Advertisement

Randomness Complexity of Private Circuits for Multiplication

  • Sonia BelaïdEmail author
  • Fabrice BenhamoudaEmail author
  • Alain PasselègueEmail author
  • Emmanuel ProuffEmail author
  • Adrian ThillardEmail author
  • Damien VergnaudEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9666)

Abstract

Many cryptographic algorithms are vulnerable to side channel analysis and several leakage models have been introduced to better understand these flaws. In 2003, Ishai, Sahai and Wagner introduced the d-probing security model, in which an attacker can observe at most d intermediate values during a processing. They also proposed an algorithm that securely performs the multiplication of 2 bits in this model, using only \(d(d+1)/2\) random bits to protect the computation. We study the randomness complexity of multiplication algorithms secure in the d-probing model. We propose several contributions: we provide new theoretical characterizations and constructions, new practical constructions and a new efficient algorithmic tool to analyze the security of such schemes.

We start with a theoretical treatment of the subject: we propose an algebraic model for multiplication algorithms and exhibit an algebraic characterization of the security in the d-probing model. Using this characterization, we prove a linear (in d) lower bound and a quasi-linear (non-constructive) upper bound for this randomness cost. Then, we construct a new generic algorithm to perform secure multiplication in the d-probing model that only uses \(d + d^2/4\) random bits.

From a practical point of view, we consider the important cases \(d \le 4\) that are actually used in current real-life implementations and we build algorithms with a randomness complexity matching our theoretical lower bound for these small-order cases. Finally, still using our algebraic characterization, we provide a new dedicated verification tool, based on information set decoding, which aims at finding attacks on algorithms for fixed order d at a very low computational cost.

Keywords

Side-channel analysis Probing model Randomness complexity Constructions Lower bounds Probabilistic method Information set decoding Algorithmic tool 

1 Introduction

Most commonly used cryptographic algorithms are now considered secure against classical black-box attacks, when the adversary has only knowledge of their inputs or outputs. Today, it is however well known that their implementations are vulnerable to side-channel attacks, as revealed in the academic community by Kocher in 1996 [16]. These attacks exploit the physical emanations of the underlying device such as the execution time, the device temperature, or the power consumption during the algorithm execution.

To thwart side-channel attacks, many countermeasures have been proposed by the community. Among them, the most widely deployed one is probably masking (a.k.a. secret/processing sharing) [8, 13], which has strong links with techniques usually applied in secure multi-party computation (see e.g., [5, 28]) or private circuits theory [15]. For many kinds of real-life implementations, this countermeasure indeed demonstrated its effectiveness when combined with noise and processing jittering. The idea of the masking approach is to split every single sensitive variable/processing, which depends on the secret and on known variables, into several shares. Each share is generated uniformly at random except the last one which ensures that the combination of all the shares is equal to the initial sensitive value. This technique aims at making the physical leakage of one variable independent of the secret and thus useless for the attacker. The tuple of shares still brings information about the shared data but, in practice, the leakages are noisy and the complexity of extracting useful information increases exponentially with the number of shares, the basis of the exponent being related to the amount of noise [8].

In order to formally prove the security of masking schemes, the community has made important efforts to define leakage models that accurately capture the leakage complexity and simultaneously enable to build security arguments. In 2003, Ishai, Sahai, and Wagner introduced the \(d\)-probing model in which the attacker can observe at most \(d\) exact intermediate values [15]. This model is very convenient to make security proofs but does not fit the reality of embedded devices which leak noisy functions of all their intermediate variables. In 2013, Prouff and Rivain extended the noisy leakage model [23], initially introduced by Chari et al. [8], to propose a new one more accurate than [15] but not very convenient for security proofs. The two models [15, 23] were later unified by Duc, Dziembowski, and Faust [10] and Duc, Faust, and Standaert [11] who showed that a security proof in the noisy leakage model can be deduced from security proofs in the d-probing model. This sequence of works shows that proving the security of implementations in the d-probing model makes sense both from a theoretical and practical point of view. An implementation secure in the d-probing model is said to satisfy the d-privacy property or equivalently to be d-private [15] (or secure at order d).

It is worth noting that there is a tight link between sharing techniques, Multi Party Computation (MPC) and also threshold implementations [6, 7, 21]. In particular, the study in the classical d-probing security model can be seen as a particular case of MPC with honest players. Furthermore, the threshold implementations manipulate sharing techniques with additional restrictions to thwart further hardware attacks resulting from the leakage of electronic glitches. This problem can itself be similarly seen as a particular case of MPC, with Byzantine players [17].

1.1 Our Problem

Since most symmetric cryptographic algorithms manipulate Boolean values, the most practical way to protect them is generally to implement Boolean sharing (a.k.a. high-order masking): namely, each sensitive intermediate result x is shared into several pieces, say \(d+1\), which are manipulated by the algorithm and whose parity is equal to x. To secure the processing of a function f on a shared data, one must design a so-called masking scheme (or formally a private circuit) that describes how to build a sharing of f(x) from that of x while maintaining the \(d\)-probing security.

In the context of Boolean sharing, we usually separate the protection of linear functions from that of non-linear ones. In particular, at the hardware level, any circuit can be implemented using only two gates: the linear XOR gate and the non-linear AND gate. While the protection of linear operations (e.g., XOR) is straightforward since the initial function f can be applied to each share separately, it becomes more difficult for non-linear operations (e.g., AND). In these cases, the shares cannot be manipulated separately and must generally be processed all together to compute the correct result. These values must then be further protected using additional random bits which results in an important timing overhead.

State-of-the-art solutions to implement Boolean sharing on non-linear functions [9, 25] have focused on optimizing the computation complexity. Surprisingly, the amount of necessary random bits has only been in the scope of the seminal paper of Ishai, Sahai and Wagner [15]. In this work, the authors proposed and proved a clever construction (further referred to as ISW multiplication) allowing to compute the multiplication of two shared bits by using \(d(d+1)/2\) random bits, that is, half as many random bits as the straightforward solution uses. Their construction has since become a cornerstone of secure implementations [10, 12, 24, 25]. Even if this result is very important, the quantity of randomness remains very expensive to generate in embedded cryptographic implementations. Indeed, such a generation is usually performed using a physical generator followed by a deterministic random bit generator (DRBG). In addition of being a theoretical “chicken-and-egg” problem for this DRBG protection, in practice the physical generator has often a low throughput and the DRBG is also time-consuming. In general, for a DRBG based on a 128-bit block cipher, one call to this block cipher enables to generate 128 pseudorandom bits1 (see [2]). However, one invocation of the standard AES-128 block cipher with the ISW multiplication requires as much as 30,720 random bits (6 random bytes per multiplication, 4 multiplications per S-box [25]) to protect the multiplications when masked at the low order \(d=3\), which corresponds to 240 preliminary calls to the DRBG.

1.2 Our Contributions

We analyze the quantity of randomness required to define a d-private multiplication algorithm at any order \(d\). Given the sharings \(\varvec{a}={(a_i)}_{0\le i \le d}\), \(\varvec{b}={(b_i)}_{0 \le i \le d}\) of two bits a and b, the problem we tackle out is to find the minimal number of random bits necessary to securely compute a sharing \({(c_i)}_{0 \le i\le d}\) of the bit \(c = ab\) with a d-private algorithm. We limit our scope to the construction of a multiplication based on the sum of shares’ products. That is, as in [15], we start with the pairwise products of a’s and b’s shares and we work on optimizing their sum into \(d+1\) shares with as few random bits as possible. We show that this reduces to studying the randomness complexity of some particular d-private compression algorithm that securely transforms the \((d+1)^2\) shares’ products into \(d+1\) shares of c. In our study we make extensive use of the following theorem that gives an alternative characterization of the d-privacy:

Theorem 7 (informal) . A compression algorithm is \(d\)-private if and only if there does not exist a set of \(\ell \) intermediate results \(\{p_1,\dots ,p_\ell \}\) such that \(\ell \le d\) and \(\sum _{i=1}^\ell p_i\) can be written as \(\varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) with \({\varvec{M}}\) being some matrix such that the all-ones vector is in the row space or in the column space of \({\varvec{M}}\).

From this theorem, we deduce the following lower bound on the randomness complexity:

Theorems 1314 (informal) . If \(d\ge 3\) (resp. \(d=2\)), then a d-private compression algorithm for multiplication must involve at least \(d+1\) random bits (resp. 2).

This theorem shows that the randomness complexity is in \(\varOmega (d)\). Following the probabilistic method, we additionally prove the following theorem which claims that there exists a d-private multiplication algorithm with randomness complexity \(O(d \cdot \log d)\). This provides a quasi-linear upper bound \(O(d \cdot \log d)\) for the randomness complexity, when \(d \rightarrow \infty \).

Theorem 16 (informal) . There exists a d-private multiplication algorithm with randomness complexity \(O(d \cdot \log d)\), when \(d\rightarrow \infty \).

This upper bound is non-constructive: we show that a randomly chosen multiplication algorithm (in some carefully designed family of multiplication algorithms using \(O(d \cdot \log d)\) random bits) is d-private with non-zero probability. This means that there exists one algorithm in this family which is d-private.

In order to explicitly construct private algorithms with low randomness, we analyze the ISW multiplication to bring out necessary and sufficient conditions on the use of the random bits. In particular, we identify necessary chainings and we notice that some random bits may be used several times at several locations to protect more shares’ products, while in the ISW multiplication, each random bit is only used twice. From this analysis, we deduce a new d-private multiplication algorithm requiring \(\lfloor d^2/4 \rfloor +d\) random bits instead of \(d(d+1)/2\). As a positive side-effect, our new construction also reduces the algorithmic complexity of ISW multiplication (i.e., its number of operations).

Based on this generic construction, we then try to optimize some widely used small order instances. In particular, we bring out new multiplication algorithms, for the orders \(d=2\), 3 and 4, which exactly achieve our proven linear lower bound while maintaining the d-privacy. Namely, we present the optimal multiplication algorithms for orders 2, 3 and 4 when summing the shares’ products into \(d+1\) shares. We formally verify their security using the tool provided in [4]. Figure 1 illustrates the randomness complexity of our constructions (for general orders d and small orders) and our lower bound. Note that while the ISW algorithm was initially given for multiplications of bits, it was later extended by Rivain and Prouff in [25] for any multiplication in \(\mathbb {F}_{2^n}\). In the following, for the sake of simplicity, we refer to binary multiplications (\(n=1\)) for our constructions, but note that all of them can also be adapted to multiplication in \(\mathbb {F}_{2^n}\).
Fig. 1.

Randomness complexity of d-private multiplication algorithms

Contrary to the ISW algorithm, our new constructions are not directly composable — in the sense of Strong Non-Interferent (SNI) in [3] — at any order. Fortunately, they can still be used in compositions instead of the ISW algorithms at carefully chosen locations. In this paper, we thus recall the different security properties related to compositions and we show that in the AES example, our new constructions can replace half the ISW ones while preserving the \(d\)-privacy of the whole algorithm.

Finally, while the tool provided in [4] — which is based on Easycrypt — is able to reveal potential attack paths and formally prove security in the \(d\)-probing model with full confidence, it is limited to the verification of small orders (\(d=6\) in our case). Therefore, we propose a new dedicated probabilistic verification tool, which aims at finding attacks in fixed order private circuits (or equivalently masking schemes) at a very low cost. The tool [1] is developed in Sage (Python) [27] and though less generic than [4] it is order of magnitudes faster. It relies on some heuristic assumption (i.e. it cannot be used to actually prove the security) but it usually finds attacks very swiftly for any practical order d. It makes use of information set decoding (a technique from coding theory introduced to the cryptographic community for the security analysis of the McEliece cryptosystem in [20, 22]).

2 Preliminaries

This section defines the notations and basic notions that we use in this paper, but also some elementary constructions we refer to. In particular, we introduce the notion of \(d\)-private compression algorithm for multiplication and we present its only concrete instance which was proposed by Ishai, Sahai, and Wagner [15].

2.1 Notation

For a set S, we denote by \(\vert S \vert \) its cardinality, and by \(s \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}S\) the operation of picking up an element s of S uniformly at random. We denote by \(\mathbb {F}_{q}\) the finite field with q elements. Vectors are denoted by lower case bold font letters, and matrices are denoted by upper case bold font letters. All vectors are column vectors unless otherwise specified. The kernel (resp. the image) of the linear map associated to a matrix \({\varvec{M}}\) is denoted by \(\ker ({\varvec{M}})\) (resp. \({{\mathrm{im}}}({\varvec{M}})\)). For a vector \(\varvec{x}\), we denote by \(x_i\) its i-th coordinate and by \(\mathsf {hw}(\varvec{x})\) its Hamming weight (i.e., the number of its coordinates that are different from 0).

For any fixed \(n \ge 1\), let \({\varvec{U}}_{n} \in \mathbb {F}_{2}^{n \times n}\) denote the matrix whose coefficients \(u_{i,j} \) equal 1 for all \(1 \le i,j \le n\). Let \(\mathbf 0 _{n,\ell } \in \mathbb {F}_{2}^{n \times \ell }\) denote the matrix whose coefficients are all 0. Let \(\varvec{u}_{n} \in \mathbb {F}_{2}^n\) denote the vector \((1,\dots ,1)^\intercal \) and \(\varvec{0}_{n} \in \mathbb {F}_{2}^n\) denote the vector \((0,\dots ,0)^\intercal \). For vectors \(\varvec{x}_1,\dots ,\varvec{x}_t\) in \(\mathbb {F}_{2}^n\) we denote \(\langle \varvec{x}_1,\dots ,\varvec{x}_t \rangle \) the vector space generated by the set \(\{\varvec{x}_1,\dots ,\varvec{x}_t\}\).

We say that an expression \(f(x_1,\dots ,x_n,r)\) functionally depends on the variable r if there exists \(a_1, \dots , a_n\) such that the function \(r \mapsto f(a_1,\dots ,a_n,r)\) is not constant.

For an algorithm \(\mathcal {A}\), we denote by \(y \leftarrow \mathcal {A}(x_1,x_2,\dots )\) the operation of running \(\mathcal {A}\) on inputs \((x_1,x_2,\dots )\) and letting y denote the output. Moreover, if \(\mathcal {A}\) is randomized, we denote by \(y \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal {A}(x_1,x_2,\dots ;r)\) the operation of running \(\mathcal {A}\) on inputs \((x_1,x_2,\dots )\) and with uniform randomness r (or with fresh randomness if r is not specified) and letting y denote the output. The probability density function associated to a discrete random variable X defined over S (e.g., \(\mathbb {F}_{2}\)) is the function which maps \(x \in S\) to \({\Pr \left[ \,X=x\,\right] }\). It is denoted by \(\{X\}\) or by \(\{X\}_r\) if there is a need to precise the randomness source r over which the distribution is considered.

2.2 Private Circuits

We examine the privacy property in the setting of Boolean circuits and start with the definition of circuit and randomized circuit given in [15]. A deterministic circuit C is a directed acyclic graph whose vertices are Boolean gates and whose edges are wires. A randomized circuit is a circuit augmented with random-bit gates. A random-bit gate is a gate with fan-in 0 that produces a random bit and sends it along its output wire; the bit is selected uniformly and independently of everything else afresh for each invocation of the circuit. From the two previous notions, we may deduce the following definition of a private circuit inspired from [14].

Definition 1

[14]. A private circuit for \(f {:\;\;}\mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{m}\) is defined by a triple (ICO), where
  • \(I {:\;\;}\mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{n'}\) is a randomized circuit with uniform randomness \(\rho \) and called input encoder;

  • C is a randomized boolean circuit with input in \(\mathbb {F}_{2}^{n'}\), output in \(\mathbb {F}_{2}^{m'}\), and uniform randomness \(r \in \mathbb {F}_{2}^t\);

  • \(O {:\;\;}\mathbb {F}_{2}^{m'} \rightarrow \mathbb {F}_{2}^{m}\) is a circuit, called output decoder.

We say that C is a \(d\)-private implementation of f with encoder I and decoder O if the following requirements hold:
  • Correctness: for any input \(w \in \mathbb {F}_{2}^{n}\), \({\Pr \left[ \,O(C(I(w;\rho );r)) = f(w)\,\right] } = 1\), where the probability is over the randomness \(\rho \) and r;

  • Privacy: for any \(w,w' \in \mathbb {F}_{2}^{n}\) and any set P of \(d\) wires in C, the distributions \({\{C_P(I(w;\rho );r)\}}_{\rho ,r}\) and \({\{C_P(I(w';\rho );r)\}}_{\rho ,r}\) are identical, where \(C_P(I(w;\rho );r)\) denotes the list of the \(d\) values on the wires from P.

Remark 2

It may be noticed that the notions of d-privacy and of security in the d-probing model used, e.g., in [4] are perfectly equivalent.

Unless noted otherwise, we assume I and O to be the following canonical encoder and decoder: I encodes each bit-coordinate b of its input w by a block \({(b_{j})}_{0 \le j \le d}\) of \(d+1\) random bits with parity b, and O takes the parity of each block of \(d+1\) bits. Each block \({(b_{j})}_{0 \le j \le d}\) is called a sharing of b and each \(b_{j}\) is called a share of b.

From now on, the wires in a set P used to attack an implementation are referred as the probes and the corresponding values in \(C_P(I(w;\rho );r)\) as the intermediate results. To simplify the descriptions, a probe p is sometimes used to directly denote the corresponding result. A set of probes P such that the distributions \({\{C_P(I(w;\rho );r)\}}_{\rho ,r}\) and \({\{C_P(I(w';\rho );r)\}}_{\rho ,r}\) are not identical for some inputs \(w,w' \in \mathbb {F}_{2}^n\) shall be called an attack. When the inputs w are clear from the context, the distribution \({\{C_P(I(w;\rho );r)\}}_{\rho ,r}\) is simplified to \(\{(p)_{p \in P}\}\).

We now introduce the notions of multiplication algorithm and of d-compression algorithm for multiplication. In this paper, we deeply study d-private multiplication algorithms and d-private compression algorithms for multiplication.

Definition 3

A multiplication algorithm is a circuit for the multiplication of 2 bits (i.e., with f being the function \(f {:\;\;}(a,b) \in \mathbb {F}_{2}^2 \mapsto a\cdot b \in \mathbb {F}_{2}\)), using the canonical encoder and decoder.

Before moving on to the next notion, let us first introduce a new particular encoder, called multiplicative, which has been used in all the previous attempts to build a d-private multiplication algorithm. This encoder takes as input two bits \((a,b) \in \mathbb {F}_{2}^2\), runs the canonical encoder on these two bits to get \(d+1\) random bits \((a_0,\dots ,a_d)\) and \((b_0,\dots ,b_d)\) with parity a and b respectively, and outputs the \((d+1)^2\) bits \({(\alpha _{i,j})}_{0 \le i,j \le d}\) with \(\alpha _{i,j} = a_i \cdot b_j\). Please note that, in particular, we have \(a \cdot b = (\sum _{i = 0}^{d} a_i) \cdot (\sum _{i = 0}^{d} b_i) = \sum _{0\le i,j \le d} \alpha _{i,j}\).

Definition 4

A d-compression algorithm for multiplication is a circuit for the multiplication of 2 bits (i.e., with f being the function \(f {:\;\;}(a,b) \in \mathbb {F}_{2}^2 \mapsto a\cdot b \in \mathbb {F}_{2}\)), using the canonical decoder and the multiplicative encoder. Moreover, we restrict the circuit C to only perform additions in \(\mathbb {F}_{2}\).

When clear from the context, we often omit the parameter d and simply say “a compression algorithm for multiplication”.

Remark 5

Any d-compression algorithm for multiplication yields a multiplication algorithm, as the algorithm can start by computing \(\alpha _{i,j}\) given its inputs \((a_0,\dots ,a_d,b_0,\dots ,b_d)\).

Proposition 6

A multiplication algorithm \(\mathcal {B}\) constructed from a d-compression algorithm for multiplication \(\mathcal {A}\) (as in Remark 5) is d-private if and only if the compression algorithm \(\mathcal {A}\) is d-private.

Clearly if \(\mathcal {B}\) is d-private, so is \(\mathcal {A}\). However, the converse is not straightforward, as an adversary can also probe the input shares \(a_i\) and \(b_i\) in \(\mathcal {B}\), while it cannot in \(\mathcal {A}\). The full proof is given in the full version of this paper and is surprisingly hard: we actually use a stronger version of our algebraic characterization (Theorem 7). In the remaining of the paper, we focus on compression algorithms and we do not need to consider probes of the input shares \(a_i\) and \(b_i\), which makes notation much simpler.

In the sequel, a d-compression algorithm for multiplication is denoted by \(\mathcal {A}(\varvec{a},\varvec{b};\varvec{r})\) with \(\varvec{r}\) denoting the tuple of uniform random bits used by the algorithm and with \(\varvec{a}\) (resp. \(\varvec{b}\)) denoting the vector of \(d+1\) shares of the multiplication operand a (resp. b).

The purpose of the rest of this paper is to investigate how much randomness is needed for such an algorithm to satisfy the d-privacy and to propose efficient or optimal constructions with respect to the consumption of this resource. The number of bits involved in an algorithm \(\mathcal {A}(\varvec{a},\varvec{b};\varvec{r})\) (i.e., the size of \(\varvec{r}\)) is called its randomness complexity or randomness cost.

2.3 ISW Algorithm

The first occurrence of a d-private compression circuit for multiplication in the literature is the ISW algorithm, introduced by Ishai, Sahai, and Wagner in [15]. It is described in Algorithm 1. Its randomness cost is \(d(d+1)/2\).
To better understand this algorithm, let us first write it explicitly for \(d=3\):
$$\begin{aligned} c_0&\leftarrow \alpha _{0,0} + r_{0,1} + r_{0,2} + r_{0,3} \\ c_1&\leftarrow \alpha _{1,1} + (r_{0,1} + \alpha _{0,1} + \alpha _{1,0}) + r_{1,2} + r_{1,3} \\ c_2&\leftarrow \alpha _{2,2} + (r_{0,2} + \alpha _{0,2} + \alpha _{2,0}) + (r_{1,2} + \alpha _{1,2} + \alpha _{2,1}) + r_{2,3} \\ c_3&\leftarrow \alpha _{3,3} + (r_{0,3} + \alpha _{0,3} + \alpha _{3,0}) + (r_{1,3} + \alpha _{1,3} + \alpha _{3,1}) + (r_{2,3} + \alpha _{2,3} + \alpha _{3,2}) \end{aligned}$$
where, for the security to hold, the terms are added from left to right and where the brackets indicate the order in which the operations must be performed (from d-privacy point of view, the addition is not commutative). In particular, when the brackets gather three terms (e.g., \((r_{0,1} + \alpha _{0,1} + \alpha _{1,0})\)), the attacker is allowed to probe two values from left to right (e.g., \(r_{0,1} + \alpha _{0,1}\) and \((r_{0,1} + \alpha _{0,1} + \alpha _{1,0})\)).
Let us now simplify the description by removing all the \(+\) symbols, the assignments \(c_i \leftarrow \), and defining Open image in new window as \(\alpha _{i,j} + \alpha _{j,i}\) if \(i \ne j\) and \(\alpha _{i,i}\) if \(i = j\). The ISW algorithm for \(d=3\) can then be rewritten as:Please note that the expression of Open image in new window with \(i\ne j\) (i.e. \(\alpha _{i,j} + \alpha _{j,i}\)) is expanded before the actual evaluation, i.e., as in the previous representation, the sum \(\alpha _{i,j} + \alpha _{j,i}\) is not evaluated beforehand but evaluated during the processing of Open image in new window .

3 Algebraic Characterization

In order to reason about the required quantity of randomness in \(d\)-private compression algorithms for multiplication, we define an algebraic condition on the security and we prove that an algorithm is \(d\)-private if and only if there is no set of probes which satisfies it.

3.1 Matrix Notation

As our condition is algebraic, it is practical to introduce some matrix notation for our probes. We write \(\varvec{a} = (a_0,\dots ,a_d)^\intercal \) and \(\varvec{b}=(b_0,\dots ,b_d)^\intercal \) the vectors corresponding to the shares of the inputs a and b respectively. We also denote by \(\varvec{r} = (r_1,\dots ,r_R)^\intercal \) the vector of the random bits.

We remark that, for any probe p on a compression algorithm for multiplication, p is always an expression that can be written as a sum of \(\alpha _{i,j}\)’s (with \(\alpha _{i,j} = a_i \cdot b_j\)) and \(r_k\)’s, and possibly a constant \(c_p \in \mathbb {F}_{2}\). In other word, we can write p as
$$\begin{aligned} p = \varvec{a}^\intercal \cdot {\varvec{M}}_{{\varvec{p}}} \cdot \varvec{b} + \varvec{s_p}^t \cdot \varvec{r} + c_p, \end{aligned}$$
with \({\varvec{M}}_{{\varvec{p}}}\) being a matrix in \(\mathbb {F}_{2}^{(d+1)\times (d+1)}\) and \(\varvec{s_p}\) being a vector in \(\mathbb {F}_{2}^{R}\). This matrix \({\varvec{M}}_{{\varvec{p}}}\) and this vector \(\varvec{s_p}\) are uniquely defined. In addition, any sum of probes can also be written that way.

Furthermore, if \(c_p = 1\), we can always sum the probe with 1 and consider \(p+1\) instead of p. This does not change anything on the probability distribution we consider. Therefore, for the sake of simplicity, we always assume \(c_p=0\) in all the paper.

3.2 Algebraic Condition

We now introduce our algebraic condition:

Condition 1

A set of probes \(P = \{p_1,\dots ,p_\ell \}\) on a d-compression algorithm for multiplication satisfies Condition 1 if and only if the expression \(f = \sum _{i=1}^\ell p_i\) can be written as \(f = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) with \({\varvec{M}}\) being some matrix such that \(\varvec{u}_{d+1}\) is in the row space or the column space of \({\varvec{M}}\).

As seen previously, the expression f can always be written as
$$\begin{aligned} f = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b} + \varvec{s}^\intercal \cdot \varvec{r}, \end{aligned}$$
for some matrix \({\varvec{M}}\) and some vector \(\varvec{s}\). Therefore, what the condition enforces is that \(\varvec{s}=\varvec{0}_{R}\) (or in other words, f does not functionally depend on any random bit) and the column space or the row space of \({\varvec{M}}\) contains the vector \(\varvec{u}_{d+1}\).

A Weaker Condition. To better understand Condition 1, let us introduce a weaker condition which is often easier to deal with:

Condition 2

(Weak Condition). A set of probes \(P = \{p_1,\dots ,p_\ell \}\) on a d-compression algorithm for multiplication satisfies Condition 2 if and only if the expression \(f = \sum _{i = 1}^\ell p_i\) does not functionally depend on any \(r_k\) and there exists a map \(\gamma {:\;\;}\{0,\dots ,d\} \rightarrow \{0,\dots ,d\}\) such that f does functionally depend on every \({(\alpha _{i,\gamma (i)})}_{0 \le i \le d}\) or on every \({(\alpha _{\gamma (i),i})}_{0 \le i \le d}\).

This condition could be reformulated as \(f = \sum _{i=1}^\ell p_i\) functionally depends on either all the \(a_i\)’s or all the \(b_i\)’s and does not functionally depend on any \(r_k\). It is easy to see that any set P verifying Condition 1 also verifies Condition 2.

3.3 Algebraic Characterization

Theorem 7

Let \(\mathcal {A}\) be a d-compression algorithm for multiplication. Then, \(\mathcal {A}\) is \(d\)-private if and only if there does not exist a set \(P = \{p_1,\dots ,p_\ell \}\) of \(\ell \le d\) probes that satisfies Condition 1. Furthermore any set \(P = \{p_1,\dots ,p_\ell \}\) satisfying Condition 1 is an attack.

Please note that Theorem 7 would not be valid with Condition 2 (instead of Condition 1). A counterexample is given in the full version of this paper.

Proof

(Theorem 7 ).

Direction 1: Left to right. We prove hereafter that if \(\mathcal {A}\) is \(d\)-private, then there does not exist a set \(P = \{p_1,\dots ,p_\ell \}\) of \(\ell \le d\) probes that satisfies Condition 1.

By contrapositive, let us assume that there exists a set \(P = \{p_1,\dots ,p_\ell \}\) of at most \(d\) probes that satisfies Condition 1. Let \({\varvec{M}}\) be the matrix such that \(f = \sum _{i = 1}^\ell p_i = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) and let us assume, without loss of generality, that \(\varvec{u}_{d+1}\) is in the vector subspace generated by the columns of \({\varvec{M}}\). We remark that, for any \(\varvec{v} \in \mathbb {F}_{2}^{d+1}\):
$$ {\Pr \left[ \,\varvec{a}^\intercal \cdot \varvec{v} = a\,\right] } = {\left\{ \begin{array}{ll} 1 &{}\text {when } \varvec{v} = \varvec{u}_{d+1}\\ \textstyle \frac{1}{2} &{}\text {when } \varvec{v} \ne \varvec{u}_{d+1}\\ \end{array}\right. } $$
by definition of the sharing \(\varvec{a}\) of a (probability is taken over \(\varvec{a}\)). Thus we have, when \(a=0\) (assuming that b is uniformly random)
$$\begin{aligned}&\textstyle {\Pr \left[ \,f = 0 \mid a = 0\,\right] }\\&\quad = \textstyle {\Pr \left[ \,\varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b} = 0 \mid \varvec{a}^\intercal \cdot \varvec{u}_{d+1} = 0\,\right] } \\&\quad = \textstyle {\Pr \left[ \,\varvec{a}^\intercal \cdot \varvec{u}_{d+1} = 0 \mid a = 0 \text { and } {\varvec{M}}\cdot \varvec{b} = \varvec{u}_{d+1}\,\right] } \cdot {\Pr \left[ \,{\varvec{M}}\cdot \varvec{b} = \varvec{u}_{d+1}\,\right] }\\&\qquad + \textstyle \sum _{\varvec{v} \in \mathbb {F}_{2}^{d+1} \setminus \{\varvec{u}_{d+1}\}} {\Pr \left[ \,\varvec{a}^\intercal \cdot \varvec{v} = 0 \mid a = 0 \text { and } {\varvec{M}}\cdot \varvec{b} = \varvec{v}\,\right] } \cdot {\Pr \left[ \,{\varvec{M}}\cdot \varvec{b} = \varvec{v}\,\right] } \\&\quad = \textstyle 1 \cdot {\Pr \left[ \,{\varvec{M}}\cdot \varvec{b} = \varvec{u}_{d+1}\,\right] } + \sum _{\varvec{v} \in \mathbb {F}_{2}^{d+1} \setminus \{\varvec{u}_{d+1}\}} \frac{1}{2} \cdot {\Pr \left[ \,{\varvec{M}}\cdot \varvec{b} = \varvec{v}\,\right] } \\&\quad = \textstyle 1 \cdot {\Pr \left[ \,{\varvec{M}}\cdot \varvec{b} = \varvec{u}_{d+1}\,\right] } + \frac{1}{2} (1-{\Pr \left[ \,{\varvec{M}}\cdot \varvec{b} = \varvec{u}_{d+1}\,\right] }) \\&\quad = \textstyle \frac{1}{2} + \frac{1}{2} {\Pr \left[ \,{\varvec{M}}\cdot \varvec{b} = \varvec{u}_{d+1}\,\right] }. \end{aligned}$$
Similarly, when \(a=1\), we have
$$\begin{aligned} \textstyle {\Pr \left[ \,f = 0 \mid a = 1\,\right] } = \frac{1}{2} - \frac{1}{2} {\Pr \left[ \,{\varvec{M}}\cdot \varvec{b} = \varvec{u}_{d+1}\,\right] }. \end{aligned}$$
As \(\varvec{u}_{d+1}\) is in the column space of \({\varvec{M}}\), the distribution of \(\{f\}\) is not the same when \(a=0\) and when \(a=1\). This implies that the distribution \(\{(p_1,\dots ,p_\ell )\}\) is also different when \(a=0\) and \(a=1\). Hence \(\mathcal {A}\) is not d-private.

This concludes the proof of the first implication and the fact that any set \(P = \{p_1,\dots ,p_\ell \}\) satisfying Condition 1 is an attack.

Direction 2: Right to left. Let us now prove by contradiction that if there does not exist a set \(P = \{p_1,\dots ,p_\ell \}\) of \(\ell \le d\) probes that satisfies Condition 1, then \(\mathcal {A}\) is \(d\)-private.

Let us assume that \(\mathcal {A}\) is not d-private. Then there exists an attack using a set of probes \(P = \{p_1,\dots ,p_\ell \}\) with \(\ell \le d\). This is equivalent to say that there exists two inputs \((a^{(0)},b^{(0)}) \ne (a^{(1)},b^{(1)})\) such that the distribution \(\{(p_1,\dots ,p_\ell )\}\) is not the same whether \((a,b) = (a^{(0)},b^{(0)})\) or \((a,b) = (a^{(1)},b^{(1)})\).

We first remark that we can consider \(0 = a^{(0)} \ne a^{(1)} = 1\), without loss of generality as the \(a^{(i)}\)’s and the \(b^{(i)}\)’s play a symmetric role (and \((a^{(0)},b^{(0)}) \ne (a^{(1)}, b^{(1)})\)). Furthermore, we can always choose \(b^{(0)}=b^{(1)}\), as if the distribution \(\{(p_1,\dots ,p_\ell )\}\) is not the same whether \((a,b) = (0,b^{(0)})\) or \((a,b) = (1,b^{(1)})\), with \(b^{(0)} \ne b^{(1)}\), then:
  • it is not the same whether \((a,b) = (0,b^{(0)})\) or \((a,b) = (1,b^{(0)})\) (in which case, we could have taken \(b^{(1)} = b^{(0)}\)), or

  • it is not the same whether \((a,b) = (1,b^{(0)})\) or \((a,b) = (1,b^{(1)})\) (in which case, we can just exchange the a’s and the b’s roles).

To summarize, there exists \(b^{(0)}\) such that the distribution \(\{(p_1,\dots ,p_\ell )\}\) is not the same whether \((a,b) = (0,b^{(0)})\) or \((a,b) = (1,b^{(0)})\).

In the sequel \(b^{(0)}\) is fixed and we call a tuple \((p_1,\dots ,p_\ell )\) satisfying the previous property an attack tuple.

We now remark that if \(\ell =1\) or if even the distribution \(\{(\sum _{i=1}^\ell p_i)\}\) is not the same whether \((a,b) = (0,b^{(0)})\) or \((a,b) = (1,b^{(0)})\) (i.e., \((\sum _{i=1}^\ell p_i)\) is an attack tuple), then it follows easily from the probability analysis of the previous proof for the other direction of the theorem, that the set P satisfies Condition 1. The main difficulty is that it is not necessarily the case that \(\ell =1\) or \((\sum _{i=1}^\ell p_i)\) is an attack tuple. To overcome it, we use linear algebra.

But first, let us introduce some useful notations and lemmas. We write \(\varvec{p}\) the vector \((p_1,\dots ,p_\ell )^\intercal \) and we say that \(\varvec{p}\) is an attack vector if and only if \((p_1,\dots ,p_\ell )\) is an attack tuple. Elements of \(\varvec{p}\) are polynomials in the \(a_i\)’s, the \(b_j\)’s and the \(r_k\)’s.

Lemma 8

If \(\varvec{p}\) is an attack vector and \({\varvec{N}}\) is an invertible matrix in \(\mathbb {F}_{2}^{\ell \times \ell }\), then \({\varvec{N}}\cdot \varvec{p}\) is an attack vector.

Proof

This is immediate from the fact that \({\varvec{N}}\) is invertible. Indeed, as a matrix over \({{\mathbb F}}_2\), \({\varvec{N}}^{-1}\) is also a matrix over \({{\mathbb F}}_2\). Hence, multiplying the set of probes \(\{{\varvec{N}}\cdot \varvec{p}\}\) by \({\varvec{N}}^{-1}\) (which leads to the first set of probes \(\{\varvec{p}\}\)) can be done by simply computing sums of elements in \(\{{\varvec{N}}\cdot \varvec{p}\}\). Hence, as the distribution of \(\{\varvec{p}\}\) differs when \((a,b)=(0,b^{(0)})\) and \((a,b)=(1,b^{(0)})\), the same is true for the distribution \(\{{\varvec{N}}\cdot \varvec{p}\}\).    \(\square \)

We also use the following straightforward lemma.

Lemma 9

If \((p_1,\dots ,p_\ell )\) is an attack tuple such that the \(\ell -t+1\) random variables \((p_1, \dots , p_t)\), \(p_{t+1}\), ..., and \(p_\ell \) are mutually independent, and the distributions of \((p_{t+1}, \dots , p_\ell )\) is the same for all the values of the inputs (ab), then \((p_{1},\dots ,p_t)\) is an attack tuple.

Let us consider the matrix \({\varvec{S}}\in \mathbb {F}_{2}^{\ell \times R}\) whose coefficients \(s_{i,j}\) are defined as \(s_{i,j} = 1\) if and only if the expression \(p_i\) functionally depends on \(r_j\). In other words, if we write \(p_i = \varvec{a}^\intercal \cdot {\varvec{M}}_{{\varvec{p}}_{{\varvec{i}}}} \cdot \varvec{b} + \varvec{s_{p_i}}^\intercal \cdot \varvec{r}\), the i-th row of \({\varvec{S}}\) is \(\varvec{s_{p_i}}^\intercal \). We can permute the random bits (i.e., the columns of \({\varvec{S}}\) and the rows of \(\varvec{r}\)) such that a row reduction on the matrix \({\varvec{S}}\) yields a matrix of the form:
$$ {\varvec{S}}' = \begin{pmatrix} \mathbf 0 _{t,t} &{} \mathbf 0 _{t,\ell -t} \\ {\varvec{I}}_{t} &{} {\varvec{S}}'' \\ \end{pmatrix}\!. $$
Let \({\varvec{N}}\) be the invertible matrix in \(\mathbb {F}_{2}^{\ell \times \ell }\) such that \({\varvec{N}}\cdot {\varvec{S}}= {\varvec{S}}'\). And we write \(\varvec{p'} = (p'_1, \dots , p'_\ell )^\intercal = {\varvec{N}}\cdot \varvec{p}\). Then, \(\varvec{p'}\) is also an attack vector according to Lemma 8. In addition, for \(t < i \le \ell \), \(p'_i\) does functionally depend on \(r_i\) and no other \(p'_j\) does functionally depend on \(r_j\) (due to the shape of \({\varvec{S}}'\)). Therefore, according to Lemma 9, \((p'_1,\dots ,p'_t)\) is an attack tuple.
We remark that \((p'_1,\dots ,p'_t)\) does not functionally depend on any random bit, due to the shape of \({\varvec{S}}'\). Therefore, for each \(1 \le i \le t\), we can write:
$$\begin{aligned} p'_i = \varvec{a}^\intercal \cdot {\varvec{M}}_{{\varvec{i}}}' \cdot \varvec{b}, \end{aligned}$$
for some matrix \({{\varvec{M}}}_{{\varvec{i}}}'\).

We now need a final lemma to be able to conclude.

Lemma 10

If \((p'_1,\dots ,p'_t)\) is an attack tuple, then there exists a vector \(\varvec{b^*} \in \mathbb {F}_{2}^{d+1}\) such that \(\varvec{u}_{d+1}\) is in the vector space \(\langle {\varvec{M}}_\mathbf{1}' \cdot \varvec{b^*}, \dots , {\varvec{M}}_{{\varvec{t}}}' \cdot \varvec{b^*} \rangle \).

Proof

This lemma can be seen as a generalization of the probability analysis in the proof of the first direction of the theorem.

We suppose by contradiction that \((p'_1,\dots ,p'_t)\) is an attack vector but there does not exist a vector \(\varvec{b^*} \in \mathbb {F}_{2}^{d+1}\) such that \(\varvec{u}_{d+1}\) is in the vector space \(\langle {\varvec{M}}_\mathbf{1}' \cdot \varvec{b^*}, \dots , {\varvec{M}}_{{\varvec{t}}}' \cdot \varvec{b^*} \rangle \). Then, for any value \(a^{(0)}\), any vector \(\varvec{b^{(0)}} \in \mathbb {F}_{2}^{d+1}\), and any vector \(\varvec{x} = (x_1,\dots ,x_t)^\intercal \in \mathbb {F}_{2}^t\):
$$\begin{aligned}&{\Pr \left[ \,(p'_1,\dots ,p'_t) = (x_1,\dots ,x_t) \mid a = a^{(0)} \text { and } \varvec{b}=\varvec{b^{(0)}}\,\right] } \\&\quad = {\Pr \left[ \,(\varvec{a}^\intercal \cdot {\varvec{M}}_\mathbf{1}' \cdot \varvec{b^{(0)}}, \dots , \varvec{a}^\intercal \cdot {\varvec{M}}_{{\varvec{t}}}' \cdot \varvec{b^{(0)}}) = (x_1,\dots ,x_t) \mid \varvec{a}^\intercal \cdot \varvec{u}_{d+1} = a^{(0)} \,\right] } \\&\quad = {\Pr \left[ \,\varvec{a}^\intercal \cdot {\varvec{B}}= \varvec{x}^\intercal \mid \varvec{a}^\intercal \cdot \varvec{u}_{d+1} = a^{(0)} \,\right] }, \end{aligned}$$
where \({\varvec{B}}\) is the matrix whose i-th column is the vector \({\varvec{M}}_{{\varvec{i}}}' \cdot \varvec{b^{(0)}}\). To conclude, we just need to remark that
$$ {\Pr \left[ \,\varvec{a}^\intercal \cdot {\varvec{B}}= \varvec{x}^\intercal \mid \varvec{a}^\intercal \cdot \varvec{u}_{d+1} = 0 \,\right] } = {\Pr \left[ \,\varvec{a}^\intercal \cdot {\varvec{B}}= \varvec{x}^\intercal \mid \varvec{a}^\intercal \cdot \varvec{u}_{d+1} = 1 \,\right] }, $$
which implies that the probability distribution of \((p'_1,\dots ,p'_t)\) is independent of the value of a, which contradicts the fact the \((p'_1,\dots ,p'_t)\) is an attack tuple.

To prove the previous equality, we use the fact that \(\varvec{u}_{d+1}\) is not in the column space of \({\varvec{B}}\) and therefore the value of \(\varvec{a}^\intercal \cdot \varvec{u}_{d+1}\) is uniform and independent of the value of \(\varvec{a}^\intercal \cdot {\varvec{B}}\) (when \(\varvec{a}\) is a uniform vector in \(\mathbb {F}_{2}^{d+1}\)).    \(\square \)

Thanks to Lemma 10, there exists a vector \(\varvec{\sigma } = (\sigma _1,\dots ,\sigma _t)^\intercal \in \mathbb {F}_{2}^{t}\) and a vector \(\varvec{b^*} \in \mathbb {F}_{2}^{d+1}\) such that
$$\begin{aligned} \left( \sum _{i=1}^t \sigma _i \cdot {\varvec{M}}_{{\varvec{i}}}' \right) \cdot \varvec{b^*} = \varvec{u}_{d+1}. \end{aligned}$$
(1)
Let \(\varvec{\sigma '}\) be the vector in \(\mathbb {F}_{2}^{\ell }\) defined by \( \varvec{\sigma '}^\intercal = \begin{pmatrix} \varvec{\sigma }^\intercal&\varvec{0}_{\ell - t}^\intercal \end{pmatrix} \cdot {\varvec{N}}\). We have:
$$\begin{aligned} \varvec{\sigma '}^\intercal \cdot \varvec{p} = \sum _{i=1}^t \sigma _i \cdot p'_i = \sum _{i=1}^t \sigma _i \cdot \varvec{a}^\intercal \cdot {\varvec{M}}_{{\varvec{i}}}' \cdot \varvec{b} = \varvec{a}^\intercal \cdot \left( \sum _{i=1}^t \sigma _i \cdot {\varvec{M}}_{{\varvec{i}}}'\right) \cdot \varvec{b}. \end{aligned}$$
(2)
Therefore, we can define the set \(P' = \{ p_i \mid \sigma _i = 1 \}\). This set satisfies Condition 1, according to Eqs. (1) and (2).

This concludes the proof.   \(\square \)

4 Theoretical Lower and Upper Bounds

In this section, we exhibit lower and upper bounds for the randomness complexity of a d-private compression algorithm for multiplication. We first prove an algebraic result and an intermediate lemma that we then use to show that at least \(d+1\) random bits are required to construct a d-private compression algorithm for multiplication, for any \(d \ge 3\) (and 2 random bits are required for \(d = 2\)). Finally, we provide a (non-constructive) proof that for large enough d, there exists a d-private multiplication algorithm with a randomness complexity \(O(d \cdot \log d)\).

4.1 A Splitting Lemma

We first prove an algebraic result, stated in the lemma below, that we further use to prove Lemma 12. The latter allows us to easily exhibit attacks in order to prove our lower bounds.

Lemma 11

Let \(n \ge 1\). Let \({\varvec{M}}_0,{\varvec{M}}_1 \in \mathbb {F}_{2}^{n \times n}\) such that \({\varvec{M}}_0 + {\varvec{M}}_1 = {\varvec{U}}_{n}\). Then, there exists a vector \(\varvec{v} \in \mathbb {F}_{2}^n\) such that:
$$\begin{aligned} {\varvec{M}}_0 \cdot \varvec{v} = \varvec{u}_{n} \quad \text {or}\quad {\varvec{M}}_1 \cdot \varvec{v} = \varvec{u}_{n}\quad \text {or}\quad {\varvec{M}}_0^\intercal \cdot \varvec{v} = \varvec{u}_{n}\quad \text {or}\quad {\varvec{M}}_1^\intercal \cdot \varvec{v} = \varvec{u}_{n}. \end{aligned}$$

Proof

(Lemma 11 ). We show the above lemma by induction on n.

Base Case: for \(n = 1\), \({\varvec{M}}_0, {\varvec{M}}_1, {\varvec{U}}\in \mathbb {F}_{2}\), so \({\varvec{M}}_0 + {\varvec{M}}_1 = 1\), which implies \({\varvec{M}}_0 = 1\) or \({\varvec{M}}_1 = 1\) and the claim immediately follows.

Inductive Case: let us assume that the claim holds for a fixed \(n \ge 1\). Let us consider two matrices \({\varvec{M}}_0,{\varvec{M}}_1 \in \mathbb {F}_{2}^{(n+1) \times (n+1)}\) such that \({\varvec{M}}_0 + {\varvec{M}}_1 = {\varvec{U}}_{n+1}\).

Clearly, if \({\varvec{M}}_0\) (or \({\varvec{M}}_1\)) is invertible, then the claim is true (as \(\varvec{u}_{n+1}\) is in its range). Then, let us assume that \({\varvec{M}}_0\) is not invertible. Then, there exists a non-zero vector \(\varvec{x} \in \ker ({\varvec{M}}_\mathbf{0 })\). Now, as \({{\mathrm{im}}}({\varvec{U}}_{n+1}) = \{\varvec{0}_{n+1},\varvec{u}_{n+1}\}\), if \({\varvec{U}}_{n+1} \cdot \varvec{x} = \varvec{u}_{n+1}\), then \({\varvec{M}}_1 \cdot \varvec{x} = \varvec{u}_{n+1}\) and the claim is true. Hence, clearly, the claim is true if \(\ker ({\varvec{M}}_0) \ne \ker ({\varvec{M}}_1)\) (with the symmetric remark). The same remarks hold when considering matrices \({\varvec{M}}_0^\intercal \) and \({\varvec{M}}_1^\intercal \).

Hence, the only remaining case to consider is when \(\ker ({\varvec{M}}_0) \ne \{\varvec{0}_{n+1}\}\), \(\ker ({\varvec{M}}_0^\intercal ) \ne \{\varvec{0}_{n+1}\}\) and when \(\ker ({\varvec{M}}_0) = \ker ({\varvec{M}}_1)\) and \(\ker ({\varvec{M}}_0^\intercal ) = \ker ({\varvec{M}}_1^\intercal )\). In particular, we have \(\ker ({\varvec{M}}_0) \subseteq \ker ({\varvec{U}}_{n+1})\) and \(\ker ({\varvec{M}}_0^\intercal ) \subseteq \ker ({\varvec{U}}_{n+1})\).

Let \(\varvec{x} \in \ker ({\varvec{M}}_0)\) (and then \(\varvec{x} \in \ker ({\varvec{M}}_1)\) as well) be a non-zero vector. Up to some rearrangement of the columns of \({\varvec{M}}_0\) and \({\varvec{M}}_1\) (by permuting some columns), we can assume without loss of generality that \(\varvec{x} = (1,\dots ,1,0,\dots ,0)^\intercal \). Let \({\varvec{X}}\) denote the matrix \((\varvec{x},\varvec{e}_2,\dots ,\varvec{e}_{n+1})\) where \(\varvec{e}_i = (0,\dots ,0,1,0,\dots ,0)^\intercal \) is the i-th canonical vector of length \(n+1\), so that it has a 1 in the i-th position and 0’s everywhere else.

Now, let \(\varvec{y} \in \ker ({\varvec{M}}_0^\intercal )\) (and then \(\varvec{y} \in \ker ({\varvec{M}}_1^\intercal )\) as well) be a non-zero vector, so \(\varvec{y}^\intercal \cdot {\varvec{M}}_0^\intercal = \varvec{0}_{n+1}^\intercal \). Moreover, up to some rearrangement of the rows of \({\varvec{M}}_0\) and \({\varvec{M}}_1\), we can assume that \(\varvec{y} = (1,\dots ,1,0,\dots ,0)^\intercal \). Let \({\varvec{Y}}\) denote the matrix \((\varvec{y},\varvec{e}_2,\dots ,\varvec{e}_{n+1})\).

Please note that rearrangements apply to the columns in the first case and to the rows in the second case, so we can assume without loss of generality that there exists both \(\varvec{x} \in \ker ({\varvec{M}}_0)\) and \(\varvec{y} \in \ker ({\varvec{M}}_0^\intercal )\) with the above form and matrices \({\varvec{X}}\) and \({\varvec{Y}}\) are well defined.

We now define the matrices \({\varvec{M}}_0' = {\varvec{Y}}^\intercal \cdot {\varvec{M}}_0 \cdot {\varvec{X}}\) and \({\varvec{M}}_1' = {\varvec{Y}}^\intercal \cdot {\varvec{M}}_1 \cdot {\varvec{X}}\). We have:where \({\varvec{M}}_0^{(1)}\) is the matrix extracted from \({\varvec{M}}_0\) by removing its first column. Hence:
$$ {\varvec{M}}_0' = \begin{pmatrix} 0 &{} \varvec{0}_{n}^\intercal \\ \varvec{0}_{n} &{} {\varvec{M}}_0^{(1,1)} \end{pmatrix} $$
where \({\varvec{M}}_0^{(1,1)}\) is the matrix extracted from \({\varvec{M}}_0\) by removing its first column and its first row. Similar equation holds for \({\varvec{M}}_1'\) as well. Thus, it is clear that:
$$ {\varvec{M}}_0' + {\varvec{M}}_1' = \begin{pmatrix} 0 &{} \varvec{0}_{n}^\intercal \\ \varvec{0}_{n} &{} {\varvec{U}}_{n} \end{pmatrix} . $$
Let us consider the matrices \({\varvec{M}}_0''\) and \({\varvec{M}}_1''\) in \(\mathbb {F}_{2}^{n \times n}\) that are extracted from matrices \({\varvec{M}}_0'\) and \({\varvec{M}}_1'\) by removing their first row and their first column (i.e., \({\varvec{M}}_i'' = {\varvec{M}}_i'^{(1,1)}\) with the previous notation). Then, it is clear that \({\varvec{M}}_0'' + {\varvec{M}}_1'' = {\varvec{U}}_{n}\). As matrices in \(\mathbb {F}_{2}^{n \times n}\), by induction hypothesis, there exists \(\varvec{v}'' \in \mathbb {F}_{2}^n\) such that at least one of the 4 propositions from Lemma 11 holds. We can assume without loss of generality that \({\varvec{M}}_0'' \cdot \varvec{v}'' = \varvec{u}_{n}\).
Let \(\varvec{v}' = \begin{pmatrix} 0 \\ \varvec{v}'' \end{pmatrix} \in \mathbb {F}_{2}^{n+1}\). Then, we have:
$$ {\varvec{M}}_0' \cdot \varvec{v}' = \begin{pmatrix} 0 &{} \varvec{0}_{n}^\intercal \\ \varvec{0}_{n} &{} {\varvec{M}}_0'' \end{pmatrix} \cdot \begin{pmatrix} 0 \\ \varvec{v}'' \end{pmatrix} = \begin{pmatrix} \varvec{0}_{n} \cdot \varvec{v}'' \\ {\varvec{M}}_0'' \cdot \varvec{v}'' \end{pmatrix} = \begin{pmatrix} 0 \\ \varvec{u}_{n} \end{pmatrix}. $$
Now, let \(\varvec{v} = {\varvec{X}}\cdot \varvec{v'}\) and \(\varvec{w} = {\varvec{M}}_0 \cdot \varvec{w}\), so \({\varvec{Y}}^\intercal \cdot \varvec{w} = {\varvec{Y}}^\intercal \cdot {\varvec{M}}_0 {\varvec{X}}\cdot \varvec{v}' = {\varvec{M}}_0' \cdot \varvec{v}' = \begin{pmatrix} 0 \\ \varvec{u}_{n} \end{pmatrix}\). Moreover, as \({\varvec{Y}}\) is invertible, \(\varvec{w}\) is the unique vector such that \({\varvec{Y}}^\intercal \cdot \varvec{w} = \begin{pmatrix} 0 \\ \varvec{u}_{n} \end{pmatrix}\). Finally, as the vector \(\varvec{u}_{n+1}\) satisfies \({\varvec{Y}}^\intercal \cdot \varvec{u}_{n+1} = \begin{pmatrix} 0 \\ \varvec{u}_{n} \end{pmatrix}\), then \(\varvec{w} = \varvec{u}_{n+1}\), and the claim follows for \(n+1\), since \(\varvec{v}\) satisfies \({\varvec{M}}_0 \cdot \varvec{v} = \varvec{w} = \varvec{u}_{n+1}\).

Conclusion: The claim follows for any \(n \ge 1\), and so does Lemma 11.    \(\square \)

We can now easily prove the following statement that is our main tool for proving our lower bounds, as explained after its proof.

Lemma 12

Let \(\mathcal {A}\) be a d-compression algorithm for multiplication. If there exists two sets \(S_1\) and \(S_2\) of at most d probes such that \(s_i = \sum _{p \in S_i} p\) does not functionally depend on any of the random bits, for \(i \in \{0,1\}\), and such that \(s_0 + s_1 = a \cdot b\), then \(\mathcal {A}\) is not d-private.

Proof

(Lemma 12 ). Let \(\mathcal {A}\), \(S_0\), \(S_1\), \(s_0\) and \(s_1\) defined in the above statement. Then, there exists \({\varvec{M}}_i \in \mathbb {F}_{2}^{(d+1)\times (d+1)}\) such that \(s_i = \varvec{a}^\intercal \cdot {\varvec{M}}_i \cdot \varvec{b}\), for \(i \in \{0,1\}\). Furthermore, as \(s_0 + s_1 = a \cdot b = \varvec{a}^\intercal \cdot {\varvec{U}}_{d+1} \cdot \varvec{b}\), we have \({\varvec{M}}_0 + {\varvec{M}}_1 = {\varvec{U}}_{d+1}\). Hence, via Lemma 11, there exists \(\varvec{v} \in \mathbb {F}_{2}^{d+1}\) and \(i \in \{0,1\}\) such that \({\varvec{M}}_i \cdot \varvec{v} = \varvec{u}_{d+1}\) or \({\varvec{M}}_i^\intercal \cdot \varvec{v} = \varvec{u}_{d+1}\). This means that \(\varvec{u}_{d+1}\) is in the row subspace or in the column subspace of \({\varvec{M}}_i\), and therefore, \({\varvec{M}}_{{\varvec{i}}}\) satisfies Condition 1. Therefore, as \(\vert S_i \vert \le d\), applying Theorem 7, \(\mathcal {A}\) is not d-private. Lemma 12 follows.    \(\square \)

We use the above lemma to prove our lower bounds as follows: for proving that at least R(d) random bits are required in order to achieve d-privacy for a compression algorithm for multiplication, we prove that any algorithm with a lower randomness complexity is not d-private by exhibiting two sets of probes \(S_0\) and \(S_1\) that satisfy the requirements of Lemma 12.

4.2 Simple Linear Lower Bound

As a warm-up, we show that at least d random bits are required, for \(d \ge 2\).

Theorem 13

Let \(d \ge 2\). Let us consider a d-compression algorithm for multiplication \(\mathcal {A}\). If \(\mathcal {A}\) uses only \(d-1\) random bits, then \(\mathcal {A}\) is not \(d\)-private.

Proof

(Theorem 13 ). Let \(r_1,\dots ,r_{d-1}\) denote the random bits used by \(\mathcal {A}\). Let \(c_0,\dots ,c_d\) denote the outputs of \(\mathcal {A}\). Let us define \({\varvec{N}}\in \mathbb {F}_{2}^{(d-1)\times d}\) as the matrix whose coefficients \(n_{i,j}\) are equal to 1 if and only if \(c_j\) functionally depends on \(r_i\), for \(1 \le i \le d-1\) and \(1 \le j \le d\). Please note in particular that \({\varvec{N}}\) does not depend on \(c_0\).

As a matrix over \(\mathbb {F}_{2}\) with d columns and \(d-1\) rows, there is necessarily a vector \(\varvec{w} \in \mathbb {F}_{2}^{d}\) with \(\varvec{w} \ne \varvec{0}_{d}\) such that \({\varvec{N}}\cdot \varvec{w} = \varvec{0}_{d-1}\).

The latter implies that the expression \(s_0 = \sum _{i = 1}^d w_i \cdot c_i\) does not functionally depend on any of the \(r_k\)’s. Furthermore, by correctness, we also have that \(s_1 = c_0 + \sum _{i = 1}^d (1-w_i) \cdot c_i\) does not functionally depend on any of the \(r_k\)’s, and \(s_0 + s_1 = \sum _{i=0}^d c_i = a \cdot b\). Then, the sets of probes \(S_0 = \{ c_i \mid w_i = 1 \}\) and \(S_1 = \{ c_0 \} \cup \{ c_i \mid w_i = 0 \}\) (whose cardinalities are at most d) satisfy the requirements of Lemma 12, and then, \(\mathcal {A}\) is not d-private. Theorem 13 follows.    \(\square \)

4.3 Better Linear Lower Bound

We now show that at least \(d+1\) random bits are actually required if \(d \ge 3\).

Theorem 14

Let \(d \ge 3\). Let us consider a d-compression algorithm for multiplication \(\mathcal {A}\). If \(\mathcal {A}\) uses only d random bits, then \(\mathcal {A}\) is not d-private.

The proof is given in the full version of this paper.

4.4 (Non-constructive) Quasi-Linear Upper Bound

We now construct a d-private compression algorithm for multiplication which requires a quasi-linear number of random bits. More precisely, we show that with non-zero probability, a random algorithm in some family of algorithms (using a quasi-linear number of random bits) is secure, which directly implies the existence of such an algorithm. Note that it is an interesting open problem (though probably difficult) to derandomize this construction.

Concretely, let \(d\) be some masking order and R be some number of random bits (used in the algorithm), to be fixed later. For \(i = 0,\dots ,d-1\) and \(j = i+1,\ldots ,d\), let us define \(\rho (i,j)\) as:
$$ \textstyle \rho (i,j) = \sum _{k = 1}^R X_{i,j,k} \cdot r_k $$
with \(X_{i,j,k} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\{0,1\}\) for \(i = 0,\dots ,d-1\), \(j = i+1,\ldots ,d\) and \(k = 1,\dots ,R\), so that \(\rho (i,j)\) is a random sum of all the random bits \(r_1,\dots ,r_R\) where each bit appears in \(\rho (i,j)\) with probability 1 / 2. We also define \(X_{d,d,k} = \sum _{i=0}^{d-1} \sum _{j=i+1}^{d} X_{i,j,k}\) and \(\rho (d,d)\) as:
$$ \textstyle \rho (d,d) = \sum _{k = 1}^R X_{d,d,k} \cdot r_k. $$
We generate a (random) algorithm as in Algorithm 2. This algorithm is correct because the sum of all \(\rho (i,j)\) is equal to 0.

We point out that we use two kinds of random which should not be confused: the R fresh random bits \(r_1, \dots , r_R\) used in the algorithm to ensure its d-privacy (R is what we really want to be as low as possible), and the random variables \(X_{i,j,k}\) used to define a random family of such algorithms (which are “meta”-random bits). In a concrete implementation or algorithm, these latter values are fixed.

Lemma 15

Algorithm 2 is d-private with probability at least
$$\begin{aligned} 1- \left( {\begin{array}{c}(R+3) \cdot d \cdot (d+1) /2\\ d\end{array}}\right) \cdot 2^{-R} \end{aligned}$$
over the values of the \(X_{i,j,k}\)’s.

Proof

(Lemma 15 ). In order to simplify the proof, we are going to show that, with non-zero probability, there is no set of probes \(P = \{p_1,\dots ,p_\ell \}\) with \(\ell \le d\) that satisfies Condition 2. In particular, this implies that, with non-zero probability, there is no set of probes \(P = \{p_1,\dots ,p_\ell \}\) with \(\ell \le d\) that satisfies Condition 1, which, via Theorem 7, is equivalent to the algorithm being d-private.

One can only consider sets of exactly d probes as if there is a set of \(\ell < d\) probes \(P'\) that satisfies Condition 2, one can always complete \(P'\) into a set P with exactly d probes by adding \(d - \ell \) times the same probe on some input \(\alpha _{i,j}\) such that \(P'\) initially does not depend on \(\alpha _{i,j}\). That is, if \({\varvec{M}}'\) denotes the matrix such that \(\sum _{p'\in P'} p' = \varvec{a} \cdot {\varvec{M}}'\cdot \varvec{b}\), one could complete \(P'\) with any \(\alpha _{i,j}\) such that \(m'_{i,j} = 0\), so that P, with \(\sum _{p \in P} p = \varvec{a}\cdot {\varvec{M}}\cdot \varvec{b}\) still satisfies Condition 2 if \(P'\) initially satisfied the condition.

Thus, let us consider an arbitrary set of d probes \(P = \{p_1,\dots ,p_d\}\) and let us bound the probability that P satisfies Condition 2. Let \(f = \sum _{i=1}^d p_i\). Let us first show that f has to contain at least one \(\rho (i,j)\) (meaning that it appears an odd number of times in the sum). Let us assume the contrary, so f does not contain any \(\rho (i,j)\). Every \(\rho (i,j)\) appears only once in the shares (in the share \(c_i\) precisely). Then, one can assume that every probe is made on the same share. Let us assume (without loss of generality) that every probe is made on \(c_0\). If no probe contains any \(\rho (0,j)\), then clearly P cannot satisfy Condition 2 as this means that each probe contain at most one \(\alpha _{0,j}\), to P cannot contain more than d different \(\alpha _{0,j}\). Hence, at least one (so at least two) probe contains at least one \(\rho (0,j)\). We note that every probe has one of the following form: either it is exactly a random \(r_k\), a share \(\alpha _{0,j}\), a certain \(\rho (0,j)\), a certain \(\rho (0,j) + \alpha _{0,j}\) or \(\rho (0,j) + \alpha _{0,j} + \alpha _{j,0}\), or a subsum (starting from \(\alpha _{0,0}\)) of \(c_0\). Every form gives at most one \(\alpha _{0,j}\) with a new index j except probes on subsums. However, in any subsum, there is always a random \(\rho (i,j)\) between \(\alpha _{0,j}\) and \(\alpha _{0,j+1}\) and one needs to get all the \(d+1\) indices to get a set satisfying Condition 2. Then, it is clear that one cannot achieve this unless there is a \(\rho (i,j)\) that does not cancel out in the sum, which is exactly what we wanted to show. Now, let \(1 \le k \le R\) be an integer and let us compute the probability (over the \(X_{i,j,k}\)’s) that f contains \(r_k\). There exists some set S of pairs (ij), such that f is the sum of \(\sum _{(i,j) \in S} X_{i,j,k} \cdot r_k\) and some other expression not containing any \(X_{i,j,k} \cdot r_k\). From the previous point, S is not empty. Furthermore, as there are \(d+1\) outputs \(c_0,\dots ,c_d\) and as there are only d probes, S cannot contain all the possible pairs (ij), and therefore, all the random variables \(X_{i,j,k}\) for \((i,j) \in S\) are mutually independent. Therefore, \(\sum _{(i,j) \in S} X_{i,j,k}\) is 1 with probability 1 / 2 and f functionally depends on the random \(r_k\) with probability 1 / 2. As there are R possible randoms, f does not functionally depend on any \(r_k\) (and then P satisfies Condition 2) with probability \((1/2)^R\).

There are N possibles probes with
$$\begin{aligned} N \le \frac{d \cdot (d+1)}{2} + R + (R+2) \cdot \frac{d \cdot (d-1)}{2} \le (R+3) \cdot \frac{d \cdot (d+1)}{2}, \end{aligned}$$
as every \(\rho \) contains at most R random bits \(r_k\). Also, there are \(\left( {\begin{array}{c}N\\ d\end{array}}\right) \) possible sets \(P = \{p_1,\dots ,p_d\}\). Therefore, by union bound, the above algorithm is not secure (so there is an attack) with probability at most
$$\begin{aligned} \left( {\begin{array}{c}N\\ d\end{array}}\right) / 2^R \le \left( {\begin{array}{c}(R+3) \cdot d \cdot (d+1) /2\\ d\end{array}}\right) \cdot 2^{-R} \end{aligned}$$
which concludes the proof of Lemma 15.    \(\square \)

Theorem 16

For some \(R = O(d \cdot \log d)\), there exists a choice of \(\rho (i,j)\) such that Algorithm 2 is a d-private d-compression algorithm for multiplication, when \(d\rightarrow \infty \).

We just need to remark that for some \(R = O(d \cdot \log d)\), the probability that Algorithm 2 is d-private, according to Lemma 15 is non-zero.

The full proof is given in the full version of this paper.

5 New Construction

The goal of this section is to propose a new d-private multiplication algorithm. Compared to the construction in [15], our construction halves the number of required random bits. It is therefore the most efficient existing construction of a d-private multiplication.

Some rationales behind our new construction may be found in the two following necessary conditions deduced from a careful study of the original work of Ishai, Sahai and Wagner [15].

Lemma 17

Let \(\mathcal {A}(\varvec{a},\varvec{b};\varvec{r})\) be a d-compression algorithm for multiplication. Let f be an intermediate result taking the form \(f=\varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b} + \varvec{s}^\intercal \cdot \varvec{r}\). Let t denote the greatest Hamming weight of an element in the vector subspace generated by the rows of \({\varvec{M}}\) or by the columns of \({\varvec{M}}\). If \(\mathsf {hw}(\varvec{s})<t-1\), then \(\mathcal {A}(\varvec{a},\varvec{b};\varvec{r})\) is not d-private.

Proof

By definition of \(\varvec{s}\), the value \(\varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) can be recovered by probing f and then each of the \(\mathsf {hw}(\varvec{s})<t-1\) random bits on which \(\varvec{s}^\intercal \cdot \varvec{r}\) functionally depends and by summing all these probes. Let \(P_1 = \{f,p_1,\dots ,p_j\}\) with \(j < t-1\) denote the set of these at most \(t-1\) probes. Then, we just showed that \(f + \sum _{i = 1}^j p_i = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\).

To conclude the proof, we want to argue that there is a set of at most \(d-(t-1)\) probes \(P_2 = \{p_1',\dots ,p_k'\}\) such that \(f + \sum _{i = 1}^j p_i + \sum _{\ell = 1}^k p'_\ell = \varvec{a}^\intercal \cdot {\varvec{M}}' \cdot \varvec{b}\), where \({\varvec{M}}'\) is a matrix such that \(\varvec{u}_{d+1}\) is in its row space or in its column space. If such a set \(P_2\) exists, then the set of probes \(P_1 \cup P_2\) (whose cardinality is at most d) satisfies Condition 1, and then \(\mathcal {A}\) is not d-private, via Theorem 7.

We now use the fact that there is a vector of Hamming weight t in the row space or in the column space of \({\varvec{M}}\). We can assume (without loss of generality) that there exists a vector \(\varvec{w} \in \mathbb {F}_{2}^{d+1}\) of Hamming weight t in the column subspace of \({\varvec{M}}\), so that \(\varvec{w} = \sum _{j \in J} \varvec{m}_j\), with \(J \subseteq \{0,\dots ,d\}\) and \(\varvec{m}_j\) the j-th column vector of \({\varvec{M}}\). Let \(i_1,\dots ,i_{d+1-t}\) denote the indices i of \(\varvec{w}\) such that \(w_i = 0\). Then, let \(j \in J\), we claim that \(P_2 = \{\alpha _{i_1,j},\dots ,\alpha _{i_{d+1-t},j}\}\) allows us to conclude the proof. Please note that all these values are probes of intermediate values of \(\mathcal {A}\).

Indeed, we have \(f + \sum _{i = 1}^j p_i + \sum _{k = 1}^{d+1-t} \alpha _{i_k,j} = \varvec{a}^\intercal \cdot {\varvec{M}}{M'} \cdot \varvec{b}\) where all coefficients of \({\varvec{M}}'\) are the same as coefficients of \({\varvec{M}}\) except for coefficients in positions \((i_1,j),\dots ,(i_{d+1-t},j)\) which are the opposite, and now \(\sum _{j \in J} \varvec{m}'_j = \varvec{u}_{d+1}\), where \(\varvec{m}'_j\) is the j-th column vector of \({\varvec{M}}'\). Lemma 17 easily follows.    \(\square \)

In our construction, we satisfy the necessary condition in Lemma 17 by ensuring that any intermediate result that functionally depends on t shares of a (resp. of b) also functionally depends on at least \(t-1\) random bits.

The multiplication algorithm of Ishai, Sahai and Wagner is the starting point of our construction. Before exhibiting it, we hence start by giving the basic ideas thanks to an illustration in the particular case \(d=6\). In Fig. 2 we recall the description of ISW already introduced in Sect. 2.3.
Fig. 2.

ISW construction for \(d=6\), with Open image in new window

The first step of our construction is to order the expressions Open image in new window differently. Precisely, to compute the output share \(c_i\) (which corresponds, in ISW, to the sum Open image in new window from left to right), we process Open image in new window from left to right. Of course, we also put particular care to satisfy the necessary condition highlighted by Lemma 17. This leads to the construction illustrated in Fig. 3.
Fig. 3.

First step of our new construction for \(d=6\), with Open image in new window

Then, the core idea is to decrease the randomness cost by reusing some well chosen random bit to protect different steps of the processing. Specifically, for any even positive number k, we show that replacing all the random bits \(r_{i,j}\) such that \(k=j-i\) with a fixed random bit \(r_k\) preserves the d-privacy of ISW algorithm. Note, however, that the computations then have to be performed with a slightly different bracketing in order to protect the intermediate variables which involve the same random bits. The obtained construction is illustrated in Fig. 4.
Fig. 4.

Second step of our new construction for \(d=6\), with Open image in new window

Finally, we suppress from our construction the useless repetitions of random bits that appear at the end of certain computations. Hence, we obtain our new construction, illustrated in Fig. 5.
Fig. 5.

Application of our new construction for \(d=6\), with Open image in new window

Before proving that this scheme is indeed d-private, we propose a formal description in Algorithm 3. As can be seen, this new scheme involves \(3d^2/2 +d(d+2)/4 + 2d\) sums if \(d\) is even and \(3(d^2-1)/2 + (d+1)^2/4 + 3(d+1)/2\) if \(d\) is odd. In every case, it also involves \((d+1)^2\) multiplications and requires the generation of \(d^2/4 + d\) random values in \(\mathbb {F}_{2}\) if \(d\) is even and \((d^2-1)/4 + d\) otherwise (see Table 1 for values at several orders and comparison with ISW).
Table 1.

Complexities of ISW, our new \(d\)-private compression algorithm for multiplication and our specific algorithms at several orders

Complexities

Algorithm ISW

Algorithm 3

Algorithms 4, 5 and 6

Second-Order Masking

Sums

12

12

10

Products

9

9

9

Random bits

3

3

2

Third-Order Masking

Sums

24

22

20

Products

16

16

16

Random bits

6

5

4

Fourth-Order Masking

Sums

40

38

30

Products

25

25

25

Random bits

10

8

5

\(d^{th}\)-Order Masking

Sums

\(2d(d+1)\)

\(\left\{ \begin{aligned} d(7d+10)/4~~~~(d~\text {even})\\(7d+1)(d+1)/4~~~(d~\text {odd}) \\\end{aligned} \right. \)

-

Products

\((d+1)^2\)

\((d+1)^2\)

-

Random bits

\(d(d+1)/2\)

\(\left\{ \begin{aligned} d^2/4 + d~~~~(d~\text {even})\\(d^2-1)/4 + d~~~(d~\text {odd}) \\\end{aligned} \right. \)

-

Proposition 18

Algorithm 3 is \(d\)-private.

Algorithm 3 was proven to be \(d\)-private with the verifier built by Barthe et al. [4] up to order \(d=6\). Furthermore, a pen-and-paper proof for any order \(d\) is given in the full version of this paper.

6 Optimal Small Cases

We propose three secure compression algorithms using less random bits than the generic solution given by ISW and than our new solution for the specific small orders \(d=2\), 3 and 4. These algorithms actually use only the optimal numbers of random bits for these small quantity of probes, as proven in Sect. 4. Furthermore, since they all are dedicated to a specific order \(d\) (among 2, 3, and 4), we got use of the verifier proposed by Barthe et al. in [4] to formally prove their correctness and their \(d\)-privacy.

Proposition 19

Algorithms 4, 5, and 6 are correct and respectively 2, 3 and 4-private.

Table 1 (Sect. 5) compares the amount of randomness used by the new construction proposed in Sect. 5 and by our optimal small algorithms. We recall that each of them attains the lower bound proved in Sect. 4.

7 Composition

Our new algorithms are all \(d\)-private, when applied on the outputs of a multiplicative encoder parameterized at order \(d\). We now aim to show how they can be involved in the design of larger functions (e.g., block ciphers) to achieve a global \(d\)-privacy. In [3], Barthe et al. introduce and formally prove a method to compose small \(d\)-private algorithms (a.k.a., gadgets) into \(d\)-private larger functions. The idea is to carefully refresh the sharings when necessary, according to the security properties of the gadgets. Before going further into the details of this composition, we recall some security properties used in [3].

7.1 Compositional Security Notions

Before stating the new security definitions, we first need to introduce the notion of simulatability. For the sake of simplicity, we only state this notion for multiplication algorithm, but this can easily be extended to more general algorithms.

Definition 20

A set \(P = \{p_1,\dots ,p_\ell \}\) of \(\ell \) probes of a multiplication algorithm can be simulated with at most t shares of each input, if there exists two sets \(I = \{i_1,\dots ,i_t\}\) and \(J=\{j_1,\dots ,j_t\}\) of t indices from \(\{0,\dots ,d\}\) and a random function f taking as input 2t bits and outputting \(\ell \) bits such that for any fixed bits \({(a_i)}_{0 \le i \le d}\) and \({(b_j)}_{0 \le j \le d}\), the distributions \(\{p_1,\dots ,p_\ell \}\) (which implicitly depends on \({(a_i)}_{0\le i \le d}\), \({(b_j)}_{0 \le j \le d}\), and the random coins used in the multiplication algorithm) and \(\{f(a_{i_1},\dots ,a_{i_t},b_{j_1},\dots ,b_{j_t})\}\) are identical.

We write \(f(a_{i_1},\dots ,a_{i_t},b_{j_1},\dots ,b_{j_t}) = f(a_I,b_J)\).

Definition 21

An algorithm is \(d\)-non-interferent (or \(d\)-NI) if and only if every set of at most \(d\) probes can be simulated with at most \(d\) shares of each input.

While this notion might be stronger than the notion of security we used, all our concrete constructions in Sects. 5 and 6 satisfy it. The proof of Algorithm 3 is indeed a proof by simulation, while the small cases in Sect. 6 are proven using the verifier by Barthe et al. in [4], which directly proves NI.

Definition 22

An algorithm is \(d\)-tight non-interferent (or \(d\)-TNI) if and only if every set of \(t \le d\) probes can be simulated with at most t shares of each input.

While this notion of \(d\)-tight non-interference was assumed to be stronger than the notion of \(d\)-non-interference in [3], we show hereafter that these two security notions are actually equivalent. In particular, this means that all our concrete constructions are also TNI.

Proposition 23

( \(d\) -NI \(\Leftrightarrow \) \(d\) -TNI) . An algorithm is \(d\)-non-interferent if and only if it is \(d\)-tight non-interferent.

Proof

The right-to-left implication is straightforward from the definitions. Let us thus consider the left-to-right direction.

For that purpose, we first need to introduce a technical lemma. Again, for the sake of simplicity, we only consider multiplication algorithm, with only two inputs, but the proof can easily be generalized to any algorithm.    \(\square \)

Lemma 24

Let \(P= \{p_1,\dots ,p_\ell \}\) be a set of \(\ell \) probes which can be simulated by the sets (IJ) and also by the sets \((I',J')\). Then it can also be simulated by \((I \cap I', J \cap J')\).

Proof

Let f the function corresponding to IJ and \(f'\) the function corresponding to \(I',J'\). We have that for any bits \({(a_i)}_{0 \le i \le d}\) and \({(b_j)}_{0 \le j \le d}\), the distributions \(\{p_1,\dots ,p_\ell \}\), \(\{f(a_{I},b_{J})\}\), and \(\{f'(a_{I'},b_{J'})\}\) are identical. Therefore, f does not depend on \(a_i\) nor \(b_j\) for \(i \in I \setminus I'\) and \(j \in J \setminus J'\), since \(f'\) does not depend on them. Thus, P can be simulated by only shares from \(I \cap I', J \cap J'\) (using the function f where the inputs corresponding to \(a_i\) and \(b_j\) for \(i \in I \setminus I'\) and \(j \in J \setminus J'\) are just set to zero, for example).    \(\square \)

We now assume that an algorithm \(\mathcal {A}\) is \(d\)-NI, that is, every set of at most \(d\) probes can be simulated with at most \(d\) shares of each input. Now, by contradiction, let us consider a set P with minimal cardinality \(t < d\) of probes on \(\mathcal {A}\), such that it cannot be simulated by at most t shares of each input. Let us consider the sets IJ corresponding to the intersection of all sets \(I',J'\) (respectively) such that the set P can be simulated by \(I',J'\). The sets IJ also simulate P thanks to Lemma 24. Furthermore, by hypothesis, \(t < |I| \le d\) or \(t < |J| \le d\). Without loss of generality, let us suppose that \(|I| > t\).

Let \(i^*\) be an arbitrary element of \(\{0,\dots ,d\} \setminus I\) (which is not an empty set as \(|I| \le d\)). Let us now consider the set of probes \(P' = P \cup \{ a_{i^*} \}\). By hypothesis, \(P'\) can be simulated by at most \(|P'| = t+1\) shares of each input. Let \(I',J'\) two sets of size at most \(t+1\) simulating \(P'\). These two sets also simulate \(P \subseteq P'\), therefore, \(I \cap I', J \cap J'\) also simulate P. Furthermore, \(i^* \in I\), as all the shares \(a_i\) are independent. Since \(i^* \notin I\), \(|I \cap I'| \le t\) and \(I \cap I' \subsetneq I\), which contradicts the fact that I and J were the intersection of all sets \(I'',J''\) simulating P.   \(\square \)

Definition 25

An algorithm \(\mathcal {A}\) is \(d\) -strong non-interferent (or \(d\)-SNI) if and only if for every set \(\mathcal {I}\) of \(t_1\) probes on intermediate variables (i.e., no output wires or shares) and every set \(\mathcal {O}\) of \(t_2\) probes on output shares such that \(t_1+t_2\le d\), the set \(\mathcal {I} \cup \mathcal {O}\) of probes can be simulated by only \(t_1\) shares of each input.

The composition of two \(d\)-SNI algorithms is itself \(d\)-SNI, while that of \(d\)-TNI algorithms is not necessarily \(d\)-TNI. This implies that \(d\)-SNI gadgets can be directly composed while maintaining the \(d\)-privacy property, whereas a so-called refreshing gadget must sometimes be involved before the composition of \(d\)-TNI algorithms. Since the latter refreshing gadgets consume the same quantity of random values as ISW, limiting their use is crucial if the goal is to reduce the global amount of randomness.

7.2 Building Compositions with Our New Algorithms

In [3], the authors show that the ISW multiplication is \(d\)-SNI and use it to build secure compositions. Unfortunately, our new multiplication algorithms are \(d\)-TNI but not \(d\)-SNI. Therefore, as discussed in the previous section, they can replace only some of the ISW multiplications in secure compositions. Let us take the example of the AES inversion that is depicted in [3]. We can prove that replacing the first (\(\mathcal {A}^7\)) and the third (\(\mathcal {A}^2\)) ISW multiplications by \(d\)-TNI multiplications (e.g., our new constructions) and moving the refreshing algorithm R in different locations preserves the strong non-interference of the inversion, while benefiting from our reduction of the randomness consumption.

The tweaked inversion is given in Fig. 6. \(\otimes \) denotes the \(d\)-SNI ISW multiplication, \(\cdot ^\alpha \) denotes the exponentiation to the power \(\alpha \), \(\mathcal {A}^i\) refers to the i-th algorithm or gadget (indexed from left to right), R denotes the \(d\)-SNI refreshing gadget, \(\mathcal {I}^i\) denotes the set of internal probes in the i-th algorithm, \(\mathcal {S}^i_{j}\) denotes the set of shares from the j inputs of algorithm \(\mathcal {A}^i\) used to simulate all further probes. Finally, x denotes the inversion input and \(\mathcal {O}\) denotes the set of probes at the output of the inversion. The global constraint for the inversion to be \(d\)-SNI (and thus itself composable) is that: \( |\mathcal {S}^8 \cup \mathcal {S}^9| \le \sum _{1 \le i \le 9} |\mathcal {I}^i| \), i.e., all the internal probes can be perfectly simulated with at most \(\sum _{1 \le i \le 9} |\mathcal {I}^i|\) shares of x.
Fig. 6.

AES \(\cdot ^{254}\)

Proposition 26

The AES inversion given in Fig. 6 with \(\mathcal {A}^1\) and \(\mathcal {A}^4\) being \(d\)-SNI multiplications and \(\mathcal {A}^2\) and \(\mathcal {A}^7\) being \(d\)-TNI multiplications is \(d\)-SNI.

Proof

From the \(d\)-probing model, we assume that the total number of probes used to attack the inversion is limited to \(d\), that is \(\sum _{1 \le i \le 9} |\mathcal {I}^i| + |\mathcal {O}| \le d\). As in [3], we build the proof from right to left by simulating each algorithm. Algorithm \(\mathcal {A}^1\) is \(d\)-SNI, thus \(|\mathcal {S}_1^1|,|\mathcal {S}_2^1| \le |\mathcal {I}^1|\). Algorithm \(\mathcal {A}^2\) is \(d\)-TNI, thus \(|\mathcal {S}_1^2|,|\mathcal {S}_2^2| \le |\mathcal {I}^1 + \mathcal {I}^2|\). As explained in [3], since Algorithm \(\mathcal {A}^3\) is affine, then \(|\mathcal {S}^3| \le |\mathcal {S}_1^2 + \mathcal {I}^3| \le |\mathcal {I}^1 + \mathcal {I}^2+ \mathcal {I}^3|\). Algorithm \(\mathcal {A}^4\) is \(d\)-SNI, thus \(|\mathcal {S}_1^4|,|\mathcal {S}_2^4| \le |\mathcal {I}^4|\). Algorithm \(\mathcal {A}^5\) is \(d\)-SNI, thus \(|\mathcal {S}^5| \le |\mathcal {I}^5|\). Algorithm \(\mathcal {A}^6\) is affine, thus \(|\mathcal {S}^6| \le |\mathcal {S}^5 + \mathcal {I}^6| \le |\mathcal {I}^5 + \mathcal {I}^6|\). Algorithm \(\mathcal {A}^7\) is \(d\)-TNI, thus \(|\mathcal {S}_1^7|,|\mathcal {S}_2^7| \le |\mathcal {S}^6 + \mathcal {S}_1^4 + \mathcal {I}^7| \le |\mathcal {I}^4 + \mathcal {I}^5 + \mathcal {I}^6 + \mathcal {I}^7|\). Algorithm \(\mathcal {A}^8\) is \(d\)-SNI, thus \(|\mathcal {S}^8| \le |\mathcal {I}^8|\). Algorithm \(\mathcal {A}^9\) is affine, thus \(|\mathcal {S}^9| \le |\mathcal {I}^9 +\mathcal {S}^8| \le |\mathcal {I}^8 + \mathcal {I}^9 |\). Finally, all the probes of this inversion can be perfectly simulated from \(|\mathcal {S}^9 \cup \mathcal {S}_1^7| \le |\mathcal {I}^4 + \mathcal {I}^5 + \mathcal {I}^6 + \mathcal {I}^7 + \mathcal {I}^8 + \mathcal {I}^9|\) shares of x, which proves that the inversion is still \(d\)-SNI.    \(\square \)

From Proposition 26, our new constructions can be used to build \(d\)-SNI algorithms. In the case of the AES block cipher, half of the \(d\)-SNI ISW multiplications can be replaced by ours while preserving the whole \(d\)-SNI security.

8 New Automatic Tool for Finding Attacks

In this section, we describe a new automatic tool for finding attacks on compression algorithms for multiplication which is developed in Sage (Python) [27]. Compared to the verifier developed by Barthe et al. [4] and based on Easycrypt, to find attacks in practice, our tool is not as generic as it focuses on compression algorithms for multiplication and its soundness is not perfect (and relies on some heuristic assumption). Nevertheless, it is order of magnitudes faster.

A non-perfect soundness means that the algorithm may not find an attack and can only guarantee that there does not exist an attack except with probability \(\varepsilon \). We believe that, in practice, this limitation is not a big issue as if \(\varepsilon \) is small enough (e.g., \(2^{-20}\)), a software bug is much more likely than an attack on the scheme. Furthermore, the running time of the algorithm depends only linearly on \(\log (1/\varepsilon )\). Concretely, for all the schemes we manually tested for \(d=3,4,5\) and 6, attacks on invalid schemes were found almost immediately. If not used to formally prove schemes, our tool can at least be used to quickly eliminate (most) incorrect schemes, and enables to focus efforts on trying to prove “non-trivially-broken” schemes.

8.1 Algorithm of the Tool

From Theorem 7, in order to find an attack \(P = \{p_1,\dots ,p_\ell \}\) with \(\ell \le d\), we just need to find a set \(P = \{p_1,\dots ,p_\ell \}\) satisfying Condition 1. If no such set P exists, the compression algorithm for multiplication is \(d\)-private.

A naive way to check the existence of such a set P is to enumerate all the sets of d probes. However, there are \(\left( {\begin{array}{c}N\\ d\end{array}}\right) \) such sets, with N being the number of intermediate variables of the algorithm. For instance, to achieve 4-privacy, our construction (see Sect. 6) uses \(N=81\) intermediate variables, which makes more than \(2^{20}\) sets of four variables to test. In [4], the authors proposed a faster way of enumerating these sets by considering larger sets which are still independent from the secret. However, their method falls short for the compression algorithms in our paper as soon as \(d > 6\), as shown in Sect. 8.4. Furthermore even for \(d = 3,4,5\), their tool takes several minutes to prove security (around 5 min to check security of Algorithm 3 with \(d=5\)) or to find an attack for incorrect schemes, which prevent people from quickly checking the validity of a newly designed scheme.

To counteract this issue, we design a new tool which is completely different and which borrows ideas from coding theory to enumerate the sets of d or less intermediate variables. Let \({\gamma _{1}}, \dots , {\gamma _{\nu }}\) be all the intermediate results whose expression functionally depends on at least one random and \({\gamma '_{1}},\dots ,{\gamma '_{\nu '}}\) be the other intermediate results that we refer to as deterministic intermediate results (\(\nu + \nu ' = N\)). We remark that all the \(\alpha _{i,j} = a_i b_j\) are intermediate results and that no intermediate result can functionally depend on more than one shares’ product \(\alpha _{i,j} = a_i b_j\) without also depending on a random bit. Otherwise, the compression algorithm would not be \(d\)-private, according to Lemma 17. As this condition can be easily tested, we now assume that the only deterministic intermediate results are the \(\alpha _{i,j} = a_i b_j\) that we refer to as \({\gamma '_{k}}\) in the following. As an example, intermediate results of Algorithm 4 are depicted in Table 2.
Table 2.

Intermediate results of Algorithm 4

Non-deterministic (\(\nu =12\))

Deterministic (\(\nu '=9\))

\({\gamma _{1}} = a_0 b_0 + r_0\)

\({\gamma _{7}} = c_1\)

\({\gamma '_{1}} = a_0 b_0\)

\({\gamma '_{6}} = a_1 b_0\)

\({\gamma _{2}} = a_0 b_0 + r_0 + a_0 b_2\)

\({\gamma _{8}} = r_1\)

\({\gamma '_{2}} = a_0 b_2\)

\({\gamma '_{7}} = a_2 b_2\)

\({\gamma _{3}} = c_0\)

\({\gamma _{9}} = a_2 b_2 + r_1\)

\({\gamma '_{3}} = a_2 b_0\)

\({\gamma '_{8}} = a_1 b_2\)

\({\gamma _{4}} = r_0\)

\({\gamma _{10}} = a_2 b_2 + r_1 + r_0\)

\({\gamma '_{4}} = a_1 b_1\)

\({\gamma '_{9}} = a_2 b_1\)

\({\gamma _{5}} = a_1 b_1 + r_1\)

\({\gamma _{11}} = a_2 b_2 + r_1 + r_0 + a_1 b_2\)

\({\gamma '_{5}} = a_0 b_1\)

\({\gamma _{6}} = a_1 b_1 + r_1 + a_0 b_1\)

\({\gamma _{12}} = c_2\)

An attack set \(P=\{p_1,\dots ,p_\ell \}\) can then be separated into two sets \(Q = \{{\gamma _{i_1}},\dots ,{\gamma _{i_\delta }}\}\) and \(Q' = \{{\gamma _{i'_1}},\dots ,{\gamma _{i'_{\delta '}}}\}\), with \(\ell =\delta +\delta ' \le d\). We remark that necessarily \(\sum _{p \in Q} p\) does not functionally depend on any random value. Actually, we even have the following lemma:

Lemma 27

Let \(\mathcal {A}(\varvec{a},\varvec{b};\varvec{r})\) be a compression algorithm for multiplication. Then \(\mathcal {A}\) is \(d\)-private if and only if there does not exist a set of non-deterministic probes \(Q = \{{\gamma _{i_1}},\dots ,{\gamma _{i_\delta }}\}\) with \(\delta \le d\) such that \(\sum _{p \in Q} p = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) where the column space or the row space of \({\varvec{M}}\) contains a vector of Hamming weight at least \(\delta +1\).

Furthermore, if such a set Q exists, there exists a set \(\{{\gamma _{i'_1}},\dots ,{\gamma _{i'_{\delta '}}}\}\), with \(\delta +\delta ' \le d\), such that \(P = Q \cup Q'\) is an attack.

Moreover, the lemma is still true when we restrict ourselves to sets Q such that there exists no proper subset \(\hat{Q} \subsetneq Q\) such that \(\sum _{p \in \hat{Q}} p\) does not functionally depend on any random.

Proof

The two first paragraphs of the lemma can be proven similarly to Lemma 17. Thus, we only need to prove its last part.

By contradiction, let us suppose that there exists a set Q of non-deterministic probes \(Q = \{{\gamma _{i_1}},\dots ,{\gamma _{i_\delta }}\}\) such that \(\sum _{p \in Q} p = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) and the column space (without loss of generality, by symmetry of the \(a_i\)’s and \(b_i\)’s) of \({\varvec{M}}\) contains a vector of Hamming weight at least \(\delta +1\), but such that any subset \(\hat{Q} \subsetneq Q\) where \(\sum _{p \in \hat{Q}} p\) that does not functionally depend on any random. Consequently, the sum \(\sum _{p \in \hat{Q}} p = \varvec{a}^\intercal \cdot \hat{{\varvec{M}}} \cdot \varvec{b}\), is such that the column space (still without loss of generality) of \(\hat{{\varvec{M}}}\) does not contain any vector of Hamming weight at least \(\vert \hat{Q} \vert + 1\).

First, let us set \(\bar{{\varvec{M}}} = \hat{{\varvec{M}}} + {\varvec{M}}\) (over \({{\mathbb F}}_2\)), so \(\sum _{p \in Q \setminus \hat{Q}} p = \varvec{a}^\intercal \cdot \bar{{\varvec{M}}} \cdot \varvec{b}\), as \(\sum _{p \in \hat{Q}} p + \sum _{p \in Q \setminus \hat{Q}} =\sum _{p \in Q} p = \varvec{a}^\intercal \cdot {\varvec{M}}\cdot \varvec{b}\) and let \(\hat{\delta } = | \hat{Q} |\) and \(\bar{\delta } = | Q \setminus \hat{Q} | = \delta - \hat{\delta }\). Let also \(\omega \), \(\hat{\omega }\), and \(\bar{\omega }\) be the maximum Hamming weights of the vectors in the column space of \({\varvec{M}}\), \(\hat{{\varvec{M}}}\), and \(\bar{{\varvec{M}}}\), respectively. Since \({\varvec{M}}= \hat{{\varvec{M}}}+\bar{{\varvec{M}}}\), then \(\omega \le \hat{\omega } + \bar{\omega }\) and since \(\omega > \delta +1\), and \(\delta = \hat{\delta } + \bar{\delta }\), then \(\hat{\omega } > \hat{\delta }\) or \(\bar{\omega } > \bar{\delta }\). We set \(\tilde{Q} = \hat{Q}\) if \(\hat{\omega } > \hat{\delta }\), and \(\tilde{Q} = Q \setminus \hat{Q}\) otherwise. According to the definitions of \(\hat{\delta }\) and \(\bar{\omega }\), we have that \(\tilde{Q} \subsetneq Q\) is such that \(\sum _{p \in Q} p = \varvec{a}^\intercal \cdot \tilde{{\varvec{M}}} \cdot \varvec{b}\) where the column space of \(\tilde{{\varvec{M}}}\) contains a vector of Hamming weight at least \(|\tilde{Q}|+1\). This contradicts the definition of Q and concludes the proof of the lemma.    \(\square \)

To quickly enumerate all the possible attacks, we first enumerate the sets \(Q = \{{\gamma _{i_1}},\dots ,{\gamma _{i_\delta }}\}\) of size \(\delta \le d\) such that \(\sum _{p \in Q} p\) does not functionally depend on any random bit (and no proper subset of \(\hat{Q} \subsetneq Q\) is such that \(\sum _{p \in \hat{Q}} p \) does not functionally depend on any random bit), using information set decoding, recalled in the next section. Then, for each possible set Q, we check if the column space or the row space of \({\varvec{M}}\) (as defined in the previous lemma) contains a vector of Hamming weight at least \(\delta +1\). A naive approach would consist in enumerating all the vectors in the row space and the column space of \({\varvec{M}}\). Our tool however uses the two following facts to perform this test very quickly in most cases:
  • when \({\varvec{M}}\) contains at most \(\delta \) non-zero rows and at most \(\delta \) non-zero columns, Q does not yield an attack;

  • when \({\varvec{M}}\) contains exactly \(\delta +1\) non-zero rows (resp. columns), that we assume to be the first \(\delta +1\) (without loss of generality), Q yields an attack if and only if the vector \((\varvec{u}_{\delta +1}^\intercal ,\varvec{0}_{d-\delta }^\intercal )\) is in the row space (resp. \((\varvec{u}_{\delta +1},\varvec{0}_{d-\delta })\) is in the column space) of \({\varvec{M}}\) (this condition can be checked in polynomial time in d).

8.2 Information Set Decoding and Error Probability

We now explain how to perform the enumeration step of our algorithm using information set decoding. Information set decoding was introduced in the original security analysis of the McEliece cryptosystem in [20, 22] as a way to break the McEliece cryptosystem by finding small code words in a random linear code. It was further explored by Lee and Brickell in [18]. We should point out that since then, many improvements were proposed, e.g., in [19, 26]. However, for the sake of simplicity and because it already gives very good results, we use the original information set decoding algorithm. Furthermore, it is not clear that the aforementioned improvements also apply in our case, as the codes we consider are far from the Singleton bound.

We assume that random bits are denoted \(r_1,\dots ,r_R\). For each intermediate \({\gamma _{k}}\) containing some random bit, we associate the vector \(\varvec{\tau } \in {{\mathbb Z}}_2^R\), where \(\tau _i = 1\) if and only if \({\gamma _{k}}\) functionally depends on the random bit \(r_i\). We then consider the matrix \(\varGamma \in {{\mathbb Z}}_2^{R \times \nu }\) whose k-th column is \(\varvec{\tau }\). For instance, for Algorithm 4, we have:For every \(\delta \le d\), enumerating the sets \(Q = \{{\gamma _{i_1}},\dots ,{\gamma _{i_\delta }}\}\), such that \(\sum _{p \in Q} p\) does not functionally depend on any random, consists in enumerating the vectors \(\varvec{x}\) of Hamming weight \(\delta \) such that \(\varGamma \cdot \varvec{x} = \varvec{0}\) (specifically, \(\{i_1,\dots ,i_\delta \}\) are the coordinates of the non-zero components of \(\varvec{x}\)). Furthermore, we can restrict ourselves to vector \(\varvec{x}\) such that no vector \(\varvec{\hat{x}} < \varvec{x}\) satisfies \(\varGamma \cdot \varvec{\hat{x}} = \varvec{0}\) (where \(\varvec{\hat{x}} < \varvec{x}\) means that \(\varvec{\hat{x}} \ne \varvec{x}\) and for any \(1 \le i \le \nu \), if \(x_i = 0\) then \(\hat{x}_i = 0\)), since we can restrict ourselves to sets Q such that no proper subset \(\hat{Q} \subsetneq Q\) is such that \(\sum _{p \in \hat{Q}} p\) does not functionally depend on any random bit. This is close to the problem of finding code words \(\varvec{x}\) of small Hamming weight for the linear code of parity matrix \(\varGamma \) and we show this can be solved using information set decoding.

The basic idea is the following one. We first apply a row-reduction to \(\varGamma \). Let us call the resulting matrix \(\varGamma '\). We remark that, for any vector \(\varvec{x}\), \(\varGamma \cdot \varvec{x} = 0\) if and only if \(\varGamma ' \cdot \varvec{x} = 0\) and thus we can use \(\varGamma '\) instead of \(\varGamma \) in our problem. We assume in a first time that the first R columns of \(\varGamma \) are linearly independent (recall that the number \(\nu \) of columns of \(\varGamma \) is much larger than its number R of rows), so that the R first columns of \(\varGamma '\) forms an identity matrix. Then, for any \(k^* > R\), if the \(k^*\)-th column of \(\varGamma '\) has Hamming weight at most \(d-1\), we can consider the vector \(\varvec{x}\) defined as \(x_{k^*} = 1\), \(x_k = 1\) when \(\varGamma '_{k,k^*}=1\), and \(x_k = 0\) otherwise; and this vector satisfies the conditions we were looking for: its Hamming weight is at most \(d\) and \(\varGamma ' \cdot \varvec{x} = 0\). That way, we have quickly enumerated all the vectors \(\varvec{x}\) of Hamming weight at most \(d\) such that \(\varGamma ' \cdot \varvec{x}= 0\) and with the additional property that \(x_k = 0\) for all \(k > R\) except for at most2 one index \(k^*\). Without the condition \(\varGamma ' \cdot \varvec{x} = 0\), there are \((\nu - R + 1) \cdot \sum _{i=0}^{d-1} \left( {\begin{array}{c}R\\ i\end{array}}\right) + \left( {\begin{array}{c}R\\ d\end{array}}\right) \) such vectors, as there are \(\sum _{i=0}^d \left( {\begin{array}{c}R\\ i\end{array}}\right) \) vectors \(\varvec{x}\) such that \(\mathrm {HW}(\varvec{x})\le d\) and \(x_k=0\) for every \(k>R\), and there are \((\nu -R)\cdot \sum _{i=0}^{d-1} \left( {\begin{array}{c}R\\ i\end{array}}\right) \) vectors \(\varvec{x}\) such that \(\mathrm {HW}(\varvec{x})\le d\) and \(x_k=1\), for a single \(k > R\). In other words, using row-reduction, we have been able to check \((\nu - R + 1) \cdot \sum _{i=0}^{d-1} \left( {\begin{array}{c}R\\ i\end{array}}\right) + \left( {\begin{array}{c}R\\ d\end{array}}\right) \) possible vectors \(\varvec{x}\) among at most \(\sum _{i=1}^d \left( {\begin{array}{c}\nu \\ i\end{array}}\right) \) vectors which could be used to mount an attack, by testing at most \(\nu - R\) vectors.3

Then, we can randomly permute the columns of \(\varGamma \) and repeat this algorithm. Each iteration would find an attack (if there was one attack) with probability at least \({\left( (\nu - R + 1) \cdot \sum _{i=0}^{d-1} \left( {\begin{array}{c}R\\ i\end{array}}\right) + \left( {\begin{array}{c}R\\ d\end{array}}\right) \right) }{\sum _{i=1}^d \left( {\begin{array}{c}\nu \\ i\end{array}}\right) }\). Therefore, after K iterations, the error probability is only
$$\begin{aligned} \varepsilon \le \left( 1 - \frac{(\nu - R + 1) \cdot \sum _{i=0}^{d-1} \left( {\begin{array}{c}R\\ i\end{array}}\right) + \left( {\begin{array}{c}R\\ d\end{array}}\right) }{\sum _{i=1}^d \left( {\begin{array}{c}\nu \\ i\end{array}}\right) } \right) ^K, \end{aligned}$$
and the required number of iterations is linear with \(\log (1/\varepsilon )\), which is what we wanted.

Now, we just need to handle the case when the first R columns of \(\varGamma \) are not linearly independent, for some permuted matrix \(\varGamma \) at some iteration. We can simply redraw the permutation or taking the pivots in the row-reduction instead of taking the first R columns of \(\varGamma \). In both cases, this may slightly bias the probability. We make the heuristic assumption that the bias is negligible. To support this heuristic assumption, we remark that if we iterate the algorithm for all the permutations for which the first R columns of \(\varGamma \) are not linearly independent, then we would enumerate all the vectors \(\varvec{x}\) we are interested in, thanks to the additional condition that there is no vector \(\varvec{\hat{x}} < \varvec{x}\) such that \(\varGamma \cdot \varvec{\hat{x}} = \varvec{0}\).

8.3 The Tool

The tool takes as input a description of a compression algorithm for multiplication similar to the ones we used in this paper (see Fig. 2 for instance) and the maximum error probability \(\varepsilon \) we allow, and tries to find an attack. If no attack is found, then the scheme is secure with probability \(1-\varepsilon \). The tool can also output a description of the scheme which can be fed off into the tool in [4].

The source code of the tool and its documentation are provided in [1].
Table 3.

Complexities of exhibiting an attack at several orders

Time to find an attack

Order

Target algorithm

Verifier [4]

New tool

\(d=2\)

Tweaked Algorithm 4

less than 1 ms

less than 10 ms

\(d=3\)

Tweaked Algorithm 5

36 ms

less than 10 ms

\(d=4\)

Tweaked Algorithm 6

108 ms

less than 10 ms

\(d=5\)

Tweaked Algorithm 3

6.264 s

less than 100 ms

\(d=6\)

Tweaked Algorithm 3

26 min

less than 300 ms

8.4 Complexity Comparison

It is difficult to compare the complexity of our new tool to the complexity of the tool proposed in [4] since it strongly depends on the tested algorithm. Nevertheless, we try to give some values for the verification time of both tools when we intentionally modify our constructions to yield an attack. From order 2 to 4, we start with our optimal constructions and we just invert two random bits in an output share \(c_i\). Similarly, for orders 5 and 6, we use our generic construction and apply the same small modification. The computations were performed on a Intel(R) Core(TM) i5-2467M CPU @ 1.60 GHz and the results are given in Table 3. We can see that in all the considered cases, our new tool reveals the attack in less than 300 ms while the generic verifier of Barthe et al. needs up to 26 min for order \(d=6\).

Footnotes

  1. 1.

    Actually, the generation of pseudorandom bits roughly corresponds to the execution of a block cipher but we should also consider the regular internal state update.

  2. 2.

    We have seen that for one index \(k^*\), but it is easy to see that, as the first R columns of \(\varGamma '\) form an identity matrix, there does not exist such vector \(\varvec{x}\) so that \(x_k=0\) for all \(k > R\) anyway.

  3. 3.

    There are exactly \(\sum _{i=1}^d \left( {\begin{array}{c}\nu \\ i\end{array}}\right) \) vectors of Hamming weight at most d, but here we recall that we only consider vectors \(\varvec{x}\) satisfying the following additional condition: there is no vector \(\varvec{\hat{x}} < \varvec{x}\) such that \(\varGamma \cdot \varvec{\hat{x}} = \varvec{0}\). We also remark that the vectors \(\varvec{x}\) generated by the described algorithm all satisfy this additional condition.

Notes

Acknowledgments

The authors thank the anonymous reviewers for their constructive comments. This work was supported in part by the French ANR Project ANR-12-JS02-0004 ROMAnTIC, the Direction Générale de l’Armement (DGA), the CFM Foundation.

References

  1. 1.
  2. 2.
    Barker, E.B., Kelsey, J.M.: Sp 800–90a. recommendation for random number generation using deterministic random bit generators. Technical report, Gaithersburg, MD, USA (2012)Google Scholar
  3. 3.
    Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.A., Grégoire, B.: Compositional verification of higher-order masking: Application to a verifying masking compiler. Cryptology ePrint Archive, Report 2015/506 (2015). http://eprint.iacr.org/2015/506
  4. 4.
    Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 457–485. Springer, Heidelberg (2015)Google Scholar
  5. 5.
    Ben-Or, M., Goldwasser, S., Kilian, J., Wigderson, A.: Multi-prover interactive proofs: How to remove intractability assumptions. In: 20th ACM STOC, pp. 113–131. ACM Press, May 1988Google Scholar
  6. 6.
    Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: Higher-order threshold implementations. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 326–343. Springer, Heidelberg (2014)Google Scholar
  7. 7.
    Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: A more efficient AES threshold implementation. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 267–284. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  8. 8.
    Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999)Google Scholar
  9. 9.
    Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014)Google Scholar
  10. 10.
    Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  11. 11.
    Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 401–429. Springer, Heidelberg (2015)Google Scholar
  12. 12.
    Dziembowski, S., Faust, S., Skorski, M.: Noisy leakage revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 159–188. Springer, Heidelberg (2015)Google Scholar
  13. 13.
    Goubin, L., Patarin, J.: DES and differential power analysis the “duplication” method. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  14. 14.
    Ishai, Y., Kushilevitz, E., Li, X., Ostrovsky, R., Prabhakaran, M., Sahai, A., Zuckerman, D.: Robust pseudorandom generators. In: Fomin, F.V., Freivalds, R., Kwiatkowska, M., Peleg, D. (eds.) ICALP 2013, Part I. LNCS, vol. 7965, pp. 576–588. Springer, Heidelberg (2013)Google Scholar
  15. 15.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. 16.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  17. 17.
    Lamport, L., Shostak, R.E., Pease, M.C.: The byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3), 382–401 (1982)CrossRefzbMATHGoogle Scholar
  18. 18.
    Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988)Google Scholar
  19. 19.
    Leon, J.S.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theor. 34(5), 1354–1359 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Prog. Rep. 42(44), 114–116 (1978)Google Scholar
  21. 21.
    Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptology 24(2), 292–321 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theor. 8(5), 5–9 (1962)MathSciNetCrossRefGoogle Scholar
  23. 23.
    Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  24. 24.
    Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 764–783. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  25. 25.
    Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  26. 26.
    Stern, J.: A method for finding codewords of small weight. In: Cohen, G.D., Wolfmann, J. (eds.) Coding Theory and Applications. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1988)CrossRefGoogle Scholar
  27. 27.
    The Sage Developers: Sage Mathematics Software (Version 6.8) (2015). http://www.sagemath.org
  28. 28.
    Yao, A.C.C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, pp. 160–164. IEEE Computer Society Press, November 1982Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.ENS, CNRS, INRIA, and PSLParisFrance
  2. 2.Thales Communications and SecurityGennevilliersFrance
  3. 3.ANSSIParisFrance
  4. 4.UPMC, POLSYS, LIP6ParisFrance

Personalised recommendations