Private Multiplication over Finite Fields

Belaïd, Sonia; Benhamouda, Fabrice; Passelègue, Alain; Prouff, Emmanuel; Thillard, Adrian; Vergnaud, Damien

doi:10.1007/978-3-319-63697-9_14

Sonia Belaïd¹⁵,
Fabrice Benhamouda¹⁶,
Alain Passelègue¹⁷,
Emmanuel Prouff^18,19,
Adrian Thillard²⁰ &
…
Damien Vergnaud^21,22

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10403))

Included in the following conference series:

Annual International Cryptology Conference

3638 Accesses
20 Citations

Abstract

The notion of privacy in the probing model, introduced by Ishai, Sahai, and Wagner in 2003, is nowadays frequently involved to assess the security of circuits manipulating sensitive information. However, provable security in this model still comes at the cost of a significant overhead both in terms of arithmetic complexity and randomness complexity. In this paper, we deal with this issue for circuits processing multiplication over finite fields. Our contributions are manifold. Extending the work of Belaïd, Benhamouda, Passelègue, Prouff, Thillard, and Vergnaud at Eurocrypt 2016, we introduce an algebraic characterization of the privacy for multiplication in any finite field and we propose a novel algebraic characterization for non-interference (a stronger security notion in this setting). Then, we present two generic constructions of multiplication circuits in finite fields that achieve non-interference in the probing model. Denoting by d the number of probes used by the adversary, the first proposal reduces the number of bilinear multiplications (i.e., of general multiplications of two non-constant values in the finite field) to only $2d+1$ whereas the state-of-the-art was $O(d^2)$. The second proposal reduces the randomness complexity to d random elements in the underlying finite field, hence improving the $O(d \log d)$ randomness complexity achieved by Belaïd et al. in their paper. This construction is almost optimal since we also prove that d / 2 is a lower bound. Eventually, we show that both algebraic constructions can always be instantiated in large enough finite fields. Furthermore, for the important cases $d \in \{2,3\}$, we illustrate that they perform well in practice by presenting explicit realizations for finite fields of practical interest.

You have full access to this open access chapter, Download conference paper PDF

Randomness Complexity of Private Circuits for Multiplication

Exploiting Algebraic Structures in Probing Security

Secure Multiparty Computation with Sublinear Preprocessing

Keywords

1 Introduction

While most symmetric cryptographic algorithms are now assumed to be secure against classical black-box attacks (e.g., when the attacker gets the knowledge of some inputs and/or outputs), their implementation can still be vulnerable to side-channel attacks. These attacks, revealed by Kocher in the 1990s [19], make additional use of the physical leakage of the underlying device (e.g., temperature, power consumption, execution time, ...) during the algorithm execution to recover the secret key.

These side-channel attacks are actually very powerful both against hardware and software implementations. In practice, keys from a classical block cipher can be recovered in a few minutes on many devices. Therefore, there is a huge need in efficient and secure countermeasures. Among the many ones proposed by the community, masking (a.k.a. splitting or sharing) [9, 16] is probably the most widely deployed. The main idea is to split each sensitive data, which depends both on the secret key and on known variables (e.g., inputs or outputs) into $d+1$ shares. The first $d$ shares are generated uniformly at random and the last one is computed so that the combination of the $d+1$ shares with some group law $*$ is equal to the initial value. With this technique, the attacker actually needs the whole set of $d+1$ shares to learn any information on the initial value. Since each share’s observation comes with noise, the higher the order $d$ is, the more complex the attack is [9, 21].

In order to evaluate the security of masking schemes, the cryptographic community has made important efforts to define leakage models which properly reflect the reality of embedded devices. In 2003 [18], Ishai, Sahai, and Wagner introduced the $d$-probing model in which the attacker can get access to the exact values of at most $d$ intermediate variables of its choice in the targeted implementation. While in practice, the attacker has access to the noisy values of all the manipulated variables, this model may still make sense, since recovering the exact value of $d$ variables from their noisy observations is exponentially hard in the order $d$. Furthermore, it is widely used for its convenience to realize security proofs. Ten years later [21], Prouff, and Rivain extended a model initially introduced by Chari et al. [9], referred to as the noisy leakage model. This time, the model fits the reality of embedded devices since the attacker is assumed to get the noisy observations of all the intermediate variables of the implementation. However, because it requires the manipulation of noisy data (i.e., real values), this model is not convenient to make security proofs. Fortunately, Duc, Dziembowski, and Faust [13] exhibited a reduction from the noisy leakage model to the $d$-probing model, later improved in practice by Duc, Faust, and Standaert [14]. In other words, they proved that if an implementation is secure in the $d$-probing model, then it is also secure in the realistic noisy leakage model for specific number of shares, level of noise and circuit sizes. This sequence of works makes the $d$-probing model both realistic and convenient to make security proofs of masking schemes. An implementation secure in the $d$-probing model is said to satisfy the $d$-privacy property or equivalently to be $d$-private [18].

1.1 Our Problem

For the large majority of symmetric cryptographic algorithms which manipulate Boolean values, we naturally protect their implementation using Boolean masking for which $* = \oplus $. Each sensitive data is thus split into $d+1$ shares whose Boolean addition returns the initial value.^{Footnote 1}

In this context, the protection of linear functions is trivial since they just need to be applied independently to each share. However, the protection of non-linear functions is more complicated since the shares cannot be manipulated independently from each other. Concretely, additional randomness is required to randomize the computations which manipulate several shares of the same data. In particular, it is not trivial to evaluate the best way to build such countermeasures while minimizing the quantity of additional randomness as well as the number of operations.

The first proposal to perform a $d$-private multiplication over the finite field $\mathbb {F}_{2}$ was made by Ishai, Sahai, and Wagner in their seminal paper [18] (further referred to as ISW multiplication). They achieved $d$-privacy with $d(d+1)/2$ additional random bits and ${(d+1)}^2$ products over $\mathbb {F}_{2}$. Their multiplication then became the cornerstone of a sequence of works to build more complex $d$-private implementations [3, 10, 13, 14, 24]. Their proposal was described to securely compute a $d$-private multiplication over $\mathbb {F}_{2}$, but it can actually be transposed to secure a multiplication over any finite field $\mathbb {F}_{q}$ (e.g. [15, 24]) (in which case it requires $d(d+1)/2$ random field elements and ${(d+1)}^2$ products over $\mathbb {F}_{q}$). Secure implementation of multiplications over larger finite fields $\mathbb {F}_{q}$ (in particular for finite fields of characteristic 2), is of utmost practical interest to evaluate an S-box expressed as a polynomial over a such a finite field. For instance, it has been shown in [24] and [12] respectively that the implementation of the AES S-box (resp. the DES S-boxes) may be done with 4 (resp. 3) multiplications over $\mathbb {F}_{2^8}$ (resp. $\mathbb {F}_{2^6}$), instead of several dozens of multiplications over $\mathbb {F}_{2}$. However, with the order $d$ growing up in practice for security reasons, this multiplication remains quite expensive. In particular, it consumes a large amount of randomness, which is generated by a physical source followed by a deterministic random bit generator, and it also requires a large number of multiplications, which are more expensive than linear operations.

That is why the community started to investigate more efficient $d$-private multiplications. Belaïd et al. [4] proposed a new $d$-private multiplication over the finite field $\mathbb {F}_{2}$ with twice as less randomness while preserving the number of multiplications. They also proved that any $d$-private multiplication over $\mathbb {F}_{2}$ requires at least $d$ random bits and they proved a $O(d\log d)$ quasi-linear (non-constructive) upper bound for this randomness complexity. Most of their results can be readily generalized to $d$-private multiplication over any finite field $\mathbb {F}_{2^n}$ of characteristic 2 (except for the lower bound which holds only in $\mathbb {F}_{2}$). While their multiplication is $d$-private, it offers less security than the ISW one since it does not compose necessarily securely with other private circuits (see below for formal security definitions). It still can be used in symmetric algorithms to improve their performances: for instance, in the S-box of the block cipher AES defined over $\mathbb {F}_{2^8}$, three of the four multiplications can be replaced by theirs. Nevertheless, the proposal remains expensive and there is still a huge need in more efficient $d$-private multiplications.

1.2 Related Work

Other methods of encoding have been proposed in the literature. The inner product masking, proposed by Balasch et al. [2] encodes, over any finite field $\mathbb {F}_{q}$, the secret as a pair of vectors (L, R) such that the secret equals the inner product of L and R. In [1], this construction was enhanced by fixing a public value for L, hence allowing to achieve $d$-privacy using $d+1$ shares. The subsequent randomness and computation complexities for the multiplication are however still quadratic in $d$. Another approach, proposed by Prouff, and Roche [22] uses polynomial masking. Based on Shamir’s secret sharing scheme, the secret is viewed as the constant coefficient of a certain polynomial, whose values when evaluated at some public points $(\alpha _i)_ {i\le d}$ constitute the shares.^{Footnote 2}. Though the complexity for the multiplication of the original proposal is cubic in $d$, Coron, Prouff, and Roche [11] achieved a complexity in ${O}(d^2 \text {log}^4 d)$ for fields of characteristic 2. The recent work [17], which aims at achieving higher-order security in the presence of so-called glitches, is based on ISW multiplication and therefore requires ${O}(d^2)$ random values and field multiplications. It may moreover be noticed that this work directly benefits from the improvement proposed in [4] and in this paper.

1.3 Our Contributions

In this work, we aim to go further in the research of efficient $d$-private multiplications over finite fields $\mathbb {F}_{q}$ (where q is some prime power). Given two sharings $\varvec{a}=(a_0, \dots , a_d) \in \mathbb {F}_{q}^{d+1}$ and $\varvec{b}=(b_0, \dots , b_d) \in \mathbb {F}_{q}^{d+1}$, we aim to exhibit an output sharing $\varvec{c}=(c_0, \dots , c_d) \in \mathbb {F}_{q}^{d+1}$ such that

$$\begin{aligned} \sum _{i=0}^dc_i = \left( \sum _{i=0}^da_i\right) \cdot \left( \sum _{i=0}^db_i\right) \end{aligned}$$

where the sum and product denote $\mathbb {F}_{q}$ operations. The computation of this sharing $\varvec{c}$ should achieve the $d$-privacy (and actually will achieve a stronger security notion) with the use of a minimal number of random $\mathbb {F}_{q}$ elements and a minimal number of products in $\mathbb {F}_{q}$.

Extending the work of Belaïd et al. [4], we first present an algebraic characterization for privacy in the $d$-probing model for multiplication in any finite field. Contrary to the work done in [4] in which the authors limited themselves to multiplications based on the sum of shares’ products, in this paper, we extend the possibilities by authorizing products of sums of shares.

As mentioned above, the scheme proposed by Belaïd et al. offers less security than the original ISW proposal since it does not compose necessarily securely with other private circuits. It is thus necessary to consider new security properties which strengthen the $d$-privacy. The introduction of such properties was made by Barthe, Belaïd, Dupressoir, Fouque, Grégoire, Strub, and Zucchini in [3], under the name of non-interference, tight non-interference, and strong non-interference (see Sect. 2 for formal definitions and for a comparison of these notions).

We then propose a novel algebraic characterization for non-interference in the $d$-probing model for multiplication in any finite field (and actually for any bivariate function over a finite field, as long as intermediate values are linear in the randomness and linear or bilinear in the inputs).

Theorem 3.5 (informal). A multiplication algorithm is non-interfering in the $d$-probing model if and only if there does not exist a set of $\ell \le d$ intermediate results $\{p_1,\dots ,p_\ell \}$ and a $\mathbb {F}_{q}$-linear combination of $\{p_1,\dots ,p_\ell \}$ that can be written as

$$\begin{aligned} \varvec{a}^\intercal \cdot {\varvec{M}} \cdot \varvec{b} \;+\; \varvec{a}^\intercal \cdot \varvec{\mu } \;+\; \varvec{\nu }^\intercal \cdot \varvec{b} \;+\; \tau , \end{aligned}$$

where ${\varvec{M}} \in \mathbb {F}_{q}^{(d+1) \times (d+1)}$, $\varvec{\mu },\varvec{\nu } \in \mathbb {F}_{q}^{d+1}$, and $\tau \in \mathbb {F}_{q}$, and all the rows of the matrix $\begin{pmatrix} {\varvec{M}} \vert \varvec{\mu } \end{pmatrix} \in \mathbb {F}_{q}^{(d+1)\times (d+2)}$ or the matrix $\begin{pmatrix} {\varvec{M}}^\intercal \vert \varvec{\nu } \end{pmatrix} \in \mathbb {F}_{q}^{(d+1)\times (d+2)}$ are non-zero.

We then present two generic algebraic constructions of multiplication circuits in finite fields (based on this characterization) that achieve non-interference in the $d$-probing model. Both constructions are explicit and improve the complexity of previous proposals and their security is ensured as soon as some matrices satisfy some precise linear algebraic condition.

The first proposal (Algorithm 4) aims at reducing the number of bilinear multiplications (i.e., of general multiplications of two non-constant values in the finite field). The scheme requires only $2d+1$ bilinear multiplications whereas all previous proposals need $O(d^2)$ such multiplications (at the cost of increasing the number of linear multiplications, i.e. multiplications by some constant). This leads to an important efficiency improvement in practice since bilinear multiplications over $\mathbb {F}_{q}$ cannot be tabulated for $q\geqslant 2^6$ (such a tabulation indeed requires $\log _2 (q)q^2$ bits of ROM memory which is quickly too high for constrained devices), while multiplications by a constant can often be tabulated as long as $q\leqslant 2^{10}$ (such a tabulation indeed requires $\log _2 (q)q$ bits of ROM memory). When the processing cannot be tabulated, it must be computed on-the-fly, which implies a non-negligible timing penalty: for instance a multiplication over $\mathbb {F}_{2^8}$ based on log-alog tables^{Footnote 3} would take around 40 CPU cycles on a classical AVR 8-bit architecture, while a direct lookup table access only takes 2 cycles (see [6] for more details about the different time/memory trade-offs for the multiplication processing). Additionally, our new scheme (Algorithm 4) achieves the strong non-interference security notion (Theorem 4.3) and composes therefore securely with other private circuits.

The goal of the second construction (Algorithm 5) is to reduce the randomness complexity; it needs only $d$ random elements in the underlying finite field (improving the non-constructive upper bound $O(d\log d)$ proven in [4]). This constitutes an important improvement both from a theoretical and practical point of views since the generation of random values on a constrained device may be very time-consuming. Our second proposal achieves the non-interference security notion (which is stronger than the privacy notion achieved in [4]).

We show (using the probabilistic method) that both algebraic constructions can always be instantiated in large enough finite fields (Theorems 4.5 and 5.4). The second construction is almost optimal (for randomness complexity) since from our algebraic characterization, we can deduce the following lower bound on the randomness complexity:

Proposition 5.6 (informal). A non-interfering multiplication algorithm in the $d$-probing model uses more than $\lfloor (d-1) / 2 \rfloor $ random elements in $\mathbb {F}_{q}$.

With our upper-bound, this proposition shows that the randomness complexity is therefore in $\varTheta (d)$. These asymptotic results provide strong theoretical insights on the complexity of private multiplication. However, we also show that our constructions perform well in practice. In particular, for the important cases $d\in \{2,3\}$, that are used in real-world implementations, we present explicit realizations of our constructions for finite fields of practical interest (and in particular for $\mathbb {F}_{2^8}$ used by the AES).

In terms of performance, we also compared the efficiency of our proposed constructions with the state of the art [4], for the practical masking orders $d\in \{2,3\}$ and the finite field $\mathbb {F}_{2^8}$. The simulations have been done on a classical AVR 8-bit architecture; for different timing complexities of randomness generation^{Footnote 4} and of field multiplication, we measured the number of CPU cycles necessary to run the algorithms.

For $d=2$ and a field multiplication taking 45 CPU cycles,^{Footnote 5} the proposal of [4] is more efficient, as soon as the generation of a random byte takes more than 7 cycles. In the event where this generation is shorter, our Algorithm 4 (Sect. 4.1) is better. Algorithm 5 (Sect. 5.1) is, in this case, always worse than the state of the art proposal, but it still outperforms Algorithm 4 as soon as the generation of random takes more than 12 cycles.

When the masking order is $d=3$, Algorithm 4 is better when the random generation takes less than 16 cycles. Then, the algorithm of [4] is better when this number is lower than 60. Finally, Algorithm 5 outperforms both other constructions when the generation takes more than 60 cycles.

Similarly, we ran several simulations studying the impact of the complexity of the multiplication on our constructions. By fixing at 20 the number of cycles for the random generation, we observed that Algorithm 4 outperforms state of the art algorithms when the multiplication takes more than 6 cycles (resp. 93 cycles) for $d=2$ (resp. $d=3$). A comparison of the complexities of state of the art algorithms and our new proposals can be found in Table 1.

Table 1. Complexities of ISW, EC16, our new $d$-private compression gadget for multiplication and our specific gadgets at several orders

Full size table

2 Preliminaries

This section defines notation and basic notions that we use in this paper.

2.1 Notation

For a finite set S, we denote by $\vert S \vert $ its cardinality, and by $s \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}S$ the operation of picking up an element s of S uniformly at random. We denote by $\mathbb {F}_{q}$ the finite field with q elements. Vectors are denoted by lower case bold font letters, and matrices are denoted by bold font letters. All vectors are column vectors unless otherwise specified. The image of the linear map associated to a matrix ${\varvec{M}}$ is denoted by ${{\mathrm{im}}}({\varvec{M}})$. For a vector $\varvec{x}$, we denote by $x_i$ its i-th coordinate and by $\mathsf {hw}(\varvec{x})$ its Hamming weight (i.e., the number of its coordinates that are different from 0). When double indexing will be needed, we shall denote by $x_{i,j}$ the j-th coordinate of the vector $\varvec{x}_i$. For vectors $\varvec{x}_1,\dots ,\varvec{x}_t$ in $\mathbb {F}_{q}^n$, we denote $\langle \varvec{x}_1,\dots ,\varvec{x}_t \rangle $ the vector space generated by the set $\{\varvec{x}_1,\dots ,\varvec{x}_t\}$.

The probability density function associated to a discrete random variable X defined over S (e.g., $\mathbb {F}_{q}$) is the function which maps $x \in S$ to ${\Pr \left[ \,X=x\,\right] }$. It is denoted by $\{X\}$ or by $\{X\}_r$ if there is a need to specify the randomness source r over which the distribution is considered.

Throughout the rest of this paper, when not specified, we consider the elements to belong to the finite field $\mathbb {F}_{q}$ for some prime power q. Some of our results require q to be larger than some lower bound that is then specified in the corresponding statements. We denote by $r \leftarrow \$$ the fact of sampling a fresh uniform element from $\mathbb {F}_{q}$ and assigning it to r.

2.2 Arithmetic Circuits and Privacy

An arithmetic circuit $C$ is a directed acyclic graph whose vertices are input gates, output gates, addition gates, multiplication gates, or constant-scalar gates (over $\mathbb {F}_{q}$) and whose edges are wires carrying the inputs/outputs of the operations performed by the vertices. A constant-scalar gate is parameterized by a scalar $\gamma \in \mathbb {F}_{q}$, has fan-in 0, and outputs $\gamma $. A randomized circuit is a circuit augmented with random-scalar gates. A random-scalar gate is a gate with fan-in 0 that produces a random scalar in $\mathbb {F}_{q}$ and sends it along its output wire; the scalar is selected uniformly and independently of everything else afresh for each invocation of the circuit.

For a circuit $C$, we denote by $(y_1,y_2,\dots ) \leftarrow C(x_1,x_2,\dots )$ the operation of running $C$ on inputs $(x_1,x_2,\dots )$ and letting $(y_1,y_2,\dots )$ denote the outputs. Moreover, if $C$ is randomized, we denote by $(y_1,y_2,\dots ) \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}C(x_1,x_2,\dots )$ the operation of running $C$ on inputs $(x_1,x_2,\dots )$ and with uniform fresh randomness. When we will need to specify this randomness we shall use the notation $(y_1,y_2,\dots ) \leftarrow C(x_1,x_2,\dots ;r)$. Eventually, for any subset P of wires in $C$, we denote by $C_P(x_1,x_2,\dots ;r)$ (or $C_P(x_1,x_2,\dots )$ if the randomness is not specified) the list of values on the wires in P.

We hereafter give a formal definition of the notion of gadget used in prior works (e.g., [15]).

Definition 2.1

(gadget). Let n, m be two positive integers and f be a function from $\mathbb {F}_{q}^n$ to $\mathbb {F}_{q}^m$. Let u, v be two positive integers. A (u, v)-gadget for f is an arithmetic (randomized) circuit C such that for every tuple ${(\varvec{x}_1,\varvec{x}_2,\dots ,\varvec{x}_n)}^\intercal \in {(\mathbb {F}_{q}^u)}^n$ and every randomness r, ${(\varvec{y}_1,\varvec{y}_2,\dots ,\varvec{y}_m)}^\intercal \leftarrow C(\varvec{x}_1,\varvec{x}_2,\dots ,\varvec{x}_n;r)$ satisfies

$$\begin{aligned} {\left( \sum _{j=1}^v {y}_{1,j},\sum _{j=1}^v {y}_{2,j},\dots ,\sum _{j=1}^v {y}_{m,j}\right) }^\intercal = f\left( \sum _{j=1}^u {x}_{1,j},\sum _{j=1}^u {x}_{2,j},\dots ,\sum _{j=1}^u {x}_{n,j}\right) . \end{aligned}$$

We usually define $x_i = \sum _{j=1}^u x_{i,j}$ and $y_i = \sum _{j=i}^v y_{i,j}$. The element ${x}_{i,j}$ (resp. ${y}_{i,j}$) is called the j-th share of $x_i$ (resp. $y_i$).

Let us now define the notion of privacy for a gadget.

Definition 2.2

( $d$ -private gadget). Let n be a positive integer and let f be a function defined over $\mathbb {F}_{q}^n$. Let u and v be two positive integers. A (u, v)-gadget $C$ for f is $d$-private if and only if for any set P of $d$ wires in $C$, the distribution ${\{C_P(\varvec{x}_1,\varvec{x}_2,\dots ,\varvec{x}_n;r) \mid \forall i\in \{1,\dots ,n\},\; \sum _{j=1}^u x_{i,j} = x_i\}}_{\varvec{x}_1,\varvec{x}_2,\cdots ,\varvec{x}_n,r}$ is the same for every ${(x_1,x_2,\dots ,x_n)}^\intercal \in \mathbb {F}_{q}^n$.

Remark 2.3

In Definition 2.2, we recall that $x_i$ denotes the i-th input of f, while $\varvec{x}_i$ represents a sharing of $x_i$.

Remark 2.4

When there is no ambiguity, and for simplicity, the mention of the privacy order $d$ will sometimes be omitted.

From now on, and to clarify the link with the probing attack model introduced in [18], the wires in a set P used to attack an implementation are referred as the probes and the corresponding values in $C_P(\dots ;r)$ as the intermediate results. To simplify the descriptions, a probe p is sometimes used to directly denote the corresponding intermediate result. When the inputs w and the circuit $C$ are clear from the context, the distribution ${\{C_P(\varvec{x}_1,\dots ,\varvec{x}_n;r)\}}_{r}$ is simplified to $\{{(p)}_{p \in P}\}$.

2.3 Compositional Security Notions

A (u, w)-gadget for the function $f\circ f'$ can be obviously built by composing a (v, w)-gadget of f and a (u, v)-gadget of $f'$. However, the composition $C\circ C'$ of two $d$-private gadgets $C$ and $C'$ is not necessarily itself $d$-private. For the latter to hold, gadget $C'$ must satisfy a property which strengthens the privacy. The introduction of such a property has been made by Barthe et al. in [3]. Before recalling their definitions, we first need to introduce the notion of t-simulatability.

Definition 2.5

( t -simulatability). Let u and v be two positive integers. Let $C$ be a (u, v)-gadget for a function defined over $\mathbb {F}_{q}^n$. For some positive integers $\ell $ and t, a set $P = \{p_1,\dots ,p_\ell \}$ of $\ell $ probes on $C$ is t-simulatable, if there exist n sets $I_1$, $I_2$, ..., $I_n$ of at most t indices in $\{1,\dots ,u\}$ and a randomized function $\mathsf {sim}$ defined from ${(\mathbb {F}_{q}^t)}^n$ to $\mathbb {F}_{q}^{\ell }$ such that for any fixed tuple $(\varvec{x}_1,\varvec{x}_2,\dots ,\varvec{x}_n)\in {(\mathbb {F}_{q}^u)}^n$, the distributions $\{p_1,\dots ,p_\ell \}$ (which implicitly depends on $(\varvec{x}_1,\varvec{x}_2,\dots ,\varvec{x}_n)$, and the random values used by the gadget) and $\{\mathsf {sim}((x_{1,i})_{i\in I_1},(x_{2,i})_{i\in I_2},\dots ,(x_{n,i})_{i\in I_n})\}$ are identical.

Remark 2.6

The notation $\mathsf {sim}((x_{1,i})_{i\in I_1},(x_{2,i})_{i\in I_2},\dots ,(x_{n,i})_{i\in I_n})$ will be simplified to $\mathsf {sim}(\varvec{x}_{I_1},\varvec{x}_{I_2},\dots ,\varvec{x}_{I_n})$. Moreover, depending on the context, we will sometimes call a t-simulatable set of probes, a set of probes which can be simulated with at most t shares of each of the n inputs of the gadget (which is an equivalent definition).

We now provide the notions of security that we will be using throughout the rest of the paper.

Definition 2.7

( $d$ -non-interference). A (u, v)-gadget $C$ for a function f defined over $\mathbb {F}_{q}^n$ is $d$-non-interfering (or $d$ -NI) if and only if every set of at most $d$ probes can be simulated with at most $d$ shares of each of its n inputs.

Definition 2.8

( $d$ -tight non-interference)[3]. A gadget $C$ is $d$-tight non-interfering (or $d$-TNI) if and only if every set of $t \le d$ probes can be simulated with at most t shares of each input.

Definition 2.9

( $d$ -strong non-interference). A (u, v)-gadget $C$ for a function f defined over $\mathbb {F}_{q}^n$ is $d$-strong non-interfering (or $d$-SNI) if and only if for every set $P_1$ of $d_1$ probes on internal wires (i.e., no output wires nor output shares) and every set $P_2$ of $d_2$ probes on output shares such that $d_1+d_2\le d$, the set $P_1 \cup P_2$ of probes can be simulated by only $d_1$ shares of each of its n inputs.

The $d$-SNI property is stronger than the $d$-NI property, which is itself stronger than the $d$-privacy property. The relations between all these notions are discussed in more details below.

2.4 Relations Between Compositional Security Notions

We recall that, from [3], if $C$ is $d$-SNI (see Definition 2.9), then it is $d$-NI (see Definition 2.7); and if it is $d$-NI, then it is $d$-private. But a $d$-private gadget is not necessarily $d$-NI (see the counterexample given in [4, Appendix B]), and a $d$-NI gadget is not necessarily $d$-SNI (see for instance gadgets implementing $\mathrm {SecMult}$ in [24] or Algorithm 3 in [4]). Furthermore, in [4, Proposition 7.4], it is proven that $d$-NI and $d$-TNI are equivalent. These relations are depicted in Fig. 1.

From [3], the composition of a $d$-TNI (or $d$-NI) gadget with a $d$-SNI^{Footnote 6} is $d$-SNI, while the composition of $d$-TNI gadgets is not necessarily $d$-NI. This implies that $d$-SNI gadgets can be directly composed while maintaining the $d$-privacy property, whereas a $d$-SNI refreshing gadget (which randomizes the shares of its inputs using fresh random values) must sometimes be involved before the composition of $d$-NI gadgets.

2.5 Case of Study

In this paper, we focus on the construction of efficient $d$-NI or $d$-SNI multiplication gadgets over $\mathbb {F}_{q}$ for any order $d$.

Definition 2.10

(multiplication gadget). A multiplication (u, v)-gadget is a (u, v)-gadget C for the function $f: (a,b) \in {{\mathbb F}}_q^2 \mapsto a\cdot b \in {{\mathbb F}}_q$.

Remark 2.11

When the sharing orders u and v will be clear from the context, the term (u, v) will be omitted.

In the sequel, the two inputs of a multiplication (u, v)-gadget $C$ are denoted by a and b. Their respective sharings are thus denoted by $\varvec{a} = {(a_0,\dots ,a_{u-1})}^\intercal \in \mathbb {F}_{q}^{u}$ and $\varvec{b} = {(b_0,\dots ,b_{u-1})}^\intercal \in \mathbb {F}_{q}^{u}$. The output is denoted by c and its sharing is denoted by $\varvec{c} = {(c_0,\dots ,c_{v-1})}^\intercal \in \mathbb {F}_{q}^{v}$. We also denote by $\varvec{r} = {(r_1,\dots ,r_R)}^\intercal \in {{\mathbb F}}_q^R$ the vector of the random scalars that are involved in the gadget $C$. Thus, any intermediate result, a.k.a. probe, in the evaluation of $C$ is a function of $a_0,\dots ,a_{u-1},b_0,\dots ,b_{u-1},r_1,\dots ,r_R$.

3 Algebraic Characterizations

This section aims at introducing algebraic characterizations for the privacy and the non-interference properties of a multiplication $(d+1,v)$-gadget (for some positive integers $d$ and v) over $\mathbb {F}_{q}$.

3.1 Bilinear Probes and Matrix Notation

For our algebraic characterizations, we focus on specific probes we call ${bilinear \,probes}$.

Definition 3.1

Let $C$ be a $(d+1,v)$-gadget for a function $f {:\;\;}\mathbb {F}_{q}^2 \rightarrow \mathbb {F}_{q}$. A bilinear probe p is a probe on $C$ (and thus an expression of $a_0,\dots ,a_d,b_0,\dots ,b_d,r_1,\dots ,r_R$), which is an affine functions of $a_i b_j$, $a_i$, $b_j$ and $r_k$ (for $0 \le i,j \le d$ and $1 \le k \le R$). In other words, a bilinear probe p can be written as:

$$\begin{aligned} \varvec{a}^\intercal \cdot {\varvec{M_p}} \cdot \varvec{b} \;+\; \varvec{a}^\intercal \cdot \varvec{\mu }_p \;+\; \varvec{\nu }_p^\intercal \cdot \varvec{b} \;+\; \varvec{\sigma }_p^\intercal \cdot \varvec{r} \;+\; \tau _p, \end{aligned}$$

where $M_p \in \mathbb {F}_{q}^{(d+1) \times (d+1)}$, $\varvec{\mu }_{p} \in \mathbb {F}_{q}^{d+1}$, $\varvec{\nu }_{p} \in \mathbb {F}_{q}^{d+1}$, $\varvec{\sigma }_p \in \mathbb {F}_{q}^R$, and $\tau _p \in \mathbb {F}_{q}$.

In the following sections we shall say that an expression $f(x_1,\dots ,x_n,r)$ functionally depends on the variable r if there exists $a_1, \dots , a_n$ such that the function $r \mapsto f(a_1,\dots ,a_n,r)$ is not constant.

3.2 Algebraic Characterization for Privacy

We start by a simple extension of the algebraic characterization in [4] to any field $\mathbb {F}_{q}$ and to any function $f {:\;\;}\mathbb {F}_{q}^2 \rightarrow \mathbb {F}_{q}$ instead of just the multiplication function $f(a,b) = a \cdot b$ (however, please note that our characterization consider only bilinear probes). We consider the following condition:

Condition 3.1

Let $C$ be a $(d+1,v)$-gadget for a two-input function $f {:\;\;}\mathbb {F}_{q}^2 \rightarrow \mathbb {F}_{q}$. A set of bilinear probes $P = \{p_1,\dots ,p_\ell \}$ on $C$ satisfies Condition 3.1 if and only if there exists a vector $\varvec{\lambda } \in \mathbb {F}_{q}^{\ell }$ such that the expression $\sum _{i=1}^\ell \lambda _i p_i$ can be written as

$$\begin{aligned} \sum _{i=1}^\ell \lambda _i p_i = \varvec{a}^\intercal \cdot {\varvec{M}} \cdot \varvec{b} \;+\; \varvec{a}^\intercal \cdot \varvec{\mu } \;+\; \varvec{\nu }^\intercal \cdot \varvec{b} \;+\; \tau , \end{aligned}$$

where $M \in \mathbb {F}_{q}^{(d+1) \times (d+1)}$, $\varvec{\mu } \in \mathbb {F}_{q}^{d+1}$, $\varvec{\nu } \in \mathbb {F}_{q}^{d+1}$, and $\tau \in \mathbb {F}_{q}$, and such that the all-one vector $\varvec{u}_{d+1} = {(1,\dots ,1)}^\intercal \in \mathbb {F}_{q}^{d+1}$ is in the affine space $\varvec{\mu } + {{\mathrm{im}}}({\varvec{M}})$ or $\varvec{\nu } + {{\mathrm{im}}}({\varvec{M}}^\intercal )$, where ${{\mathrm{im}}}({\varvec{M}})$ is the column space of ${\varvec{M}}$.

We point out that, using notation of the above condition, for any set of bilinear probes $P = \{p_1,\dots ,p_\ell \}$ on $C$ and any $\varvec{\lambda }\in \mathbb {F}_{q}^\ell $, the expression $\sum _{i=1}^\ell \lambda _i p_i$ can be written as

$$\begin{aligned} \sum _{i=1}^\ell \lambda _i p_i = \varvec{a}^\intercal \cdot {\varvec{M}}_{\varvec{\lambda }} \cdot \varvec{b} \;+\; \varvec{a}^\intercal \cdot \varvec{\mu }_{\varvec{\lambda }} \;+\; \varvec{\nu }^\intercal _{\varvec{\lambda }} \cdot \varvec{b} \;+\; \varvec{\sigma }^\intercal _{\varvec{\lambda }} \cdot \varvec{r} \;+\; \tau _{\varvec{\lambda }} , \end{aligned}$$

(1)

where $M_{\varvec{\lambda }} \in \mathbb {F}_{q}^{(d+1) \times (d+1)}$, $\varvec{\mu }_{\varvec{\lambda }} \in \mathbb {F}_{q}^{d+1}$, $\varvec{\nu }_{\varvec{\lambda }} \in \mathbb {F}_{q}^{d+1}$, $\varvec{\sigma }_{\varvec{\lambda }} \in \mathbb {F}_{q}^R$, and $\tau _{\varvec{\lambda }} \in \mathbb {F}_{q}$. Condition 3.1 is therefore equivalent to asking that there exists $\varvec{\lambda }\in \mathbb {F}_{q}^\ell $ such that:

$$\begin{aligned} \varvec{\sigma }_{\varvec{\lambda }} = \varvec{0} \quad \text {and}\quad \varvec{u}_{d+1} \in (\varvec{\mu }_{\varvec{\lambda }} + {{\mathrm{im}}}({\varvec{M}}_{\varvec{\lambda }})) \cup (\varvec{\nu }_{\varvec{\lambda }} + {{\mathrm{im}}}({\varvec{M}}_{\varvec{\lambda }}^\intercal )) . \end{aligned}$$

Theorem 3.2

Let $C$ be a $(d+1,v)$-gadget for a two-input function $f {:\;\;}\mathbb {F}_{q}^2 \rightarrow \mathbb {F}_{q}$. Let P be a set of bilinear probes on $C$. Then P satisfies Condition 3.1 if and only if there exist $a^{(0)},b^{(0)},a^{(1)},b^{(1)} \in \mathbb {F}_{q}$, such that:

$$ \{{(p)}_{p \in P} \mid (a,b) = (a^{(0)},b^{(0)}) \} \ne \{{(p)}_{p \in P} \mid (a,b) = (a^{(1)},b^{(1)}) \} . $$

That is, the distribution $\{ {(p)}_{p \in P} \}$ does depend on the value of (a, b).

The proof essentially uses the same ideas as the proof of Theorem A.1 of [4] and is detailed in the full version.

Remark 3.3

We do not restrict the size of the set P. Furthermore, the proof does not rely on the correctness property of $C$.

Corollary 3.4

Let $C$ be a $(d+1,v)$-gadget for a two-input function $f {:\;\;}\mathbb {F}_{q}^2 \rightarrow \mathbb {F}_{q}$. We suppose that any possible probe on $C$ is bilinear . Then, $C$ is $d$-private if and only if there does not exist any set P of $d$ probes on $C$ satisfying Condition 3.1.

Proof

The proof is straightforward from Theorem 3.2. $\square $

When $q=2$ and when $f(a,b) = a \cdot b$, this corollary is actually equivalent to Theorem A.1 of [5]. Contrary to this former theorem, we only need to consider set of exactly $d$ probes, as Condition 3.1 allows for discarding some probes (by choosing $\lambda _i = 0$). Furthermore, the gadget $C$ has at least $2d+2 \ge d$ possible probes: $a_0,\dots ,a_d,b_0,\dots ,b_d$. Thus, any set $\ell < d$ probes can be completed into a set of $d$ probes.

3.3 Algebraic Characterization for Non-Interference

In this subsection, we introduce a novel algebraic characterization for Non-Interference (NI). We consider the following condition:

Condition 3.2

Let $C$ be a $(d+1,v)$-gadget for a two-input function $f {:\;\;}\mathbb {F}_{q}^2 \rightarrow \mathbb {F}_{q}$. A set of bilinear probes $P = \{p_1,\dots ,p_\ell \}$ on $C$ satisfies Condition 3.2 if and only if there exists $\varvec{\lambda } \in \mathbb {F}_{q}^{\ell }$ such that the expression $\sum _{i=1}^\ell \lambda _i p_i$ can be written as

$$\begin{aligned} \sum _{i=1}^\ell \lambda _i p_i = \varvec{a}^\intercal \cdot {\varvec{M}} \cdot \varvec{b} \;+\; \varvec{a}^\intercal \cdot \varvec{\mu } \;+\; \varvec{\nu }^\intercal \cdot \varvec{b} \;+\; \tau , \end{aligned}$$

where ${\varvec{M}} \in \mathbb {F}_{q}^{(d+1) \times (d+1)}$, $\varvec{\mu } \in \mathbb {F}_{q}^{d+1}$, $\varvec{\nu } \in \mathbb {F}_{q}^{d+1}$, and $\tau \in \mathbb {F}_{q}$, and such that all the rows of the matrix $\begin{pmatrix} {\varvec{M}}&\varvec{\mu } \end{pmatrix} \in \mathbb {F}_{q}^{(d+1)\times (d+2)}$ (which is the concatenation of the matrix ${\varvec{M}}$ and the column vector $\mu $) are non-zero or all the columns of the matrix $\begin{pmatrix} {\varvec{M}} \\ \varvec{\nu }^\intercal \end{pmatrix}\in \mathbb {F}_{q}^{(d+2)\times (d+1)}$ are non-zero.

We recall that, using notation of the above condition, for any set of bilinear probes $P = \{p_1,\dots ,p_\ell \}$ on $C$ and any $\varvec{\lambda }\in \mathbb {F}_{q}^\ell $, the expression $\sum _{i=1}^\ell \lambda _i p_i$ can be written as in Eq. 1. Therefore, Condition 3.2 is equivalent to asking that there exists $\varvec{\lambda }\in \mathbb {F}_{q}^\ell $ such that $\sum _{i=1}^\ell \lambda _i p_i$ is functionally independent from any $r_k$ ($0 \le k \le R$) and functionally depends on every $a_i$ ($0 \le i \le d$) or on every $b_j$ ($0 \le j \le d$). This condition is therefore quite natural.

Theorem 3.5

Let $C$ be a $(d+1,v)$-gadget for a two-input function $f {:\;\;}\mathbb {F}_{q}^2 \rightarrow \mathbb {F}_{q}$. Let P be a set of bilinear probes on $C$. Then if P satisfies Condition 3.2, P is not $d$-simulatable. Furthermore, if P is not $d$-simulatable and $q > d+ 1$, then P satisfies Condition 3.2.

We point out that the first part of the theorem does not require $q > d+1$. As the second part is used for constructions while the first part is used for lower bounds, the restriction $q > d+1$ is never an issue in our paper.

Proof

Let us start by proving the first direction, the second being more complex.

Direction 1: Left to right. By contrapositive, let us assume that there exists a set $P = \{p_1,\dots ,p_\ell \}$ of probes that satisfies Condition 3.2: that is, there exists $\lambda \in \mathbb {F}_{q}^\ell $ such that the sum $\sum _{i=1}^\ell \lambda _i p_i$ can be written as:

$$ s = \sum _{i=1}^\ell \lambda _i p_i = \varvec{a}^\intercal \cdot {\varvec{M}} \cdot \varvec{b} + \varvec{a}^\intercal \cdot \varvec{\mu } + \varvec{\nu }^\intercal \cdot \varvec{b} , $$

and, without loss of generality, such that all the rows of the matrix $M' = \begin{pmatrix} {\varvec{M}}&\varvec{\mu } \end{pmatrix} \in \mathbb {F}_{q}^{(d+1) \times (d+2)}$ are non-zero, meaning that s does functionally depend on every $a_i$ but does not functionally depend on any $r_i$.

Then, assume that the set P can be simulated with at most $d$ values of the $a_i$’s, e.g., using only $a_1,\dots ,a_d$, and let us further assume that the simulator has access to all the $b_i$’s. That is, there exists a randomized function $\mathsf {sim}$ that takes as inputs $(a_1,\dots ,a_d)$ and $(b_0,\dots ,b_d)$ such that the distribution $\mathsf {sim}(a_1,\dots ,a_d,b_0,\dots ,b_d)$ is exactly the same as the distribution P.

Since s functionally depends on $a_0$, there exist specific values $a_1,\dots ,a_d,b_0,\dots ,b_d$ such that the function:

$$ f_{(a_1,\dots ,a_d,b_1,\dots ,b_d)} :a_0 \mapsto \varvec{a}^\intercal \cdot {\varvec{M}} \cdot \varvec{b} + \varvec{a}^\intercal \cdot \varvec{\mu } + \varvec{\nu }^\intercal \cdot \varvec{b} , $$

is not constant, by definition of s functionally depending on $a_0$.

Therefore, since $\mathsf {sim}(a_1,\dots ,a_d,b_0,\dots ,b_d)$ does not depend on $a_0$, it is impossible that it perfectly simulates the distribution P. This implies that one cannot simulate such a set of probes with at most $d$ shares of each input and concludes the proof of this first direction.

Direction 2: Right to left. Let us now consider a set $P = \{p_1,\dots ,p_\ell \}$ of bilinear probes that cannot be simulated with at most $d$ shares of each input. Probes in P being bilinear, any linear combination of these probes can be written as

$$ s_{\varvec{\lambda }} = \sum _{i=1}^\ell \lambda _i p_i = \varvec{a}^\intercal \cdot {\varvec{M}}_{\varvec{\lambda }} \cdot \varvec{b} + \varvec{a}^\intercal \cdot \varvec{\mu }_{\varvec{\lambda }} + \varvec{\nu }_{\varvec{\lambda }}^\intercal \cdot \varvec{b} + \varvec{\sigma }_{\varvec{\lambda }}^\intercal \cdot \varvec{r} , $$

by definition. We want to show that, since P cannot be simulated with at most $d$ shares of each input, there exists a particular $\lambda $ such that $\varvec{\sigma }_{\varvec{\lambda }} = \varvec{0}$ and all the rows of $\begin{pmatrix} {\varvec{M}}_{\varvec{\lambda }}&\varvec{\mu }_{\varvec{\lambda }} \end{pmatrix}$ are non-zero or all the columns of $\begin{pmatrix} {\varvec{M}}_{\varvec{\lambda }} \\ \varvec{\nu }_{\varvec{\lambda }}^\intercal \end{pmatrix}$ are non-zero.

Let us once again consider the matrix ${\varvec{S}} \in \mathbb {F}_{q}^{\ell \times R}$ whose coefficients $s_{i,j}$ are defined as $s_{i,j} = \alpha $ if and only if $p_i$ can be written as $\alpha r_j + z_i$ where $z_i$ does not functionally depend on $r_j$. That is, if we write $p_i = \varvec{a}^\intercal \cdot {\varvec{M_{p_i}}} \cdot \varvec{b} + \varvec{a}^\intercal \cdot \varvec{{\mu }_{i}} + \varvec{{\nu }_{i}}^\intercal \cdot \varvec{b} + \varvec{s_{p_i}}^\intercal \cdot \varvec{r}$, the i-th row of ${\varvec{S}}$ is $\varvec{s_{p_i}}^\intercal $. We can permute the columns of ${\varvec{S}}$ and the rows of $\varvec{r}$ such that a row reduction on the matrix ${\varvec{S}}$ yields a matrix of the form:

$$ {\varvec{S'}} = \begin{pmatrix} {\varvec{0}}_{t,t} &{} {\varvec{0}}_{t,\ell -t} \\ {\varvec{I}}_{t} &{} {\varvec{S''}} \\ \end{pmatrix}. $$

Again, it is clear that since the distribution $\{p_1,\dots ,p_\ell \}$ cannot be simulated with at most $d$ shares of each input, we have $t > 0$. Indeed, otherwise we can simply simulate all probes by uniformly random values (and thus do not even need shares of the input). Let ${\varvec{N}}$ be the invertible matrix in $\mathbb {F}_{q}^{\ell \times \ell }$ such that ${\varvec{N}} \cdot {\varvec{S}} = {\varvec{S'}}$. We write ${(p'_1, \dots , p'_\ell )}^\intercal = {\varvec{N}} \cdot \varvec{p}$. Then, the distribution $\{p'_1,\dots ,p'_\ell \}$ also cannot be simulated with at most $d$ shares of each input. In addition, for $t < i \le \ell $, $p'_i$ does functionally depend on $r_i$ and no other $p'_j$ does functionally depend on $r_j$ (due to the shape of ${\varvec{S'}}$). Therefore, it is immediate that these probes can be simulated by setting them to uniformly random values, and thus the distribution $\{p'_1,\dots ,p'_t\}$ also cannot be simulated with at most $d$ shares of each input.

We remark that $(p'_1,\dots ,p'_t)$ does not functionally depend on any random bit, due to the shape of ${\varvec{S'}}$. Therefore, for each $1 \le i \le t$, we can write:

$$ p'_i = \varvec{a}^\intercal \cdot {\varvec{M'_i}} \cdot \varvec{b} + \varvec{a}^\intercal \cdot \varvec{{\mu '}_{i}} + \varvec{{\nu '}_{i}}^\intercal \cdot \varvec{b} , $$

for some matrices ${\varvec{M'_i}} \in \mathbb {F}_{q}^{(d+1) \times (d+1)}$ and vectors $\varvec{{\mu '}_{i}},\varvec{{\nu '}_{i}} \in \mathbb {F}_{q}^{d+ 1}$. Clearly, up to switching to roles of a and b, this implies that for any $a_i$, $i \in \{0,\dots ,d\}$, there exists $j \in \{1,\dots ,t\}$ such that $p'_j$ functionally depends on $a_i$, otherwise one can simulate all the $p'_i$’s with at most $d$ shares of a, and then one can simulate $P = \{p_1,\dots ,p_\ell \}$ as well.

We then just need to show that there exist $\varvec{\lambda } \in \mathbb {F}_{q}^{t}$ such that $\sum _{i = 1}^t \lambda _i \cdot p'_i$ satisfies Condition 3.2. This is actually immediate as soon as $q > d+1$: for $i = 0,\dots ,d$ the set $\mathcal {H}_i = \{\varvec{\lambda }\in \mathbb {F}_{q}^t \mid \sum _{i=1}^t \lambda _i p'_i \textit{ does not functionally depends on } a_i\}$ is a hyperplane, and thus we just need to prove that there exists $\varvec{\lambda } \in \mathbb {F}_{q}^t \setminus \cup _{i = 0}^{d} \mathcal {H}_i$, which is true as soon as $q > d+1$. This concludes the proof of Theorem 3.5. $\square $

Remark 3.6

As for Theorem 3.2, we do not restrict the size of the set P in Theorem 3.5. Furthermore, the proof does not rely on the correctness property of $C$.

Corollary 3.7

Let $C$ be a $(d+1,v)$-gadget for a two-input function $f {:\;\;}\mathbb {F}_{q}^2 \rightarrow \mathbb {F}_{q}$. We suppose that any possible probe on $C$ is bilinear. If $q > d+1$ and there does not exist any set P of $d$ probes on $C$ satisfying Condition 3.2, then $C$ is $d$-NI. Furthermore, if $C$ is $d$-NI, then there does not exist any set P of $d$ probes on $C$ satisfying Condition 3.2.

Proof

The proof is straightforward from Theorem 3.5. $\square $

4 Construction with a Linear Number of Bilinear Multiplications

Let us now show our generic $d$-SNI construction with a linear number of bilinear multiplications (i.e., multiplications by a value which is not constant), in the order $d$. The construction is in two steps. We first construct a $d$-NI multiplication $(d+1,2d+1)$-gadget. In other words, our first construction outputs $2d+1$ shares instead of $d+1$. We then show how to compress these $2 d+1$ shares into $d+1$ shares to get a $d$-SNI multiplication $(d+1,d+1)$-gadget, using the gadget SharingCompress from the Appendix C.1 of [8], that we recall and prove to be $d$-SNI (while it was only implicitly proved $d$-NI in [8]).

We start by presenting the generic construction and its security proof. The first part of our construction uses a matrix ${\varvec{\gamma }}\in \mathbb {F}_{q}^{d\times d}$ satisfying some conditions. That is why we then show that such a matrix exists for any $d$ when q is large enough (but we only prove that q being exponential in $d\log d$ is sufficient) using the probabilistic method. We conclude by explicitly constructing matrices ${\varvec{\gamma }}$ for small values of $d$.

4.1 Construction

Construction with $\varvec{2d+1}$ output shares. Let ${\varvec{\gamma }}= {(\gamma _{i,j})}_{1 \le i,j \le d} \in \mathbb {F}_{q}^{d\times d}$ be a constant matrix and let ${\varvec{\delta }}\in \mathbb {F}_{q}^{d\times d}$ be the matrix defined by $\delta _{i,j} = 1 - \gamma _{j,i}$.

The main idea of our construction with $2d+ 1$ output shares is to remark that:

$$\begin{aligned} a\cdot b =&\left( a_0 + \sum _{i=1}^d(r_i + a_i) \right) \cdot \left( b_0 + \sum _{i=1}^d(s_i + b_i)\right) \\&- \sum _{i=1}^dr_i \cdot \left( b_0 + \sum _{j=1}^d(\delta _{i,j} s_j + b_j)\right) - \sum _{i=1}^ds_i \cdot \left( a_0 + \sum _{j=1}^d(\gamma _{i,j} r_j + a_j)\right) \end{aligned}$$

if $a = \sum _{i=0}^da_i$ and $b = \sum _{j=0}^db_j$. On the right-hand side of the above equation there are only $2 d+1$ bilinear multiplications.

We can then construct a multiplication $(d+1,2d+1)$-gadget which outputs the following $2 d+ 1$ shares (the computation is performed with the usual priorities: parenthesis first, then products, then from left to right):

$ c_0 = \left( a_0 + \sum _{i=1}^d(r_i + a_i) \right) \cdot \left( b_0 + \sum _{i=1}^d(s_i + b_i)\right) $;
$c_i = - r_i \cdot \left( b_0 + \sum _{j=1}^d(\delta _{i,j} s_j + b_j)\right) $, for $i = 1,\dots ,d$;
$c_{i+d} = - s_i \cdot \left( a_0 + \sum _{j=1}^d(\gamma _{i,j} r_j + a_j)\right) $, for $i = 1,\dots ,d$.

The corresponding gadget is given in Algorithm 1 and is clearly correct.

However, the latter gadget has two issues. First, it outputs $2 d+ 1$ shares instead of $d+ 1$. Second, it is obviously not secure for every matrix ${\varvec{\gamma }}$. For example, if ${\varvec{\gamma }}$ is a matrix of zeros or the identity matrix, the gadget is clearly not $d$-private, let alone $d$-NI or $d$-SNI. Actually, it is not even clear that there exists a matrix ${\varvec{\gamma }}$ for which the gadget is private. Let us now deal with these two issues.

From $\varvec{2 d+1}$ output shares to $\varvec{d+ 1.}$ For the first issue, we use the gadget SharingCompress from the Appendix C.1 of [8] to compress the shares $c_0,\dots ,c_{2d}$ into $d+1$ shares. We recall this gadget in Algorithm 2.

Proposition 4.1

The gadget SharingCompress$[k:\ell ]$ depicted in Algorithm 2 is $(\ell -1)$-SNI.

This proof is given in the full version. From this proposition, we deduce that the instance SharingCompress$[2d+1:d+1]$ that we need is $d$-SNI.

Finally, the full gadget with a linear number of bilinear multiplications is depicted in Algorithm 4. It essentially calls Algorithm 3 which handles the special case where the number of input shares is twice the number of output shares.

As we are composing the gadget SharingCompress with our multiplication gadget above, we need to prove that the former gadget satisfies a security property which behaves well with composition. In [8], only privacy is proven which does not behave well with composition. That is why we prove instead the following proposition in the full version.

Conditions on $\varvec{{\varvec{\gamma }}}$ and $\varvec{{\varvec{\delta }}.}$ As mentioned before, the construction is completely insecure for some matrices ${\varvec{\gamma }}$, such as the matrix of zeros. Let us now exhibit necessary conditions for the scheme to be $d$-NI.

The probes involving only the $a_i$’s and the $r_i$’s^{Footnote 7} are of the following forms:

$a_i$, $r_i$, $r_i + a_i$, $\gamma _{j,i} r_i$, $\gamma _{j,i} r_i + a_i$, (for $0 \le i \le d$ and $1 \le j \le d$)
$a_0 + \sum _{i = 1}^k (r_i + a_i)$ (for $1 \le k \le d$),
$a_0 + \sum _{i = 1}^k (\gamma _{j,i} r_i + a_i)$ (for $1 \le j \le d$ and $1 \le k \le d$).

Thanks to Theorem 3.5, a necessary condition for $d$-NI is that there is no linear combination of at most $d$ of these expressions, which do not functionally depend on any $r_i$ but which does depend on all the $a_i$’s.

The probes involving only the $b_i$’s and the $s_i$’s are similar except that $a_i$, $r_i$, and $\gamma _{j,i}$ are replaced by $b_i$, $s_i$, $\delta _{j,i}$ respectively. A similar necessary condition can be deduced from Theorem 3.5.

Formally, let us introduce a first necessary condition on the matrix ${\varvec{\gamma }}$.

Condition 4.1

Let $\ell = (2d+4)\cdot d+ 1$. Let ${\varvec{I}}_d\in \mathbb {F}_{q}^{d\times d}$ be the identity matrix, ${\varvec{0}}_{m \times n} \in \mathbb {F}_{q}^{m \times n}$ be a matrix of zeros (when $n = 1$, ${\varvec{0}}_{m \times n}$ is also written $\varvec{0}_m$), ${\varvec{1}}_{m \times n} \in \mathbb {F}_{q}^{m \times n}$ be a matrix of ones, ${\varvec{D}}_{{\varvec{\gamma }},j} \in \mathbb {F}_{q}^{d\times d}$ be the diagonal matrix such that $D_{{\varvec{\gamma }},j,i,i} = \gamma _{j,i}$, ${\varvec{T}}_d\in \mathbb {F}_{q}^{d\times d}$ be the upper-triangular matrix with just ones, and ${\varvec{T}}_{{\varvec{\gamma }},j} \in \mathbb {F}_{q}^{d\times d}$ be the upper-triangular matrix for which $T_{{\varvec{\gamma }},j,i,k} = \gamma _{j,i}$ for $i\le k$. In other words, we have:

$$\begin{aligned} {\varvec{I}}_d&= \begin{pmatrix} 1 &{} 0 &{} \cdots &{} 0 \\ 0 &{} 1 &{} &{} 0 \\ \vdots &{} &{} \ddots &{} \vdots \\ 0 &{} \cdots &{} 0 &{} 1 \end{pmatrix}&{\varvec{D}}_{{\varvec{\gamma }},j}&= \begin{pmatrix} \gamma _{j,1} &{} 0 &{} \cdots &{} 0 \\ 0 &{} \gamma _{j,2} &{} &{} 0 \\ \vdots &{} &{} \ddots &{} \vdots \\ 0 &{} \cdots &{} 0 &{} \gamma _{j,d} \end{pmatrix} \\ {\varvec{T}}_d&= \begin{pmatrix} 1 &{} 1 &{} \cdots &{} 1 \\ 0 &{} 1 &{} &{} 1 \\ \vdots &{} &{} \ddots &{} \vdots \\ 0 &{} \cdots &{} 0 &{} 1 \end{pmatrix}&{\varvec{T}}_{{\varvec{\gamma }},j}&= \begin{pmatrix} \gamma _{j,1} &{} \gamma _{j,1} &{} \cdots &{} \gamma _{j,1} \\ 0 &{} \gamma _{j,2} &{} &{} \gamma _{j,2} \\ \vdots &{} &{} \ddots &{} \vdots \\ 0 &{} \cdots &{} 0 &{} \gamma _{j,d} \end{pmatrix} \end{aligned}$$

We define the following matrices:

Condition 4.1 is satisfied for a matrix ${\varvec{\gamma }}$ if for any vector $\varvec{v} \in {{\mathbb F}}_q^\ell $ of Hamming weight $\mathsf {hw}(\varvec{v}) \le d$ such that ${\varvec{L}} \cdot \varvec{v}$ contains no coefficient equal to 0 then ${\varvec{M}} \cdot \varvec{v} \ne \varvec{0}_d$.

Let us explain how this condition was constructed. The rows of ${\varvec{L}}$ correspond to $a_0,\dots ,a_d$. The rows of ${\varvec{M}}$ correspond to $r_1,\dots ,r_d$. Any linear combination of the probes involving only the $a_i$’s and the $r_i$’s can be written as

$$\begin{aligned} (a_0,\dots ,a_d) \cdot {\varvec{L}} \cdot \varvec{v} + (r_1,\dots ,r_d) \cdot {\varvec{M}} \cdot \varvec{v} . \end{aligned}$$

Hence the above condition.

Remark 4.2

If all the vectors $\varvec{v} \in {{\mathbb F}}_q^{\ell }$ of Hamming weight $\mathsf {hw}(\varvec{v}) \le d$ were considered, this condition would be equivalent to saying that the linear code of parity-check matrix ${\varvec{M}}$ has minimum distance at least $d$. However, as we only consider vectors $\varvec{v}$ such that additionally ${\varvec{L}} \cdot \varvec{v}$ contains no coefficient equal to 0, this simple relation to codes is not true. We remark however that if the linear code of parity-check matrix ${\varvec{M}}$ has minimum distance at least $d$, then the condition would be satisfied. Unfortunately for us, this code clearly has minimum distance 1, as it contains the vector ${(1,0,\dots ,0)}^\intercal \in \mathbb {F}_{q}^\ell $. That is why we cannot naively use classical coding theory results to prove the existence of a matrix ${\varvec{\gamma }}$ satisfying Condition 4.1.

We remark that the same necessary condition should hold for the matrix ${\varvec{\delta }}$ by symmetry between $a_i,r_i,{\varvec{\gamma }}$ and $b_i,s_i,{\varvec{\delta }}$. Therefore, the formal condition we are considering is the following.

Condition 4.2

Condition 4.2 holds (for a matrix ${\varvec{\gamma }}\in \mathbb {F}_{q}^{d\times d}$) if Condition 4.1 is satisfied for both ${\varvec{\gamma }}$ and ${\varvec{\delta }}$, where ${\varvec{\delta }}\in \mathbb {F}_{q}^{d\times d}$ is the matrix defined by $\delta _{i,j} = 1 - \gamma _{j,i}$.

4.2 Security Analysis

We have shown that Condition 4.2 is necessary for our gadget (Algorithm 4) to be $d$-NI. The next theorem shows it is also sufficient for it to be $d$-SNI.

Theorem 4.3

If ${\varvec{\gamma }}\in \mathbb {F}_{q}^{d\times d}$ satisfies Condition 4.2 and if $q > d+1$, then Algorithm 4 is $d$-SNI.

To prove this theorem, we use the following lemma.

Lemma 4.4

Let P be a set of t probes in Algorithm 1 such that $t \le d$. Then, there exists a set $Q_1$ of at most t probes involving only the $a_i$’s and the $r_i$’s and a set $Q_2$ of at most t probes involving only the $b_i$’s and the $s_i$’s, such that the set P can be simulated by the probes in $Q_1 \cup Q_2$.

Proof

(Lemma 4.4 ). We list hereafter all the possible probes in Algorithm 1. We gather them by sets for the needs of the proof.

Set 1::: $a_i$, $r_i$, $r_i + a_i$, $\gamma _{j,i} r_i$, $\gamma _{j,i} r_i + a_i$, (for $0 \le i \le d$ and $1 \le j \le d$);
Set 2::: $a_0 + \sum _{i = 1}^k (r_i + a_i)$ (for $1 \le k \le d$);
Set 3::: $a_0 + \sum _{i = 1}^k (\gamma _{j,i} r_i + a_i)$ (for $1 \le j \le d$ and $1 \le k \le d$);
Set 4::: $b_i$, $s_i$, $s_i + b_i$, $\delta _{j,i} s_i$, $\delta _{j,i} s_i + b_i$, (for $0 \le i \le d$ and $1 \le j \le d$);
Set 5::: $b_0 + \sum _{i = 1}^k (s_i + b_i)$ (for $1 \le k \le d$);
Set 6::: $b_0 + \sum _{i = 1}^k (\delta _{j,i} s_i + b_i)$ (for $1 \le j \le d$ and $1 \le k \le d$);
Set 7::: $-r_i \cdot \left( b_0 + \sum _{j = 1}^d(\delta _{i,j} s_j + b_j)\right) $ (for $1 \le i \le d$);
Set 8::: $-s_i \cdot \left( a_0 + \sum _{j = 1}^d(\gamma _{i,j} r_j + a_j)\right) $ (for $1 \le i \le d$);
Set 9::: $(a_0 + \sum _{i = 1}^d(r_i + a_i))\cdot (b_0 + \sum _{i = 1}^d(s_i + b_i))$.

Let us now consider a set P of t probes among the listed ones. We initialize two sets $Q_1$ and $Q_2$ to the empty set and show how to fill them with at most t probes involving only the $a_i$’s and the $r_i$’s for $Q_1$ and at most t probes involving only the $b_i$’s and the $s_i$’s for $Q_2$ in such a way that P can be perfectly simulated by probes of $Q_1 \cup Q_2$.

For all the probes of P which belong to Sets 1 to 3, then we add them directly to $Q_1$ since they only depend on $a_i$’s, $r_i$’s and constants. Similarly, for all the probes of P which belong to Sets 4 to 6, then we add them directly to $Q_2$ since they only depend on $b_i$’s, $s_i$’s and constants. For P’s probes belonging to Set 7, we add probe $-r_i$ to $Q_1$ and $b_0 + \sum _{j = 1}^d(\delta _{i,j} s_i + b_j)$ to $Q_2$. For P’s probes belonging to Set 8, we add probe $-s_i$ to $Q_2$ and $a_0 + \sum _{j = 1}^d(\gamma _{i,j} r_i + a_j)$ to $Q_1$. Finally, for probes of P from Set 9, we add $a_0 + \sum _{i = 1}^d(r_i + a_i)$ to $Q_1$ and $b_0 + \sum _{i = 1}^d(s_i + b_i)$ to $Q_2$. Since for each probe of P, at most one probe was added to $Q_1$ and at most one probe was added to $Q_2$, it is clear that after all the t probes of P are processed, $Q_1$ and $Q_2$ contain at most t probes each.

Let us now prove that all the probes of P can be perfectly simulated by the probes of $Q_1 \cup Q_2$. For probes of P belonging to six first sets, the exact same values were added to $Q_1$ (for the three first sets) or $Q_2$ (for Set 4 to 6) thus the simulation is trivial. For probes of P in Set 7, $-r_i$ was added to $Q_1$ and $b_0 + \sum _{j = 1}^d(\delta _{i,j} s_i + b_j)$ to $Q_2$. The multiplication of these two probes perfectly simulate the initial probe of P. The same conclusions can be made for probes of P in Sets 8 and 9 since each time probes were added to $Q_1$ and $Q_2$ so that their product corresponds to the initial probe of P. $\square $

Proof

(Theorem 4.3 ). From Lemma 4.4, any set P of $t \le d$ probes in Algorithm 1 can be perfectly simulated by probes of two sets $Q_1$ and $Q_2$ of cardinal at most t and containing probes involving only the $a_i$’s and the $r_i$’s for $Q_1$ and probes involving only the $b_i$’s and the $s_i$’s for $Q_2$.

From Condition 4.2, any combination of the t probes of $Q_1$ either depend on strictly less than t $a_i$’s or it is functionally dependent on at least one $r_i$. Thanks to Theorem 3.5 and the fact that $q > d+1$, the t probes of $Q_1$ can be perfectly simulated using at most t shares $a_i$. The same statement can be made for the probes of $Q_2$. Therefore, from Lemma 4.4, any set of $t \le d$ probes on Algorithm 1 can be perfectly simulated by at most t shares $a_i$ and t shares $b_i$, which proves that Algorithm 1 is $d$-TNI.

Since from Proposition 4.1, $\mathrm {SharingCompress}[2d+1:d+1]$ is $d$-SNI, from the composition theorems established in [3], Algorithm 4 is $d$-SNI. $\square $

4.3 Probabilistic Construction

In order to prove the existence of a matrix ${\varvec{\gamma }}$ which satisfies Condition 4.1 for q large enough (but only exponential in $d\log d$), we state Theorem 4.5 that makes use of the non-constructive “probabilistic method.” More precisely, we prove that if one chooses ${\varvec{\gamma }}$ uniformly at random in $\mathbb {F}_{q}^{d\times d}$, the probability that the matrix ${\varvec{\gamma }}$ satisfies Condition 4.2 is more than zero, when q is large enough. The proof of Theorem 4.5 uses probability but the existence of a matrix ${\varvec{\gamma }}$ which satisfies Condition 4.2 (for q large enough) is guaranteed without any possible error.

Theorem 4.5

For any $d\ge 1$, for any prime power q, if ${\varvec{\gamma }}$ is chosen uniformly in $\mathbb {F}_{q}^{d\times d}$, then

$$\begin{aligned} \Pr [ {\varvec{\gamma }}\ \text {satisfies Condition}\,{\textit{4.2}}] \ge 1 - 2 \cdot {(12d)}^d\cdot d\cdot q^{-1} . \end{aligned}$$

In particular, for any $d\ge 1$, there exists an integer $Q = {O(d)}^{d+1}$, such that for any prime power $q \ge Q$, there exists a matrix ${\varvec{\gamma }}\in \mathbb {F}_{q}^{d\times d}$ satisfying Condition 4.2.

As when ${\varvec{\gamma }}$ is uniformly random, so is ${\varvec{\delta }}$, Theorem 4.5 immediately follows from the following proposition and the union bound.

Proposition 4.6

For any $d\ge 1$, for any prime power q, if ${\varvec{\gamma }}$ is chosen uniformly in $\mathbb {F}_{q}^{d\times d}$, then

$$\begin{aligned} \Pr [ {\varvec{\gamma }}\ \text { satisfies Condition}\,{\textit{4.1}}] \ge 1 - {(12d)}^d\cdot d\cdot q^{-1} . \end{aligned}$$

In particular, for any $d\ge 1$, there exists an integer $Q = {O(d)}^{d+1}$, such that for any prime power $q \ge Q$, there exists a matrix ${\varvec{\gamma }}\in \mathbb {F}_{q}^{d\times d}$ satisfying Condition 4.1.

The proof of this proposition is very technical and is provided in the full version.

Remark 4.7

Note that the constants in the previous proof are not the best possible and can be improved. In the following, we present explicit constructions for small values of $d$.

4.4 Small Cases

We show here the instantiation for $d=2$. The case for $d=3$ is similar and is provided in details in the full version.

Let $d= 2$. Let us now explicitly instantiate our construction for any non-prime field ${{\mathbb F}}_q$ where $q=p^k$, $k \ge 2$. Let $\xi $ be any element in ${{\mathbb F}}_q \setminus {{\mathbb F}}_p$. A possible instantiation is:

$$ {\varvec{\gamma }}= \begin{pmatrix} \xi &{} \xi +1 \\ \xi +1 &{} \xi \end{pmatrix}, \quad {\varvec{\delta }}= \begin{pmatrix} -\xi +1 &{} -\xi \\ -\xi &{} -\xi +1 \end{pmatrix}. $$

The computed shares are hence:

$c_0 = (a_0 + (r_1 + a_1) + (r_2 + a_2)) \cdot (b_0 + (s_1 + b_1) + (s_2 + b_2))$
$c_1 = - r_1 \cdot (b_0 + ((-\xi +1) s_1 + b_1) + (-\xi s_2 + b_2))$
$c_2 = - r_2 \cdot (b_0 + (-\xi s_1 + b_1) + ((-\xi +1) s_2 + b_2))$
$c_3 = - s_1 \cdot (a_0 + (\xi r_1 + a_1) + ((\xi +1) r_2 + a_2))$
$c_4 = - s_2 \cdot (a_0 + ((\xi +1) r_1 + a_1) + (\xi r_2 + a_2))$

Let us now prove that this scheme satisfies Condition 4.2. Let us consider the matrices ${\varvec{L}}$ and ${\varvec{M}}$ as defined in Condition 4.1:

We will prove that, for any vector $\varvec{v}$ such that $\mathsf {hw}(\varvec{v}) \le 2$, it holds that if ${\varvec{M}} \cdot \varvec{v} = \varvec{0}_2$, then ${\varvec{L}} \cdot \varvec{v}$ has a 0 coefficient.

Let us start by the case $\mathsf {hw}(\varvec{v})=1$. If ${\varvec{M}} \cdot \varvec{v} = \varvec{0}_2$, the only non-zero coefficient of $\varvec{v}$ clearly must be in one of the first $1+d=3$ coordinates. Denote by i the index of this coefficient. Since $i\le 3$, from the definition of ${\varvec{L}}$, we have ${\varvec{L}} \cdot \varvec{v} = {\varvec{I}}_3 \cdot {(v_1,v_2,v_3)}^\intercal $, and thus its i-th coefficient is equal to the non-zero coefficient of $\varvec{v}$ but the two other coefficients of ${\varvec{L}}\cdot \varvec{v}$ are equal to 0. This concludes this case.

Let us tackle the case $\mathsf {hw}(\varvec{v})=2$. Note that ${\varvec{L}} \cdot \varvec{v}$ hence corresponds to a linear combination of exactly two columns of ${\varvec{L}}$. By construction of ${\varvec{L}}$, all first columns (until the occurrence of ${\varvec{T}}_d$) are of Hamming weight 1. Consequently, for ${\varvec{L}} \cdot \varvec{v}$ to have only non-zero coefficients, at least one of the $3\cdot d=6$ last coordinates of $\varvec{v}$ must be non-zero. The corresponding columns of ${\varvec{L}}$ have two possible values : ${(1,1,0)}^\top $ or ${(1,1,1)}^\top $. Let us consider the cases where one coordinate of $\varvec{v}$ corresponding to a column ${(1,1,0)}^\top $ is set. The corresponding column in ${\varvec{M}}$ is of the form ${(\alpha ,0)}^\top $, where $\alpha $ can be $1,\xi ,\xi +1$. In order for ${\varvec{L}} \cdot \varvec{v}$ to have only non-zero coefficients, the other non-zero coordinate of $\varvec{v}$ must correspond to a column of ${\varvec{L}}$ where the last coefficient is non-zero. However, for all of these columns, the corresponding column of ${\varvec{M}}$ is always of the form $(\lambda ,\beta )$, with $\beta \ne 0$, in which case ${\varvec{M}} \cdot \varvec{v} \ne \varvec{0}_2$. It just remains to consider the case where one non-zero coordinate of $\varvec{v}$ corresponds to a column ${(1,1,1)}^\top $ of ${\varvec{L}}$. The corresponding columns in ${\varvec{M}}$ can be ${(1,1)}^\top $, ${(\xi ,\xi +1)}^\top $, or ${(\xi +1,\xi )}^\top $. Note that for no other column in ${\varvec{L}}$ one can retrieve a corresponding column in ${\varvec{M}}$ whose coefficients are both non-zero. Consequently, both non-zero coordinates of $\varvec{v}$ must correspond to columns ${(1,1,1)}^\top $ of ${\varvec{L}}$. Since no two vectors among (1, 1), $(\xi ,\xi +1)$, and $(\xi +1,\xi )$ are proportional, then we always have ${\varvec{M}} \cdot \varvec{v} \ne \varvec{0}_2$.

The exact same reasoning can be held for ${\varvec{\delta }}$, since no two vectors among (1, 1), $(-\xi +1,-\xi )$, $(-\xi ,-\xi +1)$ are proportional.

5 Construction with Linear Randomness Complexity

In this section, we describe a construction that only requires a linear randomness complexity. That is, our $(d+1,d+1)$-gadget only uses $d$ random scalars. In particular, our construction breaks the linear bound of $d+1$ random scalars (for order $d\ge 3$) proven in [4]. There is no contradiction since this lower bound is proven only in $\mathbb {F}_{2}$. Our construction is described below and once again makes use of a matrix of scalars that needs to satisfy certain properties, as explained later in this section.

5.1 Construction

Construction. Let ${\varvec{\gamma }}= {(\gamma _{i,j})}_{\begin{array}{c} 0 \le i \le d\\ 1 \le j \le d \end{array}} \in \mathbb {F}_{q}^{(d+1) \times d}$ be a constant matrix (with $d+1$ rows instead of $d$ for the previous construction).

Following the previous gadget with the objective of minimizing the randomness complexity, we can construct a multiplication $(d+1,d+1)$-gadget which outputs the shares $(c_0,\dots ,c_d)$ defined as follows:

$$\begin{aligned} c_i = a_0 b_i + \sum _{j=1}^d(\gamma _{i,j} r_j + a_j b_i) , \end{aligned}$$

for $0 \le i \le d$. The gadget is formally depicted in Algorithm 5 and is correct under the condition that for any $0 \le j \le d$,

$$\begin{aligned} \sum _{i=0}^d\gamma _{i,j}=0 . \end{aligned}$$

We remark that if this construction is secure, it breaks the randomness complexity lower bound of $d+1$ random bits proven in [4] when $q = 2$. Furthermore, it is the first construction with a linear number of random scalars (in $d$). Previously, the construction with the best randomness complexity used a quasi-linear number of random scalars [4].

However, as for our construction in Sect. 4.1, the construction is clearly not secure for every matrix ${\varvec{\gamma }}$. For example, if ${\varvec{\gamma }}$ is a matrix of zeros, the gadget is clearly not private, let alone NI or SNI. Actually, it is not even clear that there exists a matrix ${\varvec{\gamma }}$ for which the gadget is private. We prove in the following that this is indeed the case if the finite field is large enough and we provide explicit choices of the matrix ${\varvec{\gamma }}$ for small orders $d\in \{2,3\}$ over small finite fields.

Condition on ${\varvec{\gamma }}$. Similarly to Sect. 4.1, the following condition is necessary for the above construction to be $d$-NI.

Condition 5.1

Let $\ell = (2d+4)\cdot d+ 1$. Let ${\varvec{I}}_d\in \mathbb {F}_{q}^{d\times d}$ be the identity matrix, ${\varvec{0}}_{m \times n} \in \mathbb {F}_{q}^{m \times n}$ be a matrix of zeros (when $n = 1$, ${\varvec{0}}_{m \times n}$ is also written $\varvec{0}_m$), ${\varvec{1}}_{m \times n} \in \mathbb {F}_{q}^{m \times n}$ be a matrix of ones, ${\varvec{D}}_{{\varvec{\gamma }},j} \in \mathbb {F}_{q}^{d\times d}$ be the diagonal matrix such that $D_{{\varvec{\gamma }},j,i,i} = \gamma _{j,i}$, ${\varvec{T}}_d\in \mathbb {F}_{q}^{d\times d}$ be the upper-triangular matrix with just ones, ${\varvec{T}}_{{\varvec{\gamma }},j} \in \mathbb {F}_{q}^{d\times d}$ be the upper-triangular matrix for which $T_{{\varvec{\gamma }},j,i,k} = \gamma _{j,i}$ for $i\le k$. Let $\omega _0,\dots ,\omega _d$ be $(d+1)$ indeterminates and we consider the field of rational fractions $\mathbb {F}_{q}(\omega _0,\dots ,\omega _d)$. In other words, we have:

$$\begin{aligned} {\varvec{I}}_d&= \begin{pmatrix} 1 &{} 0 &{} \cdots &{} 0 \\ 0 &{} 1 &{} &{} 0 \\ \vdots &{} &{} \ddots &{} \vdots \\ 0 &{} \cdots &{} 0 &{} 1 \end{pmatrix}&{\varvec{D}}_{{\varvec{\gamma }},j}&= \begin{pmatrix} \gamma _{j,1} &{} 0 &{} \cdots &{} 0 \\ 0 &{} \gamma _{j,2} &{} &{} 0 \\ \vdots &{} &{} \ddots &{} \vdots \\ 0 &{} \cdots &{} 0 &{} \gamma _{j,d} \end{pmatrix} \\ {\varvec{T}}_d&= \begin{pmatrix} 1 &{} 1 &{} \cdots &{} 1 \\ 0 &{} 1 &{} &{} 1 \\ \vdots &{} &{} \ddots &{} \vdots \\ 0 &{} \cdots &{} 0 &{} 1 \end{pmatrix}&{\varvec{T}}_{{\varvec{\gamma }},j}&= \begin{pmatrix} \gamma _{j,1} &{} \gamma _{j,1} &{} \cdots &{} \gamma _{j,1} \\ 0 &{} \gamma _{j,2} &{} &{} \gamma _{j,2} \\ \vdots &{} &{} \ddots &{} \vdots \\ 0 &{} \cdots &{} 0 &{} \gamma _{j,d} \end{pmatrix} \end{aligned}$$

We define the following matrices:

where ${\varvec{L'}} \in {\mathbb {F}_{q}(\omega _0,\dots ,\omega _d)}^{(d+1)\times \ell }$ and ${\varvec{M'}} \in \mathbb {F}_{q}^{d\times \ell }$.

Condition 5.1 is satisfied for a matrix ${\varvec{\gamma }}$ if for any vector $\varvec{v} \in {{\mathbb F}}_q^\ell $ of Hamming weight $\mathsf {hw}(\varvec{v}) \le d$ such that ${\varvec{L'}} \cdot \varvec{v}$ contains no coefficient equal to 0 then ${\varvec{M'}} \cdot \varvec{v} \ne \varvec{0}_d$.

5.2 Security Analysis

Lemma 5.1

Each probe contains at most one share $b_i$ of b.

Proof

A probe can only target the partial expression of an output or an entire output. In this construction, each output $c_i$ is built with a single share $b_i$ of b. Therefore, a probe can contain at most one such share. $\square $

Corollary 5.2

Any set of at most $d$ probes contains at most $d$ shares of b.

Proposition 5.3

The above construction with $d$ random scalars is $d$-NI, if ${\varvec{\gamma }}$ satisfies Condition 5.1.

Proof

From Condition 5.1, any combination of at most $d$ probes in our construction is either functionally dependent on at most $d$ shares $a_i$ or on at least one random scalar. Furthermore, using in addition Corollary 5.2, any combination of at most $d$ probes is functionally dependent on at most $d$ shares $b_i$. Therefore, thanks to Theorem 3.5 and the fact that $q > d+1$, the construction is $d$-NI. $\square $

5.3 Probabilistic Construction

As in the previous section, in order to prove the existence of a matrix ${\varvec{\gamma }}$ which satisfies Condition 4.2 for q large enough (but only exponential in $d\log d$), we state Theorem 5.4 that makes also use of the non-constructive “probabilistic method.” Its proof is detailed in the full version.

Theorem 5.4

For any $d\ge 1$, for any prime power q, if ${\varvec{\gamma }}$ is chosen uniformly in ${\varvec{\gamma }}\in \mathbb {F}_{q}^{(d+1) \times d}$ under the condition that $\sum _{i=0}^d\gamma _{i,j} = 0$ for $0 \le i \le d$, then

$$\begin{aligned} \Pr [ {\varvec{\gamma }}\text { satisfies Condition~4.2}] \ge 1 - d(d+1) \cdot {(12d)}^d\cdot q^{-1} \end{aligned}$$

In particular, for any $d\ge 1$, there exists an integer $Q = O(d)^{d+2}$, such that for any prime power $q \ge Q$, there exists a matrix ${\varvec{\gamma }}\in \mathbb {F}_{q}^{d\times d}$ satisfying Condition 5.1.

5.4 Small Cases

We show here the instantiation for $d\in \{2,3\}$.

$\varvec{d=2.}$ Let $d$ equal 2. Let us now explicitly instantiate our construction for any non-prime field ${{\mathbb F}}_q$ where $q=p^k$, $k \ge 2$. Let $\xi $ be any element in ${{\mathbb F}}_q \setminus {{\mathbb F}}_p$. A possible instantiation is:

$$ {\varvec{\gamma }}= \begin{pmatrix} 1 &{} \xi \\ \xi &{} 1\\ -\xi -1 &{} -\xi -1 \\ \end{pmatrix}. $$

The computed shares are hence:

$c_0=a_0b_0 + (1 \cdot r_1 + a_1b_0) + (\xi \cdot r_2 + a_2b_0) $
$c_1=a_0b_1 + (\xi \cdot r_1 + a_1b_1) + (1\cdot r_2 + a_2b_1)$
$c_2=a_0b_2 + ((-\xi -1)\cdot r_1 + a_1b_2) + (-\xi -1)\cdot r_2 + a_2b_2)$

Let us now prove that this scheme satisfies Condition 5.1. The reasoning is similar to the proof in Sect. 4.4.

In order for ${\varvec{M'}}\cdot \varvec{v}$ to be null, and for ${\varvec{L'}}\cdot \varvec{v}$ to be of full Hamming weight, we observe that the two non-zero coefficients of $\varvec{v}$ must correspond to two columns of full Hamming weight of ${\varvec{M'}}$. However, no two vectors in $(1,\xi ),(\xi ,1),(-\xi -1,-\xi -1)$ are proportional. This ensures that Condition 5.1 is satisfied for ${\varvec{\gamma }}$.

$\varvec{d=3.}$ Let $d$ equal 3. Let us now explicitly instantiate our construction for any non-prime field ${{\mathbb F}}_q$ where $q=2^k$, $k \ge 4$. Let $\xi $ be any element in ${{\mathbb F}}_q \setminus {{\mathbb F}}_p$. A possible instantiation is:

$$ {\varvec{\gamma }}= \begin{pmatrix} 1 &{} \xi &{} \xi +1\\ 1 &{} \xi ^2+1 &{} \xi \\ 1 &{} \xi +1 &{} \xi ^2+\xi +1\\ 1 &{} \xi ^2+\xi +1 &{} \xi +1\\ \end{pmatrix}. $$

The computed shares are hence:

$c_0=a_0b_0 +(1 \cdot r_1 + a_1b_0) + (\xi \cdot r_2 + a_2b_0) +((\xi +1) \cdot r_3 + a_3b_0) $
$c_1=a_0b_1 +(1 \cdot r_1 + a_1b_1) + ((\xi ^2+1) \cdot r_2 + a_2b_1) + (\xi \cdot r_3 + a_3b_1) $
$c_2=a_0b_2 +(1 \cdot r_1 + a_1b_2) + ((\xi +1) \cdot r_2 + a_2b_2) + ((\xi ^2+\xi +1\xi ) \cdot r_3 + a_3b_2)$
$c_3=a_0b_3 +(1 \cdot r_1 + a_1b_3) + ((\xi ^2+\xi +1) \cdot r_2 + a_2b_3) + ((\xi +1) \cdot r_3 + a_3b_3) $

Let us now prove that this scheme satisfies Condition 5.1. The reasoning is similar to the proof in Sect. 4.4. We check the non-proportionality of the relevant vectors $(1,\xi ,\xi +1),(1,\xi ^2+1,\xi ),(1,\xi +1,\xi ^2+\xi +1),(1,\xi ^2+\xi +1,\xi +1)$, and finish by computing all left determinants using a computer algebra system. It follows that this construction satisfies Condition 5.1.

5.5 Lower Bound

Let us now show a lower bound on the randomness complexity of $d$-NI multiplication gadgets satisfying the following condition.

Condition 5.2

A multiplication gadget satisfies Condition 5.2 if the output shares are affine functions (over ${{\mathbb F}}_q$) of the products $a_i b_j$ and of the input shares $a_i$ and $b_j$ (coefficients of the affine functions may depend on the random scalars). In other words, each output share $c_i$ can be written as (possibly after expansion and simplification):

$$\begin{aligned} c_i = \varvec{a}^\intercal \cdot {\varvec{M_i}}(\varvec{r}) \cdot \varvec{b} \;+\; \varvec{a}^\intercal \cdot \varvec{{\mu }_{i}}(\varvec{r}) \;+\; \varvec{\nu }_i^\intercal (\varvec{r}) \cdot \varvec{b} \;+\; \tau _i(\varvec{r}) , \end{aligned}$$

where ${\varvec{M_i}}(\varvec{r}) \in {{\mathbb F}}_q^{(d+1)\times (d+1)}$, $\varvec{\mu }_i(\varvec{r}) \in {{\mathbb F}}_q^{d+1}$, $\varvec{\nu }_i(\varvec{r}) \in {{\mathbb F}}_q^{d+1}$, and $\tau _i(\varvec{r}) \in {{\mathbb F}}_q$ are arbitrary functions of the vector $\varvec{r} \in {{\mathbb F}}_q^R$ of random scalars.

This condition is very weak. In particular, it does not restrict output shares to be bilinear and do not restrict internal values of the circuit at all. All the $d$-NI multiplication gadgets we know [4, 10, 18, 24] including the ours in Sects. 4.1 and 5.1 satisfy this condition. We first need the following lemma.

Lemma 5.5

Let ${\varvec{U}} \in {{\mathbb F}}_q^{(d+1)\times (d+1)}$ be the matrix of ones. Let ${\varvec{M}},{\varvec{M'}}$ be two matrices in ${{\mathbb F}}_q^{(d+1)\times (d+1)}$ such that ${\varvec{M}} + {\varvec{M'}} = {\varvec{U}}$. Then all the columns or all the rows of ${\varvec{M}}$, or all the columns or all the rows of ${\varvec{M'}}$ are non-zero.

Proof

Let us prove the lemma by contraposition. We suppose that both ${\varvec{M}}$ and ${\varvec{M'}}$ have a column of zeros and a row of zeros. Let us suppose that the i-th row of ${\varvec{M}}$ is a zero row and the j-th column of ${\varvec{M'}}$ is a zero column. Then $M_{i,j} = M'_{i,j} = 0 \ne 1 = U_{i,j}$ and ${\varvec{M}} + {\varvec{M'}} \ne {\varvec{U}}$. $\square $

We can now state our lower bound.

Proposition 5.6

Let C be a $d$-NI multiplication gadget satisfying Condition 5.2. Then C uses more than $\lfloor (d-1) / 2 \rfloor $ random scalars (i.e., $R \ge d/ 2$).

A $d$-NI multiplication gadget satisfying Condition 5.2 thus requires a linear number of random scalars in $d$. We recall our construction in Sect. 5.1 uses $d$ random scalars, which is linear in $d$.

Proof

Let us suppose that C uses only $R \le \lfloor (d-1) / 2 \rfloor $ random scalars. Let $k = \lfloor d/ 2 \rfloor $. Let us construct a set of probes which cannot be simulated by at most $d$ shares of each input a and b. As C satisfies Condition 5.2, we can write:

$$\begin{aligned} c_0 + \dots + c_k&= \varvec{a}^\intercal \cdot {\varvec{M}}(\varvec{r}) \cdot \varvec{b} \;+\; \varvec{a}^\intercal \cdot \varvec{\mu }(\varvec{r}) \;+\; \varvec{\nu }^\intercal (\varvec{r}) \cdot \varvec{b} \;+\; \tau (\varvec{r}) , \\ c_{k+1} + \dots + c_d&= \varvec{a}^\intercal \cdot {\varvec{M'}}(\varvec{r}) \cdot \varvec{b} \;+\; \varvec{a}^\intercal \cdot \varvec{\mu '}(\varvec{r}) \;+\; \varvec{\nu '}^\intercal (\varvec{r}) \cdot \varvec{b} \;+\; \tau '(\varvec{r}) , \end{aligned}$$

where ${\varvec{M}}(\varvec{r}), {\varvec{M'}}(\varvec{r}) \in {{\mathbb F}}_q^{(d+1)\times (d+1)}$, $\varvec{\mu }(\varvec{r}), \varvec{\mu }(\varvec{r}) \in {{\mathbb F}}_q^{d+1}$, $\varvec{\nu }(\varvec{r}),\varvec{\nu }(\varvec{r}) \in {{\mathbb F}}_q^{d+1}$, and $\tau (\varvec{r}),\tau '(\varvec{r}) \in {{\mathbb F}}_q$ are arbitrary functions of the vector $\varvec{r} \in {{\mathbb F}}_q^R$ of random scalars.

Let ${\varvec{U}} \in {{\mathbb F}}_q^{(d+1)\times (d+1)}$ be the matrix of ones. As $\sum _{i=0}^dc_i = ab = \varvec{a}^\intercal \cdot {\varvec{U}} \cdot \varvec{b}$ by correctnesss of C, we have ${\varvec{M}}(\varvec{r}) + {\varvec{M'}} (\varvec{r}) = {\varvec{U}}$. In particular, when $\varvec{r} = \varvec{0}$ (for example), Lemma 5.5 ensures that $c_0 + \dots + c_k$ or $c_{k+1} + \dots + c_d$ functionally depends on every $a_i$ ($0 \le i \le d$) or on every $b_j$ ($0 \le j \le d$). Therefore, one of the following set of probes cannot be simulated by at most $d$ shares of each input a and b:

$$\begin{aligned} \{r_1,\dots ,r_R,c_0,\dots ,c_k\} \quad \text { and }\quad \{r_1,\dots ,r_R,c_{k+1},\dots ,c_d\} . \end{aligned}$$

We conclude by remarking that $R + (k+1) \le \lfloor (d-1) / 2 \rfloor + \lfloor d/ 2 \rfloor + 1 \le d$, as either $d-1$ or $d$ is odd and so either $\lfloor (d-1) / 2 \rfloor \le (d- 1) / 2 - 1$ or $\lfloor d/ 2 \rfloor \le d/ 2 - 1$. $\square $

Notes

1.
An alternative is to apply so-called threshold implementations [20]. In [23], Reparaz et al. have shown that the latter implementations can be built from circuits that are made secure in the probing model. Thus, any improvement of the complexity of arithmetic circuits secure in the probing model may lead to complexity improvement for higher-order threshold implementations.
2.
It may be remarked that the inner product masking with fixed public values for L is very close to polynomial masking, where R plays a similar role as the tuple of polynomial evaluations and where L plays a similar role as the reconstruction vector (deduced from the public values $(\alpha _i)_ {i\le d}$).
3.
More precisely, the non-zero field elements to multiplied are first represented as powers of a primitive element $\alpha $ such that $z=x\times y$ becomes $\alpha ^c=\alpha ^{a+b}$ with $(x,y,z)=(\alpha ^a,\alpha ^b,\alpha ^c)$. The mappings $x\rightarrow \alpha ^a$, $y\rightarrow \alpha ^b$ and $\alpha ^c \rightarrow z$ have been tabulated for efficiency reasons. The particular case $x=0$ or $y=0$ has been treated with care to not introduce timing dependency.
4.
For comparison/testing purpose, we did not call the device random generator but, instead, simulated the generation by a software code.
5.
This timing corresponds to a code written in assembly and involving log-alog look-up tables.
6.
The inputs of the final gadget correspond to the inputs of the $d$-TNI one, while the outputs of the final gadget correspond to the outputs of the $d$-SNI one.
7.
By probes involving only the $a_i$’s and the $r_i$’s, we mean probes that do not functionally depend on any $b_i$ nor any $s_i$.

References

Balasch, J., Faust, S., Gierlichs, B.: Inner product masking revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 486–510. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_19
Google Scholar
Balasch, J., Faust, S., Gierlichs, B., Verbauwhede, I.: Theory and practice of a leakage resilient masking scheme. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 758–775. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_45
Chapter Google Scholar
Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.A., Grégoire, B., Strub, P.Y., Zucchini, R.: Strong non-interference and type-directed higher-order masking. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 16, pp. 116-129. ACM Press, October 2016
Google Scholar
Belaïd, S., Benhamouda, F., Passelègue, A., Prouff, E., Thillard, A., Vergnaud, D.: Randomness complexity of private circuits for multiplication. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 616–648. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_22
Chapter Google Scholar
Belaïd, S., Benhamouda, F., Passelègue, A., Prouff, E., Thillard, A., Vergnaud, D.: Randomness complexity of private circuits for multiplication. Cryptology ePrint Archive, Report 2016/211 (2016). full version of [4]. http://eprint.iacr.org/2016/211
Carlet, C., Prouff, E.: Polynomial evaluation and side channel analysis. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 315–341. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49301-4_20. http://dx.doi.org/10.1007/978-3-662-49301-4_20
Chapter Google Scholar
Carlet, C., Prouff, E., Rivain, M., Roche, T.: Algebraic decomposition for probing security. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 742–763. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_36
Chapter Google Scholar
Carlet, C., Prouff, E., Rivain, M., Roche, T.: Algebraic decomposition for probing security. Cryptology ePrint Archive, Report 2016/321 (2016). full version of [7]. http://eprint.iacr.org/2016/321
Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_26
Chapter Google Scholar
Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43933-3_21
Google Scholar
Coron, J.-S., Prouff, E., Roche, T.: On the use of Shamir’s secret sharing against side-channel analysis. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 77–90. Springer, Heidelberg (2013). doi:10.1007/978-3-642-37288-9_6
Chapter Google Scholar
Coron, J.-S., Roy, A., Vivek, S.: Fast evaluation of polynomials over binary finite fields and application to side-channel countermeasures. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 170–187. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44709-3_10
Google Scholar
Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_24
Chapter Google Scholar
Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 401–429. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_16
Google Scholar
Faust, S., Rabin, T., Reyzin, L., Tromer, E., Vaikuntanathan, V.: Protecting circuits from leakage: the computationally-bounded and noisy cases. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 135–156. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_7
Chapter Google Scholar
Goubin, L., Patarin, J.: DES and differential power analysis the “duplication” method. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999). doi:10.1007/3-540-48059-5_15
Chapter Google Scholar
Gross, H., Mangard, S., Korak, T.: Domain-oriented masking: compact masked hardware implementations with arbitrary protection order. IACR Cryptology ePrint Archive 2016, p. 486 (2016). http://eprint.iacr.org/2016/486. To appear in the proceedings of CARDIS 2016
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_27
Chapter Google Scholar
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_9
Google Scholar
Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J Cryptol. 24(2), 292–321 (2011). http://dx.doi.org/10.1007/s00145-010-9085-7
Article MathSciNet MATH Google Scholar
Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38348-9_9
Chapter Google Scholar
Prouff, E., Roche, T.: Higher-order glitches free implementation of the AES using secure multi-party computation protocols. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 63–78. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23951-9_5
Chapter Google Scholar
Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 764–783. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_37
Chapter Google Scholar
Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15031-9_28
Chapter Google Scholar

Download references

Acknowledgements

The second author was supported by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236. The third author was supported in part from a DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, NSF grants 1619348, 1228984, 1136174, and 1065276, BSF grant 2012378, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through the ARL under Contract W911NF-15-C-0205. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government. The fourth and fifth authors were supported in part by the European Union’s H2020 Programme under grant agreement number ICT-731591 (REASSURE). The fifth author was supported in part by the French ANR project BRUTUS, ANR-14-CE28-0015.

Author information

Authors and Affiliations

Thales Communications & Security, Gennevilliers, France
Sonia Belaïd
IBM Research, Yorktown Heights, USA
Fabrice Benhamouda
UCLA, Los Angeles, USA
Alain Passelègue
Safran Identity and Security, Paris, France
Emmanuel Prouff
Sorbonne Universitès, UPMC Univ Paris 06, CNRS, INRIA, Laboratoire d’Informatique de Paris 6 (LIP6), Équipe PolSys, 4 Place Jussieu, 75252, Paris, France
Emmanuel Prouff
ANSSI, Paris, France
Adrian Thillard
Département d’informatique de L’ENS, École normale supérieure, CNRS, PSL Research University, 75005, Paris, France
Damien Vergnaud
INRIA, Paris, France
Damien Vergnaud

Authors

Sonia Belaïd
View author publications
You can also search for this author in PubMed Google Scholar
Fabrice Benhamouda
View author publications
You can also search for this author in PubMed Google Scholar
Alain Passelègue
View author publications
You can also search for this author in PubMed Google Scholar
Emmanuel Prouff
View author publications
You can also search for this author in PubMed Google Scholar
Adrian Thillard
View author publications
You can also search for this author in PubMed Google Scholar
Damien Vergnaud
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sonia Belaïd .

Editor information

Editors and Affiliations

University of Maryland, College Park, Maryland, USA
Jonathan Katz
UC San Diego, La Jolla, California, USA
Hovav Shacham

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Belaïd, S., Benhamouda, F., Passelègue, A., Prouff, E., Thillard, A., Vergnaud, D. (2017). Private Multiplication over Finite Fields. In: Katz, J., Shacham, H. (eds) Advances in Cryptology – CRYPTO 2017. CRYPTO 2017. Lecture Notes in Computer Science(), vol 10403. Springer, Cham. https://doi.org/10.1007/978-3-319-63697-9_14

Download citation

DOI: https://doi.org/10.1007/978-3-319-63697-9_14
Published: 02 August 2017
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-63696-2
Online ISBN: 978-3-319-63697-9
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Private Multiplication over Finite Fields

Abstract

Similar content being viewed by others

Randomness Complexity of Private Circuits for Multiplication

Exploiting Algebraic Structures in Probing Security

Secure Multiparty Computation with Sublinear Preprocessing

Keywords

1 Introduction

1.1 Our Problem

1.2 Related Work

1.3 Our Contributions

2 Preliminaries

2.1 Notation

2.2 Arithmetic Circuits and Privacy

Definition 2.1

Definition 2.2

Remark 2.3

Remark 2.4

2.3 Compositional Security Notions

Definition 2.5

Remark 2.6

Definition 2.7

Definition 2.8

Definition 2.9

2.4 Relations Between Compositional Security Notions

2.5 Case of Study

Definition 2.10

Remark 2.11

3 Algebraic Characterizations

3.1 Bilinear Probes and Matrix Notation

Definition 3.1

3.2 Algebraic Characterization for Privacy

Condition 3.1

Theorem 3.2

Remark 3.3

Corollary 3.4

Proof

3.3 Algebraic Characterization for Non-Interference

Condition 3.2

Theorem 3.5

Proof

Remark 3.6

Corollary 3.7

Proof

4 Construction with a Linear Number of Bilinear Multiplications

4.1 Construction

Proposition 4.1

Condition 4.1

Remark 4.2

Condition 4.2

4.2 Security Analysis

Theorem 4.3

Lemma 4.4

Proof

Proof

4.3 Probabilistic Construction

Theorem 4.5

Proposition 4.6

Remark 4.7

4.4 Small Cases

5 Construction with Linear Randomness Complexity

5.1 Construction

Condition 5.1

5.2 Security Analysis

Lemma 5.1

Proof

Corollary 5.2

Proposition 5.3

Proof

5.3 Probabilistic Construction

Theorem 5.4

5.4 Small Cases

5.5 Lower Bound

Condition 5.2

Lemma 5.5

Proof

Proposition 5.6

Proof

Notes

References