A relation calculus for reasoning about t-probing security

In the context of side-channel attacks against cryptographic circuits, t-probing security characterizes the amount of information derivable about sensitive values (e.g., keys) by observing t output/internal values. Non-interference is a useful mathematical tool used by researchers to assess the probing security of a circuit which employs Boolean masking to protect itself from attacks. However, reasoning about non-interference still requires either difficult ratiocination or complex automatic tools. In this work, we propose a novel point of view for reasoning about non-interference, by exploiting the Walsh transform of a Boolean function. To this end, we introduce a calculus for mechanically reasoning about the shares of a variable and show that this formalism provides a lean algebraic explanation of known compositional patterns, allowing for the discovery of new ones. Finally, we show how this formalism can be applied to study the probing security of known cryptographic gadgets.


Introduction
An attacker can mount a side-channel attack against a cryptographic circuit by probing its internal nodes to derive information correlated with the secret. The first countermeasure against this type of attack appeared almost two decades ago [1] and officially gave birth to the branch of research known today as t-probing security. Since then, it has become clear that, while proving the security of small gadgets requires little effort, reasoning about their composition was (and still is) not trivial. In fact, one of the main problems addressed is the composability of security proper- [...] ied is the nonlinear part of the Advanced Encryption Standard (AES) [8,9], which is also one of the target applications of the current work.

Our contribution
Reasoning about non-interference still needs either difficult ratiocination or complex automatic tools [3,4]. In this work, we investigate an alternative formalization which, we argue, is simpler to reason with; in fact, it allowed us to prove some new properties of probing security (see Theorem 4). Our approach is based on the spectral theory of Boolean functions and correlation matrices [10,11], and represents, to some extent, an extension of the work presented in [12]. However, while the latter only addressed single-output Boolean functions, we are the first to formalize multiple dependencies between the outputs and inputs of a vector function, with the added benefit of being supported by matrix-based toolboxes. Note that the use of these tools in our area is not new; for example, in [13] the authors exploit the correlation matrix of shared functions to estimate some security bounds and define the correlation between probed values, while other works use linear algebra to investigate resiliency against side-channel attacks [14,15]. These works, however, address either monovariate attacks or other sharing schemes (inner product masking), while we aim at providing a larger and stronger foundational contribution that allows us to concisely explain known general compositional patterns and potentially discover new ones.
This work is organized as follows: we present our new mathematical approach in Sect. 2 by introducing the concept of shares' relation matrix, which is a compact matrix representation of the (cor)relation between a Boolean function's inputs and outputs. Methodologically, this new formalism allows us to create a linear-algebra view of t-probing security, which we present in Sect. 3. This approach brings several benefits, among which the ability to prove general probing-security composition theorems through linear algebra. To this end, in Sect. 4 we put our formalism to work by proving the t-SNI property of the AES nonlinear part. We conclude by sketching possible evolutions of this work (Sect. 5) and by providing the relevant mathematical background and the proofs supporting our argument (Appendix).

A relation calculus for shares
Let us consider a circuit implementing a function f whose input values $x_i$ are sensitive (i.e., they have been computed using a secret). A side-channel attack consists of measuring the power consumption of internal nodes of the circuit (through probes) and searching, through a set of guesses of the secret, for the one that maximizes the correlation with the measurements.
To design a mitigation against a side-channel attack, designers split each sensitive value $x_i$ into d values $\alpha_i = \{\alpha_{i,j}\}_{j \in 1 \ldots d}$ such that $\bigoplus_j \alpha_{i,j} = x_i$; these d values are called shares. In principle, this is done by using $d-1$ auxiliary, uniformly distributed random values (aka masks) and, unless one obtains all d shares $\alpha_{i,j}$, the correlation of each share with the sensitive value $x_i$ is negligible [1]. The implementation of f must be changed so as to provide the result as a set of shares, much like the original sensitive values. The computation of each output $f_i$ is thus split into a set of d vector functions $\omega_i = \{\omega_{i,j}\}_{j \in 1 \ldots d}$ such that: where each $\omega_{i,j}$ is called the j-th output share of $f_i$, and it must be impossible to obtain information about $f_i$ unless one obtains all d output shares.
In the probing security attack model, aside from the regular output shares $\omega_i$, attackers can observe (through probes) a group of the internal values of the circuit as additional outputs: where each $\pi_i$ is a function of the input shares. A mitigation against a probing attack ensures that none of the $\pi_i$ are correlated with the original sensitive values. To design such countermeasures, besides the shares of the original sensitive values, designers use an additional group of inputs $P = \{\rho_1 \ldots \rho_{|P|}\}$ which are uniformly random. These values are used to "refresh" the internally computed values of the function so as to make each $\pi$ and $\omega$ uncorrelated with the sensitive values.
It is clear that the correlation of each $\omega$ and $\pi$ with any $\alpha$ and $\rho$ is critical to determine whether the circuit is probing secure. A possible way to encode this information is a multi-dimensional matrix called the shares' relation matrix: given a function f, where A is the set of its input shares $\alpha_k$ and the output shares are the $\omega_k$, we define the shares' relation matrix of f as a multi-dimensional matrix F whose element $F(i, j)$ is indexed by the number of probes and output shares (row index i) and by the number of randoms and input shares (column index j), and is equal to 1 only if there exists a nonzero correlation between $j_{\alpha_k}$ shares of $\alpha_k$ and $j_\rho$ randoms with $i_{\omega_p}$ output shares of $\omega_p$ and $i_\pi$ probes, for all k, p.
A formal definition of this type of matrix is given in Appendix B where, in particular, we consider multiple random groups $P_l$ and multiple probe groups instead of a single random group P and a single probe group as above; for the rest of the paper, however, an intuitive understanding, which we develop in the following paragraphs, is sufficient. A practical way to compute the shares' relation matrix of a function f is to derive it from the Walsh matrix of f. Indeed, correlation matrices are useful to determine whether a set of output shares is vulnerable, i.e., correlated with one or more sensitive variables [16,17,18]. In particular, for a circuit f, any combination of outputs (encoded with the spectral coordinate $\varphi$) is correlated with a set of inputs (encoded with the spectral coordinate $\psi$) if $W_f(\varphi, \psi) \neq 0$. A correlation matrix can thus be seen as an incidence matrix which encodes a dependency relation between the inputs and outputs of f. Such relation matrices (which are built over the Boolean semiring $\mathbb{K} = (\{0, 1\}, \vee, \wedge)$) are the fundamental building block of the calculus of relations, an algorithmic device that allows the substitution of computation for a sometimes difficult ratiocination [19]. A relation matrix element $R_{i,j} \in \mathbb{K}$ represents the absence (0) or presence (1) of a relationship $i\,R\,j$ between entities encoded through the row index i and the column index j, and the logical composition of relations can be encoded into a linear-algebra expression and analyzed with conventional tools: logical disjunction is represented as matrix sum ($(R + S)_{i,j} = R_{i,j} \vee S_{i,j}$), logical conjunction as the Hadamard product ($(R \bullet S)_{i,j} = R_{i,j} \wedge S_{i,j}$), and the "relative product" as conventional matrix multiplication ($(RS)_{i,j} = \exists k\, R_{i,k} \wedge S_{k,j}$). In this paper, all indices start from 0. We can derive the relation matrix of a vectorial Boolean function element-wise from its correlation matrix $W_f$ as follows (Eq. 2): Once the relation matrix has been found, one can easily derive the shares' relation matrix of Eq. 1 by inspection. Thus, we derive the shares' relation matrix in a two-step process, starting from the correlation matrix of f.

Example 1 (Taken from [20] and reported here for simplicity) Consider a function f where $a_0$ and $a_1$ are two shares of a single sensitive input a, $r_0$ and $r_1$ are two random values, $f_0$ and $f_1$ are two shares of a single output o, and $f_2$ is the value associated with a potential internal probe p within the circuit realization of f.
From its correlation matrix we can derive, through Eq. 2, the relation matrix of f. From the original correlation matrix $W_f$ (Eq. 3) it is thus possible to derive the corresponding shares' relation matrix F, which accounts only for the number of output shares and probes whose combination is correlated with a specified number of input shares and randoms. Note that the coordinates of this new relation matrix are computed from the Hamming weights of the spectral coordinates of $W_f$, split by their type (r the randoms, a the inputs, o the outputs, p the probes). This allows us to index any element $F(i, j)$ in an alternative way: the vectors $[i_p, i_o]$ and $[j_r, j_a]$ are exactly the mixed-radix representations of i and j, and they carry additional information, i.e., the distinction between the related input-random (output-probe) composition. The mixed-radix representation $\mathrm{mr}_\rho(n)$ of a number n is taken over a vector of parts $\rho = [\rho_N, \ldots, \rho_1]$; the vector $[i_p, i_o]$ (resp. $[j_r, j_a]$) is just the mixed-radix representation of i (resp. j) over the vector of parts determined by the function, where $f_a$ is the number of shares of the input of f, $f_r$ is the number of refresh values, $f_o$ is the number of shares of f's outputs and $f_p$ is the number of probes (Eqs. 5 and 6).

This work concerns itself with deriving security properties associated with the composition of functions. In the following we consider the function $h(x) = g(f(x))$ as the horizontal composition of g with f, while the vector function obtained by juxtaposing f and g, each applied to its own input, is the vertical composition of f and g. We will show that the shares' relation matrix of a function distributes over vertical composition while, concerning horizontal composition, we can only assert a weaker rule (see below), which is still valid for inferring probing security. For the proofs of the following theorems, the reader is referred to Appendix B.1.
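As an added example (this is not code from the paper, nor the function of Example 1), the following Python carries out the two-step derivation above for a small constructed 2-share refresh gadget with one probe: the Walsh matrix (Definition 5), the relation matrix (Eq. 2) and the Hamming-weight collapse into the shares' relation matrix (Eq. 1). The gadget, its bit layout, the mixed-radix ordering used by `to_dense` (first group most significant) and all function names are assumptions of this example.

```python
import math


def parity(v):
    """Parity of the set bits of v; parity(m & x) is the F_2 inner product m.x."""
    return bin(v).count("1") & 1


def walsh(func, n_in, n_out):
    """Walsh matrix of a vectorial Boolean function func: F_2^n_in -> F_2^n_out,
    entry [omega][alpha] = sum_x (-1)^(omega.func(x) xor alpha.x), size 2^n_out x 2^n_in."""
    return [[sum(-1 if parity(w & func(x)) ^ parity(a & x) else 1
                 for x in range(1 << n_in))
             for a in range(1 << n_in)]
            for w in range(1 << n_out)]


def relation_matrix(W):
    """Eq. 2: Boolean incidence matrix, 1 wherever the Walsh coefficient is nonzero."""
    return [[int(c != 0) for c in row] for row in W]


def shares_relation_matrix(R, in_groups, out_groups):
    """Collapse a relation matrix by the Hamming weight of each spectral coordinate,
    split by variable group. Groups are ordered lists of (name, bit positions); the
    result is the set of index pairs (row_weights, col_weights) that hold a 1."""
    def weights(mask, groups):
        return tuple(sum((mask >> b) & 1 for b in bits) for _, bits in groups)
    return {(weights(w, out_groups), weights(a, in_groups))
            for w, row in enumerate(R) for a, bit in enumerate(row) if bit}


def to_dense(entries, row_parts, col_parts):
    """Lay the entries out as a 0/1 matrix. Each part is the number of values in its
    group plus one (Theorem 1 gives I_{n+1} for n shares); the first group is taken
    as the most significant mixed-radix digit (an assumption of this example)."""
    def flat(ws, parts):
        idx = 0
        for w, p in zip(ws, parts):
            idx = idx * p + w
        return idx
    M = [[0] * math.prod(col_parts) for _ in range(math.prod(row_parts))]
    for ws_row, ws_col in entries:
        M[flat(ws_row, row_parts)][flat(ws_col, col_parts)] = 1
    return M


# Constructed gadget: input bits [a0, a1, r] (a0 = bit 0), output bits [o0, o1, p].
def refresh_gadget(x):
    a0, a1, r = x & 1, (x >> 1) & 1, (x >> 2) & 1
    o0, o1 = a0 ^ r, a1 ^ r      # output shares of a, refreshed with the random r
    p = a0 ^ r                   # an internal probe placed on the wire carrying o0
    return o0 | (o1 << 1) | (p << 2)


IN_GROUPS = [("rho", [2]), ("alpha", [0, 1])]    # column index j = [j_r, j_a]
OUT_GROUPS = [("pi", [2]), ("omega", [0, 1])]    # row index i = [i_p, i_o]
PARTS_ROW = (1 + 1, 2 + 1)    # (f_p + 1, f_o + 1)
PARTS_COL = (1 + 1, 2 + 1)    # (f_r + 1, f_a + 1)


def refresh_shares_relation():
    """Shares' relation matrix of the constructed gadget as a set of index pairs."""
    R = relation_matrix(walsh(refresh_gadget, 3, 3))
    return shares_relation_matrix(R, IN_GROUPS, OUT_GROUPS)


if __name__ == "__main__":
    for row in to_dense(refresh_shares_relation(), PARTS_ROW, PARTS_COL):
        print(" ".join(map(str, row)))
```

The entry at row $[i_p, i_o] = [1, 1]$, column $[j_r, j_a] = [0, 2]$ records that the probe together with one output share is correlated, without any random masking it, with both shares of a: this is the kind of entry the t-SNI predicate of Sect. 3 inspects.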
Note that the definition of the shares' relation matrix differs from the Probe Distribution Table (PDT) introduced in [21], because the latter does not account for the compression of information obtained by encoding the Hamming weights of the spectral coordinates. With respect to [21], we show that it is possible to work with such minimal objects without explicitly encoding all possible input/output relationships. Note also that the goal of our work is to explain how the composition of primitive gadgets works rather than to determine the inner properties of such primitives through their correlation matrices. Other work [20], however, provides some deductions on the complexity required for deriving the above shares' relation matrices from scratch.
Theorem 1 (Identity) Given the identity function $\mathrm{id}: \mathbb{F}_2^n \to \mathbb{F}_2^n$, its shares' relation matrix is $I_{n+1}$, where I is the identity matrix (see Appendix for the proof).
The horizontal compositionality of shares' relation matrices is governed by a weaker rule than the one for conventional correlation matrices (see Theorem 7); in particular, as long as we look at the constituent parts of a horizontal composition, the product of their shares' relation matrices always conservatively dominates the shares' relation matrix of the composed function, as stated in the following theorem.

Theorem 2 (Shares' relation matrices pseudo-horizontal composition) Given two functions f and g, and F, G and the shares' relation matrices of f, g and $g \circ f$, respectively, the following dominance holds:

Practically speaking, if the product of two shares' relation matrices does not imply a dependency between variables, that dependency is absent from the shares' relation matrix of the whole function as well. Vertical composition, however, still holds exactly, as the following theorem shows.

Theorem 3 (Shares' relation matrices pseudo-distributivity over tensor product) Given two functions f and g, and F, G, F|G the shares' relation matrices of f, g and the vertical juxtaposition of g above f, respectively, the following holds: where $\otimes$ is the Kronecker (or tensor) product; see Appendix for the proof.
Corollary 1 (Tensor product with identity) From the previous theorems, it follows that the following equalities hold: where $\delta$ is the Kronecker delta.

Application to t-probing security
In this section, we revisit and enhance known theorems about t-probing security by showing how they naturally descend from the relation calculus of shares based on shares' relation matrices. We recall that t-probing security centers around the concept of a t-non-interfering function. A function f is t-NI if, for any set of s output and internal probes with $s \le t$, the probed values depend on at most s input shares. A function f is t-SNI if, for any such set with $s \le t$, the probed values depend on at most i input shares, where i is the number of internal probes in the set.
Much has been said about the composition rules of such functions and, unfortunately, their proofs are complex, long or require much expertise in type-theoretical or formal validation techniques [3]; we will show that the relation calculus of shares allows us to revisit and extend these proofs with conventional linear-algebra tools, broadening the potential audience.
To talk about t-probing security, we have found it useful to follow this general pattern: (i) we explicitly include the random refresh values among the inputs and (ii) we include in the signature of the function also the probes considered. This creates a natural subdivision of the shares' relation matrix of the considered function. Before introducing some general results that can be derived with our formalism, we introduce an additional example that shows how one can identify a violation of compositionality in an existing gadget with our formalism.

Example 3 (Extended from [20]) In this example, we revisit through our formalism a case discovered in [2] which proves that, in general, the composition of a t-NI and a t-SNI function is not t-NI. Figure 1 shows the structure of a function h(a) which is the composition of two functions f and g; the assumptions are that f is t-NI and g is t-SNI. In particular, f refreshes its input a with two random bits $r_f$:

and it is assumed to have been probed at location $p_f = a_0 \oplus r_0$. On the other hand, $g(a, b, r_g)$ is the ISW multiplication [1], which consumes 3 random bits $r_g$ for the secret computation; also in this case a single probe $p_g = a_2 \wedge b_1$ is assumed. We will show that our method provides sufficient precision to identify the vulnerability spotted in [2]. To fit into our formalism, however, we must consider the underlying correlation matrices that explicitly include (i) the random values both f and g consume to refresh the data and (ii) the probes that are present. The string diagram in Fig. 5 describes the composition pattern of the correlation matrices as a mapping from the space of the Fourier transform of the input distribution $A \otimes R_f \otimes R_g$ (i.e., the actual inputs plus the random values) to that of the output distribution $O_g \otimes P_g \otimes P_f$ (i.e., the actual output of g and the probes in both f and g). Still considering the string diagram of Fig. 5, one can derive one of the equivalent expressions of the correlation matrix of h as: where $W_s$ is the correlation matrix of the duplication function $s = (x) \mapsto (x, x)$ and $W_q$ is the correlation matrix of the function $q = (x, y) \mapsto (y, x)$. We are interested in computing the potential dependencies between any combination of outputs/probes and inputs that are not masked by random values. Thus, computing the shares' relation matrices from all the previous correlation matrices, by Theorems 2 and 3 the following holds: where H, F, G, S and Q are the shares' relation matrices computed for the functions h, f, g, s and q, respectively.

Fig. 1 The composition pattern of f (t-NI) and g (t-SNI) studied in Example 3 and derived from [2]. The composed function h(a) is not t-NI, as can easily be checked with our formalism.
The value of the right-hand side of Eq. 8 is shown in Fig. 2. First of all, we are interested only in the first 4 columns, as these are the ones that represent relationships between the outputs and the shares of a not masked by any random value. We note that there is a potential dependency in row [1, 1, 0], column [0, 0, 3], exactly the one found in [2], which says that one needs only two probed values to obtain all three shares; h is thus not even 2-NI, showing that t-NI and t-SNI do not compose into a t-NI function. This example shows that the proposed calculus of shares has sufficient precision to discover these cases. On the one hand, such entries could be false positives because of the dominance relation in Eq. (8); on the other hand, the formalism rules out any false negative, since a dependency absent from the dominating product is absent from h as well. We will show that the stronger concept of t-SNI naturally emerges, in our relation calculus, as the fundamental property ensuring compositionality.

Fig. 2 The shares' relation matrix of the function h in Example 3, derived from [2] (we use Greek letters to indicate the spectral coordinate associated with each function variable, i.e., $\alpha$ is the spectral coordinate associated with the variable a and so on). Gray areas indicate where h is allowed to have nonzero values in its shares' relation matrix to meet the t-NI hypotheses. One can see that in row [1, 1, 0], column [0, 0, 3] there is a potential relation between two probes and the three shares of a, meaning that the composition is not even 2-NI.

Proving general patterns of compositional security
The shares' relation matrix is a reasonable way to explore t-probing security, but there is more. In fact, it is possible to demonstrate that, in order to rule out dependencies like the one of Example 3, both f and g must be t-SNI. In this section, we revisit some known composition patterns (e.g., Theorem 5 and Corollaries 2 and 3, which appeared in [4]) and introduce a new one not known in the literature (Theorem 4).
Here, we restate what it means for a function f to be t-NI/t-SNI in terms of its shares' relation matrix F.

Definition 2 f is t-SNI iff, for any set of probes that could be introduced in it, the following predicate is true for any element (i, j) of its shares' relation matrix:

Definition 3 f is t-NI iff, for any set of probes that could be introduced in it, the following predicate is true for any element (i, j) of its shares' relation matrix:

where it is evident that t-NI is a weaker version of t-SNI.

Example 4
Coron's linear-space variant [22] of the ISW multiplication [1] is t-SNI [3], and this can easily be seen through the shares' relation matrix. Let us consider its form for t = 1; in this case we have two shares for each of the two inputs a and b, one random value r, two output shares o and six possible internal probes p. Part of the corresponding shares' relation matrix is shown in Fig. 3; it can be seen that for $\pi + \omega \le 1$, $\rho = 0$ and $\alpha, \beta > 1$ (white areas) we have a null dependency, i.e., the function is 1-SNI. Note that, for this ISW implementation, the number of outputs and probes varies with t according to the following law: where t + 1 of these correspond to outputs while the others are internal probes.

Fig. 3 Part of the shares' relation matrix of the SecMult function [22] (only the rows interesting for t-SNI are shown). Note that $\alpha$, $\beta$ and $\rho$ are the spectral coordinates associated with the inputs a, b and r, while $\omega$ and $\pi$ are the spectral coordinates for o and p. Gray areas indicate where SecMult is allowed to have nonzero values in its shares' relation matrix to meet the t-SNI hypotheses.
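As an added example (not code from the paper), the following Python evaluates the t-NI and t-SNI predicates of Definitions 2 and 3 over shares' relation matrices given as sets of index pairs $((i_\pi, i_\omega), (j_\rho, j_\alpha))$, with a single probe group and a single shared input, which is the layout one obtains from the derivation of Sect. 2. Both matrices below are constructed for this example and are assumptions: REFRESH is a 2-share refresh with one probe on an output wire, LEAKY mimics the kind of entry found in Example 3, where two probed values relate to three shares without any random masking them. The predicates follow the prose definitions of t-NI/t-SNI: only entries with no random in their column and at most t probed values are constrained, and the number of related input shares may not exceed the number of probed values (t-NI) or the number of internal probes alone (t-SNI).

```python
# Constructed shares' relation matrices: {((i_pi, i_omega), (j_rho, j_alpha)), ...}
REFRESH = {((0, 0), (0, 0)), ((0, 1), (1, 1)), ((0, 2), (0, 2)), ((1, 0), (1, 1)),
           ((1, 1), (0, 0)), ((1, 1), (0, 2)), ((1, 2), (1, 1))}
LEAKY = {((0, 0), (0, 0)), ((0, 1), (1, 1)), ((1, 0), (1, 1)),
         ((1, 1), (0, 3)), ((0, 2), (1, 2))}


def violations(entries, t, strong):
    """Entries that break t-NI (strong=False) or t-SNI (strong=True).

    An entry is constrained only if it is not masked by any random (j_rho == 0)
    and is built from at most t probed values (i_pi + i_omega <= t). It violates
    the predicate when the related input shares j_alpha exceed the bound: the
    number of probed values for t-NI, the number of internal probes for t-SNI."""
    bad = set()
    for (i_pi, i_omega), (j_rho, j_alpha) in entries:
        if j_rho != 0 or i_pi + i_omega > t:
            continue
        bound = i_pi if strong else i_pi + i_omega
        if j_alpha > bound:
            bad.add(((i_pi, i_omega), (j_rho, j_alpha)))
    return bad


def is_t_ni(entries, t):
    return not violations(entries, t, strong=False)


def is_t_sni(entries, t):
    return not violations(entries, t, strong=True)


def max_order(entries, strong):
    """Largest t for which the predicate holds (0 if it fails already at t = 1).
    Raising t only adds constrained entries, so the first failure is final."""
    t_max = max(i_pi + i_omega for (i_pi, i_omega), _ in entries)
    best = 0
    for t in range(1, t_max + 1):
        if violations(entries, t, strong):
            break
        best = t
    return best


if __name__ == "__main__":
    for name, F in (("REFRESH", REFRESH), ("LEAKY", LEAKY)):
        print(name, "max t-NI order:", max_order(F, strong=False),
              "max t-SNI order:", max_order(F, strong=True))
        print(name, "2-NI violations:", violations(F, 2, strong=False))
```

For REFRESH the 2-share gadget is 1-SNI but not 2-SNI (one internal probe plus one output share relate to both shares), which is the expected behaviour of a refresh sized for t = 1; for LEAKY the entry ((1, 1), (0, 3)) is reported as the 2-NI violation, mirroring the row/column found in Example 3.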
The simplest composition pattern for which we can derive general rules is $l = g \circ f$. The corresponding map between the Fourier transforms of distributions is shown in Fig. 4. The question we address is whether l (with the associated shares' relation matrix L) is t-SNI/t-NI according to Definitions 2 and 3, by making assumptions on the probing security of the underlying functions f and g (whose shares' relation matrices are called F and G, respectively). Note that, to fit within our formalism, we need to explicitly route the refresh values for g and the probed values of f with a function q that just swaps those values. Since the matrix Q is the shares' relation matrix of the function $q: (x, y) \mapsto (y, x)$, it can be shown that the following holds: Besides, by Theorem 2, we know that L is dominated by the product: where $n_{\pi_f}$ ($n_{\omega_f}$, $n_{\rho_g}$) is the number of probes in f (output shares of f, randoms needed to refresh g) plus 1 (see Theorem 1).

Fig. 4 Map between Fourier transforms of probability distributions implied by a function composition $l = g \circ f$.
The following lemma can be proved.

Lemma 1 The product ABC is such that: For a proof, see Appendix.
We are now able to derive formally whether and when l is t-SNI/t-NI.

Theorem 4 If f is t-SNI and g is t-NI, then $l(x) = g(f(x))$ is t-SNI. Formally, the following three axioms: Proof Exploiting the above axioms and Lemma 1 we can derive that:

Corollary 2 If f and g are t-SNI functions then also l(x) = g( f (x)) is t-SNI.
Proof Assuming g is t-SNI, then it is also t-NI and the thesis follows from Theorem 4.
We already saw an example of another composition pattern studied in the literature, whose circuit diagram is shown in Fig. 1. The diagram associated with its correlation matrices is shown in Fig. 5. With our formalism, it is possible to identify some general rules to determine whether such a composed function is t-NI/t-SNI (according to Definitions 2 and 3) by making assumptions on the probing security of the underlying functions f and g. Note that, to reconcile with our model of function, we explicitly split the whole function l into a composition $a \circ b \circ c \circ d$. In particular, d contains the duplication function s that sends a copy of the shared input to both f and g, while b contains q as in the pattern that we previously studied. The shares' relation matrix S associated with the function $s: x \mapsto (x, x)$ is characterized by the following lemma.

Lemma 2 For any indices $i_{\alpha_1}, i_{\alpha_2}, j_\alpha$, the following holds: For a proof, see Appendix.
From the point of view of the shares' relation matrices involved, we know (see Theorem 2) that the whole function is dominated by the product: where $n_{\alpha_1}$ ($n_{\rho_f}$) is the number of shares of the first input of g (randoms needed to refresh f) plus 1.

Lemma 3 The complete relation matrix ABCD computed in Figure 5 is such that:

For a proof, see Appendix.
We are now able to derive formally when l is t-SNI/t-NI.

Theorem 5 If f is a t-SNI function and g is t-NI, then $l(x) = g(f(x), x)$ is t-NI. Formally, the following three axioms: Proof Exploiting the above axioms and Lemmas 2 and 3: A4.

Corollary 3 If f and g are t-SNI functions then also $l(x) = g(f(x), x)$ is t-SNI. Formally, the following three axioms:
Proof The initial part of the proof is the same as that of Theorem 5 up to Equation (13); then the different axioms apply:

Extending the approach to F n 2 k : the AES inversion
In this section, we present an extension of the proposed formalism to address the case where shares encode values over k bits, i.e., they belong to $\mathbb{F}_{2^k}^n$. Let us thus consider a function $f: \mathbb{F}_{2^k}^n \to \mathbb{F}_{2^k}^m$; we can extend Eq. 2 as follows: where $u^{(k,n)}$ is a reduction operation over the binary encoding of the spectral coordinate u (see Fig. 6). It can be shown that the shares' relation matrix derived from the relation matrices computed as in Eq. 15 still complies with Definitions 2 and 3 and Theorems 2 and 3. In this setting, affine functions have a convenient representation that will be useful to extend the application of the previous theorems.

Definition 4 A function f is said to be share-wise affine when it satisfies: where g is an affine function, $x_i$ is the i-th share of x and $f(x)_i$ is the i-th share of f(x) (see [4]). For conciseness, we will refer to f as an affine function as well.
The relation matrix of an affine function (as well as its shares' relation matrix) is an identity, as the following lemma shows.

Lemma 4 Let $f: \mathbb{F}_{2^k}^n \to \mathbb{F}_{2^k}^n$ be an affine function; then $W_f = I_{2^n}$. The affine function f can be seen as the parallel application of n functions $g_i$ such that $f(x)_i = g_i(x_i)$ with $0 \le i \le n-1$; this implies that: Since each $g_i$ is an affine (and balanced) function, $W_{g_i} = I_2$ and: When using our formalism to determine whether a function over $\mathbb{F}_{2^k}^n$ is t-NI/t-SNI, we can thus treat affine functions as identities, because their shares' relation matrix is the same as that of the identity function.

AES inversion function
A function that has been widely studied in the probing security framework is the inversion function in AES algorithm; finding a gadget that implements it in a probing secure way, also when it is composed with previous and following gadgets, is an important research cornerstone.
Let us consider the t-SNI gadget proposed in [9] for the AES inversion in $\mathbb{F}_{2^8}$. A formal demonstration of the strong security of this implementation was given in [4].
Here we show how this could be proven with our formalism, exploiting only patterns that we have presented and proved in this work. We report the inversion gadget in Fig. 7b. Note that we have slightly modified the algorithm presented in [9] by moving two power computation blocks across duplication points; semantically it is always the same circuit but it is easier to see how previously introduced patterns can still be used to show that it is t-SNI.
First of all, we note that there is a recurring pattern in that algorithm, i.e., the circuit in Fig. 7a. The block is composed of a mask refresh Refresh (t-SNI), the ISW multiplication SecMult (t-SNI), and $(\cdot)^x$, an affine power function parameterized over the exponent x (which is a power of two, so that the map is linear over $\mathbb{F}_2$). It is possible to demonstrate that $m_x$ is t-SNI following the same line of reasoning as Corollary 3 because, by Lemma 4, the relation matrix of the power function can be interpreted as an identity, and thus the same case as the one shown in Fig. 5 applies. Considering the overall algorithm in Fig. 7b, we observe that it is t-SNI if $b \circ m_2$ is t-SNI (by Corollary 3). By Corollary 2, $b \circ m_2$ is t-SNI if b is t-SNI, and the latter is true by Corollary 3 and Lemma 4.

Conclusion
We originally started this research to extend our understanding of t-probing security. We have discovered a new relation calculus of shares which exploits the conventional Walsh transform. This calculus is precise enough to prove and extend known compositional properties without much semiformal or verbal ratiocination. We believe that the underlying linear algebra, besides providing a more intuitive understanding, will allow for an easier mechanization of probing security proofs.
We also believe that a similar approach can be used to address vulnerabilities associated with circuit glitches. In this sense, we have made a preliminary proposal showing that the approach is viable [20]. Indeed, more work must still be done toward a unifying approach that encompasses circuit glitches and new composability definitions such as the t-PINI condition [23].
Funding Not applicable.

Conflict of interest
The authors declare that they have no conflict of interest.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

A Properties of the Walsh transform
This section recaps the important properties of the Walsh transform of a vectorial Boolean function and introduces the concept of tensor product for the resulting matrices [24].

Definition 5 (Walsh transform of a vectorial function)
Given a vectorial Boolean function $f: \mathbb{F}_2^n \to \mathbb{F}_2^m$, we define its Walsh transform as a $2^m \times 2^n$ matrix $\hat{f}$ whose elements are: with $\omega \in \mathbb{F}_2^m$, $\alpha \in \mathbb{F}_2^n$ being the binary encoding of the row and column indices, called spectral coordinates (or sometimes masks).
These matrices encode the correlation information between xor-combinations of the input variables and the corresponding output ones. For this reason, they sometimes appear in the literature, scaled by a coefficient $2^{-n}$, as correlation matrices [10]: For correlation matrices, the following theorem holds.

Theorem 6 (Correlation matrix as a map of probability distributions) Given a function $f: \mathbb{F}_2^n \to \mathbb{F}_2^m$ and a probability distribution $p_X: \mathbb{F}_2^n \to \mathbb{R}$ for its input variable, the following relation holds: where $p_Y$ is the distribution of the output values while $T_g$ is the Fourier transform of any pseudo-Boolean function $g: \mathbb{F}_2^n \to \mathbb{R}$, defined as follows: For a proof, see [10,25].
Interpreting the Fourier transform of the probability distribution of a variable in $\mathbb{F}_2^n$ as a vector in a subset $P_n$ of $\mathbb{R}^{2^n}$, we find that the correlation matrix $W_f$ of a function $f: \mathbb{F}_2^n \to \mathbb{F}_2^m$ is just a linear map $P_n \to P_m$. These maps are endowed with composition.

Theorem 7 (Composition of correlation matrices) Given two functions $f: \mathbb{F}_2^n \to \mathbb{F}_2^m$ and $g: \mathbb{F}_2^m \to \mathbb{F}_2^q$, the following holds: Moreover, if f is a bijection, $W_{f^{-1}} = W_f^{-1}$. For a proof, see [24,26].
Given two independent variables $x_f \in \mathbb{F}_2^{n_f}$ and $x_g \in \mathbb{F}_2^{n_g}$, one can form the probability distribution of the vector $[x_f, x_g]$ as the product of the two distributions. From the point of view of its Fourier transform, this is a mapping $P_{n_f} \times P_{n_g} \to P_{n_f + n_g}$. Letting h be the function that applies f to $x_f$ and g to $x_g$, the following theorem (Theorem 8) holds:

where the symbol $\otimes$ is the Kronecker product (or tensor product) of matrices (proof below in this appendix).
It is customary to say that $W_h$ is a mapping from the space $P_{n_f} \otimes P_{n_g}$ to the space $P_{m_f} \otimes P_{m_g}$.
Theorem 8 is informally proven in [10] and is applied in several works, as in [27]; taking this into account, in this appendix we give it a formal proof. For this purpose, we define the quotient and remainder operators as follows, to remind ourselves of the structure of the indices: When $p = 2^n$ and i is a number that can be encoded over $k > n$ bits, $i \uparrow p$ corresponds to the value encoded by the upper $k - n$ bits, while $i \downarrow p$ corresponds to the value encoded by the lower n bits.
Definition 6 (Kronecker product of matrices) The tensor product of two matrices X (of $n \times m$ elements) and Y (of $p \times q$ elements) can be defined as:

Proof (Theorem 8) Note that $\omega$ ($\alpha$) can be treated as a decimal number or as the corresponding (vector) binary encoding; moreover, the encoding of $\omega$ ($\alpha$) can in turn be decomposed into two parts $[\omega_g, \omega_f]$ ($[\alpha_g, \alpha_f]$) of $m_g$ ($n_g$) and $m_f$ ($n_f$) bits, respectively. We start by rewriting the definition of h: and conclude (using Definition 6) that the last equation represents the generic element in position $(\omega, \alpha)$ of the Kronecker product $\hat{g} \otimes \hat{f}$.

Fig. 8 Example of a compositional equality derived through a string diagram. The diagram on the left corresponds to the product $(W_g \otimes W_f)$ while the one on the right corresponds to $(1 \otimes W_f)(W_g \otimes 1)$ (each factor is highlighted with a dotted box). The fact that the second can be derived simply by moving boxes without crossing wires implies (because we are in a monoidal category) that the underlying formulas are equivalent.
Reasoning about the effect of composing correlation matrices can be carried out intuitively through diagrams. Each correlation matrix is drawn as a box (except for identities, which are drawn as simple wires); composition is the horizontal juxtaposition while the tensor product is the vertical one (see Fig. 8 for an example). We note that there is a remarkable correspondence between such a diagram and the underlying circuit diagram, to the point that we could talk about "the" diagram of the circuit. Moreover, there always exist two mappings $B_{a,b}: P_a \otimes P_b \to P_b \otimes P_a$ and $B_{b,a}$ such that $B_{a,b} B_{b,a} = I$. $B_{a,b}$ is exactly the Walsh transform of a function that permutes the variables a and b (this is typically drawn with crossing wires, such as the block Q in Fig. 5).

B Formal definition of shares' relation matrix
To produce precise proofs of the theorems introduced in this appendix, we need to slightly modify the notation given in Eqs. 5 and 6, to show the actual vector of parts over which the mixed-radix representation is computed. For the sake of generality, we will consider a generic vector of parts for the matrix rows and a generic vector of parts (A) for the matrix columns. Given a function f, we thus talk about a shares' relation matrix in the following form: We will also use $|i_\xi|$ to indicate $\sum_k i_{\xi_k}$, i.e., the sum of the mixed-radix components of the index i associated with the vector of parts. With this notation, $|i_\pi|$ means the number of probes associated with a specific value of the index i.

Example 5
Considering Example 2, we have the following notational equivalence: The shares' relation matrix can be seen as the encoding of a predicate over the original relation matrix; this fact will be used to prove the remaining theorems in this appendix and corresponds to an equivalent definition of the matrix itself, as the following theorem shows.

Proof (Theorem 3) With the new notation, Theorem 3 can be rewritten as follows: given two relation matrices X and Y over $\mathbb{K}$, whose rows and columns are indexed by their respective vectors of parts, the following holds:

where the vector of parts of the juxtaposition is the concatenation of the parts of X and Y. Before proceeding with the proof, we need the following lemma: where $\|$ is the vector concatenation while $\pi = \prod_i (\omega_i + 1)$. This means that we can split $r \sim i$ into the conjunction of two sub-conditions: $r \sim i \iff (r \uparrow \pi \sim i \uparrow \pi) \wedge (r \downarrow \pi \sim i \downarrow \pi)$.

C Relevant theorems and proofs: Section 3
Proof (Lemma 1) The complete relation matrix ABC computed in Fig. 4.

Proof (Lemma 2) S is the shares' relation matrix computed from the relation matrix $W_s$ of the duplication function $s = x \mapsto (x, x)$. It can be shown that the elements of this relation matrix are such that: $W_s(l, m) \iff l \uparrow 2^n \oplus l \downarrow 2^n = m$.

Proof (Lemma 3) The complete relation matrix ABCD computed in Fig. 5.