, aside from regular output shares \(\omega _i\), attackers can observe (through probes) a group of the internal values of the circuit as additional outputs:
where each \(\pi _i\) is a function of the input shares. A mitigation against a probing attack ensures that none of the \(\pi _i\) are correlated with the original sensitive values. To design such countermeasures, besides the shares of the original sensitive values, designers use an additional group of inputs \(P=\{ \rho _1 \ldots \rho _{|P|}\}\) which are uniformly random. These values are used to “refresh” the internally computed values of the function so as to make each \(\pi \) and \(\omega \) not correlated with the sensitive values.
It is clear that the correlation between each \(\omega \) and \(\pi \) with any \(\alpha \) and \(\rho \) is critical to determine whether the circuit is probing secure. A possible way to encode this information is to have a multi-dimensional matrix (Note 4) called the shares’ relation matrix:
Definition 1
(Shares’ relation matrix) Given a Boolean function \(f: \mathbb {F}_2^{|A|+|P|}\rightarrow \mathbb {F}_2^{|\Omega |+|\Pi |}\), where A is the set of the function’s input shares \(\alpha _k\), \(\Omega \) is the set of output shares \(\omega _k\), we define the shares’ relation matrix of f as a multi-dimensional matrix F where each element:
is indexed by:
- \(j_{\alpha _k} \in \{0,\dots ,d\}, k \in \{ 1, \dots , |A|\}\)
- \(j_{\rho } \in \{ 0, \dots , |P| \}\)
- \(i_{\omega _p} \in \{0,\dots ,d\}, p \in \{ 1, \dots , |\Omega | \}\)
- \(i_{\pi } \in \{0, \dots , |\Pi |\}\)
and it is equal to 1 only if there exists a nonzero correlation between \(j_{\alpha _k}\) shares of \(\alpha _k\) and \(j_\rho \) randoms with \(i_{\omega _p}\) output shares of \(\omega _p\) and \(i_{\pi }\) probes, for all k, p.
A formal definition of such type of matrices is presented in Appendix B where, in particular, we consider multiple random \(P_l\) and probe \(\Pi _z\) groups instead of a single P and \(\Pi \) as above; however, for the rest of the paper, it is only necessary to get an intuitive understanding of it, which we will develop in the following paragraphs. A practical way to compute a shares’ relation matrix for a function f is deriving it from the Walsh matrix of f. Indeed, correlation matrices are useful to determine whether a set of output shares is vulnerable, i.e., correlated with one or more sensitive variables [16,17,18]. In particular, for a circuit f, any combination of outputs (encoded with the spectral coordinate \(\phi \)) is correlated with a set of inputs (encoded with the spectral coordinate \(\psi \)) if \(W_f(\phi , \psi ) \ne 0\). It is possible to see a correlation matrix as an incidence matrix which encodes a dependency relation between the inputs and outputs of f. Such relation matrices (which are built over a Boolean semiring \(K = \{ (0,1), \vee , \wedge \}\)) are the fundamental building block for the calculus of relations (Note 5), an algorithmic device that allows the substitution of computation for a sometimes difficult ratiocination [19]. We can derive a relation matrix \(\widetilde{W}_f\) from the correlation matrix \(W_f\) of a vectorial Boolean function element-wise (Note 6):
Once a relation matrix \(\widetilde{W}_f\) has been found, one can easily derive the shares’ relation matrix in Eq. 1 by inspection. Thus, we derive the shares’ relation matrix in a two-step process by starting from the correlation matrix of f:
Example 1
(Taken from [20] and reported here for simplicity) Consider a function \(f: \mathbb {F}_2^{4}\rightarrow \mathbb {F}_2^{3}\)
such that
- \(a_0\) and \(a_1\) are two shares of a single sensitive input a,
- \(r_0\) and \(r_1\) are two random values,
- \(f_0\) and \(f_1\) are two shares of a single output o, and
- \(f_2\) is the value associated with a potential internal probe p within the circuit realization of f.
From its correlation matrix, we can derive through Eq. 2 the following relation matrix \(\widetilde{W}_f(\phi ,\psi )\) (\(\phi =[\gamma _{f_2}\gamma _{f_1}\gamma _{f_0}], \psi =[\gamma _{r_1}\gamma _{r_0}\gamma _{a_1}\gamma _{a_0}]\)):
Note that we have labeled columns (rows) with the corresponding combination of inputs (outputs) in binary form. For example, element \(\widetilde{W}_f([011],[0011])\) (which is 1) represents an existing dependency between \(f_0 \oplus f_1\) and \(a_0 \oplus a_1\); note that in this specific case \(W_f=\widetilde{W}_f=1\) but in general \(\widetilde{W}_f(i,j)\) is 1 whenever \(W_f(i,j)\) is different from zero.
From the relation matrix \(\widetilde{W}_f\) (Eq. 3), it is thus possible to derive the corresponding shares’ relation matrix F, which accounts only for the number of shares of the output and probes whose combination is correlated with a specified number of shares of the input and of randoms:
Note that the coordinates of this new relation matrix are computed by the Hamming weights of the spectral coordinates of \(\widetilde{W}_f\) split by their type (r the randoms, a the inputs, o the outputs, p the probes). This allows us to index in an alternative way any element F(i, j):
where \(i_p, i_o, j_r, j_a\) are exactly the mixed-radix representation of i, j and carry additional information, i.e., the distinction between the related input-random (output-probe) composition. The mixed-radix representation \(mr_{\rho }(n)\) of a number n over the vector of parts \(\boldsymbol{\rho } = [{\rho }_{N}, \ldots , {\rho }_{1}]\) is a vector \(b = [{b}_{N+1}, \ldots , {b}_{1}]\) such that:
The vector \([i_p, i_o]\) (resp., \([j_r, j_a]\)) is just the mixed-radix representation of i (resp. j) over the vector of parts \([f_p, f_o]\) (resp. \([f_r,f_a]\)) where \(f_a\) is the number of shares of the input of function f, \(f_r\) is the number of refresh values, \(f_o\) is the number of shares for function f’s outputs and \(f_p\) is the number of probes:
Example 2
The fifth row with index i = 4 of the matrix in Eq. (4) has a mixed-radix representation \([i_p, i_o] = [1,1]\) over the vector of parts \([f_p, f_o] = [1,2]\) because:
Same reasoning goes for column index 3 which corresponds to the representation [1, 0] over the vector of parts \([f_r, f_a] = [2,2]\), i.e.,
Thus, we have that \(F_{1,1}^{1,0}\) is the element (4, 3) of matrix F, and its indices carry the fact that it corresponds to the correlation of both probes and outputs (\([i_p, i_o] = [1,1]\)) with one of the random values (\([j_r, j_a]=[1,0]\)).
This work concerns itself with deriving security properties associated with the composition of functions. In the following we consider the function \(h(x) = g(f(x))\) as a horizontal composition of g with f while the vector function:
as the vertical composition of f and g. We will show that the shares’ relation matrix of a function distributes over vertical composition while, concerning horizontal composition, we can assert a weaker rule (see below) which will be still valid for inferring probing security. With regard to the proofs of following theorems, the reader is invited to refer to Appendix B.1.
Note that the definition of the shares’ relation matrix is different from the Probe Distribution Table (PDT) introduced in [21] because the latter does not account for the potential compression of information that is obtained by encoding the Hamming weights of the spectral coordinates. With respect to [21], we show that it is possible to work with such minimal objects without resorting to encoding explicitly all possible input/output relationships. Note also that the goal of our work is more related to explaining how the composition of primitive gadgets works rather than determining inner properties for such primitives through their correlation matrices. However, other work [20] provides some deduction on the complexity required for deriving the above shares’ relation matrices from scratch.
Theorem 1
(Identity) Given \(id: \mathbb {F}_2^{n}\rightarrow \mathbb {F}_2^{n}\) the identity function, its shares’ relation matrix is \({\mathbf {I}}_{n+1}\), where \({\mathbf {I}}\) is the identity matrix (see Appendix for the proof).
The horizontal compositionality of the shares’ relation matrices is determined by a weaker rule with respect to the conventional correlation matrix (see Theorem 7); in particular, as long as we look at the constituent parts of a horizontal composition of shares’ relation matrices, their product always conservatively dominates the original shares’ relation matrix, as stated in the following theorem:
Theorem 2
(Shares’ relation matrices pseudo-horizontal composition) Given two functions f and g, and F, G, FG the shares’ relation matrices of f, g and \(g\circ f\), respectively, the following dominance holds:
(see Appendix for the proof).
Practically speaking, if the product of two shares’ relation matrices does not imply a dependency between variables, this will be absent from the whole shares’ relation matrix as well. Vertical composition, however, still holds as the following theorems show:
Theorem 3
(Shares’ relation matrices pseudo-distributivity over tensor product) Given two functions f and g, and F, G, F|G the shares’ relation matrices of f, g and the vertical juxtaposition of g above f, respectively, the following holds:
where \(\otimes \) is the Kronecker (or tensor) product, see Appendix for the proof.
Corollary 1
(Tensor product with identity) From the previous theorems, it follows that the following equalities hold:
where \(\delta \) is the Kronecker’s delta.
3 Application to t-probing security
In this section, we revisit and enhance known theorems about t-probing security by showing how they naturally descend from the relation calculus of shares based on shares’ relation matrices. We recall that t-probing security centers around the concept of t-non-interfering function. A function f is \(t\)-NI if, when given a total of s outputs and internal probes, \(s \le t\) implies a dependency with maximum s input shares. A function f is \(t\)-SNI if \(s \le t\) implies a dependency with maximum i input shares, where i is the number of internal probes.
Much has been said about the composition rules of such functions and, unfortunately, their proofs are complex, long or require much expertise in type theory or formal verification [3]; we will show that the relation calculus of shares allows one to revisit and extend these proofs with conventional linear algebra tools, broadening the potential audience.
To talk about t-probing security, we have found it useful to follow this general pattern: (i) we explicitly include random refresh values as inputs (Note 7) and (ii) we include in the signature of the function also the probes considered. This creates a natural subdivision of the shares’ relation matrix for the considered function. Before introducing some general results that can be derived with our formalism, however, we introduce an additional example that shows how one could identify a violation of compositionality in an existing gadget with our formalism.
Example 3
(Extended from [20]). In this example, we revisit through our formalism a case discovered in [2] that proves that, in general, the composition of \(t\)-NI and \(t\)-SNI functions is not \(t\)-NI.
Figure 1 shows the structure of a function h(a) which is a composition of two functions f and g; the assumptions are that f is \(t\)-NI and g is \(t\)-SNI. In particular, f refreshes its input a with two random bits \(r_f\):
and it is assumed to have been probed at location \(p_f = a_0 \oplus r_0\). On the other hand, \(g(a,b,r_g)\) is the ISW multiplication [1], which consumes 3 random bits \(r_g\) for the secret computation. Also in this case, a single probe \(p_g = a_2 \wedge b_1\) is assumed. We will show that our method provides sufficient precision to pinpoint the vulnerability spotted in [2]. To fit into our formalism, however, we must consider the underlying correlation matrices that include explicitly i) the random values both f and g consume to refresh the data and ii) the probes that are present. The string diagram in Fig. 5 describes the composition pattern of correlation matrices as a mapping from the space of the Fourier transform of the input distribution \({\mathbb {A}} \otimes {\mathbb {R}}_f \otimes {\mathbb {R}}_g\) (i.e., the actual inputs plus the random values) to the one of the output distribution \({\mathbb {O}}_g \otimes {\mathbb {P}}_g \otimes {\mathbb {P}}_f\) (i.e., the actual output of g and the probes in both f and g). Still considering the string diagram of Fig. 5, one can derive one of the equivalent expressions of the correlation matrix of h as:
where \(W_{s}\) is the correlation matrix of the duplication function \(s = (x) \mapsto (x,x)\) and \(W_{q}\) is the correlation matrix of function \(q = (x,y) \mapsto (y,x)\). We are interested in computing the potential dependencies between any combination of output/probes and inputs that are not masked by random values. Thus, computing the shares’ relation matrices from all the previous correlation matrices, by Theorems 2 and 3, the following holds:
where H, F, G, S and Q are the shares’ relation matrices computed for functions h, f, g, s and q, respectively.
The value of the right-hand side of Eq. 8 is shown in Fig. 2. First of all, we are interested only in the first 4 columns, as these are the ones that represent relationships between the outputs and the shares of a not masked by any random value. We note that there is a potential dependency in row [1, 1, 0], column [0, 0, 3], exactly the one found in [2], which says that one needs only two probe values to get three shares; h is thus not even 2-NI, showing that \(t\)-NI and \(t\)-SNI do not compose into a \(t\)-NI function. This example shows that the proposed calculus of shares has sufficient precision to discover these cases. On one hand, these could be false positives because of the dominance relation in Eq. (8); on the other hand, however, this formalism rules out any false negative. We will show that the stronger concept of \(t\)-SNI naturally emerges, in our relation calculus, as a fundamental property to ensure compositionality.
3.1 Proving general patterns of compositional security
The shares’ relation matrix can be a reasonable way for exploring t-probing security, but there is more. In fact, it is possible to demonstrate that, in order to rule out dependencies similar to Example 3, both f and g must be \(t\)-SNI. In this section, we will revisit some known composition patterns (e.g., Theorem 5 and Corollaries 2 and 3, which appeared in [4]) and introduce a new one not known in the literature (Theorem 4).
Here, we restate what it means for a function f to be \(t\)-NI/\(t\)-SNI in terms of the shares’ relation matrix F:
Definition 2
f is \(t\)-SNI iff, for any set of probes that could be introduced in it, the following predicate is true for any element (i, j) of its shares’ relation matrix:
Definition 3
f is \(t\)-NI iff, for any set of probes that could be introduced in it, the following predicate is true for any element (i, j) of its shares’ relation matrix:
where it is evident that \(t\)-NI corresponds to a weaker version of \(t\)-SNI.
Example 4
Coron’s linear-space variant [22] of the ISW multiplication [1] is \(t\)-SNI [3] and this can be easily seen through the shares’ relation matrix. Let us consider its form for \(t=1\); in this case we have two shares for two inputs a and b, one random value r, two output shares o and six possible internal probes p:
where
Part of the corresponding shares’ relation matrix is shown in Fig. 3; it can be seen that for \(\pi +\omega \le 1\), \(\rho =0\) and \(\alpha , \beta > 1\) (white areas) we have a null dependency, i.e., the function is 1-SNI. Note that, for this ISW implementation, the number of outputs and probes varies with t with the following law:
where \(t+1\) of these correspond to outputs while the others are internal probes.
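As an added, runnable illustration (not the paper’s code) of the two-step derivation of Sect. 2 (Eq. 2, the Hamming-weight grouping of spectral coordinates by type that yields Eq. 1, and the mixed-radix indexing of Example 2) and of the predicates of Definitions 2 and 3 applied to a gadget of the kind in Example 4, the Python below computes the shares’ relation matrix of a 2-share ISW multiplication directly from its Walsh spectrum. The gadget instance, its six probe points and the unrefreshed counterexample are constructed here (the paper’s own equations for Example 4 are not reproduced above); reading “input shares” per input variable in Definitions 2 and 3 is our assumption.

```python
"""Shares' relation matrix of a Boolean masking gadget from its Walsh spectrum,
and the t-NI / t-SNI predicates read off from it. Added example: the gadget
instances, probe points and group conventions below are constructed here."""


def bits(x, n):
    """Unpack integer x into its n low-order bits, bit k first."""
    return [(x >> k) & 1 for k in range(n)]


def pack(vals):
    """Pack a list of bits into an integer, element k at bit k."""
    return sum(v << k for k, v in enumerate(vals))


def isw2(x):
    """Constructed 2-share ISW multiplication (t = 1) with its six intermediate
    values exposed as probes. Input bits: a0, a1, b0, b1, r. Output bits:
    o0, o1, p0..p5 (our choice of probe points)."""
    a0, a1, b0, b1, r = bits(x, 5)
    p0, p1, p2, p3 = a0 & b0, a0 & b1, a1 & b0, a1 & b1  # the four cross products
    p4 = r ^ p1                                          # r xor a0 b1
    p5 = p4 ^ p2                                         # (r xor a0 b1) xor a1 b0
    o0 = p0 ^ r                                          # output share 0
    o1 = p3 ^ p5                                         # output share 1; o0 xor o1 = a b
    return pack([o0, o1, p0, p1, p2, p3, p4, p5])


# Group order convention: randoms first among inputs, probes first among outputs.
ISW2_INPUTS = {"r": [4], "a": [0, 1], "b": [2, 3]}
ISW2_OUTPUTS = {"p": [2, 3, 4, 5, 6, 7], "o": [0, 1]}


def unrefreshed2(x):
    """Constructed counterexample: the same cross products combined without r."""
    a0, a1, b0, b1 = bits(x, 4)
    p0, p1, p2, p3 = a0 & b0, a0 & b1, a1 & b0, a1 & b1
    return pack([p0 ^ p1, p2 ^ p3, p0, p1, p2, p3])


UNREF_INPUTS = {"r": [], "a": [0, 1], "b": [2, 3]}
UNREF_OUTPUTS = {"p": [2, 3, 4, 5], "o": [0, 1]}


def walsh_coefficient(table, phi, psi):
    """W_f(phi, psi) = sum_x (-1)^(phi.f(x) xor psi.x) over the truth table;
    nonzero means output combination phi is correlated with input combination psi."""
    total = 0
    for x, y in enumerate(table):
        parity = bin((phi & y) ^ (psi & x)).count("1") & 1
        total += -1 if parity else 1
    return total


def type_weights(mask, groups):
    """Hamming weight of a spectral coordinate restricted to each variable type."""
    return tuple(sum((mask >> k) & 1 for k in idx) for idx in groups.values())


def shares_relation_matrix(func, in_groups, out_groups):
    """Set of (row, col) pairs, row = (i_pi, i_omega), col = (j_rho, j_a, ...):
    present iff some phi/psi with those per-type weights has W_f != 0 (Eq. 2 -> Eq. 1)."""
    n_in = sum(len(v) for v in in_groups.values())
    n_out = sum(len(v) for v in out_groups.values())
    table = [func(x) for x in range(1 << n_in)]
    F = set()
    for phi in range(1 << n_out):
        row = type_weights(phi, out_groups)
        for psi in range(1 << n_in):
            key = (row, type_weights(psi, in_groups))
            if key not in F and walsh_coefficient(table, phi, psi) != 0:
                F.add(key)
    return F


def mixed_radix_index(digits, parts):
    """Flatten digits [b_N..b_1] over parts [rho_N..rho_1] (digit k in 0..rho_k)
    into one index, last digit least significant (Example 2)."""
    n = 0
    for b, rho in zip(digits, parts):
        n = n * (rho + 1) + b
    return n


def mixed_radix_digits(n, parts):
    """Inverse of mixed_radix_index."""
    digits = []
    for rho in reversed(parts):
        digits.append(n % (rho + 1))
        n //= rho + 1
    return digits[::-1]


def dense(F, in_groups, out_groups):
    """Lay F out as a 0/1 matrix indexed by the mixed-radix encodings (as in Eq. 4)."""
    out_parts = [len(v) for v in out_groups.values()]
    in_parts = [len(v) for v in in_groups.values()]
    M = [[0] * (mixed_radix_index(in_parts, in_parts) + 1)
         for _ in range(mixed_radix_index(out_parts, out_parts) + 1)]
    for row, col in F:
        M[mixed_radix_index(row, out_parts)][mixed_radix_index(col, in_parts)] = 1
    return M


def is_t_sni(F, t):
    """Definition 2 (per-input reading): with at most t probes+outputs and no random
    involved, no input may contribute more shares than there are internal probes."""
    return not any(i_p + i_o <= t and j_r == 0 and any(j > i_p for j in j_in)
                   for (i_p, i_o), (j_r, *j_in) in F)


def is_t_ni(F, t):
    """Definition 3: as above, but the bound is probes plus output shares."""
    return not any(i_p + i_o <= t and j_r == 0 and any(j > i_p + i_o for j in j_in)
                   for (i_p, i_o), (j_r, *j_in) in F)


if __name__ == "__main__":
    F = shares_relation_matrix(isw2, ISW2_INPUTS, ISW2_OUTPUTS)
    print("ISW, 2 shares: 1-SNI =", is_t_sni(F, 1), " 1-NI =", is_t_ni(F, 1))
    G = shares_relation_matrix(unrefreshed2, UNREF_INPUTS, UNREF_OUTPUTS)
    print("no refresh:    1-SNI =", is_t_sni(G, 1), " 1-NI =", is_t_ni(G, 1))
```

The refreshed gadget satisfies both predicates for \(t=1\): every output share contains r linearly, so it has no correlation with any input combination that excludes r, and each probe touches at most one share of a and one of b. Dropping r makes \(o_0 = a_0 (b_0 \oplus b_1)\) correlated with \(b_0 \oplus b_1\), i.e., one output share already depends on two shares of b, which violates even 1-NI; the same matrix also shows why the two-share gadget is not 2-SNI (\(o_0 \oplus p_4 = a_0 (b_0 \oplus b_1)\) with no random involved).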
The simplest composition pattern for which we can derive general rules is \(l = g \circ f\). The corresponding map between the Fourier transforms of distributions is shown in Fig. 4. The question we address is whether l (with the associated shares’ relation matrix L) is t-SNI/t-NI according to Definitions 2 and 3, by making assumptions on the probing security of the underlying functions f and g (whose shares’ relation matrices are called F and G, respectively). Note that, to fit within our formalism, we need to explicitly route the refresh values for g and the probed value of f with a function q that just swaps those values. Note that, since matrix Q is the shares’ relation matrix of the function \(q: (x,y)\mapsto (y,x)\), it can be shown that the following holds:
Besides, by Theorem 2, we know that L is dominated by the product:
where \(n_{\pi _f}\) (\(n_{\omega _f}\), \(n_{\rho _g}\)) is the number of probes in f (output’s shares of f, randoms needed to refresh g) plus 1 (see Theorem 1).
The following lemma can be proved:
Lemma 1
The product ABC is such that:
For a proof, see Appendix.
We are now able to derive formally whether and when l is \(t\)-SNI/\(t\)-NI.
Theorem 4
If f is \(t\)-SNI and g is \(t\)-NI, then \(l(x) = g(f(x))\) is \(t\)-SNI. Formally, the following three axioms:
- A 1: \(r + |i_{\pi _f}| \le t \wedge v > |i_{\pi _f}| \implies \lnot F_{i_{\pi _f}, r}^{0,v}\)
- A 2: \(|i_{\omega _g}| + |i_{\pi _g}| \le t \wedge r > |i_{\pi _g}|+|i_{\omega _g}| \implies \lnot G_{i_{\pi _g}, i_{\omega _g}}^{0,r}\)
- A 3: \((|i_{\pi _g}| + |i_{\pi _f}| + |i_{\omega _g}| \le t) \wedge (j_{\alpha }> |i_{\pi _g}| + |i_{\pi _f}|)\)
entail \((ABC)^{0,0,j_{\alpha }}_{i_{\pi _f}i_{\pi _g}i_{\omega _g}}=0\)
Proof
Exploiting the above axioms and Lemma 1, we can derive that:
\(\square \)
Corollary 2
If f and g are \(t\)-SNI functions then also \(l(x) = g(f(x))\) is \(t\)-SNI.
Proof
Assuming g is \(t\)-SNI, then it is also \(t\)-NI and the thesis follows from Theorem 4. \(\square \)
We already saw an example of another composition pattern studied in the literature, whose circuit diagram is shown in Fig. 1. The diagram associated with its correlation matrices is the one shown in Fig. 5. With our formalism, it is possible to identify some general rules to determine if such a composed function is \(t\)-NI/\(t\)-SNI (according to Definitions 2 and 3) by making assumptions on the probing security of the underlying functions f and g. Note that, to reconcile with our model of function, we explicitly split the whole function l into a composition \(a \circ b \circ c \circ d\). In particular, d contains the duplication function s that sends a copy of the shared input to both f and g, while b contains q as in the pattern that we previously studied. The shares’ relation matrix S associated with the function \(s: x \mapsto (x,x)\) is characterized by the following lemma:
Lemma 2
For any \(i_{\alpha _1},i_{\alpha _2},j_\alpha \) indices, the following holds:
For a proof, see Appendix.
From the point of view of the shares’ relation matrices involved, we know that the whole function is dominated by the product (see Theorem 2):
where \(n_{\alpha _1}\) (\(n_{\rho _f}\)) is the number of shares of the first g’s input (randoms needed to refresh f) plus 1.
Lemma 3
The complete relation matrix ABCD computed in Fig. 5 is such that:
For a proof, see Appendix.
We are now able to derive formally when l is \(t\)-SNI/\(t\)-NI.
Theorem 5
If f is a \(t\)-SNI function and g is \(t\)-NI, then \(l(x) = g(f(x), x)\) is \(t\)-NI. Formally, the following three axioms:
- A 4: \(r + |i_{\pi _f}| \le t \wedge v > |i_{\pi _f}| \implies \lnot F_{i_{\pi _f}, r}^{0,v}\)
- A 5: \(|i_{\omega _g}| + |i_{\pi _g}| \le t \wedge (r> |i_{\pi _g}|+|i_{\omega _g}| \vee z > |i_{\pi _g}|+|i_{\omega _g}|) \implies \lnot G_{i_{\pi _g}, i_{\omega _g}}^{0,r,z}\)
- A 6: \((|i_{\pi _g}| + |i_{\pi _f}| + |i_{\omega _g}| \le t) \wedge (|j_{\alpha }| > |i_{\pi _g}| + |i_{\pi _f}|+|i_{\omega _g}|)\)
entail \((ABCD)^{0,0,j_{\alpha }}_{i_{\pi _f}i_{\pi _g}i_{\omega _g}}=0\)
Proof
Exploiting the above axioms and Lemmas 2 and 3:
\(\square \)
Remark 1
Note that the case handled in Theorem 5 concerns f \(t\)-SNI and g \(t\)-NI; vice versa, Example 3 concerns the inverted case f \(t\)-NI and g \(t\)-SNI.
Corollary 3
If f and g are \(t\)-SNI functions then also \(l(x) = g(f(x), x)\) is \(t\)-SNI. Formally, the following three axioms:
- A 7: \(r + |i_{\pi _f}| \le t \wedge v > |i_{\pi _f}| \implies \lnot F_{i_{\pi _f}, r}^{0,v}\)
- A 8: \(|i_{\omega _g}| + |i_{\pi _g}| \le t \wedge (r> |i_{\pi _g}| \vee z > |i_{\pi _g}|) \implies \lnot G_{i_{\pi _g}, i_{\omega _g}}^{0,r,z}\)
- A 9: \((|i_{\pi _g}| + |i_{\pi _f}| + |i_{\omega _g}| \le t) \wedge (|j_{\alpha }| > |i_{\pi _g}| + |i_{\pi _f}|)\)
entail \((ABCD)^{0,0,j_{\alpha }}_{i_{\pi _f}i_{\pi _g}i_{\omega _g}}=0\)
Proof
The initial part of the proof is the same as that of Theorem 5 up to Eq. (13); then the different axioms apply:
\(\square \)
4 Extending the approach to \({\mathbb {F}}_{2^k}^{n}\): the AES inversion
In this section, we present an extension of the proposed formalism to address the case where shares encode values over k bits, i.e., they belong to \({\mathbb {F}}_{2^k}^{n}\). Let us thus consider a function \(f: {\mathbb {F}}_{2^k}^{n} \rightarrow {\mathbb {F}}_{2^k}^{m}\); we can extend Eq. 2 as follows:
where \(u^{(k,n) \triangleright n}\) is a reduction operation over the binary encoding of the spectral coordinate u (see Fig. 6). It can be shown that the shares’ relation matrix for the relation matrices computed as in Eq. 15 still complies with Definitions 2 and 3 and Theorems 2 and 3. In this setting, affine functions have a nice representation that will be useful to extend the application of previous theorems.
Definition 4
A function \(f:\mathbb {F}_{2^k}^n \rightarrow {\mathbb {F}}_{2^k}^n\) is a (multi-share) affine function if:
where g is an affine function, \(x_i\) is the i-th share of x and \(f(x)_i\) is the i-th share of f(x) (see [4]). For conciseness, we will refer to f as an affine function as well.
The relation matrix of an affine function (as well as its shares’ relation matrix) is an identity, as the following lemma shows.
Lemma 4
Let \(f:{\mathbb {F}}_{2^k}^n \rightarrow {\mathbb {F}}_{2^k}^n\) be an affine function; then \(\widetilde{W_f}=I_{2^n}\).
Proof
The affine function f can be seen as the parallel application of n functions \(g_i\) such that \(f(x)_i = g_i(x_i)\) with \(0 \le i \le n-1\); this implies that:
Since each \(g_i\) is an affine (and balanced) function, then \(\widetilde{W}_{g_i}=I_2\) and:
\(\square \)
When using our formalism to determine if a function over \({\mathbb {F}}_{2^k}^n\) is \(t\)-NI/\(t\)-SNI, we can thus treat affine functions as identities because their shares’ relation matrix is the same as the one of an identity function.
4.1 AES inversion function
A function that has been widely studied in the probing security framework is the inversion function of the AES algorithm; finding a gadget that implements it in a probing secure way, also when it is composed with preceding and following gadgets, is an important research cornerstone.
Let us consider the \(t\)-SNI gadget proposed in [9] as the AES inversion in \(\mathbb {F}_{2^8}\). A formal demonstration for the strong security of this implementation has been introduced in [4]. Here we show how this could be proven with our formalism, exploiting only patterns that we have presented and proved in this work.
We report the inversion gadget in Fig. 7b. Note that we have slightly modified the algorithm presented in [9] by moving two power computation blocks across duplication points; semantically it is the same circuit, but it is easier to see how the previously introduced patterns can still be used to show that it is \(t\)-SNI.
First of all, we note that there is a recurring pattern in that particular algorithm, i.e., the circuit in Fig. 7a. The block is composed of a mask refresh Refresh (\(t\)-SNI), the ISW multiplication SecMult (\(t\)-SNI), and \(\cdot ^x\), an affine power function parameterized over the exponent x (which is a multiple of two). It is possible to demonstrate that \(m_x\) is \(t\)-SNI following the same line of reasoning of Theorem 3 because, by Lemma 4, the relation matrix of the power function can be interpreted as an identity, thus the same case as the one shown in Fig. 5 applies. Considering the overall algorithm in Fig. 7b, we observe that this is \(t\)-SNI if \(b \circ m_2\) is \(t\)-SNI (by Theorem 3). By Corollary 2, \(b \circ m_2\) is \(t\)-SNI if b is \(t\)-SNI and the latter is true by Theorem 3 and by Lemma 4.
5 Conclusion
We originally started this research to extend our understanding of t-probing security. We have discovered a new relation calculus of shares which exploits the conventional Walsh transform. This calculus is precise enough to prove and extend known compositional properties without much semi-formal or verbal ratiocination. We believe that the underlying linear algebra, besides providing a more intuitive understanding, will allow for an easier mechanization of probing security proofs.
We also believe that a similar approach can be used to address vulnerabilities associated with circuit glitches. In this sense, we have made a preliminary proposal that shows that the approach is viable [20]. Indeed, more work must still be done toward a unifying approach that encompasses circuit glitches and new composability definitions such as the t-PINI condition [23].
Notes
1. By probing, we mean a useful technique through which one can recover information from a subset of nodes of a circuit, e.g., measuring power consumption or EM emissions.
2. These are secure in the sense that given t probes, it is impossible to derive information about the secret values encoded in the masks/shares.
3. The term refresh indicates a procedure that aims to bring back the secret’s shares into a uniformly random state, after a series of operations that might have invalidated uniformity.
4. Perhaps the most appropriate name for this type of object would be tensor, but this name implies also some additional properties that are not used in this paper.
5. A relation matrix element \(R_{i,j} \in K\) represents the absence (0) or presence (1) of a relationship iRj between entities encoded through row index i and column index j, and the logic composition of relations can be encoded into a linear algebra expression and analyzed with conventional tools. In particular, logical disjunction is represented as matrix sum (\((R + S)_{i,j} = R_{i,j} \vee S_{i,j}\)), logical conjunction as the Hadamard product (\((R \circ S)_{i,j} = R_{i,j} \wedge S_{i,j}\)), and “relative product” as conventional matrix multiplication (\((RS)_{i,j} = \exists k\, R_{i,k} \wedge S_{k,j}\)).
6. In this paper, we consider all indices starting from 0.
7. After all, these are values generated independently by a separate random number generator, so it makes sense to include them in the signature of the function itself.
8. Note that these are not sub-spaces as the set \({\mathbb {P}}_n\) is not closed under addition.
9. By compatible, we mean that the set of parts sums up to the specified size, e.g., \(\sum _{\omega _i \in \underline{\Omega }} \omega _i = \Omega \).
References
Ishai, Y., Sahai, A., Wagner, D.: Private Circuits: Securing Hardware against Probing Attacks. In: Boneh, D. (ed.) Advances in Cryptology – CRYPTO 2003. Lecture Notes in Computer Science, pp. 463–481. Springer, Berlin Heidelberg (2003)
Coron, J., Prouff, E., Rivain, M., Roche, T.: Higher-Order Side Channel Security and Mask Refreshing. In: Moriai, S. (ed.) Fast Software Encryption. Lecture Notes in Computer Science, pp. 410–424. Springer, Berlin Heidelberg (2014)
Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.A., Grégoire, B., Strub, P.Y., Zucchini, R.: Strong Non-Interference and Type-Directed Higher-Order Masking. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, pp. 116–129. ACM, New York, NY, USA (2016)
Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.A., Grégoire, B.: Compositional verification of higher-order masking: application to a verifying masking compiler. IACR Cryptol. ePrint Arch. 2015, 506 (2015)
Belaïd, S., Goudarzi, D., Rivain, M.: Tight private circuits: achieving probing security with the least refreshing. Technical Report 439 (2018)
Barthe, G., Dupressoir, F., Faust, S., Grégoire, B., Standaert, F.X., Strub, P.Y.: Parallel implementations of masking schemes and the bounded moment leakage model. Lecture Notes in Computer Science, vol. 10210, pp. 535–566 (2017)
Faust, S., Grosso, V., Del Pozo, S.M., Paglialonga, C., Standaert, F.X.: Composable Masking Schemes in the Presence of Physical Defaults and the Robust Probing Model. Technical Report 711 (2017)
Schmidt, J.M., Kim, C.: A probing attack on AES. pp. 256–265 (2009)
Rivain, M., Prouff, E.: Provably Secure Higher-Order Masking of AES. Technical Report 441 (2010)
Daemen, J., Govaerts, R., Vandewalle, J.: Correlation matrices. In: Preneel, B. (ed.) Fast Software Encryption. Lecture Notes in Computer Science, pp. 275–285. Springer, Berlin Heidelberg (1995)
Parriaux, J., Guillot, P., Millérioux, G.: Towards a spectral approach for the design of self-synchronizing stream ciphers. Cryptogr. Commun. 3(4), 259–274 (2011)
Bloem, R., Gross, H., Iusupov, R., Könighofer, B., Mangard, S., Winter, J.: Formal Verification of Masked Hardware Implementations in the Presence of Glitches. In: Nielsen, J.B., Rijmen, V. (eds.) Advances in Cryptology – EUROCRYPT 2018. Lecture Notes in Computer Science, pp. 321–353. Springer International Publishing (2018)
Beyne, T., Dhooghe, S., Zhang, Z.: A not so random idea: cryptanalysis of masked ciphers (2020)
Bringer, J., Carlet, C., Chabanne, H., Guilley, S., Maghrebi, H.: Orthogonal direct sum masking. In: Naccache, D., Sauveron, D. (eds.) Information Security Theory and Practice. Securing the Internet of Things, pp. 40–56. Springer, Berlin Heidelberg (2014)
Cheng, W., Guilley, S., Carlet, C., Mesnager, S., Danger, J.L.: Optimizing inner product masking scheme by a coding theory approach. IEEE Trans. Inf. Forensics Secur. 16, 220–235 (2021)
Zaccaria, V., Melzani, F., Bertoni, G.: Spectral features of higher-order side-channel countermeasures. IEEE Trans. Comput. 67(4), 596–603 (2018)
Xiao, G.Z., Massey, J.L.: A spectral characterization of correlation-immune combining functions. IEEE Trans. Inf. Theory 34(3), 569–571 (1988)
Carlet, C.: Boolean Functions for Cryptography and Error-Correcting Codes, pp. 257–397. Encyclopedia of Mathematics and its Applications. Cambridge University Press (2010)
Copilowish, I.M.: Matrix development of the calculus of relations. J. Symbol. Logic 13(04), 193–203 (1948)
Molteni, M.C., Zaccaria, V.: On the spectral features of robust probing security. IACR Trans. Cryptogr. Hardw. Embed. Syst., pp. 24–48 (August 2020)
Cassiers, G., Faust, S., Orlt, M., Standaert, F.X.: Towards tight random probing security. Technical Report 880 (2021)
Coron, J.: Higher Order Masking of Look-Up Tables. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptology – EUROCRYPT 2014. Lecture Notes in Computer Science, pp. 441–458. Springer, Berlin Heidelberg (2014)
Cassiers, G., Standaert, F.X.: Towards globally optimized masking: from low randomness to low noise rate: or probe isolating multiplications with reduced randomness and security against horizontal attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 162–198 (2019)
Carlet, C.: Vectorial Boolean Functions for Cryptography. In: Crama, Y., Hammer, P.L. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 398–470. Cambridge University Press, Cambridge (2010)
Dravie, B., Parriaux, J., Guillot, P., Millérioux, G.: Matrix representations of vectorial Boolean functions and eigenanalysis. Cryptogr. Commun. Discret. Struct. Boolean Funct. Seq. 8(4), 555–577 (2016)
Parriaux, J., Guillot, P., Millérioux, G.: Towards a spectral approach for the design of self-synchronizing stream ciphers. Cryptogr. Commun. 3(4), 259–274 (2011)
Beyne, T.: Block cipher invariants as eigenvectors of correlation matrices (full version). Cryptology ePrint Archive, Report 2018/763 (2018)
Funding
Not applicable.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Appendices
A Properties of the Walsh transform
This section recaps the important properties of the Walsh transform of a vectorial Boolean function and introduces the concept of tensor product for the resulting matrices [24].
Definition 5
(Walsh transform of a vectorial function) Given a vectorial Boolean function \(f: \mathbb {F}_2^{n}\rightarrow \mathbb {F}_2^{m}\), we define its Walsh transform as a \(2^{m}\times 2^{n}\) matrix \(\widehat{f}\) whose elements are:
\(\omega \in \mathbb {F}_2^{m}, \alpha \in \mathbb {F}_2^{n}\) being the binary encoding of the row and column indices, called spectral coordinates (or sometimes masks).
These matrices encode the correlation information between input variables’ xor-combinations and the corresponding output ones. For this reason, they sometimes appear in the literature, scaled by a coefficient \(2^{-n}\), as correlation matrices [10]:
For correlation matrices, the following theorem holds:
Theorem 6
(Correlation matrix as a map of probability distributions) Given a function \(f: \mathbb {F}_2^{n}\rightarrow \mathbb {F}_2^{m}\) and a probability distribution \(p_X: \mathbb {F}_2^{n} \rightarrow \mathbb {R}\) for its input variable, the following relation holds:
where \(p_Y\) is the distribution of the output values while \(T_{g}\) is the Fourier transform of any pseudo-Boolean function \(g: \mathbb {F}_2^{n} \rightarrow \mathbb {R}\) and defined as the following:
Interpreting the Fourier transform of a probability distribution of a variable in \(\mathbb {F}_2^{n}{}\) as a vector in a subset \({\mathbb {P}}_n\) of \({\mathbb {R}}^{2^n}\) (see Note 8), we find that the correlation matrix \(W_{f}\) of a function \(f: \mathbb {F}_2^{n}\rightarrow \mathbb {F}_2^{m}\) is just a linear map \({\mathbb {P}}_n \rightarrow {\mathbb {P}}_m\). These maps are endowed with composition:
Theorem 7
(Composition of correlation matrices) Given two functions \(f: \mathbb {F}_2^{n}\rightarrow \mathbb {F}_2^{m}\) and \(g: \mathbb {F}_2^{m}\rightarrow \mathbb {F}_2^{q}\), the following holds:
Moreover, if f is a bijection, \(W_{f^{-1}}=W_{f}^{-1}\). For a proof, see [24, 26].
Given two independent variables \(x_f \in \mathbb {F}_2^{n_f}\) and \(x_g \in \mathbb {F}_2^{n_g}\), one can form the probability distribution of the vector \([x_f,x_g]\) with the product of distributions. From the point of view of its Fourier transform, this is a mapping \({\mathbb {P}}_{n_f} \times {\mathbb {P}}_{n_g} \rightarrow {\mathbb {P}}_{n_f + n_g}\). The following theorem holds:
Theorem 8
(Tensor product of correlation matrices) Given two functions \(f: \mathbb {F}_2^{n_f}\rightarrow \mathbb {F}_2^{m_f}\) and \(g: \mathbb {F}_2^{n_g}\rightarrow \mathbb {F}_2^{m_g}\), the correlation matrix of the function \(h([x_f,x_g]) = [ f(x_f), g(x_g) ]\) is \(W_{h} = W_{g} \otimes W_{f}\) where the symbol \(\otimes \) is the Kronecker product (or tensor product) of matrices (proof in the appendix). It is customary to say that \(W_h\) is a mapping from the space \({\mathbb {P}}_{n_f} \otimes {\mathbb {P}}_{n_g}\) to the space \({\mathbb {P}}_{m_f} \otimes {\mathbb {P}}_{m_g}\).
Theorem 8 is informally proven in [10] and is applied in several works, such as [27]; taking this into account, in this appendix we give a formal proof of it. For this purpose, we define the quotient and remainder operators as follows, to remind ourselves of the structure of the indices:
When \(p = 2^n\) and i is a number that can be encoded over \(k>n\) bit, \(i_{\uparrow p}\) corresponds to the value encoded by the upper \(k-n\) bits, while \(i_{\downarrow p}\) corresponds to the value encoded by the lower n bits.
Definition 6
(Kronecker product of matrices) The tensor product of two matrices X (of \(n\times m\) elements) and Y (of \(p\times q\) elements) can be defined as:
Proof
(Theorem 8)
Note that \(\omega \) (\(\alpha \)) can be treated as a decimal number or as the corresponding (vector) binary encoding; moreover, the encoding of \(\omega \) (\(\alpha \)) can in turn be decomposed into two parts \([\omega _g,\omega _f]\) (\([\alpha _g, \alpha _f]\)) of \(m_g\) (\(n_g\)) and \(m_f\) (\(n_f\)) bits, respectively. We start by rewriting the definition of \(\widehat{h}\):
and conclude (using Definition 6) that the last equation represents the generic element in position \((\omega ,\alpha )\) of the Kronecker product \(\widehat{g}\otimes \widehat{f}\). \(\square \)
The effect of composing correlation matrices can be reasoned about intuitively through diagrams. Each correlation matrix is drawn as a box (except for identities, which are drawn as simple wires); composition is the horizontal juxtaposition of boxes, while the tensor product is the vertical one (see Fig. 8 for an example). We note that there is a remarkable correspondence between such a diagram and the underlying circuit diagram, to the point that we could talk about “the” diagram of the circuit. Moreover, there always exist two mappings \(B_{a,b}: {\mathbb {P}}_a \otimes {\mathbb {P}}_b \rightarrow {\mathbb {P}}_b \otimes {\mathbb {P}}_a\) and \(B_{b,a}\) such that \(B_{a,b}B_{b,a} = I\). \(B_{a,b}\) is exactly the Walsh transform of a function that permutes variables a and b (this is typically drawn with crossing wires, such as block Q in Fig. 5).
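To make Theorems 6, 7 and 8 concrete, the following Python script (an added example, not code from the paper) builds exact correlation matrices for two constructed two-bit functions and checks the three statements numerically. Since the paper's own formulas are not reproduced on this page, it assumes the standard definitions \(\widehat{f}_{\omega,\alpha} = \sum_x (-1)^{\omega\cdot f(x) \oplus \alpha\cdot x}\), \(W_f = 2^{-n}\widehat{f}\) and \(T_g(\alpha) = \sum_x g(x)(-1)^{\alpha\cdot x}\); the sample functions and the input distribution are constructed for the example.

```python
# Added example, not code from the paper: exact correlation matrices of small
# vectorial Boolean functions and numerical checks of Theorems 6, 7 and 8.
# Assumed standard definitions (the paper's own formulas are not reproduced here):
#   hat_f[w][a] = sum_x (-1)^(w.f(x) xor a.x),   W_f = 2^-n * hat_f,
#   T_g(a)      = sum_x g(x) * (-1)^(a.x)        (Fourier transform of g).
from fractions import Fraction

def parity(v):
    """w.x over F_2 for masks already AND-ed together: the parity of v's bits."""
    return bin(v).count("1") & 1

def corr(f, n, m):
    """Correlation matrix W_f (2^m x 2^n, exact rationals) of f: F_2^n -> F_2^m.
    Rows are output masks omega, columns are input masks alpha."""
    scale = Fraction(1, 2 ** n)
    return [[scale * sum((-1) ** (parity(w & f(x)) ^ parity(a & x))
                         for x in range(2 ** n))
             for a in range(2 ** n)] for w in range(2 ** m)]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def kron(X, Y):
    """Kronecker product (Definition 6): (X kron Y)[i][j] = X[i//p][j//q] * Y[i%p][j%q]."""
    p, q = len(Y), len(Y[0])
    return [[X[i // p][j // q] * Y[i % p][j % q]
             for j in range(len(X[0]) * q)] for i in range(len(X) * p)]

def fourier(g, n):
    """Fourier transform T_g of a pseudo-Boolean function g given as a table over F_2^n."""
    return [sum(g[x] * (-1) ** parity(a & x) for x in range(2 ** n)) for a in range(2 ** n)]

def maps_distribution(f, n, m, p_x):
    """Theorem 6: T_{p_Y} == W_f * T_{p_X}, with p_Y the push-forward of p_X through f."""
    p_y = [Fraction(0)] * 2 ** m
    for x in range(2 ** n):
        p_y[f(x)] += p_x[x]
    t_x = fourier(p_x, n)
    return fourier(p_y, m) == [sum(row[a] * t_x[a] for a in range(2 ** n))
                               for row in corr(f, n, m)]

def composes(f, n, m, g, q):
    """Theorem 7: W_{g o f} == W_g * W_f for f: F_2^n -> F_2^m and g: F_2^m -> F_2^q."""
    return corr(lambda x: g(f(x)), n, q) == matmul(corr(g, m, q), corr(f, n, m))

def tensors(f, nf, mf, g, ng, mg):
    """Theorem 8: for h([x_f, x_g]) = [f(x_f), g(x_g)], W_h == W_g kron W_f.
    x_f sits in the low nf bits and x_g in the high ng bits (the paper's index split)."""
    h = lambda x: (g(x >> nf) << mf) | f(x & (2 ** nf - 1))
    return corr(h, nf + ng, mf + mg) == kron(corr(g, ng, mg), corr(f, nf, mf))

# Constructed samples: f = (x0 AND x1, x0 XOR x1) on two bits, g = XOR of two bits,
# and a deliberately non-uniform input distribution p_X over F_2^2.
F = lambda x: ((x & 1) & (x >> 1)) | (((x & 1) ^ (x >> 1)) << 1)
G = lambda y: (y & 1) ^ (y >> 1)
P_X = [Fraction(1, 2), Fraction(1, 4), Fraction(1, 8), Fraction(1, 8)]

if __name__ == "__main__":
    for name, ok in (("Theorem 6", maps_distribution(F, 2, 2, P_X)),
                     ("Theorem 7", composes(F, 2, 2, G, 1)),
                     ("Theorem 8", tensors(F, 2, 2, G, 2, 1))):
        print(name, "holds" if ok else "FAILS")
```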
B Formal definition of shares’ relation matrix
To produce precise proofs of the theorems introduced in this appendix, we need to slightly modify the notation given in Eqs. 5 and 6, to show the actual vector of parts over which the multi-radix representation is computed. For the sake of generality, we will consider a generic vector of parts \(\underline{\Omega }\) (\(\underline{A}\)) for the matrix rows (columns). Given a function f, we thus talk about a shares’ relation matrix in the following form:
with the understanding that each element (i, j) of \(H_{\underline{\Omega },\underline{A}}[\widetilde{W_f}]\) is such that
We will also use \(|i_{\xi }|\) to indicate \(\sum _k i_{\xi _k}\), i.e., the sum of the mixed-radix components of index i associated with the vector of parts \(\Xi \). With this notation, \(|i_{\pi }|\) practically means the number of probes associated with a specific value of index i.
Example 5
Considering Example 2, we have the following notational equivalence
The shares’ relation matrix can be seen as the encoding of a predicate over the original relation matrix; this fact will be used to prove the remaining theorems in this appendix and corresponds to an equivalent definition of the matrix itself, as the following theorem shows.
Alternative Definition 1
(Shares’ relation matrix) The shares’ relation matrix computed from a relation matrix \(\widetilde{Q} \in K^{2^{\Omega } \times 2^A}\) is a matrix \(H_{\underline{\Omega },\underline{A}}[\widetilde{Q}] \in K^{\pi _{\underline{\Omega }} \times \pi _{\underline{A}}}\) where
and such that each element \(H[\widetilde{Q}]_{i,j}\) is 1 iff:
where \(wt_V: {\mathbb {N}} \rightarrow {\mathbb {N}}^v\) is the Hamming weight of each of the v binary parts according to the vector of parts V.
Remark 2
(Compact definition) We will sometimes use the notation \(r \sim _{\underline{\Omega }} i\) to indicate the predicate \(wt_{\underline{\Omega }}(r) = mr_{\underline{\Omega }{}}(i)\) (read r is a valid encoding for i). By construction the following predicate is thus true:
B.1 Relevant theorems and proofs: Section 2
Proof
(Theorem 1) With the new notations, Theorem 1 can be rewritten as follows:
Given a vector of parts composed of a single part \(\underline{\Pi }= [ \pi ]\), we have that \( H_{\underline{\Pi },\underline{\Pi }}[I_{2^{\pi }}] = I_{\pi + 1}\).
To prove it, we elaborate the predicate in Eq. (20):
and note that the implied condition means exactly that it must be an identity matrix. \(\square \)
Proof
(Theorem 2) With the new notations, Theorem 2 can be rewritten as follows:
Given two correlation matrices \(X \in K^{2^{\Omega } \times 2^Z}\) and \(Y \in K^{2^{Z} \times 2^{A}}\), the following dominance holds between the shares’ relation matrices:
for any choice of compatible parts \(\underline{\Omega }, \underline{Z}\) and \(\underline{A}\) (see Note 9).
To prove it, note that
represents the following implication (assuming \(\sum _{z_i \in \underline{Z}} z_i = Z\)):
which follows directly from the definition in Eq. (20) (note that once we have t, \(\zeta \) exists since we assume Z is compatible):
where, in the second step, we applied the following axiom:
Note that the converse (\(\Leftarrow \)) does not hold, since the multiplication of Walsh matrices is carried out over the rational numbers, where terms of opposite sign may cancel out. \(\square \)
Proof
(Theorem 3) With the new notations, Theorem 3 can be rewritten as follows:
Given two correlation matrices \(X \in K^{2^{\Phi } \times 2^{\Psi }}\) and \(Y \in K^{2^{\Omega } \times 2^{A}}\), the following holds:
where \(\begin{array}{c} \underline{\Omega }\\ \underline{\Phi } \end{array} = \underline{\Phi }\Vert \underline{\Omega }= \{\phi _{N_\Phi }, \dots , \phi _{1}, \omega _{N_\Omega }, \dots \omega _{1}\}\), i.e., the concatenation of parts \(\underline{\Phi }\) and \(\underline{\Omega }\).
Before proceeding with the proof, we need to introduce the following lemma:
Lemma 5
(Equivalences over concatenations of vector of parts) When dealing with a concatenation of parts \({\begin{array}{c} \underline{\Omega } \\ \underline{\Phi } \end{array}}\), both the extended Hamming weight and the multi-radix representation comply with the following equivalences:
where \(\Vert \) is the vector concatenation while \(\pi _{\underline{\Omega }} = \prod _i (\omega _i + 1)\). This means that we can split \(r \sim _{\begin{array}{c} \underline{\Omega } \\ \underline{\Phi } \end{array}} i\) in the conjunction of two sub conditions:
Theorem 3 is easily proved by expanding \(H_{\begin{array}{c} \underline{\Omega }\\ \underline{\Phi } \end{array},\begin{array}{c} \underline{A}\\ \underline{\Psi } \end{array}}[\widetilde{X \otimes Y}]\) through the definition in Eq. (20), and then applying Lemma 5 and Definition 6 in succession:
\(\square \)
Proof
(Corollary 1) With the new notations, Corollary 1 can be rewritten as follows:
For the first equality:
The second equality can be deduced in the same way. \(\square \)
C Relevant theorems and proofs: Section 3
Proof
(Lemma 1) The complete relation matrix ABC computed in Fig. 4 is such that
\(\square \)
Proof
(Lemma 2) S is the shares’ relation matrix computed from the relation matrix \(\widetilde{W}_{s}\) of the duplication function \(s = x\mapsto (x,x)\). It can be shown that elements of this relation matrix are such that:
To prove Lemma 2, we proceed by reductio ad absurdum, i.e., we show that
is a contradiction. To derive it we expand in it the definition of shares’ relation matrix S:
the latter judgment is absurd because, for all binary vectors a, b, it holds that \( wt(a) \oplus wt(b) \ge wt(a\oplus b)\). \(\square \)
Proof
(Lemma 3) The complete relation matrix ABCD computed in Fig. 5 is such that
where we used the following:
Lemma 6
.
\(\square \)
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Molteni, M.C., Zaccaria, V. A relation calculus for reasoning about t-probing security. J Cryptogr Eng 12, 1–14 (2022). https://doi.org/10.1007/s13389-022-00286-x