Paper 2022/1540

Exploiting algebraic structures in probing security

Maxime Plançon, IBM Research - Zurich, ETH Zurich
Abstract

The so-called $\omega$-encoding, introduced by Goudarzi, Joux and Rivain (Asiacrypt 2018), generalizes the commonly used arithmetic encoding. By using the additionnal structure of this encoding, they proposed a masked multiplication gadget (GJR) with quasilinear (randomness and operations) complexity. A follow-up contribution by Goudarzi, Prest, Rivain and Vergnaud in this line of research appeared in TCHES 2021. The authors revisited the aforementioned multiplication gadget (GPRV), and brought the IOS security notion for refresh gadgets to allow secure composition between probing secure gadgets. In this paper, we propose a follow up on GPRV, that is, a region-probing secure arithmetic circuit masked compiler. Our contribution stems from a single Lemma, linking algebra and probing security for a wide class of circuits, further taking advantage of the algebraic structure of $\omega$-encoding, and the extension field structure of the underlying field $\mathbb F$ that was so far left unexploited. On the theoretical side, we propose a security notion for $\boldsymbol{\omega}_d$-masked circuits which we call Reducible-To-Independent-K-linear (RTIK). When the number of shares $d$ is less than or equal to the degree $k$ of $\mathbb F$, RTIK circuits achieve region-probing security. Moreover, RTIK circuits may be composed naively and remain RTIK. We also propose a weaker version of IOS, which we call KIOS, for refresh gadgets. This notion allows to compose RTIK circuits with a randomness/security tradeoff compared to the naive composition. To substantiate our new definitions, we also provide examples of competitively efficient gadgets verifying the latter weaker security notions. Explicitly, we give 1) two refresh gadgets that use $d-1$ random field elements to refresh a length $d$ encoding, both of which are KIOS but not IOS, and 2) a multiplication gadget with bilinear multiplication complexity $d^{\log 3}$ and uses $d$ fresh random elements per run. Our compiler outperforms ISW asymptotically, but for our security proofs to hold, we do require that the number of shares $d$ is less than or equal to the degree of $\mathbb F$ as an extension, so that there is sufficient structure to exploit.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
MaskingRefresh GadgetMultiplication GadgetProbing Security
Contact author(s)
MPL @ zurich ibm com
History
2023-06-26: last of 2 revisions
2022-11-07: received
See all versions
Short URL
https://ia.cr/2022/1540
License
No rights reserved
CC0

BibTeX 

@misc{cryptoeprint:2022/1540,
      author = {Maxime Plançon},
      title = {Exploiting algebraic structures in probing security},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1540},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1540}},
      url = {https://eprint.iacr.org/2022/1540}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.