Randomness Complexity of Private Circuits for Multiplication
Abstract
Many cryptographic algorithms are vulnerable to side-channel analysis, and several leakage models have been introduced to better understand these flaws. In 2003, Ishai, Sahai and Wagner introduced the d-probing security model, in which an attacker can observe at most d intermediate values during a computation. They also proposed an algorithm that securely performs the multiplication of 2 bits in this model, using only \(d(d+1)/2\) random bits to protect the computation. We study the randomness complexity of multiplication algorithms secure in the d-probing model. We propose several contributions: we provide new theoretical characterizations and constructions, new practical constructions and a new efficient algorithmic tool to analyze the security of such schemes.
We start with a theoretical treatment of the subject: we propose an algebraic model for multiplication algorithms and exhibit an algebraic characterization of security in the d-probing model. Using this characterization, we prove a linear (in d) lower bound and a quasi-linear (non-constructive) upper bound for this randomness cost. Then, we construct a new generic algorithm to perform secure multiplication in the d-probing model that only uses \(d + d^2/4\) random bits.
From a practical point of view, we consider the important cases \(d \le 4\) that are actually used in current real-life implementations and we build algorithms with a randomness complexity matching our theoretical lower bound for these small-order cases. Finally, still using our algebraic characterization, we provide a new dedicated verification tool, based on information set decoding, which aims at finding attacks on algorithms for fixed order d at a very low computational cost.
Keywords
Side-channel analysis · Probing model · Randomness complexity · Constructions · Lower bounds · Probabilistic method · Information set decoding · Algorithmic tool
1 Introduction
Most commonly used cryptographic algorithms are now considered secure against classical black-box attacks, where the adversary only has access to their inputs and outputs. Today, it is however well known that their implementations are vulnerable to side-channel attacks, as revealed in the academic community by Kocher in 1996 [16]. These attacks exploit the physical emanations of the underlying device, such as the execution time, the device temperature, or the power consumption during the algorithm execution.
To thwart sidechannel attacks, many countermeasures have been proposed by the community. Among them, the most widely deployed one is probably masking (a.k.a. secret/processing sharing) [8, 13], which has strong links with techniques usually applied in secure multiparty computation (see e.g., [5, 28]) or private circuits theory [15]. For many kinds of reallife implementations, this countermeasure indeed demonstrated its effectiveness when combined with noise and processing jittering. The idea of the masking approach is to split every single sensitive variable/processing, which depends on the secret and on known variables, into several shares. Each share is generated uniformly at random except the last one which ensures that the combination of all the shares is equal to the initial sensitive value. This technique aims at making the physical leakage of one variable independent of the secret and thus useless for the attacker. The tuple of shares still brings information about the shared data but, in practice, the leakages are noisy and the complexity of extracting useful information increases exponentially with the number of shares, the basis of the exponent being related to the amount of noise [8].
In order to formally prove the security of masking schemes, the community has made important efforts to define leakage models that accurately capture the leakage complexity and simultaneously enable building security arguments. In 2003, Ishai, Sahai, and Wagner introduced the \(d\)-probing model in which the attacker can observe at most \(d\) exact intermediate values [15]. This model is very convenient for security proofs but does not fit the reality of embedded devices, which leak noisy functions of all their intermediate variables. In 2013, Prouff and Rivain extended the noisy leakage model [23], initially introduced by Chari et al. [8], to propose a new model more accurate than [15] but less convenient for security proofs. The two models [15, 23] were later unified by Duc, Dziembowski, and Faust [10] and Duc, Faust, and Standaert [11], who showed that a security proof in the noisy leakage model can be deduced from a security proof in the d-probing model. This sequence of works shows that proving the security of implementations in the d-probing model makes sense both from a theoretical and a practical point of view. An implementation secure in the d-probing model is said to satisfy the d-privacy property, or equivalently to be d-private [15] (or secure at order d).
It is worth noting that there is a tight link between sharing techniques, Multi-Party Computation (MPC) and threshold implementations [6, 7, 21]. In particular, the study in the classical d-probing security model can be seen as a particular case of MPC with honest players. Furthermore, threshold implementations manipulate sharing techniques with additional restrictions to thwart further hardware attacks resulting from the leakage of electronic glitches. This problem can itself be similarly seen as a particular case of MPC, with Byzantine players [17].
1.1 Our Problem
Since most symmetric cryptographic algorithms manipulate Boolean values, the most practical way to protect them is generally to implement Boolean sharing (a.k.a. high-order masking): namely, each sensitive intermediate result x is shared into several pieces, say \(d+1\), which are manipulated by the algorithm and whose parity is equal to x. To secure the processing of a function f on shared data, one must design a so-called masking scheme (or formally a private circuit) that describes how to build a sharing of f(x) from that of x while maintaining \(d\)-probing security.
In the context of Boolean sharing, we usually separate the protection of linear functions from that of nonlinear ones. In particular, at the hardware level, any circuit can be implemented using only two gates: the linear XOR gate and the nonlinear AND gate. While the protection of linear operations (e.g., XOR) is straightforward since the initial function f can be applied to each share separately, it becomes more difficult for nonlinear operations (e.g., AND). In these cases, the shares cannot be manipulated separately and must generally be processed all together to compute the correct result. These values must then be further protected using additional random bits which results in an important timing overhead.
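The share-wise handling of linear gates can be made concrete with a short sketch; the list-of-bits representation of sharings and the function name below are ours:

```python
def masked_xor(x_shares, y_shares):
    """XOR gate on sharings: applying XOR share-wise yields a valid
    sharing of x XOR y, without consuming any fresh randomness."""
    return [x ^ y for x, y in zip(x_shares, y_shares)]
```

The parity of the output sharing is the XOR of the parities of the inputs, which is exactly why linear operations are cheap to mask, whereas non-linear gates require the cross-terms discussed above.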
State-of-the-art solutions to implement Boolean sharing on non-linear functions [9, 25] have focused on optimizing the computation complexity. Surprisingly, the amount of necessary random bits has only been considered in the seminal paper of Ishai, Sahai and Wagner [15]. In this work, the authors proposed and proved a clever construction (further referred to as the ISW multiplication) allowing to compute the multiplication of two shared bits by using \(d(d+1)/2\) random bits, that is, half as many random bits as the straightforward solution uses. Their construction has since become a cornerstone of secure implementations [10, 12, 24, 25]. Even if this result is very important, the quantity of randomness remains very expensive to generate in embedded cryptographic implementations. Indeed, such a generation is usually performed using a physical generator followed by a deterministic random bit generator (DRBG). Besides the theoretical “chicken-and-egg” problem of protecting this DRBG, in practice the physical generator often has a low throughput and the DRBG is also time-consuming. In general, for a DRBG based on a 128-bit block cipher, one call to this block cipher enables the generation of 128 pseudorandom bits^{1} (see [2]). However, one invocation of the standard AES-128 block cipher with the ISW multiplication requires as much as 30,720 random bits (6 random bytes per multiplication, 4 multiplications per S-box [25]) to protect the multiplications when masked at the low order \(d=3\), which corresponds to 240 preliminary calls to the DRBG.
1.2 Our Contributions
We analyze the quantity of randomness required to define a d-private multiplication algorithm at any order \(d\). Given the sharings \(\varvec{a}={(a_i)}_{0\le i \le d}\), \(\varvec{b}={(b_i)}_{0 \le i \le d}\) of two bits a and b, the problem we tackle is to find the minimal number of random bits necessary to securely compute a sharing \({(c_i)}_{0 \le i\le d}\) of the bit \(c = ab\) with a d-private algorithm. We limit our scope to the construction of a multiplication based on the sum of shares’ products. That is, as in [15], we start with the pairwise products of a’s and b’s shares and we work on optimizing their sum into \(d+1\) shares with as few random bits as possible. We show that this reduces to studying the randomness complexity of some particular d-private compression algorithm that securely transforms the \((d+1)^2\) shares’ products into \(d+1\) shares of c. In our study we make extensive use of the following theorem that gives an alternative characterization of d-privacy:
Theorem 7 (informal). A compression algorithm is \(d\)-private if and only if there does not exist a set of \(\ell \) intermediate results \(\{p_1,\dots ,p_\ell \}\) such that \(\ell \le d\) and \(\sum _{i=1}^\ell p_i\) can be written as \(\varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) with \({\varvec{M}}\) being some matrix such that the all-ones vector is in the row space or in the column space of \({\varvec{M}}\).
From this theorem, we deduce the following lower bound on the randomness complexity:
Theorems 13–14 (informal). If \(d\ge 3\) (resp. \(d=2\)), then a d-private compression algorithm for multiplication must involve at least \(d+1\) random bits (resp. 2).
This theorem shows that the randomness complexity is in \(\varOmega (d)\). Using the probabilistic method, we additionally prove the following theorem, which provides a quasi-linear upper bound \(O(d \cdot \log d)\) on the randomness complexity, when \(d \rightarrow \infty \).
Theorem 16 (informal). There exists a d-private multiplication algorithm with randomness complexity \(O(d \cdot \log d)\), when \(d\rightarrow \infty \).
This upper bound is non-constructive: we show that a randomly chosen multiplication algorithm (in some carefully designed family of multiplication algorithms using \(O(d \cdot \log d)\) random bits) is d-private with nonzero probability. This means that there exists one algorithm in this family which is d-private.
In order to explicitly construct private algorithms with low randomness, we analyze the ISW multiplication to bring out necessary and sufficient conditions on the use of the random bits. In particular, we identify necessary chainings and we notice that some random bits may be reused at several locations to protect more shares’ products, while in the ISW multiplication each random bit is only used twice. From this analysis, we deduce a new d-private multiplication algorithm requiring \(\lfloor d^2/4 \rfloor +d\) random bits instead of \(d(d+1)/2\). As a positive side effect, our new construction also reduces the algorithmic complexity of the ISW multiplication (i.e., its number of operations).
Contrary to the ISW algorithm, our new constructions are not directly composable — in the sense of Strong Non-Interference (SNI) [3] — at any order. Fortunately, they can still be used in compositions instead of the ISW algorithms at carefully chosen locations. In this paper, we thus recall the different security properties related to compositions and we show that in the AES example, our new constructions can replace half the ISW ones while preserving the \(d\)-privacy of the whole algorithm.
Finally, while the tool provided in [4] — which is based on EasyCrypt — is able to reveal potential attack paths and formally prove security in the \(d\)-probing model with full confidence, it is limited to the verification of small orders (\(d=6\) in our case). Therefore, we propose a new dedicated probabilistic verification tool, which aims at finding attacks in fixed-order private circuits (or equivalently masking schemes) at a very low cost. The tool [1] is developed in Sage (Python) [27] and, though less generic than [4], it is orders of magnitude faster. It relies on a heuristic assumption (i.e., it cannot be used to actually prove security) but it usually finds attacks very swiftly for any practical order d. It makes use of information set decoding (a technique from coding theory introduced to the cryptographic community for the security analysis of the McEliece cryptosystem in [20, 22]).
2 Preliminaries
This section defines the notations and basic notions that we use in this paper, as well as some elementary constructions we refer to. In particular, we introduce the notion of \(d\)-private compression algorithm for multiplication and we present its only concrete instance, which was proposed by Ishai, Sahai, and Wagner [15].
2.1 Notation
For a set S, we denote by \(\vert S \vert \) its cardinality, and by \(s \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}S\) the operation of picking an element s of S uniformly at random. We denote by \(\mathbb {F}_{q}\) the finite field with q elements. Vectors are denoted by lower case bold font letters, and matrices are denoted by upper case bold font letters. All vectors are column vectors unless otherwise specified. The kernel (resp. the image) of the linear map associated to a matrix \({\varvec{M}}\) is denoted by \(\ker ({\varvec{M}})\) (resp. \({{\mathrm{im}}}({\varvec{M}})\)). For a vector \(\varvec{x}\), we denote by \(x_i\) its ith coordinate and by \(\mathsf {hw}(\varvec{x})\) its Hamming weight (i.e., the number of its coordinates that are different from 0).
For any fixed \(n \ge 1\), let \({\varvec{U}}_{n} \in \mathbb {F}_{2}^{n \times n}\) denote the matrix whose coefficients \(u_{i,j} \) equal 1 for all \(1 \le i,j \le n\). Let \(\mathbf 0 _{n,\ell } \in \mathbb {F}_{2}^{n \times \ell }\) denote the matrix whose coefficients are all 0. Let \(\varvec{u}_{n} \in \mathbb {F}_{2}^n\) denote the vector \((1,\dots ,1)^\intercal \) and \(\varvec{0}_{n} \in \mathbb {F}_{2}^n\) denote the vector \((0,\dots ,0)^\intercal \). For vectors \(\varvec{x}_1,\dots ,\varvec{x}_t\) in \(\mathbb {F}_{2}^n\), we denote by \(\langle \varvec{x}_1,\dots ,\varvec{x}_t \rangle \) the vector space generated by the set \(\{\varvec{x}_1,\dots ,\varvec{x}_t\}\).
We say that an expression \(f(x_1,\dots ,x_n,r)\) functionally depends on the variable r if there exists \(a_1, \dots , a_n\) such that the function \(r \mapsto f(a_1,\dots ,a_n,r)\) is not constant.
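For small n, functional dependence can be decided by exhaustive search. The sketch below assumes the expression is given as a Python function on \(\mathbb {F}_{2}\) values (represented as 0/1 integers), with r as its last argument; the function name is ours:

```python
from itertools import product

def functionally_depends(f, n_vars):
    """Decide whether f(x_1, ..., x_n, r), given as a Python function on
    0/1 values, functionally depends on its last argument r: search for
    an assignment (a_1, ..., a_n) making r -> f(a_1, ..., a_n, r)
    non-constant."""
    for xs in product((0, 1), repeat=n_vars):
        if f(*xs, 0) != f(*xs, 1):
            return True
    return False
```

For instance, \(a \oplus (b \wedge r)\) depends on r (take \(b = 1\)) while \(a \oplus b\) does not.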
For an algorithm \(\mathcal {A}\), we denote by \(y \leftarrow \mathcal {A}(x_1,x_2,\dots )\) the operation of running \(\mathcal {A}\) on inputs \((x_1,x_2,\dots )\) and letting y denote the output. Moreover, if \(\mathcal {A}\) is randomized, we denote by \(y \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal {A}(x_1,x_2,\dots ;r)\) the operation of running \(\mathcal {A}\) on inputs \((x_1,x_2,\dots )\) and with uniform randomness r (or with fresh randomness if r is not specified) and letting y denote the output. The probability density function associated to a discrete random variable X defined over S (e.g., \(\mathbb {F}_{2}\)) is the function which maps \(x \in S\) to \({\Pr \left[ \,X=x\,\right] }\). It is denoted by \(\{X\}\) or by \(\{X\}_r\) if there is a need to specify the randomness source r over which the distribution is considered.
2.2 Private Circuits
We examine the privacy property in the setting of Boolean circuits and start with the definitions of circuit and randomized circuit given in [15]. A deterministic circuit C is a directed acyclic graph whose vertices are Boolean gates and whose edges are wires. A randomized circuit is a circuit augmented with random-bit gates. A random-bit gate is a gate with fan-in 0 that produces a random bit and sends it along its output wire; the bit is selected uniformly and independently of everything else, afresh for each invocation of the circuit. From the two previous notions, we may deduce the following definition of a private circuit, inspired from [14].
Definition 1

A private circuit for a function \(f {:\;\;}\mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{m}\) is defined by a triple (I, C, O), where:

\(I {:\;\;}\mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{n'}\) is a randomized circuit with uniform randomness \(\rho \), called input encoder;

C is a randomized Boolean circuit with input in \(\mathbb {F}_{2}^{n'}\), output in \(\mathbb {F}_{2}^{m'}\), and uniform randomness \(r \in \mathbb {F}_{2}^t\);

\(O {:\;\;}\mathbb {F}_{2}^{m'} \rightarrow \mathbb {F}_{2}^{m}\) is a circuit, called output decoder.

The circuit is said to be \(d\)-private if the following two properties hold:

Correctness: for any input \(w \in \mathbb {F}_{2}^{n}\), \({\Pr \left[ \,O(C(I(w;\rho );r)) = f(w)\,\right] } = 1\), where the probability is over the randomness \(\rho \) and r;

Privacy: for any \(w,w' \in \mathbb {F}_{2}^{n}\) and any set P of \(d\) wires in C, the distributions \({\{C_P(I(w;\rho );r)\}}_{\rho ,r}\) and \({\{C_P(I(w';\rho );r)\}}_{\rho ,r}\) are identical, where \(C_P(I(w;\rho );r)\) denotes the list of the \(d\) values on the wires from P.
Remark 2
It may be noticed that the notions of d-privacy and of security in the d-probing model used, e.g., in [4] are perfectly equivalent.
Unless noted otherwise, we assume I and O to be the following canonical encoder and decoder: I encodes each bit-coordinate b of its input w by a block \({(b_{j})}_{0 \le j \le d}\) of \(d+1\) random bits with parity b, and O takes the parity of each block of \(d+1\) bits. Each block \({(b_{j})}_{0 \le j \le d}\) is called a sharing of b and each \(b_{j}\) is called a share of b.
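A minimal sketch of the canonical encoder and decoder for a single bit (function names are ours):

```python
import random

def canonical_encode(bit, d):
    """Canonical encoder for one bit: d uniform random shares plus one
    share fixing the parity, so the XOR of all d+1 shares equals bit."""
    shares = [random.randint(0, 1) for _ in range(d)]
    shares.append(bit ^ (sum(shares) & 1))
    return shares

def canonical_decode(shares):
    """Canonical decoder: the bit is the parity (XOR) of its shares."""
    parity = 0
    for s in shares:
        parity ^= s
    return parity
```

Note that any d of the \(d+1\) shares are jointly uniform; only all of them together reveal b.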
From now on, the wires in a set P used to attack an implementation are referred to as the probes and the corresponding values in \(C_P(I(w;\rho );r)\) as the intermediate results. To simplify the descriptions, a probe p is sometimes used to directly denote the corresponding result. A set of probes P such that the distributions \({\{C_P(I(w;\rho );r)\}}_{\rho ,r}\) and \({\{C_P(I(w';\rho );r)\}}_{\rho ,r}\) are not identical for some inputs \(w,w' \in \mathbb {F}_{2}^n\) shall be called an attack. When the inputs w are clear from the context, the distribution \({\{C_P(I(w;\rho );r)\}}_{\rho ,r}\) is simplified to \(\{(p)_{p \in P}\}\).
We now introduce the notions of multiplication algorithm and of d-compression algorithm for multiplication. In this paper, we study in depth d-private multiplication algorithms and d-private compression algorithms for multiplication.
Definition 3
A multiplication algorithm is a circuit for the multiplication of 2 bits (i.e., with f being the function \(f {:\;\;}(a,b) \in \mathbb {F}_{2}^2 \mapsto a\cdot b \in \mathbb {F}_{2}\)), using the canonical encoder and decoder.
Before moving on to the next notion, let us first introduce a new particular encoder, called multiplicative, which has been used in all the previous attempts to build a dprivate multiplication algorithm. This encoder takes as input two bits \((a,b) \in \mathbb {F}_{2}^2\), runs the canonical encoder on these two bits to get \(d+1\) random bits \((a_0,\dots ,a_d)\) and \((b_0,\dots ,b_d)\) with parity a and b respectively, and outputs the \((d+1)^2\) bits \({(\alpha _{i,j})}_{0 \le i,j \le d}\) with \(\alpha _{i,j} = a_i \cdot b_j\). Please note that, in particular, we have \(a \cdot b = (\sum _{i = 0}^{d} a_i) \cdot (\sum _{i = 0}^{d} b_i) = \sum _{0\le i,j \le d} \alpha _{i,j}\).
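A sketch of the multiplicative encoder's output, starting from the two canonical sharings (the function name is ours):

```python
def multiplicative_encode(a_shares, b_shares):
    """Multiplicative encoder: all (d+1)^2 pairwise products
    alpha[i][j] = a_i * b_j.  Since a = XOR of the a_i and b = XOR of
    the b_j, the XOR of all (d+1)^2 products equals a * b."""
    return [[ai & bj for bj in b_shares] for ai in a_shares]
```

A d-compression algorithm then has to re-compress these \((d+1)^2\) values into \(d+1\) output shares using only \(\mathbb {F}_{2}\) additions.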
Definition 4
A d-compression algorithm for multiplication is a circuit for the multiplication of 2 bits (i.e., with f being the function \(f {:\;\;}(a,b) \in \mathbb {F}_{2}^2 \mapsto a\cdot b \in \mathbb {F}_{2}\)), using the canonical decoder and the multiplicative encoder. Moreover, we restrict the circuit C to only perform additions in \(\mathbb {F}_{2}\).
When clear from the context, we often omit the parameter d and simply say “a compression algorithm for multiplication”.
Remark 5
Any d-compression algorithm for multiplication yields a multiplication algorithm, as the algorithm can start by computing the \(\alpha _{i,j}\)’s given its inputs \((a_0,\dots ,a_d,b_0,\dots ,b_d)\).
Proposition 6
A multiplication algorithm \(\mathcal {B}\) constructed from a d-compression algorithm for multiplication \(\mathcal {A}\) (as in Remark 5) is d-private if and only if the compression algorithm \(\mathcal {A}\) is d-private.
Clearly, if \(\mathcal {B}\) is d-private, so is \(\mathcal {A}\). However, the converse is not straightforward, as an adversary can also probe the input shares \(a_i\) and \(b_i\) in \(\mathcal {B}\), while it cannot in \(\mathcal {A}\). The full proof is given in the full version of this paper and is surprisingly hard: we actually use a stronger version of our algebraic characterization (Theorem 7). In the remainder of the paper, we focus on compression algorithms and we do not need to consider probes of the input shares \(a_i\) and \(b_i\), which makes the notation much simpler.
In the sequel, a d-compression algorithm for multiplication is denoted by \(\mathcal {A}(\varvec{a},\varvec{b};\varvec{r})\) with \(\varvec{r}\) denoting the tuple of uniform random bits used by the algorithm and with \(\varvec{a}\) (resp. \(\varvec{b}\)) denoting the vector of \(d+1\) shares of the multiplication operand a (resp. b).
The purpose of the rest of this paper is to investigate how much randomness is needed for such an algorithm to satisfy d-privacy and to propose efficient or optimal constructions with respect to the consumption of this resource. The number of random bits involved in an algorithm \(\mathcal {A}(\varvec{a},\varvec{b};\varvec{r})\) (i.e., the size of \(\varvec{r}\)) is called its randomness complexity or randomness cost.
2.3 ISW Algorithm
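As a reference point for this section, here is a minimal executable sketch of the ISW multiplication over \(\mathbb {F}_{2}\) (helper and variable names are ours): each pair \(i < j\) consumes one fresh random bit \(r_{i,j}\), and the correction term \(r_{j,i} = (r_{i,j} + a_i b_j) + a_j b_i\) must be evaluated in this bracketing for the security argument of [15] to apply.

```python
import random

def share_bit(bit, d):
    """Canonical encoder: d uniform bits plus one fixing the parity."""
    shares = [random.randint(0, 1) for _ in range(d)]
    shares.append(bit ^ (sum(shares) & 1))
    return shares

def isw_multiply(a_shares, b_shares):
    """ISW multiplication of two (d+1)-share sharings of bits a and b.

    Consumes d(d+1)/2 random bits (one per pair i < j) and returns a
    (d+1)-share sharing of a * b.
    """
    n = len(a_shares)  # n = d + 1
    # Start from the diagonal products a_i * b_i.
    c = [a_shares[i] & b_shares[i] for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r_ij = random.randint(0, 1)  # fresh random bit
            # r_ji = (r_ij + a_i.b_j) + a_j.b_i, in this exact order
            r_ji = (r_ij ^ (a_shares[i] & b_shares[j])) ^ (a_shares[j] & b_shares[i])
            c[i] ^= r_ij
            c[j] ^= r_ji
    return c
```

Correctness is easy to check: the \(r_{i,j}\) and \(r_{j,i}\) cancel pairwise in the sum of the output shares, leaving \(\sum_i a_i b_i + \sum_{i<j} (a_i b_j + a_j b_i) = ab\).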
3 Algebraic Characterization
In order to reason about the required quantity of randomness in \(d\)-private compression algorithms for multiplication, we define an algebraic condition and prove that an algorithm is \(d\)-private if and only if there is no set of probes which satisfies it.
3.1 Matrix Notation
As our condition is algebraic, it is practical to introduce some matrix notation for our probes. We write \(\varvec{a} = (a_0,\dots ,a_d)^\intercal \) and \(\varvec{b}=(b_0,\dots ,b_d)^\intercal \) the vectors corresponding to the shares of the inputs a and b respectively. We also denote by \(\varvec{r} = (r_1,\dots ,r_R)^\intercal \) the vector of the random bits.
Any probe p is an \(\mathbb {F}_{2}\)-polynomial in the shares \(a_i\), \(b_j\) and the random bits \(r_k\), and may contain a constant term \(c_p \in \mathbb {F}_{2}\). If \(c_p = 1\), we can always sum the probe with 1 and consider \(p+1\) instead of p; this does not change anything about the probability distributions we consider. Therefore, for the sake of simplicity, we always assume \(c_p=0\) throughout the paper.
3.2 Algebraic Condition
We now introduce our algebraic condition:
Condition 1
A set of probes \(P = \{p_1,\dots ,p_\ell \}\) on a d-compression algorithm for multiplication satisfies Condition 1 if and only if the expression \(f = \sum _{i=1}^\ell p_i\) can be written as \(f = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) with \({\varvec{M}}\) being some matrix such that \(\varvec{u}_{d+1}\) is in the row space or the column space of \({\varvec{M}}\).
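The matrix side of Condition 1 is mechanically checkable: given \({\varvec{M}}\) (as a list of rows of 0/1 entries), Gaussian elimination over \(\mathbb {F}_{2}\) decides whether the all-ones vector lies in its row space or column space. A sketch (function names are ours; extracting \({\varvec{M}}\) from the sum of probes is assumed to have been done beforehand):

```python
def in_row_space(rows, target):
    """Gaussian elimination over F_2: is `target` an F_2-linear
    combination of `rows`?  Vectors are lists of 0/1 integers."""
    basis = []  # pairs (pivot index, row), kept sorted by pivot
    for row in rows:
        row = row[:]
        for pivot, b in basis:
            if row[pivot]:
                row = [x ^ y for x, y in zip(row, b)]
        if any(row):
            basis.append((row.index(1), row))
            basis.sort()
    t = target[:]
    for pivot, b in basis:
        if t[pivot]:
            t = [x ^ y for x, y in zip(t, b)]
    return not any(t)

def all_ones_in_row_or_column_space(M):
    """Matrix criterion of Condition 1: is the all-ones vector in the
    row space or in the column space of M?"""
    cols = [list(c) for c in zip(*M)]
    return in_row_space(M, [1] * len(M[0])) or in_row_space(cols, [1] * len(M))
```

This check is what the verification tool of Sect. 1.2 has to perform on many candidate probe sets.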
A Weaker Condition. To better understand Condition 1, let us introduce a weaker condition which is often easier to deal with:
Condition 2
(Weak Condition). A set of probes \(P = \{p_1,\dots ,p_\ell \}\) on a d-compression algorithm for multiplication satisfies Condition 2 if and only if the expression \(f = \sum _{i = 1}^\ell p_i\) does not functionally depend on any \(r_k\) and there exists a map \(\gamma {:\;\;}\{0,\dots ,d\} \rightarrow \{0,\dots ,d\}\) such that f functionally depends on every \({(\alpha _{i,\gamma (i)})}_{0 \le i \le d}\) or on every \({(\alpha _{\gamma (i),i})}_{0 \le i \le d}\).
This condition can be reformulated as follows: \(f = \sum _{i=1}^\ell p_i\) functionally depends on either all the \(a_i\)’s or all the \(b_i\)’s, and does not functionally depend on any \(r_k\). It is easy to see that any set P satisfying Condition 1 also satisfies Condition 2.
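This reformulation suggests a direct brute-force test for small d: represent f as a Python function of the \(a_i\)'s, \(b_j\)'s and \(r_k\)'s (in that argument order) and detect each dependency by flipping one input at a time. The following sketch (names are ours, and the search is exponential in the number of inputs) does exactly that:

```python
from itertools import product

def depends_on(f, n, idx):
    """Does f, an n-input function on 0/1 values, functionally depend on
    input position idx?  True iff flipping that input can change f."""
    for xs in product((0, 1), repeat=n):
        flipped = list(xs)
        flipped[idx] ^= 1
        if f(*xs) != f(*flipped):
            return True
    return False

def weak_condition(f, n_a, n_b, n_r):
    """Condition 2, reformulated: f(a_0..a_d, b_0..b_d, r_1..r_R)
    depends on no r_k, and on all the a_i's or all the b_j's."""
    n = n_a + n_b + n_r
    if any(depends_on(f, n, n_a + n_b + k) for k in range(n_r)):
        return False
    all_a = all(depends_on(f, n, i) for i in range(n_a))
    all_b = all(depends_on(f, n, n_a + j) for j in range(n_b))
    return all_a or all_b
```

For example, with \(d = 1\), the sum \(a_0 b_0 + a_1 b_0\) depends on both \(a_i\)'s and on no random bit, so it satisfies the weak condition, while \(a_0 b_0 + r\) does not.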
3.3 Algebraic Characterization
Theorem 7
Let \(\mathcal {A}\) be a d-compression algorithm for multiplication. Then, \(\mathcal {A}\) is \(d\)-private if and only if there does not exist a set \(P = \{p_1,\dots ,p_\ell \}\) of \(\ell \le d\) probes that satisfies Condition 1. Furthermore, any set \(P = \{p_1,\dots ,p_\ell \}\) satisfying Condition 1 is an attack.
Please note that Theorem 7 would not be valid with Condition 2 (instead of Condition 1). A counterexample is given in the full version of this paper.
Proof
(Theorem 7).
Direction 1: Left to right. We prove hereafter that if \(\mathcal {A}\) is \(d\)-private, then there does not exist a set \(P = \{p_1,\dots ,p_\ell \}\) of \(\ell \le d\) probes that satisfies Condition 1.
This concludes the proof of the first implication and the fact that any set \(P = \{p_1,\dots ,p_\ell \}\) satisfying Condition 1 is an attack.
Direction 2: Right to left. Let us now prove by contradiction that if there does not exist a set \(P = \{p_1,\dots ,p_\ell \}\) of \(\ell \le d\) probes that satisfies Condition 1, then \(\mathcal {A}\) is \(d\)-private.
Let us assume that \(\mathcal {A}\) is not d-private. Then there exists an attack using a set of probes \(P = \{p_1,\dots ,p_\ell \}\) with \(\ell \le d\). This is equivalent to saying that there exist two inputs \((a^{(0)},b^{(0)}) \ne (a^{(1)},b^{(1)})\) such that the distribution \(\{(p_1,\dots ,p_\ell )\}\) is not the same whether \((a,b) = (a^{(0)},b^{(0)})\) or \((a,b) = (a^{(1)},b^{(1)})\). In particular, at least one of the following two cases holds: either

it is not the same whether \((a,b) = (0,b^{(0)})\) or \((a,b) = (1,b^{(0)})\) (in which case, we could have taken \(b^{(1)} = b^{(0)}\)), or

it is not the same whether \((a,b) = (1,b^{(0)})\) or \((a,b) = (1,b^{(1)})\) (in which case, we can just exchange the roles of a and b).
To summarize, there exists \(b^{(0)}\) such that the distribution \(\{(p_1,\dots ,p_\ell )\}\) is not the same whether \((a,b) = (0,b^{(0)})\) or \((a,b) = (1,b^{(0)})\).
In the sequel \(b^{(0)}\) is fixed and we call a tuple \((p_1,\dots ,p_\ell )\) satisfying the previous property an attack tuple.
We now remark that if the distribution \(\{(\sum _{i=1}^\ell p_i)\}\) is not the same whether \((a,b) = (0,b^{(0)})\) or \((a,b) = (1,b^{(0)})\) (i.e., the single-element tuple \((\sum _{i=1}^\ell p_i)\) is an attack tuple, which is in particular the case when \(\ell =1\)), then it follows easily from the probability analysis in the proof of the other direction of the theorem that the set P satisfies Condition 1. The main difficulty is that \((\sum _{i=1}^\ell p_i)\) is not necessarily an attack tuple. To overcome this, we use linear algebra.
But first, let us introduce some useful notations and lemmas. We write \(\varvec{p}\) the vector \((p_1,\dots ,p_\ell )^\intercal \) and we say that \(\varvec{p}\) is an attack vector if and only if \((p_1,\dots ,p_\ell )\) is an attack tuple. Elements of \(\varvec{p}\) are polynomials in the \(a_i\)’s, the \(b_j\)’s and the \(r_k\)’s.
Lemma 8
If \(\varvec{p}\) is an attack vector and \({\varvec{N}}\) is an invertible matrix in \(\mathbb {F}_{2}^{\ell \times \ell }\), then \({\varvec{N}}\cdot \varvec{p}\) is an attack vector.
Proof
This is immediate from the fact that \({\varvec{N}}\) is invertible. Indeed, as a matrix over \({{\mathbb F}}_2\), \({\varvec{N}}^{-1}\) is also a matrix over \({{\mathbb F}}_2\). Hence, multiplying the set of probes \(\{{\varvec{N}}\cdot \varvec{p}\}\) by \({\varvec{N}}^{-1}\) (which leads back to the first set of probes \(\{\varvec{p}\}\)) can be done by simply computing sums of elements in \(\{{\varvec{N}}\cdot \varvec{p}\}\). Hence, as the distribution of \(\{\varvec{p}\}\) differs when \((a,b)=(0,b^{(0)})\) and \((a,b)=(1,b^{(0)})\), the same is true for the distribution \(\{{\varvec{N}}\cdot \varvec{p}\}\). \(\square \)
We also use the following straightforward lemma.
Lemma 9
If \((p_1,\dots ,p_\ell )\) is an attack tuple such that the \(\ell - t + 1\) random variables \((p_1, \dots , p_t)\), \(p_{t+1}\), ..., and \(p_\ell \) are mutually independent, and the distribution of \((p_{t+1}, \dots , p_\ell )\) is the same for all the values of the inputs (a, b), then \((p_{1},\dots ,p_t)\) is an attack tuple.
We now need a final lemma to be able to conclude.
Lemma 10
If \((p'_1,\dots ,p'_t)\) is an attack tuple, then there exists a vector \(\varvec{b^*} \in \mathbb {F}_{2}^{d+1}\) such that \(\varvec{u}_{d+1}\) is in the vector space \(\langle {\varvec{M}}_\mathbf{1}' \cdot \varvec{b^*}, \dots , {\varvec{M}}_{{\varvec{t}}}' \cdot \varvec{b^*} \rangle \).
Proof
This lemma can be seen as a generalization of the probability analysis in the proof of the first direction of the theorem.
To prove the previous equality, we use the fact that \(\varvec{u}_{d+1}\) is not in the column space of \({\varvec{B}}\) and therefore the value of \(\varvec{a}^\intercal \cdot \varvec{u}_{d+1}\) is uniform and independent of the value of \(\varvec{a}^\intercal \cdot {\varvec{B}}\) (when \(\varvec{a}\) is a uniform vector in \(\mathbb {F}_{2}^{d+1}\)). \(\square \)
This concludes the proof. \(\square \)
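The independence argument closing the proof of Lemma 10 (if \(\varvec{u}_{d+1}\) is not in the column space of \({\varvec{B}}\), then \(\varvec{a}^\intercal \cdot \varvec{u}_{d+1}\) is uniform and independent of \(\varvec{a}^\intercal \cdot {\varvec{B}}\) for uniform \(\varvec{a}\)) can be checked exhaustively on a toy example; the matrix below is our own illustration for \(d = 2\):

```python
from itertools import product
from collections import Counter

def dot(x, y):
    """Inner product over F_2."""
    return sum(u & v for u, v in zip(x, y)) % 2

# Hypothetical B with columns e1 and e2: its column space avoids u = (1,1,1).
B_cols = [(1, 0, 0), (0, 1, 0)]
u = (1, 1, 1)

joint = Counter()
for a in product((0, 1), repeat=3):          # all a in F_2^3, uniform
    view = tuple(dot(a, c) for c in B_cols)  # the observed a^T B
    joint[(view, dot(a, u))] += 1

# For each value of a^T B, a^T u takes 0 and 1 equally often:
# a^T u is uniform and independent of a^T B.
for view in {v for v, _ in joint}:
    assert joint[(view, 0)] == joint[(view, 1)]
```

Intuitively, since \(\varvec{u}\) is linearly independent of the columns of \({\varvec{B}}\), the bit \(\varvec{a}^\intercal \cdot \varvec{u}\) carries one fresh degree of freedom of \(\varvec{a}\) that the observation \(\varvec{a}^\intercal \cdot {\varvec{B}}\) never fixes.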
4 Theoretical Lower and Upper Bounds
In this section, we exhibit lower and upper bounds for the randomness complexity of a d-private compression algorithm for multiplication. We first prove an algebraic result and an intermediate lemma that we then use to show that at least \(d+1\) random bits are required to construct a d-private compression algorithm for multiplication, for any \(d \ge 3\) (and 2 random bits are required for \(d = 2\)). Finally, we provide a (non-constructive) proof that, for large enough d, there exists a d-private multiplication algorithm with a randomness complexity \(O(d \cdot \log d)\).
4.1 A Splitting Lemma
We first prove an algebraic result, stated in the lemma below, that we further use to prove Lemma 12. The latter allows us to easily exhibit attacks in order to prove our lower bounds.
Lemma 11

Let \(n \ge 1\) and let \({\varvec{M}}_0, {\varvec{M}}_1 \in \mathbb {F}_{2}^{n \times n}\) be two matrices such that \({\varvec{M}}_0 + {\varvec{M}}_1 = {\varvec{U}}_{n}\). Then \(\varvec{u}_{n}\) belongs to \({{\mathrm{im}}}({\varvec{M}}_0)\), \({{\mathrm{im}}}({\varvec{M}}_1)\), \({{\mathrm{im}}}({\varvec{M}}_0^\intercal )\), or \({{\mathrm{im}}}({\varvec{M}}_1^\intercal )\).
Proof
(Lemma 11). We show the above lemma by induction on n.
Base Case: for \(n = 1\), \({\varvec{M}}_0, {\varvec{M}}_1, {\varvec{U}}\in \mathbb {F}_{2}\), so \({\varvec{M}}_0 + {\varvec{M}}_1 = 1\), which implies \({\varvec{M}}_0 = 1\) or \({\varvec{M}}_1 = 1\) and the claim immediately follows.
Inductive Case: let us assume that the claim holds for a fixed \(n \ge 1\). Let us consider two matrices \({\varvec{M}}_0,{\varvec{M}}_1 \in \mathbb {F}_{2}^{(n+1) \times (n+1)}\) such that \({\varvec{M}}_0 + {\varvec{M}}_1 = {\varvec{U}}_{n+1}\).
Clearly, if \({\varvec{M}}_0\) (or \({\varvec{M}}_1\)) is invertible, then the claim is true (as \(\varvec{u}_{n+1}\) is in its range). Then, let us assume that \({\varvec{M}}_0\) is not invertible. Then, there exists a nonzero vector \(\varvec{x} \in \ker ({\varvec{M}}_\mathbf{0 })\). Now, as \({{\mathrm{im}}}({\varvec{U}}_{n+1}) = \{\varvec{0}_{n+1},\varvec{u}_{n+1}\}\), if \({\varvec{U}}_{n+1} \cdot \varvec{x} = \varvec{u}_{n+1}\), then \({\varvec{M}}_1 \cdot \varvec{x} = \varvec{u}_{n+1}\) and the claim is true. Hence, clearly, the claim is true if \(\ker ({\varvec{M}}_0) \ne \ker ({\varvec{M}}_1)\) (with the symmetric remark). The same remarks hold when considering matrices \({\varvec{M}}_0^\intercal \) and \({\varvec{M}}_1^\intercal \).
Hence, the only remaining case to consider is when \(\ker ({\varvec{M}}_0) \ne \{\varvec{0}_{n+1}\}\), \(\ker ({\varvec{M}}_0^\intercal ) \ne \{\varvec{0}_{n+1}\}\) and when \(\ker ({\varvec{M}}_0) = \ker ({\varvec{M}}_1)\) and \(\ker ({\varvec{M}}_0^\intercal ) = \ker ({\varvec{M}}_1^\intercal )\). In particular, we have \(\ker ({\varvec{M}}_0) \subseteq \ker ({\varvec{U}}_{n+1})\) and \(\ker ({\varvec{M}}_0^\intercal ) \subseteq \ker ({\varvec{U}}_{n+1})\).
Let \(\varvec{x} \in \ker ({\varvec{M}}_0)\) (and then \(\varvec{x} \in \ker ({\varvec{M}}_1)\) as well) be a nonzero vector. Up to some rearrangement of the columns of \({\varvec{M}}_0\) and \({\varvec{M}}_1\) (by permuting some columns), we can assume without loss of generality that \(\varvec{x} = (1,\dots ,1,0,\dots ,0)^\intercal \). Let \({\varvec{X}}\) denote the matrix \((\varvec{x},\varvec{e}_2,\dots ,\varvec{e}_{n+1})\) where \(\varvec{e}_i = (0,\dots ,0,1,0,\dots ,0)^\intercal \) is the ith canonical vector of length \(n+1\), so that it has a 1 in the ith position and 0’s everywhere else.
Now, let \(\varvec{y} \in \ker ({\varvec{M}}_0^\intercal )\) (and then \(\varvec{y} \in \ker ({\varvec{M}}_1^\intercal )\) as well) be a nonzero vector, so \(\varvec{y}^\intercal \cdot {\varvec{M}}_0^\intercal = \varvec{0}_{n+1}^\intercal \). Moreover, up to some rearrangement of the rows of \({\varvec{M}}_0\) and \({\varvec{M}}_1\), we can assume that \(\varvec{y} = (1,\dots ,1,0,\dots ,0)^\intercal \). Let \({\varvec{Y}}\) denote the matrix \((\varvec{y},\varvec{e}_2,\dots ,\varvec{e}_{n+1})\).
Please note that rearrangements apply to the columns in the first case and to the rows in the second case, so we can assume without loss of generality that there exists both \(\varvec{x} \in \ker ({\varvec{M}}_0)\) and \(\varvec{y} \in \ker ({\varvec{M}}_0^\intercal )\) with the above form and matrices \({\varvec{X}}\) and \({\varvec{Y}}\) are well defined.
Conclusion: The claim follows for any \(n \ge 1\), and so does Lemma 11. \(\square \)
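Since Lemma 11 is a purely combinatorial statement, it can also be checked exhaustively in small dimension. The following sketch (our own illustration, not part of the paper) enumerates every pair \({\varvec{M}}_0, {\varvec{M}}_1 = {\varvec{M}}_0 + {\varvec{U}}_n\) for \(n \le 3\) and verifies that \(\varvec{u}_n\) always lies in a row space or a column space:

```python
# Exhaustive sanity check of Lemma 11 for n <= 3 (illustration only): for every
# M0 over F_2 with M1 = M0 + U_n (U_n the all-ones matrix), the all-ones vector
# u_n lies in the row space or in the column space of M0 or of M1.
from itertools import product

def span(vectors, n):
    """All GF(2) linear combinations of the given length-n vectors."""
    s = {(0,) * n}
    for v in vectors:
        s |= {tuple(a ^ b for a, b in zip(w, v)) for w in s}
    return s

def lemma_holds(n):
    u = (1,) * n
    for bits in product((0, 1), repeat=n * n):
        m0 = [bits[i * n:(i + 1) * n] for i in range(n)]
        m1 = [tuple(x ^ 1 for x in row) for row in m0]  # M1 = M0 + U_n
        if not any(u in span(m, n) or u in span(list(zip(*m)), n)
                   for m in (m0, m1)):
            return False
    return True

assert all(lemma_holds(n) for n in (1, 2, 3))
```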
We can now easily prove the following statement that is our main tool for proving our lower bounds, as explained after its proof.
Lemma 12
Let \(\mathcal {A}\) be a \(d\)-compression algorithm for multiplication. If there exist two sets \(S_0\) and \(S_1\) of at most d probes such that \(s_i = \sum _{p \in S_i} p\) does not functionally depend on any of the random bits, for \(i \in \{0,1\}\), and such that \(s_0 + s_1 = a \cdot b\), then \(\mathcal {A}\) is not \(d\)-private.
Proof
(Lemma 12). Let \(\mathcal {A}\), \(S_0\), \(S_1\), \(s_0\) and \(s_1\) be defined as in the above statement. Then, there exists \({\varvec{M}}_i \in \mathbb {F}_{2}^{(d+1)\times (d+1)}\) such that \(s_i = \varvec{a}^\intercal \cdot {\varvec{M}}_i \cdot \varvec{b}\), for \(i \in \{0,1\}\). Furthermore, as \(s_0 + s_1 = a \cdot b = \varvec{a}^\intercal \cdot {\varvec{U}}_{d+1} \cdot \varvec{b}\), we have \({\varvec{M}}_0 + {\varvec{M}}_1 = {\varvec{U}}_{d+1}\). Hence, via Lemma 11, there exist \(\varvec{v} \in \mathbb {F}_{2}^{d+1}\) and \(i \in \{0,1\}\) such that \({\varvec{M}}_i \cdot \varvec{v} = \varvec{u}_{d+1}\) or \({\varvec{M}}_i^\intercal \cdot \varvec{v} = \varvec{u}_{d+1}\). This means that \(\varvec{u}_{d+1}\) is in the row subspace or in the column subspace of \({\varvec{M}}_i\), and therefore, \({\varvec{M}}_i\) satisfies Condition 1. Therefore, as \(\vert S_i \vert \le d\), applying Theorem 7, \(\mathcal {A}\) is not \(d\)-private. Lemma 12 follows. \(\square \)
We use the above lemma to prove our lower bounds as follows: to prove that at least R(d) random bits are required in order to achieve \(d\)-privacy for a compression algorithm for multiplication, we prove that any algorithm with a lower randomness complexity is not \(d\)-private by exhibiting two sets of probes \(S_0\) and \(S_1\) that satisfy the requirements of Lemma 12.
4.2 Simple Linear Lower Bound
As a warm-up, we show that at least d random bits are required, for \(d \ge 2\).
Theorem 13
Let \(d \ge 2\). Let us consider a \(d\)-compression algorithm for multiplication \(\mathcal {A}\). If \(\mathcal {A}\) uses only \(d-1\) random bits, then \(\mathcal {A}\) is not \(d\)-private.
Proof
(Theorem 13). Let \(r_1,\dots ,r_{d-1}\) denote the random bits used by \(\mathcal {A}\). Let \(c_0,\dots ,c_d\) denote the outputs of \(\mathcal {A}\). Let us define \({\varvec{N}}\in \mathbb {F}_{2}^{(d-1)\times d}\) as the matrix whose coefficients \(n_{i,j}\) are equal to 1 if and only if \(c_j\) functionally depends on \(r_i\), for \(1 \le i \le d-1\) and \(1 \le j \le d\). Please note in particular that \({\varvec{N}}\) does not depend on \(c_0\).
As \({\varvec{N}}\) is a matrix over \(\mathbb {F}_{2}\) with d columns and only \(d-1\) rows, there necessarily exists a vector \(\varvec{w} \in \mathbb {F}_{2}^{d}\) with \(\varvec{w} \ne \varvec{0}_{d}\) such that \({\varvec{N}}\cdot \varvec{w} = \varvec{0}_{d-1}\).
The latter implies that the expression \(s_0 = \sum _{i = 1}^d w_i \cdot c_i\) does not functionally depend on any of the \(r_k\)’s. Furthermore, by correctness, we also have that \(s_1 = c_0 + \sum _{i = 1}^d (1-w_i) \cdot c_i\) does not functionally depend on any of the \(r_k\)’s, and \(s_0 + s_1 = \sum _{i=0}^d c_i = a \cdot b\). Then, the sets of probes \(S_0 = \{ c_i \mid w_i = 1 \}\) and \(S_1 = \{ c_0 \} \cup \{ c_i \mid w_i = 0 \}\) (whose cardinalities are at most d) satisfy the requirements of Lemma 12, and then, \(\mathcal {A}\) is not \(d\)-private. Theorem 13 follows. \(\square \)
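The pigeonhole step of this proof (a matrix over \(\mathbb {F}_{2}\) with d columns and only \(d-1\) rows always has a non-zero kernel vector) is easy to illustrate; the matrix N below is a made-up example for \(d = 4\), not one derived from an actual algorithm:

```python
# Brute-force search for a non-zero w with N.w = 0 over GF(2); such a w always
# exists since N has more columns (d) than rows (d-1).
from itertools import product

def kernel_vector(N, d):
    for w in product((0, 1), repeat=d):
        if any(w) and all(sum(n * x for n, x in zip(row, w)) % 2 == 0
                          for row in N):
            return w
    return None

N = [[1, 0, 1, 0],   # n_{i,j} = 1 iff c_j functionally depends on r_i
     [0, 1, 1, 0],   # (hypothetical dependencies, d = 4)
     [1, 1, 0, 1]]
w = kernel_vector(N, 4)
assert w == (1, 1, 1, 0)  # c_1 + c_2 + c_3 then depends on none of the r_k's
```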
4.3 Better Linear Lower Bound
We now show that at least \(d+1\) random bits are actually required if \(d \ge 3\).
Theorem 14
Let \(d \ge 3\). Let us consider a \(d\)-compression algorithm for multiplication \(\mathcal {A}\). If \(\mathcal {A}\) uses only d random bits, then \(\mathcal {A}\) is not \(d\)-private.
The proof is given in the full version of this paper.
4.4 (Non-constructive) Quasi-Linear Upper Bound
We now show the existence of a \(d\)-private compression algorithm for multiplication which requires only a quasi-linear number of random bits. More precisely, we show that, with nonzero probability, a random algorithm in some family of algorithms (using a quasi-linear number of random bits) is secure, which directly implies the existence of such an algorithm. Note that it is an interesting (though probably difficult) open problem to derandomize this construction.
We point out that we use two kinds of randomness which should not be confused: the R fresh random bits \(r_1, \dots , r_R\) used in the algorithm to ensure its \(d\)-privacy (R is the quantity we really want to be as low as possible), and the random variables \(X_{i,j,k}\) used to define a random family of such algorithms (which are “meta”-random bits). In a concrete implementation of the algorithm, these latter values are fixed.
Lemma 15
Proof
(Lemma 15). In order to simplify the proof, we are going to show that, with nonzero probability, there is no set of probes \(P = \{p_1,\dots ,p_\ell \}\) with \(\ell \le d\) that satisfies Condition 2. In particular, this implies that, with nonzero probability, there is no set of probes \(P = \{p_1,\dots ,p_\ell \}\) with \(\ell \le d\) that satisfies Condition 1, which, via Theorem 7, is equivalent to the algorithm being \(d\)-private.
We can restrict our attention to sets of exactly d probes: if there is a set \(P'\) of \(\ell < d\) probes that satisfies Condition 2, one can always complete \(P'\) into a set P of exactly d probes by adding \(d - \ell \) times the same probe on some input \(\alpha _{i,j}\) on which \(P'\) initially does not depend. That is, if \({\varvec{M}}'\) denotes the matrix such that \(\sum _{p'\in P'} p' = \varvec{a}^\intercal \cdot {\varvec{M}}'\cdot \varvec{b}\), one can complete \(P'\) with any \(\alpha _{i,j}\) such that \(m'_{i,j} = 0\), so that P, with \(\sum _{p \in P} p = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\), still satisfies Condition 2 if \(P'\) initially satisfied the condition.
Thus, let us consider an arbitrary set of d probes \(P = \{p_1,\dots ,p_d\}\) and let us bound the probability that P satisfies Condition 2. Let \(f = \sum _{i=1}^d p_i\).
Let us first show that f has to contain at least one \(\rho (i,j)\) (meaning that it appears an odd number of times in the sum). Let us assume the contrary, i.e., that f does not contain any \(\rho (i,j)\). Every \(\rho (i,j)\) appears only once in the shares (in the share \(c_i\) precisely), so one can assume that every probe is made on the same share, say (without loss of generality) on \(c_0\). If no probe contains any \(\rho (0,j)\), then P clearly cannot satisfy Condition 2: each probe then contains at most one \(\alpha _{0,j}\), so P cannot contain more than d different \(\alpha _{0,j}\)’s. Hence, at least one (and thus at least two) probes contain at least one \(\rho (0,j)\). We note that every probe has one of the following forms: it is exactly a random \(r_k\), a share \(\alpha _{0,j}\), a certain \(\rho (0,j)\), a certain \(\rho (0,j) + \alpha _{0,j}\) or \(\rho (0,j) + \alpha _{0,j} + \alpha _{j,0}\), or a subsum (starting from \(\alpha _{0,0}\)) of \(c_0\). Every form yields at most one \(\alpha _{0,j}\) with a new index j, except probes on subsums. However, in any subsum, there is always a random \(\rho (i,j)\) between \(\alpha _{0,j}\) and \(\alpha _{0,j+1}\), and one needs to get all the \(d+1\) indices to obtain a set satisfying Condition 2. It is then clear that one cannot achieve this unless some \(\rho (i,j)\) does not cancel out in the sum, which is exactly what we wanted to show.
Now, let \(1 \le k \le R\) be an integer and let us compute the probability (over the \(X_{i,j,k}\)’s) that f contains \(r_k\). There exists some set S of pairs (i, j) such that f is the sum of \(\sum _{(i,j) \in S} X_{i,j,k} \cdot r_k\) and of some other expression not containing any \(X_{i,j,k} \cdot r_k\). From the previous point, S is not empty.
Furthermore, as there are \(d+1\) outputs \(c_0,\dots ,c_d\) and as there are only d probes, S cannot contain all the possible pairs (i, j), and therefore, all the random variables \(X_{i,j,k}\) for \((i,j) \in S\) are mutually independent. Therefore, \(\sum _{(i,j) \in S} X_{i,j,k}\) is 1 with probability 1/2 and f functionally depends on the random bit \(r_k\) with probability 1/2. As there are R possible random bits \(r_k\), f does not functionally depend on any of them (and then P satisfies Condition 2) with probability \((1/2)^R\). A union bound over all the sets of d probes then shows that, for R large enough, with nonzero probability no set of d probes satisfies Condition 2, and Lemma 15 follows. \(\square \)
Theorem 16
For some \(R = O(d \cdot \log d)\), there exists a choice of the \(\rho (i,j)\)’s such that Algorithm 2 is a \(d\)-private \(d\)-compression algorithm for multiplication, when \(d\rightarrow \infty \).
We just need to remark that, for some \(R = O(d \cdot \log d)\), the probability that Algorithm 2 is \(d\)-private is, according to Lemma 15, nonzero.
The full proof is given in the full version of this paper.
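Numerically, this union-bound calculation is easy to reproduce. The sketch below is our own back-of-the-envelope computation: it assumes a (hypothetical) polynomial number \(N = 2(d+1)^2\) of intermediate variables and returns the smallest R for which \(\left( {\begin{array}{c}N\\ d\end{array}}\right) \cdot (1/2)^R < 1\), i.e., for which a secure choice exists with nonzero probability:

```python
from math import comb, log2, ceil

def min_R(d, N):
    # Smallest R with C(N, d) * 2**(-R) < 1 (union bound over probe sets).
    return ceil(log2(comb(N, d))) + 1

for d in (4, 16, 64, 256):
    N = 2 * (d + 1) ** 2        # assumed polynomial count of intermediate values
    print(d, min_R(d, N))       # grows roughly like d * log2(d)
```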
5 New Construction
The goal of this section is to propose a new \(d\)-private multiplication algorithm. Compared to the construction in [15], our construction halves the number of required random bits. It is therefore the most efficient existing construction of a \(d\)-private multiplication.
Some rationales behind our new construction may be found in the two following necessary conditions deduced from a careful study of the original work of Ishai, Sahai and Wagner [15].
Lemma 17
Let \(\mathcal {A}(\varvec{a},\varvec{b};\varvec{r})\) be a \(d\)-compression algorithm for multiplication. Let f be an intermediate result taking the form \(f=\varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b} + \varvec{s}^\intercal \cdot \varvec{r}\). Let t denote the greatest Hamming weight of an element in the vector subspace generated by the rows of \({\varvec{M}}\) or by the columns of \({\varvec{M}}\). If \(\mathsf {hw}(\varvec{s})<t-1\), then \(\mathcal {A}(\varvec{a},\varvec{b};\varvec{r})\) is not \(d\)-private.
Proof
By definition of \(\varvec{s}\), the value \(\varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) can be recovered by probing f and then each of the \(\mathsf {hw}(\varvec{s})<t-1\) random bits on which \(\varvec{s}^\intercal \cdot \varvec{r}\) functionally depends, and by summing all these probes. Let \(P_1 = \{f,p_1,\dots ,p_j\}\) with \(j < t-1\) denote the set of these at most \(t-1\) probes. Then, we just showed that \(f + \sum _{i = 1}^j p_i = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\).
To conclude the proof, we want to argue that there is a set of at most \(d-(t-1)\) probes \(P_2 = \{p_1',\dots ,p_k'\}\) such that \(f + \sum _{i = 1}^j p_i + \sum _{\ell = 1}^k p'_\ell = \varvec{a}^\intercal \cdot {\varvec{M}}' \cdot \varvec{b}\), where \({\varvec{M}}'\) is a matrix such that \(\varvec{u}_{d+1}\) is in its row space or in its column space. If such a set \(P_2\) exists, then the set of probes \(P_1 \cup P_2\) (whose cardinality is at most d) satisfies Condition 1, and then \(\mathcal {A}\) is not \(d\)-private, via Theorem 7.
We now use the fact that there is a vector of Hamming weight t in the row space or in the column space of \({\varvec{M}}\). We can assume (without loss of generality) that there exists a vector \(\varvec{w} \in \mathbb {F}_{2}^{d+1}\) of Hamming weight t in the column subspace of \({\varvec{M}}\), so that \(\varvec{w} = \sum _{j \in J} \varvec{m}_j\), with \(J \subseteq \{0,\dots ,d\}\) and \(\varvec{m}_j\) the jth column vector of \({\varvec{M}}\). Let \(i_1,\dots ,i_{d+1-t}\) denote the indices i of \(\varvec{w}\) such that \(w_i = 0\). Then, let \(j \in J\); we claim that \(P_2 = \{\alpha _{i_1,j},\dots ,\alpha _{i_{d+1-t},j}\}\) allows us to conclude the proof. Please note that all these values are probes of intermediate values of \(\mathcal {A}\).
Indeed, we have \(f + \sum _{i = 1}^j p_i + \sum _{k = 1}^{d+1-t} \alpha _{i_k,j} = \varvec{a}^\intercal \cdot {\varvec{M}}' \cdot \varvec{b}\) where all coefficients of \({\varvec{M}}'\) are the same as the coefficients of \({\varvec{M}}\) except for the coefficients in positions \((i_1,j),\dots ,(i_{d+1-t},j)\), which are flipped, and now \(\sum _{j \in J} \varvec{m}'_j = \varvec{u}_{d+1}\), where \(\varvec{m}'_j\) is the jth column vector of \({\varvec{M}}'\). Lemma 17 easily follows. \(\square \)
In our construction, we satisfy the necessary condition in Lemma 17 by ensuring that any intermediate result that functionally depends on t shares of a (resp. of b) also functionally depends on at least \(t1\) random bits.
Table 1. Complexities of ISW, our new \(d\)-private compression algorithm for multiplication, and our specific algorithms at several orders

| Complexities | Algorithm ISW | Algorithm 3 | Algorithms 4, 5 and 6 |
| --- | --- | --- | --- |
| Second-Order Masking |  |  |  |
| Sums | 12 | 12 | 10 |
| Products | 9 | 9 | 9 |
| Random bits | 3 | 3 | 2 |
| Third-Order Masking |  |  |  |
| Sums | 24 | 22 | 20 |
| Products | 16 | 16 | 16 |
| Random bits | 6 | 5 | 4 |
| Fourth-Order Masking |  |  |  |
| Sums | 40 | 38 | 30 |
| Products | 25 | 25 | 25 |
| Random bits | 10 | 8 | 5 |
| \(d^{\text {th}}\)-Order Masking |  |  |  |
| Sums | \(2d(d+1)\) | \(d(7d+10)/4\) (\(d\) even); \((7d+1)(d+1)/4\) (\(d\) odd) | — |
| Products | \((d+1)^2\) | \((d+1)^2\) | — |
| Random bits | \(d(d+1)/2\) | \(d^2/4 + d\) (\(d\) even); \((d^2-1)/4 + d\) (\(d\) odd) | — |
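The closed-form randomness costs in the last rows of the table can be evaluated directly; this small sketch (ours, for illustration) compares the cost of ISW with that of Algorithm 3 and reproduces the 3/3, 6/5 and 10/8 entries above:

```python
def rand_isw(d):
    return d * (d + 1) // 2            # ISW: d(d+1)/2 random bits

def rand_alg3(d):
    if d % 2 == 0:
        return d * d // 4 + d          # Algorithm 3: d^2/4 + d       (d even)
    return (d * d - 1) // 4 + d        # Algorithm 3: (d^2 - 1)/4 + d (d odd)

assert (rand_isw(2), rand_alg3(2)) == (3, 3)
assert (rand_isw(3), rand_alg3(3)) == (6, 5)
assert (rand_isw(4), rand_alg3(4)) == (10, 8)

for d in range(2, 11):
    print(d, rand_isw(d), rand_alg3(d))  # Algorithm 3 roughly halves the cost
```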
Proposition 18
Algorithm 3 is \(d\)-private.
Algorithm 3 was proven to be \(d\)-private with the verifier built by Barthe et al. [4] up to order \(d=6\). Furthermore, a pen-and-paper proof for any order \(d\) is given in the full version of this paper.
6 Optimal Small Cases
Proposition 19
Algorithms 4, 5, and 6 are correct and respectively 2-, 3- and 4-private.
Table 1 (Sect. 5) compares the amount of randomness used by the new construction proposed in Sect. 5 and by our optimal small algorithms. We recall that each of them attains the lower bound proved in Sect. 4.
7 Composition
Our new algorithms are all \(d\)-private, when applied on the outputs of a multiplicative encoder parameterized at order \(d\). We now aim to show how they can be involved in the design of larger functions (e.g., block ciphers) to achieve a global \(d\)-privacy. In [3], Barthe et al. introduce and formally prove a method to compose small \(d\)-private algorithms (a.k.a. gadgets) into larger \(d\)-private functions. The idea is to carefully refresh the sharings when necessary, according to the security properties of the gadgets. Before going further into the details of this composition, we recall some security properties used in [3].
7.1 Compositional Security Notions
Before stating the new security definitions, we first need to introduce the notion of simulatability. For the sake of simplicity, we only state this notion for multiplication algorithms, but it can easily be extended to more general algorithms.
Definition 20
A set \(P = \{p_1,\dots ,p_\ell \}\) of \(\ell \) probes of a multiplication algorithm can be simulated with at most t shares of each input if there exist two sets \(I = \{i_1,\dots ,i_t\}\) and \(J=\{j_1,\dots ,j_t\}\) of t indices from \(\{0,\dots ,d\}\) and a random function f taking as input 2t bits and outputting \(\ell \) bits such that, for any fixed bits \({(a_i)}_{0 \le i \le d}\) and \({(b_j)}_{0 \le j \le d}\), the distributions \(\{p_1,\dots ,p_\ell \}\) (which implicitly depends on \({(a_i)}_{0\le i \le d}\), \({(b_j)}_{0 \le j \le d}\), and the random coins used in the multiplication algorithm) and \(\{f(a_{i_1},\dots ,a_{i_t},b_{j_1},\dots ,b_{j_t})\}\) are identical.
We write \(f(a_{i_1},\dots ,a_{i_t},b_{j_1},\dots ,b_{j_t}) = f(a_I,b_J)\).
Definition 21
An algorithm is \(d\)-non-interferent (or \(d\)-NI) if and only if every set of at most \(d\) probes can be simulated with at most \(d\) shares of each input.
While this notion might be stronger than the notion of security we used, all our concrete constructions in Sects. 5 and 6 satisfy it. The proof of Algorithm 3 is indeed a proof by simulation, while the small cases in Sect. 6 are proven using the verifier by Barthe et al. in [4], which directly proves NI.
Definition 22
An algorithm is \(d\)-tight non-interferent (or \(d\)-TNI) if and only if every set of \(t \le d\) probes can be simulated with at most t shares of each input.
While this notion of \(d\)-tight non-interference was assumed to be stronger than the notion of \(d\)-non-interference in [3], we show hereafter that these two security notions are actually equivalent. In particular, this means that all our concrete constructions are also TNI.
Proposition 23
(\(d\)-NI \(\Leftrightarrow \) \(d\)-TNI). An algorithm is \(d\)-non-interferent if and only if it is \(d\)-tight non-interferent.
Proof
The right-to-left implication is straightforward from the definitions. Let us thus consider the left-to-right direction.
For that purpose, we first need to introduce a technical lemma. Again, for the sake of simplicity, we only consider multiplication algorithms, with only two inputs, but the proof can easily be generalized to any algorithm.
Lemma 24
Let \(P= \{p_1,\dots ,p_\ell \}\) be a set of \(\ell \) probes which can be simulated by the sets (I, J) and also by the sets \((I',J')\). Then it can also be simulated by \((I \cap I', J \cap J')\).
Proof
Let f be the function corresponding to I, J and \(f'\) the function corresponding to \(I',J'\). We have that for any bits \({(a_i)}_{0 \le i \le d}\) and \({(b_j)}_{0 \le j \le d}\), the distributions \(\{p_1,\dots ,p_\ell \}\), \(\{f(a_{I},b_{J})\}\), and \(\{f'(a_{I'},b_{J'})\}\) are identical. Therefore, f does not depend on \(a_i\) nor \(b_j\) for \(i \in I \setminus I'\) and \(j \in J \setminus J'\), since \(f'\) does not depend on them. Thus, P can be simulated with only shares from \(I \cap I'\) and \(J \cap J'\) (using the function f where the inputs corresponding to \(a_i\) and \(b_j\) for \(i \in I \setminus I'\) and \(j \in J \setminus J'\) are just set to zero, for example). \(\square \)
We now assume that an algorithm \(\mathcal {A}\) is \(d\)-NI, that is, every set of at most \(d\) probes can be simulated with at most \(d\) shares of each input. Now, by contradiction, let us consider a set P of probes on \(\mathcal {A}\), with minimal cardinality \(t < d\), such that it cannot be simulated by at most t shares of each input. Let us consider the sets I, J corresponding to the intersection of all sets \(I',J'\) (respectively) such that the set P can be simulated by \(I',J'\). The sets I, J also simulate P thanks to Lemma 24. Furthermore, by hypothesis, \(t < \vert I \vert \le d\) or \(t < \vert J \vert \le d\). Without loss of generality, let us suppose that \(\vert I \vert > t\).
Let \(i^*\) be an arbitrary element of \(\{0,\dots ,d\} \setminus I\) (which is not an empty set as \(\vert I \vert \le d\)). Let us now consider the set of probes \(P' = P \cup \{ a_{i^*} \}\). By hypothesis, \(P'\) can be simulated by at most \(\vert P' \vert = t+1\) shares of each input. Let \(I',J'\) be two sets of size at most \(t+1\) simulating \(P'\). These two sets also simulate \(P \subseteq P'\), and therefore \(I \cap I', J \cap J'\) also simulate P. Furthermore, \(i^* \in I'\), as all the shares \(a_i\) are independent. Since \(i^* \notin I\), \(\vert I \cap I' \vert \le t\) and \(I \cap I' \subsetneq I\), which contradicts the fact that I and J were the intersection of all sets \(I'',J''\) simulating P. \(\square \)
Definition 25
An algorithm \(\mathcal {A}\) is \(d\)-strong non-interferent (or \(d\)-SNI) if and only if for every set \(\mathcal {I}\) of \(t_1\) probes on intermediate variables (i.e., no output wires or shares) and every set \(\mathcal {O}\) of \(t_2\) probes on output shares such that \(t_1+t_2\le d\), the set \(\mathcal {I} \cup \mathcal {O}\) of probes can be simulated by only \(t_1\) shares of each input.
The composition of two \(d\)-SNI algorithms is itself \(d\)-SNI, while that of \(d\)-TNI algorithms is not necessarily \(d\)-TNI. This implies that \(d\)-SNI gadgets can be directly composed while maintaining the \(d\)-privacy property, whereas a so-called refreshing gadget must sometimes be involved before the composition of \(d\)-TNI algorithms. Since the latter refreshing gadgets consume the same quantity of random values as ISW, limiting their use is crucial if the goal is to reduce the global amount of randomness.
7.2 Building Compositions with Our New Algorithms
In [3], the authors show that the ISW multiplication is \(d\)-SNI and use it to build secure compositions. Unfortunately, our new multiplication algorithms are \(d\)-TNI but not \(d\)-SNI. Therefore, as discussed in the previous section, they can replace only some of the ISW multiplications in secure compositions. Let us take the example of the AES inversion that is depicted in [3]. We can prove that replacing the first (\(\mathcal {A}^7\)) and the third (\(\mathcal {A}^2\)) ISW multiplications by \(d\)-TNI multiplications (e.g., our new constructions) and moving the refreshing algorithm R to different locations preserves the strong non-interference of the inversion, while benefiting from our reduction of the randomness consumption.
Proposition 26
The AES inversion given in Fig. 6 with \(\mathcal {A}^1\) and \(\mathcal {A}^4\) being \(d\)-SNI multiplications and \(\mathcal {A}^2\) and \(\mathcal {A}^7\) being \(d\)-TNI multiplications is \(d\)-SNI.
Proof
From the \(d\)-probing model, we assume that the total number of probes used to attack the inversion is limited to \(d\), that is \(\sum _{1 \le i \le 9} \vert \mathcal {I}^i \vert + \vert \mathcal {O} \vert \le d\). As in [3], we build the proof from right to left by simulating each algorithm. Algorithm \(\mathcal {A}^1\) is \(d\)-SNI, thus \(\vert \mathcal {S}_1^1 \vert , \vert \mathcal {S}_2^1 \vert \le \vert \mathcal {I}^1 \vert \). Algorithm \(\mathcal {A}^2\) is \(d\)-TNI, thus \(\vert \mathcal {S}_1^2 \vert , \vert \mathcal {S}_2^2 \vert \le \vert \mathcal {I}^1 \vert + \vert \mathcal {I}^2 \vert \). As explained in [3], since Algorithm \(\mathcal {A}^3\) is affine, \(\vert \mathcal {S}^3 \vert \le \vert \mathcal {S}_1^2 \vert + \vert \mathcal {I}^3 \vert \le \vert \mathcal {I}^1 \vert + \vert \mathcal {I}^2 \vert + \vert \mathcal {I}^3 \vert \). Algorithm \(\mathcal {A}^4\) is \(d\)-SNI, thus \(\vert \mathcal {S}_1^4 \vert , \vert \mathcal {S}_2^4 \vert \le \vert \mathcal {I}^4 \vert \). Algorithm \(\mathcal {A}^5\) is \(d\)-SNI, thus \(\vert \mathcal {S}^5 \vert \le \vert \mathcal {I}^5 \vert \). Algorithm \(\mathcal {A}^6\) is affine, thus \(\vert \mathcal {S}^6 \vert \le \vert \mathcal {S}^5 \vert + \vert \mathcal {I}^6 \vert \le \vert \mathcal {I}^5 \vert + \vert \mathcal {I}^6 \vert \). Algorithm \(\mathcal {A}^7\) is \(d\)-TNI, thus \(\vert \mathcal {S}_1^7 \vert , \vert \mathcal {S}_2^7 \vert \le \vert \mathcal {S}^6 \vert + \vert \mathcal {S}_1^4 \vert + \vert \mathcal {I}^7 \vert \le \vert \mathcal {I}^4 \vert + \vert \mathcal {I}^5 \vert + \vert \mathcal {I}^6 \vert + \vert \mathcal {I}^7 \vert \). Algorithm \(\mathcal {A}^8\) is \(d\)-SNI, thus \(\vert \mathcal {S}^8 \vert \le \vert \mathcal {I}^8 \vert \). Algorithm \(\mathcal {A}^9\) is affine, thus \(\vert \mathcal {S}^9 \vert \le \vert \mathcal {I}^9 \vert + \vert \mathcal {S}^8 \vert \le \vert \mathcal {I}^8 \vert + \vert \mathcal {I}^9 \vert \). Finally, all the probes of this inversion can be perfectly simulated from \(\vert \mathcal {S}^9 \cup \mathcal {S}_1^7 \vert \le \vert \mathcal {I}^4 \vert + \vert \mathcal {I}^5 \vert + \vert \mathcal {I}^6 \vert + \vert \mathcal {I}^7 \vert + \vert \mathcal {I}^8 \vert + \vert \mathcal {I}^9 \vert \) shares of x, which proves that the inversion is still \(d\)-SNI. \(\square \)
From Proposition 26, our new constructions can be used to build \(d\)-SNI algorithms. In the case of the AES block cipher, half of the \(d\)-SNI ISW multiplications can be replaced by ours while preserving the whole \(d\)-SNI security.
8 New Automatic Tool for Finding Attacks
In this section, we describe a new automatic tool for finding attacks on compression algorithms for multiplication, developed in Sage (Python) [27]. Compared to the verifier developed by Barthe et al. [4], which is based on EasyCrypt, our tool is less generic: it focuses on compression algorithms for multiplication, and its soundness is not perfect (it relies on some heuristic assumption). Nevertheless, it is orders of magnitude faster.
Imperfect soundness means that the tool may fail to find an attack and can then only guarantee that no attack exists except with probability \(\varepsilon \). We believe that, in practice, this limitation is not a big issue: if \(\varepsilon \) is small enough (e.g., \(2^{-20}\)), a software bug is much more likely than an attack on the scheme. Furthermore, the running time of the algorithm depends only linearly on \(\log (1/\varepsilon )\). Concretely, for all the schemes we manually tested for \(d=3,4,5\) and 6, attacks on invalid schemes were found almost immediately. Even if not used to formally prove schemes, our tool can at least be used to quickly eliminate (most) incorrect schemes, and enables designers to focus their efforts on trying to prove “non-trivially-broken” schemes.
8.1 Algorithm of the Tool
From Theorem 7, in order to find an attack, we just need to find a set \(P = \{p_1,\dots ,p_\ell \}\) with \(\ell \le d\) satisfying Condition 1. If no such set P exists, the compression algorithm for multiplication is \(d\)-private.
A naive way to check the existence of such a set P is to enumerate all the sets of d probes. However, there are \(\left( {\begin{array}{c}N\\ d\end{array}}\right) \) such sets, with N being the number of intermediate variables of the algorithm. For instance, to achieve 4-privacy, our construction (see Sect. 6) uses \(N=81\) intermediate variables, which makes more than \(2^{20}\) sets of four variables to test. In [4], the authors proposed a faster way of enumerating these sets by considering larger sets which are still independent from the secret. However, their method falls short for the compression algorithms in our paper as soon as \(d > 6\), as shown in Sect. 8.4. Furthermore, even for \(d = 3,4,5\), their tool takes several minutes to prove security (around 5 min to check the security of Algorithm 3 with \(d=5\)) or to find an attack for incorrect schemes, which prevents one from quickly checking the validity of a newly designed scheme.
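For instance, the naive count for \(d = 4\) mentioned above can be checked directly:

```python
from math import comb

# Number of sets of d = 4 probes among the N = 81 intermediate variables.
assert comb(81, 4) == 1663740
assert comb(81, 4) > 2**20    # more than a million candidate sets to test
```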
Intermediate results of Algorithm 4

| Non-deterministic (\(\nu =12\)) | Deterministic (\(\nu '=9\)) |
| --- | --- |
| \({\gamma _{1}} = a_0 b_0 + r_0\) | \({\gamma '_{1}} = a_0 b_0\) |
| \({\gamma _{2}} = a_0 b_0 + r_0 + a_0 b_2\) | \({\gamma '_{2}} = a_0 b_2\) |
| \({\gamma _{3}} = c_0\) | \({\gamma '_{3}} = a_2 b_0\) |
| \({\gamma _{4}} = r_0\) | \({\gamma '_{4}} = a_1 b_1\) |
| \({\gamma _{5}} = a_1 b_1 + r_1\) | \({\gamma '_{5}} = a_0 b_1\) |
| \({\gamma _{6}} = a_1 b_1 + r_1 + a_0 b_1\) | \({\gamma '_{6}} = a_1 b_0\) |
| \({\gamma _{7}} = c_1\) | \({\gamma '_{7}} = a_2 b_2\) |
| \({\gamma _{8}} = r_1\) | \({\gamma '_{8}} = a_1 b_2\) |
| \({\gamma _{9}} = a_2 b_2 + r_1\) | \({\gamma '_{9}} = a_2 b_1\) |
| \({\gamma _{10}} = a_2 b_2 + r_1 + r_0\) |  |
| \({\gamma _{11}} = a_2 b_2 + r_1 + r_0 + a_1 b_2\) |  |
| \({\gamma _{12}} = c_2\) |  |
An attack set \(P=\{p_1,\dots ,p_\ell \}\) can then be separated into two sets \(Q = \{{\gamma _{i_1}},\dots ,{\gamma _{i_\delta }}\}\) of non-deterministic probes and \(Q' = \{{\gamma '_{i'_1}},\dots ,{\gamma '_{i'_{\delta '}}}\}\) of deterministic probes, with \(\ell =\delta +\delta ' \le d\). We remark that necessarily \(\sum _{p \in Q} p\) does not functionally depend on any random value. Actually, we even have the following lemma:
Lemma 27
Let \(\mathcal {A}(\varvec{a},\varvec{b};\varvec{r})\) be a compression algorithm for multiplication. Then \(\mathcal {A}\) is \(d\)-private if and only if there does not exist a set of non-deterministic probes \(Q = \{{\gamma _{i_1}},\dots ,{\gamma _{i_\delta }}\}\) with \(\delta \le d\) such that \(\sum _{p \in Q} p = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) where the column space or the row space of \({\varvec{M}}\) contains a vector of Hamming weight at least \(\delta +1\).
Furthermore, if such a set Q exists, there exists a set \(Q' = \{{\gamma '_{i'_1}},\dots ,{\gamma '_{i'_{\delta '}}}\}\), with \(\delta +\delta ' \le d\), such that \(P = Q \cup Q'\) is an attack.
Moreover, the lemma is still true when we restrict ourselves to sets Q such that there exists no proper subset \(\hat{Q} \subsetneq Q\) such that \(\sum _{p \in \hat{Q}} p\) does not functionally depend on any random bit.
Proof
The first two paragraphs of the lemma can be proven similarly to Lemma 17. Thus, we only need to prove its last part.
By contradiction, let us suppose that there exists a set \(Q = \{{\gamma _{i_1}},\dots ,{\gamma _{i_\delta }}\}\) of non-deterministic probes, of minimal cardinality, such that \(\sum _{p \in Q} p = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) and the column space (without loss of generality, by symmetry of the \(a_i\)’s and \(b_i\)’s) of \({\varvec{M}}\) contains a vector of Hamming weight at least \(\delta +1\), but that admits a proper subset \(\hat{Q} \subsetneq Q\) such that \(\sum _{p \in \hat{Q}} p\) does not functionally depend on any random bit. By minimality of Q, the sum \(\sum _{p \in \hat{Q}} p = \varvec{a}^\intercal \cdot \hat{{\varvec{M}}} \cdot \varvec{b}\) is such that the column space (still without loss of generality) of \(\hat{{\varvec{M}}}\) does not contain any vector of Hamming weight at least \(\vert \hat{Q} \vert + 1\).
First, let us set \(\bar{{\varvec{M}}} = \hat{{\varvec{M}}} + {\varvec{M}}\) (over \({{\mathbb F}}_2\)), so that \(\sum _{p \in Q \setminus \hat{Q}} p = \varvec{a}^\intercal \cdot \bar{{\varvec{M}}} \cdot \varvec{b}\), as \(\sum _{p \in \hat{Q}} p + \sum _{p \in Q \setminus \hat{Q}} p = \sum _{p \in Q} p = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\), and let \(\hat{\delta } = \vert \hat{Q} \vert \) and \(\bar{\delta } = \vert Q \setminus \hat{Q} \vert = \delta - \hat{\delta }\). Let also \(\omega \), \(\hat{\omega }\), and \(\bar{\omega }\) be the maximum Hamming weights of the vectors in the column spaces of \({\varvec{M}}\), \(\hat{{\varvec{M}}}\), and \(\bar{{\varvec{M}}}\), respectively. Since \({\varvec{M}}= \hat{{\varvec{M}}}+\bar{{\varvec{M}}}\), we have \(\omega \le \hat{\omega } + \bar{\omega }\), and since \(\omega \ge \delta +1\) and \(\delta = \hat{\delta } + \bar{\delta }\), it follows that \(\hat{\omega } > \hat{\delta }\) or \(\bar{\omega } > \bar{\delta }\). We set \(\tilde{Q} = \hat{Q}\) if \(\hat{\omega } > \hat{\delta }\), and \(\tilde{Q} = Q \setminus \hat{Q}\) otherwise. In both cases, \(\tilde{Q} \subsetneq Q\) is such that \(\sum _{p \in \tilde{Q}} p = \varvec{a}^\intercal \cdot \tilde{{\varvec{M}}} \cdot \varvec{b}\) where the column space of \(\tilde{{\varvec{M}}}\) contains a vector of Hamming weight at least \(\vert \tilde{Q} \vert +1\). This contradicts the minimality of Q and concludes the proof of the lemma. \(\square \)

Given such a set Q of \(\delta \) non-deterministic probes with \(\sum _{p \in Q} p = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\), two cases can be distinguished:
– when \({\varvec{M}}\) contains at most \(\delta \) non-zero rows and at most \(\delta \) non-zero columns, Q does not yield an attack;
– when \({\varvec{M}}\) contains exactly \(\delta +1\) non-zero rows (resp. columns), which we assume to be the first \(\delta +1\) ones (without loss of generality), Q yields an attack if and only if the vector \((\varvec{u}_{\delta +1}^\intercal ,\varvec{0}_{d-\delta }^\intercal )\) is in the row space (resp. \((\varvec{u}_{\delta +1},\varvec{0}_{d-\delta })\) is in the column space) of \({\varvec{M}}\) (this condition can be checked in time polynomial in d).
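The membership test of the second case is plain linear algebra over \(\mathbb {F}_{2}\). A possible sketch (our own illustration, on a made-up matrix, with \(d = 3\) and \(\delta = 1\)):

```python
def in_row_space(M, target):
    """Gaussian elimination over GF(2): is `target` a sum of rows of M?"""
    basis = []
    for row in M:
        v = list(row)
        for b in basis:
            p = next(i for i, x in enumerate(b) if x)  # pivot of basis vector
            if v[p]:
                v = [x ^ y for x, y in zip(v, b)]
        if any(v):
            basis.append(v)
    t = list(target)
    for b in basis:
        p = next(i for i, x in enumerate(b) if x)
        if t[p]:
            t = [x ^ y for x, y in zip(t, b)]
    return not any(t)  # target reduces to zero iff it is in the row space

# Made-up example: is (u_2, 0_2) = (1, 1, 0, 0) in the row space of M?
M = [[1, 0, 1, 0],
     [0, 1, 1, 0],
     [0, 0, 0, 0],
     [0, 0, 0, 0]]
assert in_row_space(M, [1, 1, 0, 0])      # row 1 + row 2 = (1, 1, 0, 0)
assert not in_row_space(M, [1, 1, 1, 1])
```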
8.2 Information Set Decoding and Error Probability
We now explain how to perform the enumeration step of our algorithm using information set decoding. Information set decoding was introduced in the original security analysis of the McEliece cryptosystem [20, 22], as a way to break it by finding small codewords in a random linear code. It was further explored by Lee and Brickell in [18]. Many improvements have since been proposed, e.g., in [19, 26]. However, for the sake of simplicity and because it already gives very good results, we use the original information set decoding algorithm. Furthermore, it is not clear that the aforementioned improvements apply in our case, as the codes we consider are far from the Singleton bound.
The basic idea is the following. We first apply a row-reduction to \(\varGamma \); let us call the resulting matrix \(\varGamma '\). We remark that, for any vector \(\varvec{x}\), \(\varGamma \cdot \varvec{x} = 0\) if and only if \(\varGamma ' \cdot \varvec{x} = 0\), so we can use \(\varGamma '\) instead of \(\varGamma \) in our problem. Assume for now that the first R columns of \(\varGamma \) are linearly independent (recall that the number \(\nu \) of columns of \(\varGamma \) is much larger than its number R of rows), so that the first R columns of \(\varGamma '\) form an identity matrix. Then, for any \(k^* > R\), if the \(k^*\)-th column of \(\varGamma '\) has Hamming weight at most \(d-1\), we can consider the vector \(\varvec{x}\) defined by \(x_{k^*} = 1\), \(x_k = 1\) when \(\varGamma '_{k,k^*}=1\), and \(x_k = 0\) otherwise; this vector satisfies the conditions we were looking for: its Hamming weight is at most \(d\) and \(\varGamma ' \cdot \varvec{x} = 0\). That way, we have quickly enumerated all the vectors \(\varvec{x}\) of Hamming weight at most \(d\) such that \(\varGamma ' \cdot \varvec{x}= 0\), with the additional property that \(x_k = 0\) for all \(k > R\) except for at most^{2} one index \(k^*\). Without the condition \(\varGamma ' \cdot \varvec{x} = 0\), there are \((\nu - R + 1) \cdot \sum _{i=0}^{d-1} \left( {\begin{array}{c}R\\ i\end{array}}\right) + \left( {\begin{array}{c}R\\ d\end{array}}\right) \) such vectors, as there are \(\sum _{i=0}^d \left( {\begin{array}{c}R\\ i\end{array}}\right) \) vectors \(\varvec{x}\) such that \(\mathrm {HW}(\varvec{x})\le d\) and \(x_k=0\) for every \(k>R\), and there are \((\nu - R)\cdot \sum _{i=0}^{d-1} \left( {\begin{array}{c}R\\ i\end{array}}\right) \) vectors \(\varvec{x}\) such that \(\mathrm {HW}(\varvec{x})\le d\) and \(x_k=1\) for a single \(k > R\).
In other words, using row-reduction, we have been able to check \((\nu - R + 1) \cdot \sum _{i=0}^{d-1} \left( {\begin{array}{c}R\\ i\end{array}}\right) + \left( {\begin{array}{c}R\\ d\end{array}}\right) \) possible vectors \(\varvec{x}\) among at most \(\sum _{i=1}^d \left( {\begin{array}{c}\nu \\ i\end{array}}\right) \) vectors which could be used to mount an attack, by testing at most \(\nu - R\) vectors.^{3}
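The enumeration step above can be sketched in code. The following is an illustrative implementation (the names and the example matrix are ours, not from the paper), assuming \(\varGamma \) is given as a 0/1 numpy array whose first R columns are linearly independent:

```python
import numpy as np

def rref_gf2(G):
    """Row-reduce a 0/1 matrix over GF(2); returns the reduced matrix."""
    G = G.copy() % 2
    R, nu = G.shape
    row = 0
    for col in range(nu):
        if row == R:
            break
        piv = np.nonzero(G[row:, col])[0]
        if piv.size == 0:
            continue
        p = piv[0] + row
        G[[row, p]] = G[[p, row]]          # swap the pivot row into place
        for r in range(R):
            if r != row and G[r, col]:
                G[r] ^= G[row]             # eliminate the column elsewhere
        row += 1
    return G

def isd_enumerate(G, d):
    """One information-set-decoding pass: assuming the first R columns of G
    are independent (so row-reduction yields [I | A]), return all x with
    HW(x) <= d, G x = 0 over GF(2), and support contained in the first R
    columns plus at most one extra index k* > R."""
    Gp = rref_gf2(G)
    R, nu = Gp.shape
    sols = []
    for kstar in range(R, nu):
        col = Gp[:, kstar]
        if col.sum() <= d - 1:             # HW(x) will be col.sum() + 1
            x = np.zeros(nu, dtype=np.uint8)
            x[kstar] = 1
            x[:R] = col                    # x_k = 1 exactly where Gp[k,kstar] = 1
            sols.append(x)
    return sols

# Illustrative matrix Gamma, already in [I | A] form (R = 3, nu = 6):
Gamma = np.array([[1, 0, 0, 1, 1, 1],
                  [0, 1, 0, 1, 0, 1],
                  [0, 0, 1, 0, 0, 1]], dtype=np.uint8)
for x in isd_enumerate(Gamma, d=2):
    print(x)
```

Each returned vector is a kernel element of weight at most d of the chosen form; the surrounding algorithm repeats this pass over random column permutations of \(\varGamma \).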
Now, we just need to handle the case when the first R columns of \(\varGamma \) are not linearly independent, for some permuted matrix \(\varGamma \) at some iteration. We can simply redraw the permutation, or take the pivot columns of the row-reduction instead of the first R columns of \(\varGamma \). In both cases, this may slightly bias the probability; we make the heuristic assumption that the bias is negligible. To support this heuristic assumption, we remark that if we iterated the algorithm over all the permutations for which the first R columns of \(\varGamma \) are not linearly independent, then we would enumerate all the vectors \(\varvec{x}\) we are interested in, thanks to the additional condition that there is no vector \(\varvec{\hat{x}} < \varvec{x}\) such that \(\varGamma \cdot \varvec{\hat{x}} = \varvec{0}\).
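As a rough sanity check of the error probability, one can compute the fraction of candidate vectors covered by one pass, and derive, under the heuristic assumption that successive random permutations behave like independent samples, how many iterations bring the miss probability below a target \(\varepsilon \). The sketch below uses the counts from the text; the parameters in the example are illustrative, not taken from the paper's experiments:

```python
from math import comb, log, ceil

def coverage_fraction(nu, R, d):
    """Fraction of candidate vectors of Hamming weight at most d that one
    information-set-decoding pass checks, as counted in the text."""
    checked = (nu - R + 1) * sum(comb(R, i) for i in range(d)) + comb(R, d)
    total = sum(comb(nu, i) for i in range(1, d + 1))
    return checked / total

def iterations_for_error(nu, R, d, eps):
    """Heuristic number of random-permutation iterations so that a single
    attack vector is missed with probability at most eps, assuming each
    iteration covers an independent fraction p of the candidates."""
    p = coverage_fraction(nu, R, d)
    return 1 if p >= 1 else ceil(log(1 / eps) / -log(1 - p))

# Illustrative parameters: a wide matrix with nu = 60 columns, R = 20 rows.
print(coverage_fraction(nu=60, R=20, d=4))
print(iterations_for_error(nu=60, R=20, d=4, eps=1e-6))
```

With this estimate, the miss probability after N iterations is approximately \((1-p)^N\), which is below \(\varepsilon \) once \(N \ge \ln (1/\varepsilon )/p\).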
8.3 The Tool
The tool takes as input a description of a compression algorithm for multiplication similar to the ones we used in this paper (see Fig. 2 for instance) and the maximum error probability \(\varepsilon \) we allow, and tries to find an attack. If no attack is found, then the scheme is secure with probability \(1-\varepsilon \). The tool can also output a description of the scheme which can be fed into the tool of [4].
Table 3. Complexities of exhibiting an attack at several orders (time to find an attack)

Order | Target algorithm | Verifier [4] | New tool
\(d=2\) | Tweaked Algorithm 4 | less than 1 ms | less than 10 ms
\(d=3\) | Tweaked Algorithm 5 | 36 ms | less than 10 ms
\(d=4\) | Tweaked Algorithm 6 | 108 ms | less than 10 ms
\(d=5\) | Tweaked Algorithm 3 | 6.264 s | less than 100 ms
\(d=6\) | Tweaked Algorithm 3 | 26 min | less than 300 ms
8.4 Complexity Comparison
It is difficult to compare the complexity of our new tool to that of the tool proposed in [4], since it strongly depends on the tested algorithm. Nevertheless, we give some values for the verification time of both tools when we intentionally modify our constructions to yield an attack. From order 2 to 4, we start with our optimal constructions and invert two random bits in an output share \(c_i\). Similarly, for orders 5 and 6, we use our generic construction and apply the same small modification. The computations were performed on an Intel(R) Core(TM) i5-2467M CPU @ 1.60 GHz and the results are given in Table 3. In all the considered cases, our new tool reveals the attack in less than 300 ms, while the generic verifier of Barthe et al. needs up to 26 min for order \(d=6\).
Footnotes
 1.
Actually, the generation of pseudorandom bits roughly corresponds to the execution of a block cipher, but we should also consider the regular internal state update.
 2.
We have seen that for one index \(k^*\), but it is easy to see that, as the first R columns of \(\varGamma '\) form an identity matrix, there exists no nonzero vector \(\varvec{x}\) with \(x_k=0\) for all \(k > R\) and \(\varGamma ' \cdot \varvec{x} = 0\) anyway.
 3.
There are exactly \(\sum _{i=1}^d \left( {\begin{array}{c}\nu \\ i\end{array}}\right) \) vectors of Hamming weight at most d, but here we recall that we only consider vectors \(\varvec{x}\) satisfying the following additional condition: there is no vector \(\varvec{\hat{x}} < \varvec{x}\) such that \(\varGamma \cdot \varvec{\hat{x}} = \varvec{0}\). We also remark that the vectors \(\varvec{x}\) generated by the described algorithm all satisfy this additional condition.
Notes
Acknowledgments
The authors thank the anonymous reviewers for their constructive comments. This work was supported in part by the French ANR Project ANR-12-JS02-0004 ROMAnTIC, the Direction Générale de l’Armement (DGA), and the CFM Foundation.
References
1.
2. Barker, E.B., Kelsey, J.M.: SP 800-90A: Recommendation for random number generation using deterministic random bit generators. Technical report, Gaithersburg, MD, USA (2012)
3. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B.: Compositional verification of higher-order masking: application to a verifying masking compiler. Cryptology ePrint Archive, Report 2015/506 (2015). http://eprint.iacr.org/2015/506
4. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 457–485. Springer, Heidelberg (2015)
5. Ben-Or, M., Goldwasser, S., Kilian, J., Wigderson, A.: Multi-prover interactive proofs: how to remove intractability assumptions. In: 20th ACM STOC, pp. 113–131. ACM Press, May 1988
6. Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: Higher-order threshold implementations. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 326–343. Springer, Heidelberg (2014)
7. Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: A more efficient AES threshold implementation. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 267–284. Springer, Heidelberg (2014)
8. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999)
9. Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014)
10. Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014)
11. Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 401–429. Springer, Heidelberg (2015)
12. Dziembowski, S., Faust, S., Skorski, M.: Noisy leakage revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 159–188. Springer, Heidelberg (2015)
13. Goubin, L., Patarin, J.: DES and differential power analysis: the “duplication” method. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999)
14. Ishai, Y., Kushilevitz, E., Li, X., Ostrovsky, R., Prabhakaran, M., Sahai, A., Zuckerman, D.: Robust pseudorandom generators. In: Fomin, F.V., Freivalds, R., Kwiatkowska, M., Peleg, D. (eds.) ICALP 2013, Part I. LNCS, vol. 7965, pp. 576–588. Springer, Heidelberg (2013)
15. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)
16. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
17. Lamport, L., Shostak, R.E., Pease, M.C.: The Byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3), 382–401 (1982)
18. Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988)
19. Leon, J.S.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theory 34(5), 1354–1359 (1988)
20. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Prog. Rep. 42(44), 114–116 (1978)
21. Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptology 24(2), 292–321 (2011)
22. Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962)
23. Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013)
24. Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 764–783. Springer, Heidelberg (2015)
25. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010)
26. Stern, J.: A method for finding codewords of small weight. In: Cohen, G.D., Wolfmann, J. (eds.) Coding Theory and Applications. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1988)
27. The Sage Developers: Sage Mathematics Software (Version 6.8) (2015). http://www.sagemath.org
28. Yao, A.C.-C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, pp. 160–164. IEEE Computer Society Press, November 1982