# Reframing And Extending The Random Probing Expansion

#### Giuseppe Manzoni

Independent researcher, giuseppe.manzoni@zelya.org

**Abstract.** In the context of circuits leaking the internal state, there are various models to analyze what the adversary can see, like the *p*-random probing model in which the adversary can see the value of each wire with probability *p*. In this model, for a fixed *p*, it's possible to reach an arbitrary security by 'expanding' a stateless circuit via iterated compilation, reaching a security of  $2^{-\kappa}$  with a polynomial size in  $\kappa$ .

The existing proofs of the expansion work by first compiling the gadgets multiple times, and then by compiling the circuit with the resulting gadgets while assuming the worst from the original circuit. Instead, we reframe the expansion by proving it as a security reduction from the compiled circuit to the original one. Additionally, we extend it to support a broader range of encodings, and arbitrary probabilistic gates with an arbitrary number of inputs and outputs.

This allows us to obtain two concrete results: (i) At the cost of an additional size factor  $\mathcal{O}(\log(d)^3)$ , any *d*-probing secure compiler can be used to produce stateless circuits with security  $2^{-d}$  against any adversary that sees all wires with a constant SD-noise of  $2^{-7.41}/p$ , where *p* is the characteristic of the circuit's field. (ii) Any *n*-shares compiler with (t, f)-RPE gadgets needs t + 1 (which in practice is  $\lceil \frac{n}{2} \rceil$ ) randoms in the random gadget instead of *n*.

**Keywords:** Side-Channel Security  $\,\cdot\,$  Leakage Resilience  $\,\cdot\,$  Probing Model  $\,\cdot\,$  Random Probing Model

### 1 Introduction

Even when a cryptographic algorithm is secure against classical black-box attacks, its implementation could still be vulnerable to side-channel attacks, which make use of some physical leakage (e.g. the running time [Koc96], the power consumption [KJJ99], the electromagnetic radiation [QS01]).

Many types of physical leakage can be modelled using the noisy leakage models [CJRR99, PR13a, DDF14, PGMP19]. In particular, we'll focus on the noisy models with the following leakage: for every wire with a value  $\mathbf{x}$  with distribution X, the adversary can see any leakage  $\mathbf{f}(\mathbf{x})$ , such that the distribution X and the conditional distribution  $X|\mathbf{f}(X)$  are closer than some  $\delta$  using some metric M (for example the Euclidean norm in [PR13a, PGMP19], the statistical distance in [DDF14, PGMP19, GPRV22], and the Average Relative Error in [PGMP19]). Of those metrics, we'll measure the noise using the statistical distance as it corresponds to an intuitive concept of the indistinguishability<sup>1</sup> between the distributions X and  $X|\mathbf{f}(X)$ .

Given a circuit and its noisy leakage  $\delta$ , we can calculate the security of that circuit. In case the guaranteed security is not enough for the intended purpose, we can 'compile' it: transform it into a new circuit that carries out the same function. Usually a compiler will

<sup>&</sup>lt;sup>1</sup>i.e. SD  $[\mathbf{x}; \mathbf{y}] \leq \delta$  iff no adversary  $\mathcal{A}$  can distinguish between  $\mathbf{x}$  and  $\mathbf{y}$  with advantage better than  $\delta$ , i.e. for all  $\mathcal{A}$ ,  $|\Pr[\mathcal{A}(\mathbf{x}) = 1] - \Pr[\mathcal{A}(\mathbf{y}) = 1]| \leq \delta$ . See for example [MT10].

substitute every gate with a small circuit or 'gadget', every wire with n wires or 'shares', and every value will be 'masked' or 'encoded' so that the values in the shares together reveal the original value. This operation usually allows to increase the security at the cost of having a bigger circuit, but this is not guaranteed: if the circuit doesn't have enough noise (i.e. the leakage  $\delta$  is too high), then compiling the circuit will only lead to a lower security. For this reason the ideal is a compiler able to guarantee an arbitrary security for the highest possible tolerated leakage, and with the lowest possible circuit size increase.

As the noisy models tend to be hard to handle when writing proofs, other models have been introduced like the trandom probing model [ISW03, DDF14, BCP<sup>+</sup>20] in which each wire leaks the exact value with a given probability p, and leaks nothing with probability 1 - p. While this model doesn't describe any physical attack, it is equivalent to the noisy model. In particular, a compiler that tolerates a leakage of p in the random-probing model is guaranteed to tolerate a noise of  $p/|\mathbb{K}|$  in the noisy model.

As we anticipated, the ideal compiler is one that can reach an arbitrary security, and do so while tolerating the highest possible leakage, and so the ideal is to tolerate a constant leakage regardless of the desired security. The first compiler we know of that has achieved this was described in [Ajt11]. It used expander graphs and it was followed by [ADF16] which simplified and improved it using geometric codes. [AIS18] provided an even simpler compiler, with (as calculated by  $[BCP^+20]$ ) a tolerated leakage in the random probing model of  $2^{-26}$  and complexity of  $\mathcal{O}(\kappa^{8.2})$ , and this was achieved using an expansion strategy of compilers using multi-party computation protocols. A further improvement was made by [BCP+20] whose compiler tolerated a leakage of  $2^{-7.97}$  with complexity of  $\mathcal{O}(\kappa^{7.5})$  and this by using the Random Probing Expandability (or RPE) property. This expansion works by compiling a set of gadgets with themselves to obtain bigger and more secure gadgets. These are then compiled again and again until the wanted security level is reached, and then they are composed into the output circuit. This approach was then refined in [BRT21] which provided a more in-depth analysis of the RPE property, it calculated a few of its limits, and it provided gadgets that reach them. They provided a few alternative compilers. One with a better tolerated leakage  $2^{-7.5}$  and lower complexity  $\mathcal{O}(\kappa^{3.9})$ , while another works for a generic number of shares, with a complexity of  $\mathcal{O}(\kappa^{e(n)})$  with  $e(n) := \frac{\log(3n^2 - 2n)}{\log\lfloor (n+1)/2 \rfloor}$  where the number of shares and the desired security are unrelated due to the expansion. A successive article [BRTV21] extended the random probing expansion by allowing a different compiler at different stages of the expansion, even if we believe they made a mistake in one of the proofs, and so they inverted the order of the compilers, see footnote 2.

A completely different and widely researched model is the *t*-probing model, where the attacker can place at most *t* probes, and obtain the exact value contained in those wires. There have been various papers reducing the security of one of the noisy models to that of the probing model. Various do so by using refresh gates that don't leak the internal computation, like [PR13b]. In this paper we'll focus on reductions without those leak-free refresh gates, and the first article we know that proved the reduction without them is [DDF14]. They provide a *n*-shares compiler based on [ISW03, RP10] that produces circuits that are  $\lfloor (n-1)/2 \rfloor$ -probing secure, and they show that given a circuit *c*, the compiled circuit has a security of  $\|c\| e^{-n/12}$  for a noise of  $\Theta(1/(n \cdot |\mathbb{K}|))$ . There have been improvements to this reduction, for example [PGMP19] achieves it by using a different metric. Yet, to our knowledge, there are no results that tolerate a constant noise for an arbitrary security by starting with a generic probing secure compiler.

#### 1.1 Our Contributions

At the core of our paper there is the introduction of the Random Probing Reducibility (or RPR) property, which reduces the security of a compiled circuit to the security of the original one. In particular if a compiler is *e*-RPR, then any compiled circuit with leakage rate *p* can be abstracted into a virtual circuit with leakage rate e(p), and the concrete circuit will have the same guaranteed security of the virtual circuit. In other words, given a circuit with a security of  $2^{-\kappa}$  for a leakage probability e(p), the compiled circuit has a security of  $2^{-\kappa}$  for the leakage probability *p*. If e(p) < p this guarantees the same security for a higher leakage probability.

With the RPR property we can calculate two out of the three main properties that characterize generic compiler sequences: the security amplification order and tolerated leakage, while the third is the size amplification order. Those three are all we need to calculate the asymptotic size increase necessary to reach a fixed leakage rate as the security level  $\kappa$  grows. More precisely, we analyze a circuit parametric in its guaranteed security level  $\kappa$ , so that  $c_{\kappa}$  has security  $2^{-\kappa}$  for the leakage probability  $2^{-p(\kappa)}$ , for some function p. If we compile this circuit to obtain one with security  $2^{-\kappa}$  for a constant tolerated leakage, then we have a size increase of the factor  $\mathcal{O}(p(\kappa)^e)$  as  $\kappa \to \infty$  for some exponent e that depends only on the the compiler sequence. This means that if we compile a fixed circuit c we obtain a complexity of  $\mathcal{O}(\kappa^e)$ , like in [BCP<sup>+</sup>20]. If instead we use an initial circuit  $c_t$  that is obtained by a t-probing secure compiler with polynomial complexity, then we obtain a complexity of  $\mathcal{O}(||c_t|| \log(t)^e)$  for the exact same exponent e. In particular we provide a compiler sequence with e := 3, with tolerated leakage rate  $2^{-7.41}$ .

Additionally we extend the RPE to tolerate more encodings. We provide the 'encoding strength' property that encapsulates the properties of the encoding that are required by the RPE, and this allows us to consider any  $\vec{v}$ -linear encoding, but more importantly it allows us to use the field-extension encoding that we need to output a circuit over  $\mathbb{F}_p$  from a circuit over  $\mathbb{F}_{p^m}$ . This is why from a tolerated leakage rate  $2^{-7.41}$  we obtain a tolerated noise of  $2^{-7.41}/p$  instead of  $2^{-7.41}/p^m$ . For the common case of circuits whose fields has characteristic 2, like for the AES encryption, the tolerated noise is  $2^{-8.41}$ .

The main proof we include for the expansion consists in showing that a compiler made of (t, e)-RPE gadgets is e-RPR. This proof works by composition of sub-circuits: we use a property that is implied by the (t, e)-RPE, that it's preserved by composing two circuit, and such that if all the compiler's output circuits have that property, then the compiler is e-RPR. Yet the RPE is not suited for this job as it was designed to handle the implementation of a gate, not those of a generic circuit, so we need to introduce a new property that we call Extended RPE (or ERPE). As the ERPE needs to handle the implementations of generic probabilistic circuits, it's also capable of handling the implementation of generic probabilistic gates. For this reason we present it as our main expandability property instead of the narrower RPE.

Lastly, to show the concrete usefulness of this new property, we provide a  $(t, \cdot)$ -ERPE random gadget with only t + 1 random gades. This means that an *n*-shares compiler made of (t, e)-RPE gadgets only need t + 1 randoms in the random gadget, and not *n*. Thanks to the analysis from [BRT21] the optimal *t* for the RPE is  $t := \lfloor \frac{n-1}{2} \rfloor$  which means a single step of the expansion converts each random into  $\lfloor \frac{n+1}{2} \rfloor = \lceil \frac{n}{2} \rceil$  randoms instead of *n* of the existing random gadget that are required by [BCP+20, BRT21].

### Contents

| 1        | Introduction                             |               |  |  |
|----------|------------------------------------------|---------------|--|--|
|          | 1.1 Our Contributions                    | 2             |  |  |
| <b>2</b> | Notation and Fundamental Concepts        | 4             |  |  |
| 3        | Circuit and Security<br>3.1 Circuit Type | <b>6</b><br>6 |  |  |

|                          | 3.2       Encoding                                                                                                                                                                                                                    | 7 9                               |  |  |  |  |  |
|--------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------|--|--|--|--|--|
|                          | 3.4       Circuit Security         3.5       Compiler Sequences                                                                                                                                                                       | 9<br>11                           |  |  |  |  |  |
| 4                        | Calculating the RPR                                                                                                                                                                                                                   | 12                                |  |  |  |  |  |
|                          | 4.1       RTD       From RPE       From RPE to RPR       From RPE to RPR                                                                                                                                                              | 14<br>15                          |  |  |  |  |  |
| 5                        | Calculating the Properties of Compiler Sequences         5.1       Composition of Compiler Sequences         5.2       Charging Formaging                                                                                             | <b>16</b><br>16                   |  |  |  |  |  |
|                          | 5.2 Classic Expansion                                                                                                                                                                                                                 | 10                                |  |  |  |  |  |
| 6                        | Main Compiler Sequence         6.1       Field-Extension compiler         6.2       High Tolerated Leakage Compiler         6.3       Main Compiler Sequence                                                                          | 17<br>17<br>18<br>19              |  |  |  |  |  |
| A Definition of Circuit  |                                                                                                                                                                                                                                       |                                   |  |  |  |  |  |
| в                        | Lemmas for Fundamental ConceptsB.1Simulatability and Dependency Functions                                                                                                                                                             | <b>21</b><br>21<br>22<br>23<br>24 |  |  |  |  |  |
| С                        | From Probing Security To Constant Noise With Polylog Size IncreaseC.1Lemma 28: RPS to Probing SecurityC.2Proposition 7: Probing Model to RPSC.3Theorem 1: Complexity of Compiler Sequences                                            | <b>25</b><br>25<br>28<br>29       |  |  |  |  |  |
| D Theorem 2: ERPE to RPR |                                                                                                                                                                                                                                       |                                   |  |  |  |  |  |
| Е                        | Proofs For the Main Compiler         E.1 Security from the RPE         E.2 Composition of Compiler Sequences         E.3 Proofs For the Classic Expansion         E.4 Gadgets Without Strength for Fully-leakable Deterministic Gates | <b>34</b><br>34<br>35<br>36<br>38 |  |  |  |  |  |

### 2 Notation and Fundamental Concepts

We'll use  $\vec{x}$  for a vector,  $\breve{x}$  for a set, **x** for a random variable. For functions, they describe their codomain.

Then we can give a few common/intuitive definitions. We'll indicate with  $\Pr[\mathbf{A}]$  the probability of the event  $\mathbf{A}$ , and with  $\operatorname{Is}[A]$  the function that returns 1 if the predicate A is true and 0 otherwise. With ':=' we indicate a definition and with '=' equality. Given a set  $\check{S}$  we write  $\leftarrow \check{S}$  to mean an anonymous random variable with the uniform distribution over  $\check{S}$ , independent from all the random variables defined before it and used only there. Similarly to  $[\operatorname{BCP}^+20]$ , we'll use  $[m] := \mathbb{Z} \cap [1, m]$  as the set of indexes for a tuple of m values,  $\mathcal{P}([m])$  is the power set of [m]. Additionally, we'll sometimes use vector operations on the subsets of [m], by interpreting them like a vector  $\{false, true\}^m$  that says if index i is in the set. In particular, we'll use the concatenation of two vectors  $\vec{a} \parallel \vec{b}$  also on those

sets. Lastly, we use  $\mathbb{K}$  for a generic field,  $\mathbb{F}_q$  for a field of order q and  $\mathbb{S}$  for a set with at least two elements, and we'll note with supp $[\mathbf{x}]$  the support of  $\mathbf{x}$  i.e. the possible values that  $\mathbf{x}$  can take with probability different from zero. Also, for brevity we'll always use 'monotone' as 'monotone non-strictly increasing' unless specified otherwise, where for sets we'll use the partial order  $\subseteq$ , while for statements we'll consider true > false, and for functions we'll consider  $f \leq g$  iff  $\forall x. f(x) \leq g(x)$ .

As the difference is important in various proofs, we'll define both  $\vec{x}|_{I}$  and  $\vec{x}_{I}$ . We'll use  $\vec{x}|_{I}$  to return the elements of  $\vec{x} \in \mathbb{K}^{m}$  that have the indexes in  $I \subseteq [m]$  while keeping track of which elements were selected. This by replacing with  $\bot$  the elements of  $\vec{x}$  whose indexes are not in I. Instead we'll use  $\vec{x}_{I}$  if we're not keeping track of which elements are selected and we want a smaller tuple, the same notation as selecting a single element.

Lastly, as we are working with circuits, the most natural definition of 'probabilistic function' is one that returns a new random variable at each invocation, like executing a probabilistic circuit and obtaining a different value each time. As this is not a function, we formally define with 'probabilistic function'  $\mathbf{f} : \check{I} \to \check{O}$  some deterministic function (here fto differentiate) with domain  $\check{I}$  and codomain the probability distributions over  $\check{O}$ . When we define  $\mathbf{f}(x) := \ldots$  we define the f(x) that calculates the distribution of that expression, and whenever we use  $\mathbf{f}(x)$  we mean  $\leftarrow f(x)$ . The intuitive description holds as long as the expression in definition of  $\mathbf{f}(x) := \ldots$  has no correlation with any random variable defined outside it, which will always be the case.

**Definition 1** (Partial Order). Given two discrete random variables  $\mathbf{a}, \mathbf{b}$ , we say  $\mathbf{a} \stackrel{d}{\leq} \mathbf{b}$  iff for all monotone predicates P we have that  $\Pr[P(\mathbf{a})] \leq \Pr[P(\mathbf{b})]$ .

In particular this is a partial order for the equivalence  $\stackrel{d}{=}$  which asks if they have the same distribution, see Lemma 16, and this partial order is preserved by the parallel composition of arrays as long as the four random variables are independent, see Lemma 17. Both those lemmas are in Subsection B.2.

**Definition 2** (Simulatability). We'll say that a probabilistic function  $\mathbf{f} : \mathbb{S}_{in} \to \mathbb{S}_{out}$  can be simulated using some probabilistic function  $\mathbf{g}$  with domain  $\mathbb{S}_{in}$  if there is a probabilistic function **Sim** such that for all  $x \in \mathbb{S}_{in}$  we have that  $\mathbf{f}(x) \stackrel{d}{=} \mathbf{Sim}(\mathbf{g}(x))$ .

To say that **f** can be simulated using **g**, we could write that  $\mathbf{g} \xrightarrow{\text{sim}} \mathbf{f}$ , or that for all  $x \in \mathbb{S}_{\text{in}}, \mathbf{g}(x) \xrightarrow{\text{sim}} \mathbf{f}(x)$ .

**Definition 3** (Simulatability From Inputs). We'll say that a probabilistic function  $\vec{\mathbf{f}}$ :  $\mathbb{S}_{in}^{i} \to \mathbb{S}_{out}^{o}$  can be simulated using the input elements  $\vec{I} \subseteq [i]$  if  $\vec{\mathbf{f}}$  can be simulated from the function  $(\vec{x} \mapsto \vec{x}_{\vec{I}})$ .

In other words,  $\vec{\mathbf{f}}$  can be simulated using the input elements  $\check{I}$  iff for all  $\vec{x}, \vec{y}$  we have that  $\vec{y}_{\check{I}} = \vec{x}_{\check{I}}$  implies  $\vec{\mathbf{f}}(\vec{x}) \stackrel{d}{=} \vec{\mathbf{f}}(\vec{y})$ , see Lemma 12 in Subsection B.1.

Note that the simulatability from the inputs uses an input domain  $\mathbb{S}_{in} \times \ldots \times \mathbb{S}_{in}$ , while the simulatability allows any kind of domain, e.g. any subset of  $\mathbb{S}_{in} \times \ldots \times \mathbb{S}_{in}$ .

**Definition 4** (Dependency Function). Given a probabilistic function  $\vec{\mathbf{f}} : \mathbb{S}_{in}^i \to \mathbb{S}_{out}^o$  we'll indicate with  $\operatorname{Dep}_{[\vec{\mathbf{f}}]}$  its dependency function: the minimal function  $Dep : \mathcal{P}([o]) \to \mathcal{P}([i])$  such that for all subsets of the outputs  $\check{O} \subseteq [o]$  the function  $\vec{\mathbf{f}}_{\check{O}}$  can be simulated using the inputs  $\check{Dep}(\check{O})$ .

Note that the dependency function always exists and it's unique (Lemma 14) and it's monotone (Lemma 15). See Subsection B.1.

### 3 Circuit and Security

In this section we'll define the circuits that our proofs operate on. In particular, like the previous papers on the expansion [BCP<sup>+</sup>20, BRT21], they are circuits without memory and we consider only the leakage once the values in the wires become stable, and so we won't consider behaviors like glitches.

We'll also report the definition of the various security notions, and the relevant reductions and relationships between them. Lastly we use those notions to define the main properties of compiler sequences, and we state the main theorem to calculate their asymptotic size increase.

#### 3.1 Circuit Type

We can parameterize the type of circuit based on the values and the gates it operates on.

**Definition 5** (Circuit Type). We define a type of circuits as the tuple  $(\mathbb{S}, \mathcal{G})$  which is identified by the two values:

- A finite set S with at least two elements, which describes the values that the circuit operates on.
- A finite enumeration  $\mathcal{G}_i$ , one for each gate, which contains the following:
  - A deterministic function  $\mathbb{S}^i \times \mathbb{S}^r \to \mathbb{S}^o$  (where i, r, o depend on the gate and are respectively the inputs, randoms, and outputs used by it.
  - A probability distributions over  $\mathbb{S}^r$  that describes the randoms used by the gate.
  - If the gate is fully leakable (it leaks its i + r inputs and randoms) or if it's leakless.

We are aware that the choice of leaking both inputs and the internally generated randoms is unusual, but it's necessary to allow the expansion to work with probabilistic gates. This is because while the random gate can have gadgets with no internal leakage, this is not always the case, and we must have a way to quantify the impact of this leakage. The most straight-forward way to do this is to allow the leakage of the randoms together with the inputs, as the two are independent, and together they completely define the output.

While our proofs are more generic, we define  $C_{\text{std},q} := C_{\mathbb{F}_q,\mathcal{G}_{\text{std}}}$  as the circuit type with the standard gates:

- 1. An addition gate  $[a, b], [] \mapsto [a + b]$ . Fully leakable.
- 2. A subtraction gate  $[a, b], [] \mapsto [a b]$ . Fully leakable.
- 3. A copy gate  $[a], [] \mapsto [a, a]$ . Fully leakable.
- 4. A multiplication  $[a, b], [] \mapsto [a \cdot b]$ . Fully leakable.
- 5. The random gate  $[], [r] \mapsto [r]$ , where the random is uniform over K. Leakless.
- 6. The constant-c gates  $[], [] \mapsto [c]$ . Leakless.

We define a circuit  $c \in C_{\mathbb{S},\mathcal{G}}$  as a stateless composition of gates  $\mathcal{G}$ , with wires that contain the values in  $\mathbb{S}$ , and we'll use the following functions describe c's behavior. For a more formal definition see Appendix A.

•  $\vec{c}_{outs} : \mathbb{S}^i \times \mathbb{S}^r \to \mathbb{S}^o$ ; the deterministic function that calculates the outputs of the circuit from its inputs and randoms.

- $\vec{c}_{\text{wires}} : \mathbb{S}^i \times \mathbb{S}^r \to \mathbb{S}^w$ ; the deterministic function that calculates the inputs and randoms of every fully-leakable gate in c, which are the leakable internal wires of c.
- $\mathbf{Rnds}_c() \in \mathbb{S}^r$ ; the probabilistic function that calculates the random needed as parameter of the circuit, with the correct distribution.
- $\operatorname{Leak}_{c}: [0,1] \to \mathcal{P}([w])$ ; the probabilistic function that maps the leakage probability of a single wire to a description of which of the leakable wires are leaking.
- $\operatorname{Gates}(c) \in \mathbb{N}^{|\mathcal{G}|}$ ; the vectorial function that for each gate returns how many gates of that type are in the circuit. This means that  $\|\operatorname{Gates}(c)\|_1$  is the total number of gates in c, where  $\|\cdot\|_1$  is the p-norm with p = 1.

For simplicity and compactness, we'll also define  $\vec{\mathbf{c}}_{outs}(\vec{x}) := \vec{c}_{outs}(\vec{x}, \mathbf{Rnds}_c()), \vec{\mathbf{c}}_{wires}(\vec{x}) := \vec{c}_{wires}(\vec{x}, \mathbf{Rnds}_c()), \vec{\mathbf{c}}_{all}(\vec{x}, \vec{r}) := \vec{c}_{wires}(\vec{x}, \vec{r}) \parallel \vec{c}_{outs}(\vec{x}, \vec{r}), \vec{\mathbf{c}}_{all}(\vec{x}) := \vec{c}_{all}(\vec{x}, \mathbf{Rnds}_c()), \text{ and } \parallel c \parallel := \parallel \mathbf{Gates}(c) \parallel_{\mathbf{r}}.$ 

Note that the function  $\mathbf{Leak}_c$  is monotone. More accurately, given any circuit c and any leakage probability  $p, p' \in [0, 1]$ , Lemma 18 shows that that:

$$p \leq p' \implies \check{\mathbf{Leak}}_c(p) \stackrel{a}{\leq} \check{\mathbf{Leak}}_c(p')$$

#### 3.2 Encoding

All the circuits we consider will have an associated encoding.

**Definition 6** (Encoding). We define an encoding E as a pair of:

- A probabilistic function to encode  $E.\vec{Enc} : \mathbb{D}_{\ell} \to \mathbb{S}_{out}^{\ell'}$  with  $\mathbb{D}_{\ell} \subseteq \mathbb{S}_{in}^{\ell}$ , such that it returns a new encoding for its parameter, for some tuples  $(\ell, \ell')$ . Given a set  $\check{U} \subseteq \mathbb{D}_{\ell}$ , we write with  $E.\vec{Enc}[\check{U}]$  the union of the supports of  $E.\vec{Enc}$  for every input in the set  $\check{U}$ , i.e. the set of the valid encodings of  $\check{U}$ .
- A deterministic function to decode  $E.\vec{\text{Dec}}: E.\vec{\text{Enc}}[\mathbb{D}_{\ell}] \to \mathbb{D}_{\ell}$  that maps each valid encoding to the value it represents, and it must be such that  $E.\vec{\text{Dec}} \circ E.\vec{\text{Enc}}$  is the identity function.

We can also define the composition of encodings: Given a pair of encodings C, D then we denote with  $C \circ D$  as  $(C \circ D).$ **Enc** := C.**Enc**  $\circ D.$ **Enc**,  $(C \circ D).$ **De** $\vec{c}$  := D.**De** $\vec{c} \circ C.$ **De** $\vec{c}$ .

**Definition 7** (*n*-shares Encoding). An *n*-shares encoding is one that has  $\ell' = n \cdot \ell$  for fall  $\ell \in \mathbb{N}$ , has  $\mathbb{D}_{\ell} := \mathbb{S}_{in}^{\ell}$ , and is compatible with the concatenation of vectors:  $E.\vec{\mathbf{Enc}}(\vec{a} \parallel \vec{b}) \stackrel{d}{=} E.\vec{\mathbf{Enc}}(\vec{a}) \parallel E.\vec{\mathbf{Enc}}(\vec{b})$  and  $E.\vec{\mathbf{Dec}}(\vec{c} \parallel \vec{d}) = E.\vec{\mathbf{Dec}}(\vec{c}) \parallel E.\vec{\mathbf{Dec}}(\vec{d})$ , assuming the the number of elements in  $\vec{c}, \vec{d}$  is a multiple of *n*.

**Definition 8** (Encoding Strength). Given an *n*-shares encoding, we say that it has encoding strength k, with  $k \in \mathbb{N} \cap [0, n)$  if

- The values of  $\leq k$  shares provide no information on the virtual wires: for all  $\check{S} \subseteq [n]$  with  $|\check{S}| \leq k$ ,  $\check{\text{Dep}}_{[E, \mathbf{Enc}]}(\check{S}) = \emptyset$ .
- From the value of k shares and that of the virtual wire is possible to uniquely reconstruct the value of the missing shares so that the decoding matches the virtual wire.

An immediate implication is that the dependency function of the encoding is fully determined if an encoding has strength:

**Lemma 1.** Given an n-shares encoding E with strength k, then for all  $\check{I} \subseteq [n]$  we have that  $\check{\text{Dep}}_{[E,\vec{\text{Enc}}]}(\check{I}) = \emptyset$  if  $|\check{I}| \leq k$  and [1] otherwise.

Note that an *n*-shares encoding with strength n-1 behaves like the additive encoding while one with strength 0 doesn't really do any masking. Also note that [BCP<sup>+</sup>20] defined the RPE for the additive encoding, but their proofs only need strength n-1 to work. Additionally, the RPE can be easily generalized to any encoding strength with little change, see Subsection 4.1.

While the proof of the expansion (Theorem 2) is more generic, in most of this paper we'll use encodings with strength that operate over a finite field. In particular we'll consider the following two encodings:

- For finite field  $\mathbb{K}$ , given  $\vec{v} \in (\mathbb{K} \setminus \{0\})^n$ , we define the  $\vec{v}$ -linear encoding, with  $\mathbb{S}_{in}, \mathbb{S}_{out} := \mathbb{K}$ , such that  $\forall \vec{x} \in \mathbb{K}^n$ .  $\operatorname{Dec}(\vec{x}) := \vec{v} \cdot \vec{x}$  and with the encoding function that selects an encoding uniformly between the possible ones. They all have encoding strength of n-1. This family of encoding includes the *polynomial sharings* of [GPRV22], and the more common *additive encoding* which is the 1-linear encoding, with  $\operatorname{Dec}(x) = \sum_{i} x_i$ .
- For an irreducible polynomial  $P \in \mathbb{F}_q[x]$  with degree  $m \geq 2$  and some q power of a prime, we define the *field-extension encoding*, with  $\mathbb{S}_{in} := \mathbb{F}_{q^m}$ ,  $\mathbb{S}_{out} := \mathbb{F}_q$ , m shares, and the following deterministic encoding: as  $\mathbb{F}_{q^m}$  can be constructed from  $\mathbb{F}_q$  using P, each value of  $\mathbb{F}_{q^m}$  can be seen as a polynomial of  $\mathbb{F}_q[x]$  with degree < m, and so we define **Enc** as the function that outputs the array of coefficients of the input value. Dec is simply the inverse of **Enc**. This has encoding strength of 0.

The traditional definition of 'correct implementation' isn't suitable as we need to maintain a correspondence between the values of the virtual circuit and the values of the correct implementation even when they pass through a probabilistic sub-circuit. Not doing so will also undermine the expansion and the Random Probing Reducibility, as it'd break the abstraction between the virtual circuit and the concrete one.

**Definition 9** (Correctness). Given two circuits v, c and an *n*-shares encoding E we say that c is a *correct implementation* of v for E (or that v is the *virtual circuit* of c for E) if there is an encoding R for the randoms such that:

- The encoding R transforms the random distribution of the virtual circuit into the distribution of the implemented circuit  $\mathbf{Rnds}_c() \stackrel{d}{=} R.\mathbf{Enc}(\mathbf{Rnds}_v())$
- For all inputs  $\vec{x} \in E.\mathbf{Enc}[\mathbb{S}^i]$  and randoms  $\vec{r} \in \mathrm{supp}[\mathbf{Rnds}_c()]$  of the implemented circuit,

$$\vec{v}_{\text{outs}}(E.\vec{\text{Dec}}(\vec{x}), R.\vec{\text{Dec}}(\vec{r})) = E.\vec{\text{Dec}}(\vec{c}_{\text{outs}}(\vec{x}, \vec{r}))$$

This correctness implies that  $E.\vec{\text{Dec}} \circ \vec{\textbf{c}}_{outs} \stackrel{d}{=} \vec{\textbf{v}}_{outs} \circ E.\vec{\text{Dec}}$  (Lemma 19) and for deterministic gates it's equivalent to the more common  $E.\vec{\text{Dec}} \circ \vec{\textbf{c}}_{outs} = \vec{\textbf{v}}_{outs} \circ E.\vec{\text{Dec}}$  (Proposition 6). The property '*a* is a correct implementation of *b*' is transitive (Lemma 20), and being a correct implementation is preserved by the composition in parallel and in series (Lemma 21). See Subsection B.3.

#### 3.3 Circuit compiler

**Definition 10** (Circuit compiler). We can then define a circuit compiler as a pair of an encoding E from  $\mathbb{S}_{in} \to \mathbb{S}_{out}$  and a compilation function  $CC : \mathcal{C}_{\mathbb{S}_{in},\mathcal{G}_{in}} \to \mathcal{C}_{\mathbb{S}_{out},\mathcal{G}_{out}}$  such that for all circuits  $c \in \mathcal{C}_{\mathbb{S}_{in},\mathcal{G}_{in}}$ , the compiled circuit CC(c) must be a correct implementation of c using E.

From this definition and from Lemma 20 quickly follows that given a circuit c with an encoding D, and given a compiler (E, CC), then CC(c) has the encoding  $E \circ D$ .

Like for the encodings, given the two circuit compilers O, I such that the input circuit type of O matches the output circuit type of I, we can define the compiler  $O \circ I$  with  $(O \circ I).E := O.E \circ I.E$  and  $(O \circ I).CC := O.CC \circ I.CC$ . This is a circuit compiler as the correctness property is proven by Lemma 20.

**Definition 11** (Circuit Complexity Matrix). Like in [BCP<sup>+</sup>20], we can define the circuit complexity matrix of a compiler C (if it exists) as the matrix  $M_C$  such that for all circuits c,  $Gates(C.CC(c)) = M_C \cdot Gates(c)$ .

This implies that if  $M_O, M_I$  are the circuit complexity matrices of the compilers O, Ithen  $M_{O \circ I} = M_O M_I$ .

**Definition 12** (Gadgets). Given an encoding E with shares from  $\mathbb{S}_{in}$  to  $\mathbb{S}_{out}$ , we can then define the gadgets  $\vec{G} : \mathcal{C}_{\mathbb{S}_{in},\mathcal{G}_{in}} \to \mathcal{C}_{\mathbb{S}_{out},\mathcal{G}_{out}}$  as the sequence of  $|\mathcal{G}_{in}|$  circuits of type  $\mathcal{C}_{\mathbb{S}_{out},\mathcal{G}_{out}}$ , such that for all  $g \in [|\mathcal{G}_{in}|]$ ,  $\vec{G}_g$  is a correct implementation of g using E.

With the gadgets we can make a compiler. In particular, given the gadgets  $\vec{G}$  with encoding E we can define the function  $CC_{\vec{G}}$  that substitutes every gate g with the circuit  $\vec{G}_g$ . Then the tuple  $C := (E, CC_{\vec{G}})$  is a compiler, see Lemma 22. The circuit complexity matrix of this compiler exists, and if  $\vec{G}$  has  $\ell$  elements we have

$$M_C := \left[ \begin{array}{c} \operatorname{Gates}(\vec{G}_1) \mid \operatorname{Gates}(\vec{G}_2) \mid \cdots \mid \operatorname{Gates}(\vec{G}_\ell) \end{array} 
ight]$$

#### 3.4 Circuit Security

To define the security of a circuit we first describe the adversaries from [DDF14, PGMP19]:

**Definition 13** ( $\delta$ -noisy adversary). Given a  $\delta \in [0, 1]$  we define a  $\delta$ -noisy adversary on  $\mathbb{S}^{\ell}$  a machine  $\mathcal{A}$  that plays the following game against an oracle that knows  $\vec{x} \in \mathbb{S}$ :

- 1.  $\mathcal{A}$  specifies a sequence of  $\ell$  functions **Noise** such that every **Noise**<sub>i</sub> is  $\delta$ -noisy, where a function **f** is  $\delta$ -noisy if the statistical distance between uniform distribution X and the conditional distribution  $X|\mathbf{f}(X)$  is  $\leq \delta$ . See [PGMP19] for more on what they call  $\delta$ -SD-noisy functions.
- 2.  $\mathcal{A}$  receives  $\operatorname{Noise}_1(\vec{x}_1) \parallel \ldots \parallel \operatorname{Noise}_\ell(\vec{x}_\ell)$  and outputs some value  $\operatorname{out}_{\mathcal{A}}(\vec{x})$ .

**Definition 14** (*p*-random probing adversary). Given a  $p \in [0, 1]$  we define a *p*-random probing adversary on  $\mathbb{S}^{\ell}$  a machine  $\mathcal{A}$  that plays the following game against an oracle that knows  $\vec{x} \in \mathbb{S}$ :

- 1.  $\mathcal{A}$  specifies a sequence  $\vec{p} \in [0, p]^{\ell}$ .
- 2.  $\mathcal{A}$  receives  $(\mathbf{f}_1 \parallel \ldots \parallel \mathbf{f}_{\ell})(\vec{x})$  and outputs some value  $\vec{\mathbf{out}}_{\mathcal{A}}(\vec{x})$ , where  $\mathbf{f}_i(x)$  returns x with probability  $\vec{p}_i$ , and it returns  $\perp$  with probability  $1 \vec{p}_i$ .

For each  $\delta$ -noisy adversary there is an equivalent  $(\delta \cdot |\mathbb{S}|)$ -random probing adversary [DDF14], and for every *p*-random probing adversary there is an equivalent  $(p \cdot \frac{|\mathbb{S}|-1}{2})$ -noisy adversary [PGMP19].

**Definition 15** (Secure Against Adversary). Given a circuit c with encoding E such that the original circuit was defined over  $\mathbb{S}_{\text{orig}}$  and with i inputs, and given  $\varepsilon \in [0, 1]$  we'll say that c is  $\varepsilon$ -secure against a given type of adversary if for every adversary  $\mathcal{A}$  of that type, there is a random variable  $\mathbf{Sim}$  such that for all  $\vec{x} \in \mathbb{S}_{\text{orig}}^{i}$ ,

$$\operatorname{SD}\left[\vec{\operatorname{Sim}}; \vec{\operatorname{out}}_{\mathcal{A}}(\vec{\operatorname{c}}_{\operatorname{wires}}(E.E\vec{\operatorname{nc}}(\vec{x})))\right] \leq \epsilon$$

From the relationship between the adversaries above, if a circuit is  $\varepsilon$ -secure against  $\delta$ -noisy adversaries, it's  $\varepsilon$ -secure against  $\frac{2\delta}{|\mathbb{S}|-1}$ -random probing adversaries, and if it's  $\varepsilon$ -secure against p-random probing adversaries, then it's  $\varepsilon$ -secure against  $\frac{p}{|\mathbb{S}|}$ -noisy adversaries.

We note that the definition of  $(p, \varepsilon)$ -RPS from [BCP<sup>+</sup>20] is equivalent to  $\varepsilon$ -secure against a *p*-random probing adversary, see Lemma 27, yet we'll use a stronger definition for the Random Probing Security as we already defined that concept and we need something stronger for the Random Probing Reducibility later.

**Definition 16** (RPS). Given a circuit  $c \in C_{\mathbb{S},\mathcal{G}}$  with encoding E, we'll say that c is  $(p, \varepsilon)$ -RPS (Random Probing Security) with  $p, \varepsilon \in [0, 1]$  if the probability that the leakage depends on any unmasked inputs is upper bounded by  $\varepsilon$ :

$$\Pr\left[\check{\operatorname{Dep}}_{\left[\vec{c}_{wires} \circ E. \vec{Enc}\right]}(\check{\mathbf{Leak}}_{c}(p)) \neq \emptyset\right] \leq \varepsilon$$

We can call p the leakage rate, while  $\varepsilon$  is essentially an upper bound on the circuit leakage, which is a measure of the guaranteed security, but the higher the  $\varepsilon$  the lower the security.

As we anticipated, if a circuit is  $(p, \varepsilon)$ -RPS, then it's  $\varepsilon$ -secure against a *p*-random probing adversary (see Lemma 28). Additionally, we can rise the  $\varepsilon$  and lower the *p* and the circuit remain RPS (see Lemma 23), and every circuit with w > 0 internal wires is  $(\varepsilon/w, \varepsilon)$ -RPS for every  $\varepsilon \in [0, 1]$  (see Lemma 26).

We also want to note the similarity between our definition of the RPS and the security in the *t*-probing model:

**Definition 17** (*t*-Probing Security). Given a circuit c with encoding E, we'll say that c is secure in the *t*-probing model if  $\leq t$  wires don't reveal any information on any inputs:

$$\left| \boldsymbol{\breve{W}} : \left| \boldsymbol{\breve{W}} \right| \le t. \left. \tilde{\operatorname{Dep}}_{\left[ \boldsymbol{\vec{c}}_{wires} \circ E. \boldsymbol{Enc} \right]} (\boldsymbol{\breve{W}}) = \boldsymbol{\emptyset} \right|$$

1...

In particular we have the following reduction: if a circuit c with w wires is secure in the t-probing model, then it's  $(\frac{t}{2we}, 2^{-t})$ -RPS, see Proposition 7. If we apply this to the result of the most classic compilers for the t-probing model, which have a circuit size increase of  $\Theta(t^2)$  e.g. [ISW03], then the compiled circuits are  $(1/\Theta(t), 2^{-t})$ -RPS.

While the RPE of [BCP<sup>+</sup>20] is a property of a single gadget and its main theorem works by crating bigger and bigger RPE gadgets, we'll provide a property relative to a whole compiler that describes a single step of the compilation. In particular we defined it so that RPE implies the RPR, see Proposition 1.

**Definition 18** (RPR). We'll say that a compiler  $(E, CC) : C_{in} \to C_{out}$  is *e*-RPR (Random Probing Reducible) for a continuous monotone function  $e : [0, 1] \to [0, 1]$  if for all circuits  $c \in C_{in}$  and for all  $p, \varepsilon \in [0, 1]$  the circuit c is  $(e(p), \varepsilon)$ -RPS implies that CC(c) is  $(p, \varepsilon)$ -RPS.

This is meant to be interpreted as follows: a compiled circuit CC(c) with leakage p can be abstracted into a virtual circuit c with leakage e(p), and if the virtual circuit has a guaranteed security of  $\varepsilon$ , then so does the actual circuit CC(c).

We note that the RPR is preserved if the parameter function e in e-RPR is increased, see Lemma 24.

**Lemma 2** (RPR of the Composition of Compilers). Given the circuit types  $C_{\text{in}}, C_{\text{mid}}, C_{\text{out}}$ , given the compiler  $D: C_{\text{in}} \to C_{\text{mid}}$  that is  $e_D$ -RPR and given a compiler  $C: C_{\text{mid}} \to C_{\text{out}}$  that is  $e_C$ -RPR, then  $C \circ D$  is  $(e_D \circ e_C)$ -RPR.

*Proof.* We need to prove that given any circuits  $c \in C_{\text{in}}$  and any  $p, \varepsilon \in [0, 1]$  such that c is  $(e_D(e_C(p)), \varepsilon)$ -RPS, then C.CC(D.CC(c)) is  $(p, \varepsilon)$ -RPS.

We can use the definition of 'D is  $e_D$ -RPR' with the circuit c, the leakage probability  $e_C(p)$  and the circuit leakage  $\varepsilon$ . Then as c is  $(e_D(e_C(p)), \varepsilon)$ -RPS we obtain that D.CC(c) is  $(e_C(p), \varepsilon)$ -RPS.

We can use the definition of 'C is  $e_C$ -RPR' with the circuit D.CC(c), the leakage probability p and the circuit leakage  $\varepsilon$ . Then as D.CC(c) is  $(e_C(p), \varepsilon)$ -RPS, we obtain that C.CC(D.CC(c)) is  $(p, \varepsilon)$ -RPS.

**Corollary 1.** By induction with Lemma 2 we obtain that a given a sequence of compilers C such that  $C_i$  is  $e_i$ -RPR, then  $C_n \circ \ldots \circ C_1$  is  $(e_1 \circ \ldots \circ e_n)$ -RPR<sup>2</sup>.

#### 3.5 Compiler Sequences

In this section we won't limit ourselves to a single expansion strategy, but we'll provide a theorem that describes the asymptotic size of a circuit compiled with  $C_i$  as  $i \to \infty$ , where C is a sequence of compilers, for example the classical expansion of [BCP<sup>+</sup>20] has  $C_i := X^i$  where X is any compiler.

**Definition 19** (Compiler Sequence). We define a compiler sequence as an infinite sequence C of circuit compilers  $C_j$  all with the same input and output circuit types and leakages.

This section's theorem can be seen as an extension of the results of [BCP+20], and it uses three properties that are an extension of properties found in [BCP+20] see Subsection 5.2 for more details on their relationship.

**Definition 20** (Tolerated Leakage). We say that P is a tolerated leakage for a compiler sequence C if there is a sequence e such that  $C_j$  is  $e_j$ -RPR and such that  $e_m(P) \to 0$  as  $m \to \infty$ .

In other words the more the parameter m is increased, the more the leakage of the virtual circuit goes to 0, and this happens for all  $p \leq P$  due to the monotonicity of all e.

**Definition 21** (Size Amplification Order). We say that  $\lambda$  is a size amplification order of a compiler sequence C if the increase in circuit size (measured with the 1-norm of the circuit complexity matrix) is  $\|M_{C_m}\|_1 = \mathcal{O}(\lambda^m)$  as  $m \to \infty$ .

**Definition 22** (Security Amplification Order). We say that d > 1 is a security amplification order for a compiler sequence C and a tolerated leakage P if  $\log_2 e_m(P) = \Omega(d^m)$  as  $m \to \infty$  where e is the e from the definition of 'tolerated leakage P'.

From those two amplification orders we can derive how fast the expansion reaches the target leakage rate, this is similar to the exponent of  $[BCP^+20]$ :

**Definition 23** (Expansion Exponent). We say that  $e := \frac{\log \lambda}{\log d}$  is an expansion exponent for a compiler sequence C and a tolerated leakage P, where  $\lambda$  is a size amplification order for C and d is an security amplification order for C, P.

<sup>&</sup>lt;sup>2</sup>As the RPE implies the RPR, this contrasts with [BRTV21]'s Lemma 9, which we believe to be wrong. In particular if we call  $G^k$  the gadget of the k-th compilation. Then they define the gadget  $G^{(k)} := CC_{k-1} \circ \ldots \circ CC_1(G^k)$  i.e.  $G^{(k)} = CC_{G^{(k-1)}}(G^k)$ . This 'i.e.' doesn't hold, which undermines their proof. The core reason is that given two groups of gadgets  $b, b', CC_b \circ CC_{b'} = CC_{CC_b \circ b'}$ , which can be easily proven with the associativity of the operation of substituting a leaf of a tree with a sub-tree. In practice, the right side of the 'i.e.' for k = 3 is  $G^{(3)} = CC_{CC_G^{(1)}}(G^3)$  which, as explained, means that  $G^{(3)} = (CC_{G^1} \circ CC_{G^2})(G^3) = (CC_1 \circ CC_2)(G^3)$ . This is not the definition  $G^{(3)} = (CC_2 \circ CC_1)(G^3)$ .

We can now consider a circuit parameterized in its security level, and we can analyse the asymptotic size increase in case we compile it to reach a constant tolerated leakage.

**Theorem 1** (Complexity of Compiler Sequences). Given a compiler sequence  $C: C_{\text{in}} \to C_{\text{out}}$ , given a circuit  $c_{\kappa} \in C_{\text{in}}$  parametric in its security level, i.e. such that  $c_{\kappa}$  is  $(2^{-p(\kappa)}, 2^{-\kappa})$ -RPS for some  $p: (0, \infty) \to (0, \infty)$ ; then there is a function  $n: (0, \infty) \to \mathbb{N}$  that calculates which compiler in C to use, such that the compiled circuit  $c'_{\kappa} := C_{n(\kappa)}.CC(c_{\kappa})$  satisfies the following properties:

- For all  $\kappa > 0$ , the circuit  $c'_{\kappa}$  is  $(P, 2^{-\kappa})$ -RPS.
- As  $\kappa \to \infty$ ,  $\|c'_{\kappa}\| = \mathcal{O}(\|c_{\kappa}\| p(\kappa)^e)$

This where P is a tolerated leakage of C, and e is a expansion exponent of C, P.

The proof of this theorem is in Subsection C.3, and it has a few immediate consequences. The first follows immediately from Theorem 1 and the security reductions from Subsection 3.4:

Corollary 2. Theorem 1 is true also with point 1 substituted with:

1 For all  $\kappa > 0$ , the circuit  $c'_{\kappa}$  is  $2^{-\kappa}$ -secure against a  $P/|\mathbb{K}_{out}|$ -noisy adversary.

We can then use a fixed input circuit and use Lemma 26 to obtain the security guarantee for it:

**Corollary 3.** If we apply Corollary 2 to a fixed input circuit c, then the compiled circuit size is

$$\left\|c_{\kappa}'\right\| = \mathcal{O}\left(\kappa^{e}\right)$$

Note that the expression  $\|c'_{\kappa}\| = \mathcal{O}(\kappa^e)$  in Corollary 3 is supposed to mirror [BCP<sup>+</sup>20]'s expression 12:  $\|c'_{\kappa}\| = \mathcal{O}(\|c\| \kappa^e)$ . Those are equal because in our case  $\|c\|$  is constant by hypothesis, while in theirs we can only assume<sup>3</sup> they use a fixed c.

Lastly, instead of using Corollary 2 with a fixed circuit, we can apply it to the input circuit  $c_{\kappa}$  obtained as the output of a  $\kappa$ -probing secure compiler. All we need to use is Proposition 7 to obtain an RPS guarantee from the  $\kappa$ -probing security property.

**Corollary 4.** If we apply Corollary 2 to an input circuit  $c_{\kappa}$  obtained from a  $\kappa$ -probing secure polynomial compiler, then the compiled circuit size is

$$\|c_{\kappa}'\| = \mathcal{O}\left(\|c_{\kappa}\|\log(\kappa)^e\right)$$

In other words, with a polylograrithmic size increase a *t*-probing secure compiler can be made to create circuits  $2^{-t}$ -secure against a  $\delta$ -noisy adversary, where the constant  $\delta$  and the exponent of the logarithm depend on the compiler sequence.

### 4 Calculating the RPR

In this section we'll first report the definition of RPE from  $[BCP^+20]$ , in particular we'll give a single generic definition for a *i*-to-*o* gate instead of the two definitions for 2-to-1 and 1-to-2 gates, this to better compare it to our more generic properties. We'll then provide the definition of the ERPE property such that if all the gadgets of a compiler are (t, e)-ERPE, then the compiler is *e*-RPR (Theorem 2). This definition was tailored to that theorem to highlight the requirements for the expansion, so the result is quite different from the RPE. For this reason we show that the (t, e)-RPE implies the (t, e)-ERPE.

<sup>&</sup>lt;sup>3</sup>It's not clear if they mean a fixed c or  $||c|| \to \infty$ , but they calculate their 'security expansion' using the RPE, and by their Corollary 1, a set of (t, f)-RPE gadgets leads to a  $(p, 2f^k(p))$ -RPS compiler. By definition that means that given a circuit c, the compiled circuit is  $(p, 2 ||c|| f^k(p))$ -RPS. This means that to reach a security level of  $\kappa$  they need to satisfy  $2 ||c|| f^k(p) \le 2^{-\kappa}$  and not  $f^k(p) \le 2^{-\kappa}$ . This undermines their expression 12 if  $||c|| \to \infty$ .

#### 4.1 RPE

Before reporting the definition of RPE from [BCP<sup>+</sup>20], we'll first give a helper definition that captures the relationship between J and J' as used in [BCP<sup>+</sup>20]'s RPE. In particular, the RPE uses the RPE (t, n - 1)-normalization for n shares, as the additive encoding has strength n - 1. As noted in Subsection 3.2, the RPE can be extended to any encoding with strength k, and this by using the RPE (t, k)-normalization instead of the RPE (t, n - 1)-normalization.

**Definition 24** (RPE (t, k)-normalization). Calling *n* the number of shares, given  $\check{J} \subseteq [n \cdot o]$ , we'll say that a  $\check{J}' \subseteq [n \cdot o]$  is an RPE (t, k)-normalization of  $\check{J}$  (with  $t \leq k < n$ ) if all the blocks of shares with  $\leq t$  shares are the same between  $\check{J}$  and  $\check{J}'$ , while each block with with > t shares is substituted with some set of k shares. Formally (with  $\check{s}(i)$  the set of all the shares of the virtual wire i) we need that for all outputs  $i \in [o]$ :

 $\breve{J}' \cap \breve{s}(i) = \begin{cases} \breve{J} \cap \breve{s}(i) & \text{if } \left| \breve{J} \cap \breve{s}(i) \right| \le t \\ \breve{z} \text{ for some } \breve{z} : |\breve{z}| = k & \text{otherwise} \end{cases}$ 

We'll now provide the definition of RPE from  $[BCP^+20]$ , but extended to any *i*-to-*o* gate. We have split their  $Sim_1^G$  (which returns two results) in the two functions O' and I, while their  $Sim_2^G$  is implicit in the notion of simulatability. We also extend it to support any encoding with strength. Lastly, we add a few requirements on the *e* of the *e*-RPE that are only present for the formal proof.

**Definition 25** (RPE). Given a gadget  $G \in C_{\mathbb{S}_{out},\mathcal{G}_{out}}$  (with w internal wires) a correct implementation for a fully-leakable deterministic gate  $g \in C_{\mathbb{S}_{in},\mathcal{G}_{in}}$  (with i inputs and o outputs) using the *n*-shares encoding E with strength k, and given a monotone and continuous function  $e : [0,1] \to [0,1]$ , we say that G is (t,e)-RPE (Random Probing Expandability) with  $t \in \mathbb{N} \cap [0,k]$  if there are the deterministic functions  $\check{O}', \check{I}$  such that for all subsets of output wires  $\check{O} \subseteq [n \cdot o]$ ,

0 We define the input failure events  $\check{F}(\check{O},\check{W}) \subseteq [i]$ , and the failure of an input happens if the simulation needs more than t shares. More formally, for  $j \in [i]$ 

$$j \in \breve{F}(\breve{O},\breve{W}) \iff \left| \breve{I}(\breve{O},\breve{W}) \cap \breve{s}(j) \right| > t$$

where  $\check{I}(\cdot, \cdot) \subseteq [n \cdot i]$  are the input dependencies, and  $\check{s}(j)$  are the shares of j.

- 1 For every subset of the internal wires  $\breve{W} \subseteq [w]$ , the function  $\vec{x} \mapsto \vec{\mathbf{G}}_{\mathrm{all}}(\vec{x})_{\breve{W} \parallel \breve{O}'(\breve{O},\breve{W})}$ can be simulated using the inputs  $\breve{I}(\breve{O},\breve{W})$ .
- 2 For all subsets of internal wires  $\breve{W} \subseteq [w]$ , the outputs  $\breve{O}'(\breve{O},\breve{W})$  that the simulation is actually providing are an RPE (t, k)-normalization of  $\breve{O}$ .
- 3 For every leakage probability vector  $p \in [0, 1]$ , the failure events must have the probability distribution  $\check{F}(\check{O}, \check{\operatorname{Leak}}_G(p)) \stackrel{d}{=} \check{\operatorname{Leak}}_q(e(p))$

We define the following two properties roughly equivalent to those from  $[BCP^+20]$  and which can be calculated with a tool like VRAPS:

**Definition 26** (RPE-Tolerated Leakage). We say that P is a *t*-RPE-tolerated leakage of some gadget G if there is an e such that G is (t, e)-RPE, and for all  $p \in (0, P]$  we have that e(p) < p.

**Definition 27** (RPE-amplification order). We say that d is a t-RPE-amplification order of some gadget G if there is an e such that G is (t, e)-RPE, and  $e(p) = \Theta(p^d)$ .

#### 4.2 **ERPE**

As we anticipated in the introduction, instead of the RPE we use the more generic ERPE, which allows us to handle generic probabilistic gates. Also note that the ERPE is defined for generic circuits and not only gates, and it's defined so that it's preserved by composition.

**Definition 28** (ERPE). Given a generic circuit  $c \in C_{S_{out},G_{out}}$  (with w internal wires) a correct implementation of a circuit  $c' \in C_{S_{in},G_{in}}$  (with i inputs, o outputs) using the n-shares encoding E with strength k and the encoding of the randoms R, given a continuous and monotone function  $e : [0,1] \to [0,1]$ , and a  $t \in [0,k] \cap \mathbb{N}$ , we say that c is (t,e)-ERPE (Extended Random Probing Expandability) of c' if there is a function for the input dependencies  $\check{I}_c$ , a function for the outputs actually simulated  $\check{O}_c$ , and a function for the dependencies on the virtual wires  $\check{W}'_c$  such that

- 1. For all leakage rates  $p \in [0, 1]$ , for all subsets of output  $\check{O} \in [n \cdot o]$ , the distribution of virtual wires is the same for all  $\check{O}$  (i.e.  $\check{W}'_c(\check{O}, \mathbf{Leak}_c(p)) \stackrel{d}{=} \check{W}'_c(\emptyset, \mathbf{Leak}_c(p))$ ) and it's upper bounded by the leakage e(p) (i.e.  $\check{W}'_c(\emptyset, \mathbf{Leak}_c(p)) \stackrel{d}{\leq} \mathbf{Leak}_{c'}(e(p))$ ).
- 2. For every subset of the internal wires  $\breve{W} \subseteq [w]$ , for all possible combinations of outputs to simulate  $\breve{O} \in [n \cdot o]$ , for all the possible inputs actually provided  $\breve{I}$  that are an RPE (t, k)-normalization of  $\breve{I}_c(\breve{O}, \breve{W})$ , the outputs actually simulated must be  $\breve{O}_c(\breve{O}, \breve{W}, \breve{I})$ an RPE (t, k)-normalization of  $\breve{O}$ , and they together with  $\breve{W}$  can simulated from the inputs  $\breve{I}$  and virtual wires  $\breve{W}'_c(\breve{O}, \breve{W})$ : for all inputs  $\vec{x} \in E.\mathbf{Enc}[\mathbb{S}^i_{\mathrm{in}}]$  and for all the virtual randoms  $\vec{r'} \in \mathrm{supp}[\mathbf{Rnds}_{c'}()]$

$$\vec{x}_{\breve{I}} \parallel \vec{c'}_{\text{wires}}(E.\vec{\text{Dec}}(\vec{x}), \vec{r'})_{\breve{W}'_c(\breve{O}, \breve{W})} \xrightarrow{\text{sim}} \vec{c}_{\text{all}}(\vec{x}, R.\vec{\text{Enc}}(\vec{r'}))_{\breve{W} \parallel \breve{O}_c(\breve{O}, \breve{W}, \breve{I})}$$



**Figure 1:** The structure of the ERPE property. On the left side the wires, and on the right side their values. In gray the entities of the virtual circuit c'.

In Figure 1 we represent a compact scheme of the relationships within the ERPE, in particular, the composition in series is equivalent to stacking two copies of this scheme on top of each other, while in case of multiple compilations we stack them in depth, roughly by substituting the exact calculation of  $\vec{c'}_{all}$  with the other simulator.

We will now enunciate the main theorem for the expansion, its proof is in Appendix D

**Theorem 2** (ERPE to RPR). Given the gadgets  $\vec{G}$  for an n-shares encoding E, such that for all input gates g the gadget  $\vec{G}_g$  is (t, e)-ERPE of g, then the compiler  $(E, CC_{\vec{G}})$  is e-RPR.

We will show in Lemma 25 that the (t, e)-ERPE is preserved by increasing e.

A special consideration can be given to leakless gadgets for leakless gates, as the (t, e)-ERPE property only uses the input-output behavior of the gadget and it's independent from e. From the definition of ERPE we have the following immediate necessary and sufficient condition:

**Lemma 3** (Leakless ERPE). Given a leakless circuit  $c \in C_{S_{out},G_{out}}$  a correct implementation of a leakless circuit  $c' \in C_{S_{in},G_{in}}$  using the n-shares encoding E with strength k and the encoding of the randoms R, where c' has i inputs, o outputs, given a continuous and monotone function  $e : [0,1] \to [0,1]$ , and a  $t \in [0,k] \cap \mathbb{N}$ , then c is (t,e)-ERPE of c' iff for all combinations of the required output wires  $\check{O} \in [n \cdot o]$ , there is a combination of possible inputs  $\check{I} \in [n \cdot i]$  such that for all the inputs actually provided  $\check{I}'$  an RPE (t,k)normalization of  $\check{I}$  there is a set of outputs actually provided  $\check{O}'$  an RPE (t,k)-normalization of  $\check{O}$  such for all inputs  $\vec{x} \in E.\tilde{\mathbf{Enc}}[\mathbb{S}^i_{in}]$  and for all virtual randoms  $\vec{r'} \in \mathrm{supp}[\mathbf{Rnds}_{c'}()]$ we must have that  $\vec{x}_{\check{I}'} \xrightarrow{\mathrm{sim}} \vec{c}_{\mathrm{outs}}(\vec{x}, R.\tilde{\mathbf{Enc}}(\vec{r'}))_{\check{O}'}$ .

This lemma has the following immediate implication:

**Corollary 5** (Constant Gate). Any n-shares correct and leakless implementation of a leakless gate (with no inputs and no randoms) for an encoding of strength k is (t, e)-ERPE for any  $t \in [0, k] \cap \mathbb{N}$ , and for any continuous and monotone function  $e : [0, 1] \rightarrow [0, 1]$ .

#### 4.3 From RPE to RPR

We can first define a simple variation of the RPE as we need it in a proof later:

**Definition 29** (wRPE). We define the (t, e)-wRPE (Weak RPE) as property that is identical to the RPE except that the item 3 has the  $\stackrel{d}{\leq}$  instead of the  $\stackrel{d}{=}$ , and it also asks that the probability distribution of the failure events  $\check{F}(\check{O}, \mathbf{Leak}_G(p))$  is the same for all  $\check{O}$ .

Then we have the following implications that we'll prove in Subsection E.1.

**Proposition 1.** The (t, e)-RPE implies the (t, e)-wRPE which implies the (t, e)-ERPE.

Instead of showing that the random gadget with n randoms from [BCP+20, BRT21] is  $(t, \cdot)$ -ERPE, we will prove in Subsection E.1 the more general proposition:

**Proposition 2** (Additive Random Gadgets). For the n-shares additive encoding, given a  $t \in [0, n-1] \cap \mathbb{N}$ , and any continuous monotone  $e : [0,1] \to [0,1]$ , we consider the gadget obtained by a parallel of at least t + 1 random gates and the remaining to reach n are constant-0 gates. This gadget is (t, e)-ERPE for the random gate.

With this we can obtain the following result that links our paper with [BCP+20], which can be derived from the last two propositions, Lemma 25, and Theorem 2:

**Theorem 3** (RPE to RPR). Given a gadget-based compiler from the framework of  $[BCP^+20]$  (i.e. additive encoding over circuits  $C_{std,q}$ ) whose *i*-th gate of types (addition, subtraction, copy, multiplication) has a gadget that is  $(t, e_i)$ -RPE, with any leakless constantc gadget, and any random gadget from Proposition 2, then that compiler is e-RPR with  $e := \max e_i$ .

### 5 Calculating the Properties of Compiler Sequences

In order to provide the main compiler we need to analyze what happens to the security amplification order, to the size amplification order and to the tolerated leakage when we compose compilers and compiler sequences. We also need to know how to calculate them from the properties of compilers of [BCP<sup>+</sup>20], which we formalized here with the circuit complexity matrix, the RPE-amplification order, the RPE-tolerated leakage.

#### 5.1 Composition of Compiler Sequences

We'll first analyze the size amplification order by adding a compiler before and after the main compiler sequence. Note that any constant composition of compilers is itself a compiler. The proofs of this section are in Subsection E.2.

**Lemma 4** (Size Amplification Order). Given a compiler sequence C and given two compilers I, O such that we can define  $C'_m := O \circ C_m \circ I$  then C' has all the size amplification order of C.

Then we'll give a lemma for the security amplification order, in case we add a compiler before the main sequence.

**Lemma 5** (Single Input Compiler). Given a compiler sequence C and given a compiler I such that we can define  $C'_n := C_n \circ I$ ; if there is some l > 0 such that I is  $\mathcal{O}(x^l)$ -RPR then C' has all the tolerated leakage, security amplification order, size amplification order and expansion exponent of C.

Lastly, we give a lemma for the security amplification order, in case we add an compiler in output, which was taken from a compiler sequence so that we can obtain the following useful property.

**Lemma 6** (Fixed Output Compiler Sequence). Given a compiler sequence I and a compiler sequence O (with respectively a tolerated leakage of  $P_i$ ,  $P_o$ ; a security amplification order of  $d_i$ ,  $d_o$  for the aforementioned tolerated leakage) then there is a k such that  $C_n := O_k \circ I_n$  has a security amplification order of  $d_i$  relative to a tolerated leakage of  $P_o$ .

#### 5.2 Classic Expansion

In this section we'll analyze the classical expansion strategy from [BCP<sup>+</sup>20, BRT21], where the compiler sequence is  $C_n := X^n$ , and we calculate the three properties of compiler sequences from the properties of their gadgets. The proofs will be in Subsection E.3.

The following lemma shows that  $[BCP^+20]$ 's  $N_{max}$  (which they define as the highest module of any eigenvalue of the circuit complexity matrix  $M_X$ ) is a size amplification order.

**Lemma 7** (Size Amplification Order). Given a compiler sequence  $C_n := X^n$ , with diagonalizable circuit complexity matrices  $M_X$ , then the highest module of any eigenvalue of  $M_X$  is a size amplification order.

<sup>&</sup>lt;sup>4</sup>In [BRTV21] they use the equivalent of  $C_n := O_n \circ I_k$  instead of  $C_n := O_k \circ I_n$ , due to what we believe to be an error in their Lemma 9, see footnote 2.

We can then analyze the tolerated leakage, which is the minimum tolerated leakage of all gadgets like in [BRT21].

**Lemma 8** (Tolerated Leakage). Given a compiler sequence  $C_m := X^m$  such that X was obtained from Theorem 3, given a t and such that the *i*-th gate in (addition, multiplication, copy, subtraction) has a t-RPE-tolerated leakage  $P_i$ , then  $P := \min_i P_i$  is a tolerated leakage for C.

We can then show that for these families of compilers the security amplification order is independent of the tolerated leakage, like it's the case in [BRT21].

**Lemma 9** (Universality of security amplification order). Given a compiler sequence  $C_n := X^n$  if d is a security amplification order for some tolerated leakage, then it's a security amplification order for any tolerated leakage.

Lastly, we can show that the overall amplification order is the minimal amplification order of all the compilers, like in [BRT21].

**Lemma 10** (Security Amplification Order). Given a compiler sequence  $C_m := X^m$  such that X was obtained from Theorem 3, given a t such that the *i*-th gate in (addition, multiplication, copy, subtraction) has a t-RPE-amplification order  $d_i$ , then  $d := \min_i d_i$  is a security amplification order for C for any tolerated leakage.

### 6 Main Compiler Sequence

In this section we'll provide our main compiler sequence to make the output of a *t*-probing secure compiler tolerate a constant noise of  $2^{-7.41}/p$  with a cube-logarithmic size increase. To do that we first need to define two more compilers.

#### 6.1 Field-Extension compiler

First we'll give a pair of useful lemmas for gadgets whose encoding has strength 0. We report an immediate consequence of Lemma 3 in case of a leakless gate implemented by a leakless gadget:

**Proposition 3.** Any correct leakless implementation of a leakless gate for a strength 0 encoding is (0, e)-ERPE for any continuous and monotone function  $e : [0, 1] \rightarrow [0, 1]$ .

Then we can analyze a fully-leakable deterministic gate, proven in Subsection E.4.

**Lemma 11.** Given a gadget G (with w internal wires) for the fully-leakable deterministic gate g (with i inputs) that is correct for an n-shares encoding E with strength 0, then G is (0, e)-ERPE, with  $e(x) := \min\{1, (w \cdot x)^{1/i}\}$ .

The Field-Extension compiler we'll present here is similar to the method presented in [GJR18] to reduce the order of the field, the main difference is that they obtain  $p' = \Theta\left(\frac{p}{k \log k}\right)$ . The lack of the square for the p is due to the different leakage model, as they consider one where the inputs are bundled together: they either all leak or all don't.

**Proposition 4.** There is a  $C_{\operatorname{std},q^k} \to C_{\operatorname{std},q}$  compiler that is e-RPR with  $e(p) := \min\{1, (w \cdot p)^{1/2}\}$  where  $w := \Theta(k \log k)$  is the number of wires in the multiplication gadget, and the 1-norm of its circuit complexity matrix is  $\Theta(k \log k)$ .

*Proof.* The compiler uses the field-extension encoding, which has k shares and strength 0, and that creates an extension field  $\mathbb{F}_{q^k}$  from a field  $\mathbb{F}_q$  by using some irreducible polynomial  $P \in \mathbb{F}_q[x]$  with degree k.

This extension compiler follows the usual way to build a field of order  $q^k$  from one of order q using the same irreducible polynomial P.

We can implement the addition, subtraction, copy, random, constant-c gadgets using k gates (one per coefficient of the polynomials) of their own type, except the constant-c that uses the field-extension encoding to obtain the values of the coefficients for the k constants.

The last gadget is the multiplication, which is made of a multiplication of the two inputs polynomials followed by the rest of the division by P, and it's widely known that this can be implemented using  $\Theta(k \log k)$  gates by using the fast Fourier transform.

The correctness of these gadgets follows from the definition of the field-extension encoding and the properties of extension fields. The random and constant-c gadgets are leakless as they're made of leakless gates. Additionally, every gadget of this compiler is (0, e)-ERPE thanks to Lemma 11 and Lemma 25 for the fully leakable gates, and Proposition 3 for the leakless ones. Then we know that this compiler is e-RPR from Theorem 2 as all gadgets are (0, e)-ERPE. The size complexity is  $||M||_1 := \Theta(k \log k)$  as the complexity matrix has finite elements and the highest element is proportional to the number of wires w, which is  $\Theta(k \log k)$ .

#### 6.2 High Tolerated Leakage Compiler

**Proposition 5.** There is a  $C_{std,p} \rightarrow C_{std,p}$  compiler with expansion exponent 4.09 and tolerated leakage  $2^{-7.41}$ .

*Proof.* To prove this we'll provide the gadgets, calculate their  $(1, \cdot)$ -RPE and then we'll use Theorem 3 to obtain the RPR.

This compiler has the random gadget  $[] \mapsto [\leftarrow \mathbb{F}_p, \leftarrow \mathbb{F}_p, 0]$ , the constant-*c* gadget  $[] \mapsto [c, 0, 0]$ , and with the following gates from [BRT21], except the copy gadget has an additional refresh. We'll first report the refresh circuit, which we'll call  $\vec{\mathbf{ref}}(\vec{a})$  and it calculates  $\vec{\mathbf{c}}$  with randoms  $\vec{\mathbf{r}} := \leftarrow \mathbb{F}_p^2$ :

$$\begin{split} \vec{\mathbf{c}}_1 &:= \vec{a}_1 + \vec{\mathbf{r}}_1 \\ \vec{\mathbf{c}}_2 &:= \vec{a}_2 + \vec{\mathbf{r}}_2 \\ \vec{\mathbf{c}}_3 &:= \vec{a}_3 - (\vec{\mathbf{r}}_1 + \vec{\mathbf{r}}_2) \end{split}$$

The addition gadget is  $\vec{a}, \vec{b} \mapsto \vec{ref}(\vec{a}) + \vec{ref}(\vec{b})$ , while the subtraction gadget is  $\vec{a}, \vec{b} \mapsto \vec{ref}(\vec{a}) - \vec{ref}(\vec{b})$  and the copy gadget is  $\vec{a} \mapsto \vec{ref}(\vec{a'}), \vec{ref}(\vec{a'})$  with  $\vec{a'} := \vec{ref}(\vec{a})$ .

The multiplication gadget is  $\vec{a}, \vec{b} \mapsto \vec{c}$  with  $\vec{c}$  calculated with

$$\forall i \in [3]. \ \vec{\mathbf{b}'}_{i,\cdot} := \vec{\mathbf{ref}}(\vec{b})$$
  
$$\vec{\mathbf{a}'} := \vec{\mathbf{ref}}(\vec{a})$$
  
$$\forall i \in [3]. \ \vec{\mathbf{c}}_i := \left(\sum_k (\vec{\mathbf{a}'}_i \cdot \vec{\mathbf{b}'}_{i,k} + \vec{\mathbf{r}}_{i,k})\right) - \left(\sum_k \vec{\mathbf{r}}_{k,i}\right)$$

Which uses 4 refresh circuits and 9 additional randoms.

In Table 1 we report the 1-RPE-tolerated leakage and the 1-RPE-amplification order as calculated by VRAPS. Then Lemma 8 and Lemma 10 show that their minimal values are the tolerated leakage and the security amplification order for the classic expansion using this compiler.

In particular, the tolerated leakage is  $2^{-7.41}$ , which can be compared to [BRT21]'s  $2^{-7.50}$ , while the security amplification order is 2 which is the same as [BRT21].

**Table 1:**  $log_2$  of RPE-tolerated leakage, and the RPE-amplification order for the RPE with t := 1, calculated using the VRAPS tool

| Gadget         | $log_2$ of 1-RPE-tolerated leakage | 1-RPE-amplification order |
|----------------|------------------------------------|---------------------------|
| Addition       | -4.75                              | 2                         |
| Subtraction    | -4.75                              | 2                         |
| Multiplication | -7.41                              | 2                         |
| Сору           | -4.95                              | 2                         |

The circuit complexity matrix with the gates in the order (addition, subtraction, copy, multiplication, random, constant-0, constant-c with  $c \neq 0$ ) is

|     | [9 | 6 | 9 | 35 | 0 | 0 | 0 |
|-----|----|---|---|----|---|---|---|
|     | 2  | 5 | 3 | 5  | 0 | 0 | 0 |
|     | 4  | 4 | 9 | 29 | 0 | 0 | 0 |
| M = | 0  | 0 | 0 | 9  | 0 | 0 | 0 |
|     | 4  | 4 | 6 | 17 | 2 | 0 | 0 |
|     | 0  | 0 | 0 | 0  | 1 | 3 | 2 |
|     | 0  | 0 | 0 | 0  | 0 | 0 | 1 |

Is diagonalizable with the eigenvalues 17,3,3,9,2,3,1, and so by Lemma 7 the size amplification order is 17.

By using both amplification orders we can calculate the expansion exponent, which is  $e := \frac{\log 17}{\log 2} = 4.09$ , which can be compared to [BRT21]'s 3.9.

#### 6.3 Main Compiler Sequence

**Theorem 4.** For every prime p, and natural  $k \ge 2$ , there is a compiler sequence  $X : C_{\operatorname{std},p^k} \to C_{\operatorname{std},p}$  with expansion exponent 3 relative to a tolerated leakage  $2^{-7.41}$ .

*Proof.* We define  $X_t := H^l \circ C^t \circ E$  where E is the field-extension compiler of Proposition 4, where H is the high-tolerated leakage compiler of Proposition 5, where  $l \in \mathbb{N}$  is some constant, and where C is the parametric compiler from [BRT21] instantiated with 21 shares, except that we use our random gadget with 11 randoms instead of 21.

From Lemma 7 we know that we can take the size amplification order of  $(C^t)_t$  from [BRT21] which is  $3n^2 - 2n$  for a compiler C with n shares, and so 1281 as we use n = 21. Note that we can use a size amplification order of 1331 as by definition we can always use a higher value. Then from Lemma 10 we know that we can take the security amplification order of  $(C^t)_t$  from [BRT21] which is  $\lfloor (n+1)/2 \rfloor$  as we're using  $t := \lfloor (n-1)/2 \rfloor$ . As n = 21 we obtain that 11 is a security amplification order of  $(C^t)_t$ .

Using Proposition 5 we know that  $(H^l)_l$  has a tolerated leakage of  $2^{-7.41}$ ; and as l is a constant, we can use Lemma 4 to show that  $X_t$  has the size amplification order of 1331.

We can apply Lemma 6 to  $(H^l \circ C^t)_t$  to show that for the security amplification order 11 of  $(C^t)_t$  and the tolerated leakage  $2^{-7.41}$  of  $(H^l)_l$  there is a l (which is the one we'll use) such that  $(H^l \circ C^t)_t$  has the security amplification order 11 for the tolerated leakage  $2^{-7.41}$ . We can then apply Lemma 5 to  $X_t$  and obtain that it has the security amplification order 11 for the tolerated leakage  $2^{-7.41}$ . Paired with the size amplification order, this means that  $X_t$  has a expansion exponent of 3 relative to a tolerated leakage of  $2^{-7.41}$ .

We can apply Corollary 4 with the compiler sequence from Theorem 4 after the classical t-probing secure compiler from [ISW03] or its extension to bigger fields from [RP10]. As their complexity is  $\Theta(t^2)$ , the overall compiler creates circuits that are  $2^{-t}$ -secure against  $2^{-7.41}/p$ -noisy adversaries with an overall size  $\mathcal{O}(t^2 \log(t)^3)$ .

## A Definition of Circuit

The usual way to describe the circuit, for example in  $[BCP^+20]$ , is to define them as a graph where the nodes are the gates and the links the wires. Yet a normal graph doesn't track where each wire is connected, and so it's only meaningful for commutative gates with identical outputs. Additionally, we have the restriction that each input and output has a single wire linked to it which we'd need to codify into the graph. We need to ask that the graph is acyclic, we need two additional gate types for the circuit's overall inputs and outputs, and we need a way to assign to those additional nodes a label to distinguish which input or output of the overall circuit they represent.

We believe a more suitable structure for this specific kind of circuits, which also simplifies our proofs, is a tree that describes the circuits iteratively:

**Definition 30** (Circuit). We'll define a *circuit*  $c \in C_{S,G}$  as either

- An index of a gate in  $\mathcal{G}$ .
- Parallel composition of two smaller circuits  $c := c' \parallel c''$ .
- Serial composition of two smaller circuits  $c := c_o \circ c_i$ , as long as the number of inputs of  $c_o$  matches that of the outputs of  $c_i$ .
- The identity circuit, which outputs its single input.
- The swap circuit, which swaps its two inputs.

Where the identity and swap circuits are just for reshuffling the wires, to ensure that this formalism can represent all the circuits that can be defined as a graph of gates.

Given a circuit  $c \in C_{S,G}$ , we can now give the formal definitions of  $\vec{c}_{outs}$ ,  $\vec{c}_{wires}$ ,  $\mathbf{Rnds}_c()$ , Leak<sub>c</sub> and  $\mathbf{Gates}(c)$ , and we'll do so iteratively based on c:

- If c is the g-th gate, then  $\vec{c}_{outs}$  is the function that defines the gate. If it's leakless then  $\vec{c}_{wires}(\vec{x}, \vec{r}) := []$  otherwise  $\vec{c}_{wires}(\vec{x}, \vec{r}) := \vec{x} \parallel \vec{r}, \mathbf{Rnds}_c()$  draws a value from the probability distribution in the description of the gate. We can then define  $\mathrm{Gates}(c)_g := 1$  and  $\mathrm{Gates}(c)_{\neq g} := \vec{0}$ . Lastly, given  $\mathbf{v}$  a result of  $\mathrm{Leak}_c(p)$  we have that for all j the probability of  $j \in \mathbf{v}$  is p and they are independent.
- If c is an identity circuit, then  $\vec{c}_{outs}([a]) = [a]$ ,  $\mathbf{Rnds}_c() := []$ ,  $\mathbf{Gates}(c) := \vec{0}$ .  $\vec{c}_{wires}(\vec{x}, \vec{r}) := []$ ,  $\mathbf{Leak}_c(p) := \emptyset$ .
- If c is a swap circuit, then  $\vec{c}_{outs}([a,b]) = [b,a]$ ,  $\mathbf{Rnds}_c() := []$ ,  $\mathbf{Gates}(c) := \vec{0}$ .  $\vec{c}_{wires}(\vec{x},\vec{r}) := []$ ,  $\mathbf{Leak}_c(p) := \emptyset$ .
- If c is a parallel  $c' \parallel c''$ , then  $\mathbf{Rnds}_c() := \mathbf{Rnds}_{c'}() \parallel \mathbf{Rnds}_{c''}()$ ,  $\mathbf{Gates}(c) := \mathbf{Gates}(c') + \mathbf{Gates}(c'')$ ,  $\mathbf{Leak}_c(p) := \mathbf{Leak}_{c'}(p) \parallel \mathbf{Leak}_{c''}(p)$ , and

$$\begin{aligned} \vec{c}_{\text{outs}}(\vec{x'} \parallel \vec{x''}, \vec{r'} \parallel \vec{r''}) &:= \vec{c'}_{\text{outs}}(\vec{x'}, \vec{r'}) \parallel \vec{c''}_{\text{outs}}(\vec{x''}, \vec{r''}) \\ \vec{c}_{\text{wires}}(\vec{x'} \parallel \vec{x''}, \vec{r'} \parallel \vec{r''}) &:= \vec{c'}_{\text{wires}}(\vec{x'}, \vec{r'}) \parallel \vec{c''}_{\text{wires}}(\vec{x''}, \vec{r''}) \end{aligned}$$

• If c is a series  $c'' \circ c'$ , then  $\mathbf{Rnds}_c() := \mathbf{Rnds}_{c'}() \parallel \mathbf{Rnds}_{c''}()$ ,  $\mathbf{Gates}(c) := \mathbf{Gates}(c') + \mathbf{Gates}(c'')$ ,  $\mathbf{Leak}_c(p) := \mathbf{Leak}_{c'}(p) \parallel \mathbf{Leak}_{c''}(p)$ , and

$$\vec{c}_{\text{outs}}(\vec{x}, \vec{r'} \parallel \vec{r''}) := \vec{c'}_{\text{outs}}(\vec{c'}_{\text{outs}}(\vec{x}, \vec{r'}), \vec{r''})$$
$$\vec{c}_{\text{wires}}(\vec{x}, \vec{r'} \parallel \vec{r''}) := \vec{c'}_{\text{wires}}(\vec{x}, \vec{r'}) \parallel \vec{c''}_{\text{wires}}(\vec{c'}_{\text{outs}}(\vec{x}, \vec{r'}), \vec{r''})$$

### **B** Lemmas for Fundamental Concepts

We'll prove here various lemmas for the properties of the simulatability, of the dependency functions, of the partial order, etc, that we need in this paper.

#### **B.1** Simulatability and Dependency Functions

**Lemma 12** (Simulatability from the Inputs). The probabilistic vectorial function  $\vec{\mathbf{f}} : \mathbb{S}_{in}^i \to \mathbb{S}_{out}^o$  can be simulated using the input elements  $\breve{I} \subseteq [i]$  iff for all  $\vec{x}, \vec{y} \in \mathbb{S}_{in}^i, \ \vec{y}_{\breve{I}} = \vec{x}_{\breve{I}}$  implies  $\vec{\mathbf{f}}(\vec{x}) \stackrel{d}{=} \vec{\mathbf{f}}(\vec{y})$ .

*Proof.* By definition,  $\vec{\mathbf{f}}$  can be simulated using the input elements  $\vec{I}$  iff  $\vec{\mathbf{f}}$  can be simulated from  $(\vec{x} \mapsto \vec{x}_{\check{I}})$ , i.e. iff there is a  $\mathbf{Sim} : \mathbb{S}_{\mathrm{in}}^{|\check{I}|} \to \mathbb{S}_{\mathrm{out}}^{o}$  such that  $\vec{x} \in \mathbb{S}_{\mathrm{in}}^{i}$ ,  $\vec{\mathbf{f}}(x) \stackrel{d}{=} \mathbf{Sim}(\vec{x}_{\check{I}})$ .

This implies that for every  $\vec{x}, \vec{y} \in \mathbb{S}_{in}^i, \vec{y}_{\check{I}} = \vec{x}_{\check{I}} \implies \vec{\mathbf{f}}(\vec{x}) \stackrel{d}{=} \mathbf{Sim}(\vec{x}_{\check{I}}) \stackrel{d}{=} \mathbf{Sim}(\vec{y}_{\check{I}}) \stackrel{d}{=} \vec{\mathbf{f}}(\vec{y}).$ 

For the opposite implication we have that  $\vec{x}, \vec{y} \in \mathbb{S}_{in}^i, \ \vec{y}_{\tilde{I}} = \vec{x}_{\tilde{I}} \implies \vec{\mathbf{f}}(\vec{x}) \stackrel{d}{=} \vec{\mathbf{f}}(\vec{y})$ . This implies that for every  $\vec{c} \in \mathbb{S}_{in}^{|\tilde{I}|}$  all  $\vec{\mathbf{f}}(\vec{x})$  with  $\vec{x}_{\tilde{I}} = \vec{c}$  have all the same probability distribution. This means that there is a **Sim** such that  $\vec{x} \in \mathbb{S}_{in}^i, \ \vec{\mathbf{f}}(x) \stackrel{d}{=} \mathbf{Sim}(\vec{x}_{\tilde{I}})$ .  $\Box$ 

**Lemma 13** (Multiple Simulatability). Given a probabilistic vectorial function  $\vec{\mathbf{f}} : \mathbb{S}_{in}^i \to \mathbb{S}_{out}^o$ , if it can be simulated from the inputs  $\check{I}$ , and it can also be simulated from the inputs  $\check{I}'$ , then it can be simulated from the inputs  $\check{I} \cap \check{I}'$ .

*Proof.* This was proven in [BBP<sup>+</sup>16] as their Lemma 7.5. We could prove it using the equivalence relationship  $\vec{x} \sim_{\vec{I}} \vec{y} \iff \vec{x}_{\vec{I}} = \vec{y}_{\vec{I}}$ , and so from Lemma 12 we have that  $\vec{f}$  can simulated from the inputs I iff  $\vec{x} \sim_{\vec{I}} \vec{y} \implies \vec{f}(\vec{x}) \stackrel{d}{=} \vec{f}(\vec{y})$ . Then it's a matter of showing that  $\vec{y} \sim_{\vec{I} \cap \vec{I}'} \vec{y'}$  means that there are  $\vec{x}, \vec{x'}, \vec{m}$  such that  $\vec{y} \sim_{\vec{I}} \vec{x} \sim_{\vec{I}} \vec{m} \sim_{\vec{I}'} \vec{x'} \sim_{\vec{I}} \vec{y'}$ . Note that this only works because the domain  $\mathbb{S}_{in}^i$  allows every element to take values independent from the values of the other elements.

**Lemma 14** (Dependency Function). Given a probabilistic vectorial function  $f : \mathbb{S}_{in}^i \to \mathbb{S}_{out}^o$ , its dependency function always exist and is unique.

*Proof.* The dependency function exists if for every subset of the outputs there is the minimal subset of inputs that allow to simulate those outputs. Thanks to Lemma 13 those subsets of the inputs create a finite meet-semilattice and so there is a single global minimum.  $\Box$ 

Lemma 15 (Monotonicity). All the dependency functions are monotone.

*Proof.* Given a  $\mathbf{f} : \mathbb{S}_{in}^i \to \mathbb{S}_{out}^o$ , we define  $\check{Dep}(\check{O}) := \bigcap_{\check{O}' \supseteq \check{O}} \check{Dep}_{[\mathbf{f}]}(\check{O}')$  and by construction we have that  $\check{Dep}$  is monotone and  $\check{Dep}(\check{O}) \subseteq \check{Dep}_{[\mathbf{f}]}(\check{O})$ . Also,  $\mathbf{f}_{\check{O}}$  can be simulated using the inputs  $\check{Dep}(\check{O})$ . This is because it can be simulated using the inputs  $\check{Dep}_{[\mathbf{f}]}(\check{O}')$  for any  $\check{O}' \supseteq \check{O}$  by simulating more outputs and discarding the ones not needed. Then we can apply Lemma 13 on every possible  $\check{Dep}_{[\mathbf{f}]}(\check{O}')$  to see that it can be simulated from the inputs  $\check{Dep}(\check{O})$ . This means that  $\check{Dep} \supseteq \check{Dep}_{[\mathbf{f}]}$  as the latter is minimal by definition. All this means  $\check{Dep} = \check{Dep}_{[\mathbf{f}]}$  and that they are monotone.

#### **B.2** Partial Order of Distributions

**Lemma 16** (Partial Order). The relationship  $\stackrel{d}{\leq}$  is a partial order for the equivalence  $\stackrel{d}{=}$ .

*Proof.* The reflexivity is immediately proven, as  $\mathbf{a} \stackrel{d}{\leq} \mathbf{a}$  iff for all monotone P,  $\Pr[P(\mathbf{a})] \leq \Pr[P(\mathbf{a})]$  which is obviously true.

The transitivity is just as obvious, as given a  $\mathbf{a}, \mathbf{b}, \mathbf{c}, P$  we have that  $\Pr[P(\mathbf{a})] \leq \Pr[P(\mathbf{b})]$ and  $\Pr[P(\mathbf{b})] \leq \Pr[P(\mathbf{c})]$  imply  $\Pr[P(\mathbf{a})] \leq \Pr[P(\mathbf{c})]$ .

For the antisymmetry, we have that for all monotone  $P \Pr[P(\mathbf{a})] \leq \Pr[P(\mathbf{b})]$  and for all monotone P,  $\Pr[P(\mathbf{b})] \leq \Pr[P(\mathbf{a})]$ , mean that for all monotone P,  $\Pr[P(\mathbf{a})] = \Pr[P(\mathbf{b})]$ . As the random variables  $\mathbf{a}, \mathbf{b}$  are discrete, there is a sequence of P such that  $P_1$  is always false, and  $P_{i+1}$  was true for all the elements of  $P_i$  plus one. All this implies that for all x,  $\Pr[\mathbf{a} = x] = \Pr[\mathbf{b} = x]$  and so  $\mathbf{a} \stackrel{d}{=} \mathbf{b}$ .

**Lemma 17** (Parallel Composition). If  $\vec{\mathbf{v}} \stackrel{d}{\leq} \vec{\mathbf{V}}$  and  $\vec{\mathbf{u}} \stackrel{d}{\leq} \vec{\mathbf{U}}$ , with  $\vec{\mathbf{v}}, \vec{\mathbf{u}}, \vec{\mathbf{V}}, \vec{\mathbf{U}}$  pair-wise independent, then  $\vec{\mathbf{v}} \parallel \vec{\mathbf{u}} \stackrel{d}{\leq} \vec{\mathbf{V}} \parallel \vec{\mathbf{U}}$ 

*Proof.* To prove this, we'll prove it in two stages:  $\vec{\mathbf{v}} \parallel \vec{\mathbf{u}} \leq \vec{\mathbf{v}} \parallel \vec{\mathbf{U}}$  and  $\vec{\mathbf{v}} \parallel \vec{\mathbf{U}} \leq \vec{\mathbf{v}} \parallel \vec{\mathbf{U}}$ . We'll only write the proof of the first as the other one is basically identical.

So we prove that given a generic monotone P,  $\Pr[P(\vec{\mathbf{v}} \parallel \vec{\mathbf{u}})] \leq \Pr[P(\vec{\mathbf{v}} \parallel \vec{\mathbf{U}})]$ 

Let's call  $P_{\vec{x}}(\vec{y}) := P(\vec{x} \parallel \vec{y})$ . This is monotone, and so by hypothesis

$$\forall \vec{x}. \Pr[P_{\vec{x}}(\vec{\mathbf{u}})] \leq \Pr\left[P_{\vec{x}}(\vec{\mathbf{U}})\right]$$

This implies that  $\sum_{\vec{x}} \Pr[\vec{x} = \vec{v}] \Pr[P_{\vec{x}}(\vec{u})] \le \sum_{\vec{x}} \Pr[\vec{x} = \vec{v}] \Pr\left[P_{\vec{x}}(\vec{U})\right]$ 

As  $\vec{\mathbf{v}}$  is independent with  $\vec{\mathbf{u}}$  and  $\vec{\mathbf{U}}$ , we have that

$$\sum_{\vec{x}} \Pr[\vec{x} = \vec{\mathbf{v}} \land P(\vec{x} \parallel \vec{\mathbf{u}})] \le \sum_{\vec{x}} \Pr\left[\vec{x} = \vec{\mathbf{v}} \land P(\vec{x} \parallel \vec{\mathbf{U}})\right]$$

And so that  $\Pr[P(\vec{\mathbf{v}} \parallel \vec{\mathbf{u}})] \leq \Pr\Big[P(\vec{\mathbf{v}} \parallel \vec{\mathbf{U}})\Big]$ 

**Lemma 18** (Leaking Wires). For every circuit c and for every leakage rates  $p, p' \in [0, 1]$ ,

$$p \le p' \implies \check{\mathbf{Leak}}_c(p) \stackrel{d}{\le} \check{\mathbf{Leak}}_c(p')$$

*Proof.* First of all, if c has no leakable wire, then  $\check{\mathbf{Leak}}_c(p) := []$  making the thesis true by definition of  $\stackrel{d}{\leq}$ . Then let's first consider  $\check{\mathbf{v}}(p) \in \{\emptyset, [1]\}$  a probabilistic function that returns a random variable with Bernoulli distribution  $\Pr[\check{\mathbf{v}}(p) = [1]] = p$ .

The possible monotone predicates for  $\check{\mathbf{v}}$  are  $P(\cdot) := true, P(\cdot) := false, P(\check{a}) := (\check{a} = [1])$ . It's immediate to prove that if  $p \leq p'$  then for all monotone predicates P,

$$\Pr[P(\mathbf{\breve{v}}(p))] \le \Pr[P(\mathbf{\breve{v}}(p'))]$$

This means that  $p \leq p' \implies \breve{\mathbf{v}}(p) \leq \breve{\mathbf{v}}(p')$ . As  $\mathbf{Leak}_c(p) \stackrel{d}{=} \breve{\mathbf{v}}(p) \parallel \ldots \parallel \breve{\mathbf{v}}(p)$ , we can prove the lemma by using Lemma 17.

#### B.3 Correctness

**Lemma 19** (Necessary Condition for Correctness). If C is a correct implementation of c for E, then for every encoded input  $\vec{x} \in E.\vec{\text{Enc}}[\mathbb{S}^i]$ 

$$E.\vec{\text{Dec}}(\vec{\mathbf{C}}_{outs}(\vec{x})) \stackrel{d}{=} \vec{\mathbf{c}}_{outs}(E.\vec{\text{Dec}}(\vec{x}))$$

*Proof.* By definition  $\mathbf{Rnds}_C() \stackrel{d}{=} \mathbf{Rnds}_C()$ , and this is preserved if we apply equal functions one on each side of the  $\stackrel{d}{=}$ , so

$$\vec{c}_{outs}(E.\vec{Dec}(\vec{x}), R.\vec{Dec}(\vec{Rnds}_C())) \stackrel{d}{=} E.\vec{Dec}(\vec{C}_{outs}(\vec{x}, \vec{Rnds}_C()))$$

As by hypothesis  $\mathbf{Rnds}_{C}() \stackrel{d}{=} R.\mathbf{Enc}(\mathbf{Rnds}_{c}())$ , we can apply  $R.\mathbf{Dec}$  to each side and obtain that  $R.\mathbf{Dec}(\mathbf{Rnds}_{C}()) \stackrel{d}{=} \mathbf{Rnds}_{c}()$ , so the previous expression is equivalent to

$$\vec{\mathbf{c}}_{\mathbf{outs}}(E.\vec{\mathrm{Dec}}(\vec{x})) \stackrel{d}{=} E.\vec{\mathrm{Dec}}(\vec{\mathbf{C}}_{\mathbf{outs}}(\vec{x}))$$

**Proposition 6** (Correctness for Deterministic). Given a deterministic c, 'C is a correct implementation of c for E' is equivalent to: for every encoded input  $\vec{x} \in E.\vec{\mathbf{Enc}}[\mathbb{S}^i]$ 

$$E.\text{Dec}(\mathbf{C_{outs}}(\vec{x})) = \vec{\mathbf{c}_{outs}}(E.\text{Dec}(\vec{x}))$$

Proof. For Lemma 19, the correctness implies

$$E.\vec{\text{Dec}}(\vec{\mathbf{C}}_{outs}(\vec{x})) \stackrel{d}{=} \vec{\mathbf{c}}_{outs}(E.\vec{\text{Dec}}(\vec{x}))$$

As  $\vec{\mathbf{c}}_{outs}$  is deterministic by hypothesis, and because  $\vec{\mathbf{C}}_{outs}$  has a discrete probability distribution, the  $\stackrel{d}{=}$  implies the =.

For the opposite implication, we have by hypothesis that c is deterministic, so we can rewrite the hypothesis as: for all encoded inputs  $\vec{x}$ 

$$\vec{c}_{\text{outs}}(E.\vec{\text{Dec}}(\vec{x}), []) = E.\vec{\text{Dec}}(\vec{C}_{\text{outs}}(\vec{x}), \vec{\text{Rnds}}_C())$$

In other words, for all encoded inputs  $\vec{x}$  for all the possible values  $\vec{r}$  of the randoms of the compiled circuit

$$\vec{c}_{\text{outs}}(E.\vec{\text{Dec}}(\vec{x}), []) = E.\vec{\text{Dec}}(\vec{C}_{\text{outs}}(\vec{x}, \vec{r}))$$

We can prove the definition of correct implementation by using any encoding for the randoms such that  $\vec{\mathbf{Enc}}([]) = \mathbf{Rnds}_C()$ .

**Lemma 20** (Transitiveness of the correctness). If c'' is a correct implementation of c' (using E'), and c' is a correct implementation of c (using E), then c'' is a correct implementation of c (using  $E' \circ E$ ).

*Proof.* Let's call R' the encoding of the randoms relative to E', same for R and E, then to prove the point 1 of the definition of correct implementation we have:

$$\vec{\mathbf{Rnds}}_{c''}() \stackrel{d}{=} R'.\vec{\mathbf{Enc}}(\vec{\mathbf{Rnds}}_{c'}()) \stackrel{d}{=} R'.\vec{\mathbf{Enc}}(R.\vec{\mathbf{Enc}}(\vec{\mathbf{Rnds}}_{c}())) \stackrel{d}{=} (R' \circ R).\vec{\mathbf{Enc}}(\vec{\mathbf{Rnds}}_{c}())$$

We can then report the point 2 of the definition of 'c' is a correct implementation of c' applied with the values  $\vec{x} := E'.\vec{\text{Dec}}(\vec{x})$  and  $\vec{r} := R'.\vec{\text{Dec}}(\vec{r})$ :

$$\vec{c}_{\text{outs}}(E.\vec{\text{Dec}}(E'.\vec{\text{Dec}}(\vec{x})), R.\vec{\text{Dec}}(R'.\vec{\text{Dec}}(\vec{r}))) = E.\vec{\text{Dec}}(\vec{c'}_{\text{outs}}(E'.\vec{\text{Dec}}(\vec{x}), R'.\vec{\text{Dec}}(\vec{r})))$$

And we can apply E.Dec to both sides of the point 2 of the definition of 'c'' is a correct implementation of c'':

$$E.\vec{\text{Dec}}(\vec{c'}_{\text{outs}}(E'.\vec{\text{Dec}}(\vec{x}), R'.\vec{\text{Dec}}(\vec{r}))) = E.\vec{\text{Dec}}(E'.\vec{\text{Dec}}(\vec{c''}_{\text{outs}}(\vec{x}, \vec{r})))$$

As = is transitive, they imply the point 2 of the definition of correct implementation.  $\Box$ 

**Lemma 21** (The composition retains the correctness). If c', d' are correct implementations of respectively c, d, then  $c' \parallel d'$  is a correct implementation of  $c \parallel d$ , and  $c' \circ d'$  is a correct implementation of  $c \circ d$ , assuming the last composition is meaningful.

*Proof.* The first point of the definition of correctness can be proven by the definition of  $\mathbf{Rnds}()$  for series and parallel and by the encoding of the randoms for the series and parallel being obtained by a parallel of the two encodings of the randoms.

The second point can be proven quickly by writing one side of the equation, write it in terms of the two sub-circuits, split the encoding functions in the parallel of the two encodings, apply the second point of the two correctness hypotheses for the sub-circuits, and then write it again in terms of the overall circuit.  $\Box$ 

**Lemma 22** (Gadget-based compiler). Given the gadgets  $\tilde{G}$  defined with the n-shares encoding E, then  $(E, CC_{\tilde{G}})$  is a compiler, where the compilation function  $CC_{\tilde{G}} : \mathcal{C}_{S_{in},\mathcal{G}_{in}} \to \mathcal{C}_{S_{out},\mathcal{G}_{out}}$  obtained by substituting every gate g with the relative circuit  $\tilde{G}_g$ . More formally,

$$CC_{\vec{G}}(c) = \begin{cases} \vec{G}_c & \text{if } c \text{ a gate of } \mathcal{G}_{in} \\ CC_{\vec{G}}(c') \parallel CC_{\vec{G}}(c'') & \text{if } c = c' \parallel c'' \text{ for any } c', c'' \\ CC_{\vec{G}}(c_o) \circ CC_{\vec{G}}(c_i) & \text{if } c = c_o \circ c_i \text{ for any } c_o, c_i \\ i' & \text{if } c \text{ is the identity circuit} \\ s' & \text{if } c \text{ is the swap circuit} \end{cases}$$

where the identity gadget i' is obtained by composing in parallel n identity circuits, and the swap gadget s' is any gadget made of identity and swap circuits to link the inputs i with the outputs i + n and vice-versa.

*Proof.* We can prove that  $(E, CC_{\vec{G}})$  is a compiler inductively. For the base case, the  $\vec{G}_c$  are correct by definition of gadgets, while the identity and swap gadget are correct as their circuit is deterministic and  $E.\vec{Dec}$  is preserved, see Proposition 6. For the induction step, both types of composition preserve the correctness, as stated in Lemma 21.

#### B.4 Monotonicity of security definitions

**Lemma 23** (Monotone RPS). If a circuit c is  $(p, \varepsilon)$ -RPS then given any  $p', \varepsilon \in [0, 1]$  with  $p' \leq p, \varepsilon' \geq \varepsilon$  the circuit c is  $(p', \varepsilon')$ -RPS.

*Proof.* We can first define the monotone predicate (monotone due to composition of monotone functions remaining monotone, and the dependency function is monotone for Lemma 15)  $P(W) := \tilde{\text{Dep}}_{[\vec{c}_{wires} \circ E. \mathbf{Enc}]}(W) \neq \emptyset$ .

Then  $(p, \varepsilon)$ -RPS iff  $\Pr\left[P(\check{\mathbf{Leak}}_c(p))\right] \leq \varepsilon$  and by Lemma 18 we obtain that

$$\Pr\left[P(\check{\mathbf{Leak}}_{c}(p'))\right] \leq \Pr\left[P(\check{\mathbf{Leak}}_{c}(p))\right] \leq \varepsilon \leq \varepsilon'$$

**Lemma 24** (Monotone RPR). Given a compiler C that is e-RPR, and given a monotone continuous  $e' \ge e$ , then C is also e'-RPR.

*Proof.* We need to prove that C is also e'-RPR. This means that given a generic  $p, \varepsilon \in [0, 1]$ and a generic circuit c, we have additional hypothesis that c is  $(e'(p), \varepsilon)$ -RPS and we need to prove that C.CC(c) is  $(p, \varepsilon)$ -RPS.

As  $e(p) \leq e'(p)$  and c is  $(e'(p), \varepsilon)$ -RPS, then by Lemma 23 we obtain that c is  $(e(p), \varepsilon)$ -RPS, which means we can use the hypothesis that C that is e-RPR to obtain that C.CC(c)is  $(p, \varepsilon)$ -RPS.  $\square$ 

**Lemma 25** (Monotone ERPE). Given two circuits c, c' such that c is (t, e)-ERPE of c', then for all continuous monotone  $e': [0,1] \rightarrow [0,1]$  with  $e' \geq e$ , the circuit c is (t,e')-ERPE of c'

*Proof.* All the conditions of the ERPE are untouched by changing e with e' except the continuity, the monotonicity and the  $[0,1] \rightarrow [0,1]$  (which are preserved by hypothesis), and that  $\breve{W}'_c(\emptyset, \mathbf{Leak}_c(p)) \stackrel{d}{\leq} \mathbf{Leak}_{c'}(e(p))$ . As for all p we have that  $e(p) \leq e'(p)$ , then we can use Lemma 18 which guarantees that  $\mathbf{Leak}_{q}(e(p)) \stackrel{d}{\leq} \mathbf{Leak}_{q}(e'(p))$  and this proves the thesis as  $\stackrel{a}{\leq}$  is a partial order, and so it's transitive.  $\square$ 

**Lemma 26.** Given a circuit c with w > 1 internal wires, then  $\forall \varepsilon \in [0, 1]$ , c is  $(\varepsilon/w, \varepsilon)$ -RPS.

*Proof.* By definition of RPS we need to show that

$$\Pr \Bigl[ \breve{\mathrm{Dep}}_{\left[ \vec{\mathbf{c}}_{\mathbf{wires}} \circ E. \vec{\mathbf{Enc}} \right]} (\breve{\mathbf{Leak}}_{c}(\varepsilon/w)) \neq \emptyset \Bigr] \leq \varepsilon$$

As  $\tilde{\text{Dep}}_{[\vec{e}_{wires} \circ E. \vec{Enc}]}(\emptyset) = \emptyset$ , we have that  $\tilde{\text{Dep}}_{[\vec{e}_{wires} \circ E. \vec{Enc}]}(\breve{w}) \neq \emptyset \implies \breve{w} \neq \emptyset$ , which implies  $\Pr\left[\tilde{\text{Dep}}_{[\vec{e}_{wires} \circ E. \vec{Enc}]}(\vec{Leak}_c(\varepsilon/w)) \neq \emptyset\right] \leq \Pr\left[\tilde{Leak}_c(\varepsilon/w) \neq \emptyset\right] = 1 - (1 - \varepsilon/w)^w$ So it's sufficient to show that  $1 - (1 - \varepsilon/w)^w \leq \varepsilon$ . As  $w \geq 1$ ,  $\varepsilon/w \in [0, 1]$  we can use

Bernoulli's inequality, which states that  $\varepsilon/w \cdot w \ge 1 - (1 - \varepsilon/w)^w$ .

#### С From Probing Security To Constant Noise With Polylog Size Increase

We'll prove the theorems we need to demonstrate Corollary 4, and show that with a polylograrithmic size increase a t-probing secure compiler can be made to create circuits  $2^{-t}$ -secure against a  $\delta$ -noisy adversary for some constant  $\delta$ .

#### C.1 Lemma 28: RPS to Probing Security

As [BCP+20] gives a definition of random probing security without an explicit connection to existing concepts like the random probing adversary of [DDF14], so we state the following:

Lemma 27 (Security against random probing adversary). A circuit c is  $(p, \varepsilon)$ -random probing secure according to  $[BCP^+ 20]$  if there is a Sim such that for all  $\vec{x} \in \mathbb{S}^i_{\text{orig}}$ ,

$$\mathrm{SD}\left[\vec{\mathbf{Sim}};\vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{\mathbf{Leak}}_{c}(p)}\right] \leq \varepsilon$$

This is equivalent to say that c is  $\varepsilon$ -secure against a p-random probing adversary.

*Proof.* Note that the definition of random probing security according to  $[BCP^+20]$  can be rewritten as

 $\mathrm{SD}\left[\vec{\mathbf{Sim}};\vec{\mathbf{out}}_{\mathcal{A}'}(\vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x})))\right] \leq \varepsilon$ 

where  $\mathcal{A}'$  is the *p*-random probing adversary that specifies the maximum leakage *p* for all wires, and that returns the value of the leaking wires without altering them.

From the definition of  $\varepsilon$ -secure against an adversary, and for the expression just written, this lemma can be proven by the following: for all *p*-random probing adversaries  $\mathcal{A}$  there is a  $\mathbf{Sim}_{\mathbf{A}}$  such that for all  $\vec{x} \in \mathbb{S}^{i}_{\text{orig}}$ 

$$\mathrm{SD}\left[\vec{\mathbf{Sim}}_{\mathcal{A}};\vec{\mathbf{out}}_{\mathcal{A}}(\vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x})))\right] \leq \mathrm{SD}\left[\vec{\mathbf{Sim}};\vec{\mathbf{out}}_{\mathcal{A}'}(\vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x})))\right]$$

We can prove this by first noticing that for every *p*-random probing adversaries  $\mathcal{A}$  there is a  $\mathbf{f}_{\mathcal{A}}$  such that  $\mathbf{out}_{\mathcal{A}} = \mathbf{f}_{\mathcal{A}} \circ \mathbf{out}_{\mathcal{A}'}$ , as  $\mathcal{A}'$  uses the highest possible leakage rate and returns the leaking wires as is. For this reason  $\mathbf{f}_{\mathcal{A}}$  has to first lower the probability of each wires from *p* to the various  $p_i \leq p$  chosen by  $\mathcal{A}$  (this by keeping each leaking value with probability  $p_i/p$ , and discarding it with probability  $1 - p_i/p$ ), and then apply the same function that  $\mathcal{A}$  does on the vector of leaked values.

This means that we can choose  $\vec{\mathbf{Sim}}_{\mathbf{A}} := \vec{\mathbf{f}}_{\mathcal{A}}(\vec{\mathbf{Sim}})$ . From here the lemma follows from a well-known property of the SD (which we can find for example in [HU05]): for all  $\mathbf{A}, \mathbf{B}, \mathbf{f}$  we have that SD  $[\mathbf{f}(\mathbf{A}); \mathbf{f}(\mathbf{B})] \leq$  SD  $[\mathbf{A}; \mathbf{B}]$ .

With this lemma we can then prove that our RPS implies the security against random probing adversaries.

**Lemma 28** (RPS to Probing Security). If a circuit is  $(p, \varepsilon)$ -RPS, then it's  $\varepsilon$ -secure against a p-random probing adversary.

*Proof.* If a circuit c with n-share encoding E with  $n \cdot i$  inputs and original field  $\mathbb{S}_{\text{orig}}$  is  $(p, \varepsilon)$ -RPS then by definition

$$\Pr\left[\check{\operatorname{Dep}}_{\left[\vec{\mathbf{c}}_{wires}\circ E.\mathbf{E}\vec{\mathbf{nc}}\right]}(\check{\mathbf{Leak}}_{c}(p))\neq\emptyset\right]\leq\varepsilon$$

$$\iff\sum_{\breve{W}}\Pr\left[\breve{W}=\check{\mathbf{Leak}}_{c}(p)\right]\Pr\left[\check{\operatorname{Dep}}_{\left[\vec{\mathbf{c}}_{wires}\circ E.\mathbf{E}\vec{\mathbf{nc}}\right]}(\breve{W})=\emptyset\right]\geq1-\varepsilon$$

We also have that

$$\begin{aligned} \Pr\left[\breve{\mathrm{Dep}}_{\left[\vec{\mathbf{c}}_{\mathbf{wires}}\circ E.\mathbf{Enc}\right]}(\breve{W}) &= \emptyset\right] &= \mathrm{Is}\left[\breve{\mathrm{Dep}}_{\left[\vec{\mathbf{c}}_{\mathbf{wires}}\circ E.\mathbf{Enc}\right]}(\breve{W}) &= \emptyset\right] \\ &= \mathrm{Is}\left[\exists \vec{\mathbf{Sim}}. \ \forall \vec{x} \in \mathbb{S}^{i}_{\mathrm{orig}}. \ \vec{\mathbf{Sim}} \stackrel{d}{=} \vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x}))_{\breve{W}}\right] \\ &= \max_{\mathbf{Sim}} \min_{\vec{x} \in \mathbb{S}^{i}_{\mathrm{orig}}} \mathrm{Is}\left[\vec{\mathbf{Sim}} \stackrel{d}{=} \vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{W}}\right] \end{aligned}$$

If we substitute this into the statement before the last we obtain

$$\iff \sum_{\breve{W}} \Pr\Big[\breve{W} = \mathbf{Leak}_{c}(p)\Big] \max_{\mathbf{Sim}} \min_{\vec{x} \in \mathbb{S}^{i}_{\text{orig}}} \operatorname{Is}\Big[\mathbf{Sim} \stackrel{d}{=} \vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{W}}\Big] \ge 1 - \varepsilon$$

We can bring the maximization over  $\vec{Sim}$  out of the sum by making it a maximization over a function  $\vec{Sim'}$ :

$$\iff \max_{\mathbf{Sim}'} \sum_{\breve{W}} \Pr\Big[\breve{W} = \mathbf{Leak}_c(p)\Big] \min_{\vec{x} \in \mathbb{S}_{\mathrm{orig}}^i} \mathrm{Is} \left[\mathbf{Sim}'(\breve{W}) \stackrel{d}{=} \vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{W}}\right] \ge 1 - \varepsilon$$

As  $\sum \min \le \min \ge$ , the last statement implies

$$\max_{\mathbf{Sim'}} \min_{\vec{x} \in \mathbb{S}^i_{\text{orig}}} \sum_{\breve{W}} \Pr\Big[\breve{W} = \mathbf{Leak}_c(p)\Big] \text{Is} \Big[\mathbf{Sim'}(\breve{W}) \stackrel{d}{=} \vec{\mathbf{c}}_{\text{wires}}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{W}}\Big] \ge 1 - \varepsilon$$

Which is equivalent to

$$\exists \mathbf{S}\vec{\mathbf{m}}'. \ \forall \vec{x} \in \mathbb{S}^{i}_{\mathrm{orig}}. \ \sum_{\vec{W}} \Pr\Big[\breve{W} = \mathbf{L}\vec{\mathbf{eak}}_{c}(p)\Big] \mathrm{Is}\left[\mathbf{S}\vec{\mathbf{m}}'(\breve{W}) \stackrel{d}{=} \vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{W}}\right] \geq 1 - \varepsilon$$

That is equivalent to saying that  $\exists \mathbf{Sim}'$  such that  $\mathbf{Sim}'(\breve{W})$  returns some vector  $\vec{\cdot}|_{\breve{W}}$ , and such that  $\forall \vec{x} \in \mathbb{S}_{\text{orig}}^{i}$ 

$$\sum_{\breve{W}} \Pr\left[\breve{W} = \mathbf{Leak}_{c}(p)\right] \operatorname{Is}\left[\mathbf{Sim}'(\breve{W}) \stackrel{d}{=} \vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{W}}\right] \ge 1 - \varepsilon$$

As the content of the Is  $[\ldots]$  is a deterministic predicate that compares probability distributions, the last statement is equivalent to saying that  $\exists \mathbf{Sim}'$  such that  $\mathbf{Sim}'(\breve{W})$  returns some vector  $\exists_{\breve{W}}$ , and such that  $\forall \vec{x} \in \mathbb{S}^i_{\text{orig}}$ 

$$\sum_{\breve{W}} \Pr\Big[\breve{W} = \mathbf{Leak}_c(p)\Big] \mathrm{Is}\left[\neg(\mathbf{Sim}'(\breve{W}) \stackrel{d}{=} \vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{W}})\right] \leq \varepsilon$$

As SD  $[\mathbf{A}; \mathbf{B}] \leq$ Is  $\left[\neg(\mathbf{A} \stackrel{d}{=} \mathbf{B})\right]$  can be quickly proven by separating the two possible values of the Is  $[\cdot]$ , the previous statement implies:  $\exists \mathbf{S} \vec{\mathbf{im}}$  such that  $\mathbf{S} \vec{\mathbf{im}}(\breve{W})$  returns some vector  $\vec{\cdot}|_{\breve{W}}$ , and such that  $\forall \vec{x} \in \mathbb{S}^{i}_{\text{orig}}$ 

$$\sum_{\breve{W}} \Pr\Big[\breve{W} = \mathbf{Leak}_{c}(p)\Big] \mathrm{SD}\left[\mathbf{Sim}(\breve{W}); \vec{\mathbf{c}}_{\mathbf{wires}}(E.\mathbf{Enc}(\vec{x}))|_{\breve{W}}\right] \leq \varepsilon$$

Let's consider the left side of this inequality

$$\sum_{\breve{W}} \Pr\Big[\breve{W} = \mathbf{L\breve{eak}}_c(p)\Big] \mathrm{SD}\left[\mathbf{S}\vec{\mathbf{im}}(\breve{W}); \vec{\mathbf{c}}_{\mathbf{wires}}(E.\mathbf{E}\vec{\mathbf{nc}}(\vec{x}))|_{\breve{W}}\right]$$

Let's define the random variable  $\breve{\mathbf{L}} := \mathbf{Leak}_c(p)$ 

$$= \sum_{\breve{W}} \Pr\Big[\breve{W} = \breve{\mathbf{L}}\Big] \mathrm{SD}\left[\vec{\mathbf{Sim}}(\breve{W}); \vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{W}}\right]$$

By definition of Statistical Distance,

$$= \sum_{\breve{W}} \Pr\left[\breve{W} = \breve{\mathbf{L}}\right] \frac{1}{2} \sum_{\vec{y} \in (\mathbb{S} \cup \{\bot\})^{ni}} \left| \Pr\left[\mathbf{Sim}(\breve{W}) = \vec{y}\right] - \Pr\left[\mathbf{c}_{wires}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{W}} = \vec{y}\right] \right|$$

As both  $\vec{\mathbf{Sim}}(\breve{W})$  and  $\vec{\mathbf{c}}_{wires}(E.\vec{\mathbf{Enc}}(\vec{x}))|_{\breve{W}}$  return a vector  $\vec{\cdot}|_{\breve{W}}$ , we can ignore the other elements as they are all  $\perp$ 

$$\begin{split} &= \sum_{\breve{W}} \Pr\left[\breve{W} = \breve{\mathbf{L}}\right] \frac{1}{2} \sum_{\vec{y} \in \mathbb{S}^{|\breve{W}|}} \left| \Pr\left[\mathbf{S}\vec{\mathbf{im}}(\breve{W})_{\breve{W}} = \vec{y}\right] - \Pr\left[\vec{\mathbf{c}}_{wires}(E.\vec{\mathbf{Enc}}(\vec{x}))_{\breve{W}} = \vec{y}\right] \right| \\ &= \frac{1}{2} \sum_{\breve{W}} \sum_{\vec{y} \in \mathbb{S}^{|\breve{W}|}} \left| \Pr\left[\breve{W} = \breve{\mathbf{L}}\right] \Pr\left[\mathbf{S}\vec{\mathbf{im}}(\breve{W})_{\breve{W}} = \vec{y}\right] - \Pr\left[\breve{W} = \breve{\mathbf{L}}\right] \Pr\left[\vec{\mathbf{c}}_{wires}(E.\vec{\mathbf{Enc}}(\vec{x}))_{\breve{W}} = \vec{y}\right] \right| \\ &= \frac{1}{2} \sum_{\breve{W}} \sum_{\vec{y} \in \mathbb{S}^{|\breve{W}|}} \left| \Pr\left[\breve{W} = \breve{\mathbf{L}} \wedge \mathbf{S}\vec{\mathbf{im}}(\breve{W})_{\breve{W}} = \vec{y}\right] - \Pr\left[\breve{W} = \breve{\mathbf{L}} \wedge \vec{\mathbf{c}}_{wires}(E.\vec{\mathbf{Enc}}(\vec{x}))_{\breve{W}} = \vec{y}\right] \right| \\ &= \frac{1}{2} \sum_{\breve{W}} \sum_{\vec{y} \in \mathbb{S}^{|\breve{W}|}} \left| \Pr\left[\left(\mathbf{S}\vec{\mathbf{im}}(\breve{\mathbf{L}})_{\breve{\mathbf{L}}}, \breve{\mathbf{L}}\right) = (\vec{y}, \breve{W})\right] - \Pr\left[\left(\vec{\mathbf{c}}_{wires}(E.\vec{\mathbf{Enc}}(\vec{x}))_{\breve{\mathbf{L}}}, \breve{\mathbf{L}}\right) = (\vec{y}, \breve{W})\right] \right| \end{split}$$

As given  $\vec{z}, \vec{w}, (\vec{z}_{\vec{w}}, \vec{w})$  is bijective with  $\vec{z}|_{\vec{w}}$ ,

$$= \frac{1}{2} \sum_{\vec{y} \in (\mathbb{S} \cup \{\bot\})^{ni}} \left| \Pr\left[ \mathbf{S}\vec{\mathbf{m}}(\breve{\mathbf{L}}) |_{\breve{\mathbf{L}}} = \vec{y} \right] - \Pr\left[ \vec{\mathbf{c}}_{wires}(E.\vec{\mathbf{Enc}}(\vec{x})) |_{\breve{\mathbf{L}}} = \vec{y} \right] \right|$$
  
$$= \frac{1}{2} \sum_{\vec{y} \in (\mathbb{S} \cup \{\bot\})^{ni}} \left| \Pr\left[ \mathbf{S}\vec{\mathbf{m}}(\breve{\mathbf{L}}) = \vec{y} \right] - \Pr\left[ \vec{\mathbf{c}}_{wires}(E.\vec{\mathbf{Enc}}(\vec{x})) |_{\breve{\mathbf{L}}} = \vec{y} \right] \right|$$
  
$$= \frac{1}{2} \sum_{\vec{y} \in (\mathbb{S} \cup \{\bot\})^{ni}} \left| \Pr\left[ \mathbf{S}\vec{\mathbf{m}}(\breve{\mathbf{Leak}}_{c}(p)) = \vec{y} \right] - \Pr\left[ \vec{\mathbf{c}}_{wires}(E.\vec{\mathbf{Enc}}(\vec{x})) |_{\breve{\mathbf{Leak}}_{c}(p)} = \vec{y} \right] \right|$$
  
$$= \operatorname{SD}\left[ \mathbf{S}\vec{\mathbf{m}}(\breve{\mathbf{Leak}}_{c}(p)); \vec{\mathbf{c}}_{wires}(E.\vec{\mathbf{Enc}}(\vec{x})) |_{\breve{\mathbf{Leak}}_{c}(p)} \right]$$

This means that  $\exists \mathbf{Sim}'$ .  $\forall \vec{x} \in \mathbb{S}^i_{\text{orig}}$ .  $\operatorname{SD}\left[\mathbf{Sim}'; \mathbf{\vec{c}_{wires}}(E.\mathbf{Enc}(\vec{x}))|_{\mathbf{Leak}_c(p)}\right] \leq \varepsilon$ , and the thesis follows from Lemma 27.

### C.2 Proposition 7: Probing Model to RPS

As we need to obtain the RPS property and not the weaker security in the random probing model, we can not use the result from [DDF14]. Instead we report the following proposition:

**Proposition 7** (Probing Model to RPS). If a circuit c with w wires is secure in the t-probing model, then it's  $(\frac{t}{2we}, 2^{-t})$ -RPS where e is the mathematical constant.

*Proof.* We can prove this with the following passages:

$$\Pr\left[\tilde{\operatorname{Dep}}_{[\vec{\mathbf{c}}_{wires}\circ E.\mathbf{Enc}]}(\mathbf{Leak}_{c}(p)) \neq \emptyset\right]$$

$$= \sum_{\breve{W}\subseteq[w]} \Pr\left[\breve{W} = \mathbf{Leak}_{c}(p)\right] \operatorname{Is}\left[\tilde{\operatorname{Dep}}_{[\vec{\mathbf{c}}_{wires}\circ E.\mathbf{Enc}]}(\breve{W}) \neq \emptyset\right]$$

$$= \sum_{\breve{W}\subseteq[w]} p^{|\breve{W}|} (1-p)^{w-|\breve{W}|} \operatorname{Is}\left[\tilde{\operatorname{Dep}}_{[\vec{\mathbf{c}}_{wires}\circ E.\mathbf{Enc}]}(\breve{W}) \neq \emptyset\right]$$

By definition of 'secure in the t-probing model',  $|\breve{W}| \leq t$  guarantees no dependency, so

$$\leq \sum_{\breve{W} \subseteq [w]} p^{|\breve{W}|} (1-p)^{w-|\breve{W}|} \operatorname{Is} \left[ \left| \breve{W} \right| > t \right] = \sum_{\substack{\breve{W} \subseteq [w] \\ |\breve{W}| > t}} p^{|\breve{W}|} (1-p)^{w-|\breve{W}|}$$
$$= \sum_{l:=t+1}^{w} {w \choose l} p^{l} (1-p)^{w-l} \leq \sum_{l:=t+1}^{w} {w \choose l} p^{l} \leq \sum_{l:=t+1}^{w} \frac{w^{l}}{l!} p^{l}$$

Using Stirling's approximation, which is known to be a lower bound of l!

$$\leq \sum_{l:=t+1}^{w} \frac{(pw)^l}{\sqrt{2\pi l} (\frac{l}{e})^l} \leq \sum_{l:=t+1}^{w} (\frac{epw}{l})^l \leq \sum_{l:=t+1}^{w} (\frac{epw}{t})^l$$

If we choose a  $p < \frac{t}{we}$ ,

$$\Pr\left[\check{\operatorname{Dep}}_{\left[\vec{\mathbf{c}}_{wires}\circ E.\vec{\mathbf{Enc}}\right]}(\check{\mathbf{Leak}}_{c}(p))\neq\emptyset\right]\leq \sum_{l:=t+1}^{w}(\frac{epw}{t})^{l}\leq \sum_{l:=t+1}^{\infty}(\frac{epw}{t})^{l}=\frac{(\frac{epw}{t})^{t+1}}{1-\frac{epw}{t}}$$

If we choose  $p := \frac{t}{2we}$ 

$$\Pr\left[\check{\operatorname{Dep}}_{\left[\vec{\mathbf{c}}_{\mathbf{wires}}\circ E.\mathbf{Enc}\right]}(\check{\mathbf{Leak}}_{c}(\frac{t}{2we})) \neq \emptyset\right] \leq \frac{(\frac{epw}{t})^{t+1}}{1-\frac{epw}{t}} = \frac{0.5^{t+1}}{1-0.5} = 2^{-t}$$

This by definition means that c is  $\left(\frac{t}{2we}, 2^{-t}\right)$ -RPS

#### C.3 Theorem 1: Complexity of Compiler Sequences

**Theorem 1:** Given a compiler sequence  $C : C_{\text{in}} \to C_{\text{out}}$ , given a circuit  $c_{\kappa} \in C_{\text{in}}$ parametric in its security level, i.e. such that  $c_{\kappa}$  is  $(2^{-p(\kappa)}, 2^{-\kappa})$ -RPS for some  $p : (0, \infty) \to (0, \infty)$ ; then there is a function  $n : (0, \infty) \to \mathbb{N}$  that calculates which compiler in C to use, such that the compiled circuit  $c'_{\kappa} := C_{n(\kappa)}.CC(c_{\kappa})$  satisfies the following properties:

- For all  $\kappa > 0$ , the circuit  $c'_{\kappa}$  is  $(P, 2^{-\kappa})$ -RPS.
- As  $\kappa \to \infty$ ,  $\|c'_{\kappa}\| = \mathcal{O}(\|c_{\kappa}\| p(\kappa)^e)$

This where P is a tolerated leakage of C, and e is a expansion exponent of C, P.

*Proof.* Let's call d the security amplification order and  $\lambda$  the size amplification order that lead to the expansion exponent e. Then from the definition of d, there is a sequence of functions e such that  $C_m$  is  $e_m$ -RPR and  $\log_2 e_m(P) = \Omega(d^m)$  as  $m \to \infty$ . In other words there is a b < 0 such that

$$\liminf_{m \to \infty} \frac{|\log_2 e_m(P)|}{d^m} = -2b > 0$$

As  $\log_2 e_m(P) \leq 0$ , this means that  $\limsup_{m \to \infty} \frac{\log_2 e_m(P)}{d^m} = 2b < b$ 

And so eventually  $\log_2 e_m(P) \leq bd^m$ , i.e. eventually  $e_m(P) \leq 2^{d^m b}$ . More precisely this means that there is an n' such that for every  $m \geq n'$  we have that  $e_m(P) \leq 2^{d^m b}$ .

We can now choose

$$n(\kappa) := \max\{n', \log_d \frac{p(\kappa)}{-b}\}$$

As  $n(\kappa) \ge n'$  we have that  $e_{n(\kappa)}(P) \le 2^{d^{n(\kappa)}b}$  Additionally,  $2^{d^{n(\kappa)}b} \le 2^{-p(\kappa)}$  as

$$d^{n(\kappa)}b \le d^{\log_d \frac{p(\kappa)}{-b}}b = \frac{p(\kappa)}{-b}b = -p(\kappa)$$

This means that as  $c_{\kappa}$  is  $(2^{-p(\kappa)}, 2^{-\kappa})$ -RPS, then by Lemma 23 the circuit  $c_{\kappa}$  is  $(e_{n(\kappa)}(P), 2^{-\kappa})$ -RPS as  $e_{n(\kappa)}(P) \leq 2^{-p(\kappa)}$ .

We can then apply the definition of RPR from  $C_{n(\kappa)}$  is  $e_{n(\kappa)}$ -RPR' to obtain that  $c'_{\kappa} := C_{n(\kappa)}.CC(c_{\kappa})$  is  $(P, 2^{-\kappa})$ -RPS, which satisfies point 1 of the theorem.

Then by definition of size amplification order, the definition of circuit complexity matrix, of circuit size and of *p*-norm,

$$\|c_{\kappa}'\| \leq \left\|M_{C_{n(\kappa)}}\right\|_{1} \|c_{\kappa}\| = \mathcal{O}\left(\|c_{\kappa}\| \lambda^{n(\kappa)}\right)$$

As  $n(\kappa) = \max\{n', \log_d \frac{p(\kappa)}{-b}\} = \max\{n', \frac{\log p(\kappa)}{\log d} - \frac{\log - b}{\log d}\} = \frac{\log p(\kappa)}{\log d} + \Theta(1)$  then  $\lambda^{n(\kappa)} = \lambda^{\frac{\log p(\kappa)}{\log d} + \Theta(1)} = \Theta\left(\lambda^{\frac{\log p(\kappa)}{\log d}}\right) = \Theta\left(p(\kappa)^{\frac{\log \lambda}{\log d}}\right)$ 

And so  $\|c'_{\kappa}\| = \mathcal{O}\left(\|c_{\kappa}\| \lambda^{n(\kappa)}\right) = \mathcal{O}\left(\|c_{\kappa}\| \Theta\left(p(\kappa)^{\frac{\log_2 \lambda}{\log_2 d}}\right)\right) = \mathcal{O}\left(\|c_{\kappa}\| p(\kappa)^e\right)$  which proves the second point, and so the theorem.  $\Box$ 

### **D** Theorem 2: ERPE to RPR

In this appendix we will prove our main theorem for the expansion: Theorem 2. To do this we first introduce a few other lemmas in order to make the proof more readable. The following two lemmas are an immediate consequence of Lemma 3.

**Lemma 29** (Identity Circuit). Any correct and leakless n-shares implementation G of the identity circuit for an encoding with strength k is (t, e)-ERPE for any  $t \in [0, k] \cap \mathbb{N}$  and for any monotone and continuous  $e : [0, 1] \to [0, 1]$ .

**Lemma 30** (Swap Circuit). Any correct and leakless n-shares implementation G of the swap circuit for an encoding with strength k is (t, e)-ERPE for any  $t \in [0, k] \cap \mathbb{N}$  and for any monotone and continuous  $e : [0, 1] \to [0, 1]$ .

**Lemma 31** (Parallel Composition). Given a compiler  $(E, CC_b)$  and two circuits  $c'_1, c'_2$  such that  $c_1 := CC_b(c'_1)$  is (t, e)-ERPE of  $c'_1$  and  $c_2 := CC_b(c'_2)$  is (t, e)-ERPE of  $c'_2$ , then  $c_1 \parallel c_2$  is (t, e)-ERPE of  $c'_1 \parallel c'_2$ .

*Proof.* We'll call  $c = c_1 \parallel c_2$ ,  $c' = c'_1 \parallel c'_2$ , and we choose

$$\begin{split} & \breve{I}_{c}(\breve{O}_{1} \parallel \breve{O}_{2}, \breve{W}_{1} \parallel \breve{W}_{2}) := \breve{I}_{c_{1}}(\breve{O}_{1}, \breve{W}_{1}) \parallel \breve{I}_{c_{2}}(\breve{O}_{2}, \breve{W}_{2}) \\ & \breve{W}_{c}'(\breve{O}_{1} \parallel \breve{O}_{2}, \breve{W}_{1} \parallel \breve{W}_{2}) := \breve{W}_{c_{1}}'(\breve{O}_{1}, \breve{W}_{1}) \parallel \breve{W}_{c_{2}}'(\breve{O}_{2}, \breve{W}_{2}) \\ & \breve{O}_{c}(\breve{O}_{1} \parallel \breve{O}_{2}, \breve{W}_{1} \parallel \breve{W}_{2}, \breve{I}_{1}' \parallel \breve{I}_{2}') := \breve{O}_{c_{1}}(\breve{O}_{1}, \breve{W}_{1}, \breve{I}_{1}') \parallel \breve{O}_{c_{2}}(\breve{O}_{2}, \breve{W}_{2}, \breve{I}_{2}') \end{split}$$

Then by using those definitions and the fact that the RPE (t, k)-normalization is compatible with the composition in parallel, the items of the definition of ERPE become the following

1 For all leakage rates  $p \in [0, 1]$ , we must have that

$$\breve{W'_{c_1}}(\emptyset, \mathbf{L\check{eak}}_{c_1}(p)) \parallel \breve{W'_{c_2}}(\emptyset, \mathbf{L\check{eak}}_{c_2}(p)) \stackrel{a}{\leq} \mathbf{L\check{eak}}_{c_1'}(e(p)) \parallel \mathbf{L\check{eak}}_{c_2'}(e(p))$$

This has the structure  $\mathbf{A} \parallel \mathbf{B} \stackrel{d}{\leq} \mathbf{C} \parallel \mathbf{D}$ , which means we can prove it using Lemma 17 as  $\mathbf{A}, \mathbf{B}, \mathbf{C}, \mathbf{D}$  are pairwise independent, and as  $\mathbf{A} \stackrel{d}{\leq} \mathbf{C}$  and  $\mathbf{B} \stackrel{d}{\leq} \mathbf{D}$  by the the item 1 of the ERPE of  $c_1$  and  $c_2$ .

Then we need to show that for all possible combinations of output to simulate  $\check{O}_1 \parallel \check{O}_2 \in [n \cdot (o_1 + o_2)]$ , we must have that

This is true as for the item 1 of the ERPE of  $c_1$  and  $c_2$  we obtain that

$$\vec{W}_{c_1}'(\breve{O}_1, \breve{\mathbf{Leak}}_{c_1}(p)) \stackrel{d}{=} \vec{W}_{c_1}'(\emptyset, \breve{\mathbf{Leak}}_{c_1}(p)) \\
\vec{W}_{c_2}'(\breve{O}_2, \breve{\mathbf{Leak}}_{c_2}(p)) \stackrel{d}{=} \vec{W}_{c_2}'(\emptyset, \breve{\mathbf{Leak}}_{c_2}(p))$$

2 We need to show that for all subsets of the required output wires  $\check{O}_1 \parallel \check{O}_2 \subseteq [n \cdot (o_1 + o_2)]$ , for every subset of the internal wires  $\check{W}_1 \parallel \check{W}_2 \subseteq [w_1 + w_2]$ , for all the inputs actually provided  $\check{I}_1$  an RPE (t, k)-normalization of  $\check{I}_{c_1}(\check{O}_1, \check{W}_1)$  and  $\check{I}_2$  an RPE (t, k)-normalization of  $\check{I}_{c_2}(\check{O}_2, \check{W}_2)$ , we need that  $\check{O}_{c_1}(\check{O}_1, \check{W}_1, \check{I}_1)$  an RPE (t, k)-normalization of  $\check{O}_1$  and  $\check{O}_{c_2}(\check{O}_2, \check{W}_2, \check{I}_2)$  an RPE (t, k)-normalization of  $\check{O}_2$ . This is true by the item 2 of the ERPE of  $c_1, c_2$ .

Additionally, we need that the function that takes as parameter the inputs  $\vec{x_1} \parallel \vec{x_2} \in E.\vec{Enc}[\mathbb{S}_{in}^{i_1+i_2}]$  and the original randoms  $\vec{r_1'} \parallel \vec{r_2'} \in \text{supp}[\vec{Rnds}_{c_1'}() \parallel \vec{Rnds}_{c_2'}()]$  and calculates

$$\vec{c_{1}}_{\text{all}}(\vec{x_{1}}, R.\vec{\mathbf{Enc}}(\vec{r_{1}'}))_{\breve{W}_{1}} \| \breve{O_{c_{1}}(\breve{O}_{1},\breve{W}_{1},\breve{I}_{1})} \| \vec{c_{2}}_{\text{all}}(\vec{x_{2}}, R.\vec{\mathbf{Enc}}(\vec{r_{2}'}))_{\breve{W}_{2}} \| \breve{O_{c_{2}}(\breve{O}_{2},\breve{W}_{2},\breve{I}_{2})}$$

can be simulated using  $(\vec{x_1})_{\vec{I_1}} \parallel (\vec{x_2})_{\vec{I_2}}$ , and

$$\vec{c_{1}}_{\text{wires}}(E.\vec{\text{Dec}}(\vec{x_{1}}), \vec{r_{1}'})_{\breve{W_{c_{1}}}(\breve{O}_{1}, \breve{W}_{1})} \parallel \vec{c_{2}}_{\text{wires}}(E.\vec{\text{Dec}}(\vec{x_{2}}), \vec{r_{2}'})_{\breve{W_{c_{2}}}(\breve{O}_{2}, \breve{W}_{2})}$$

This is guaranteed by the item 2 of the ERPE of  $c_1$  and  $c_2$  and by the composition of the simulatability.

**Lemma 32** (Series Composition). Given a compiler  $(E, CC_b)$  and two circuits  $c'_1, c'_2$  such that  $c_1 := CC_b(c'_1)$  is (t, e)-ERPE of  $c'_1$  and  $c_2 := CC_b(c'_2)$  is (t, e)-ERPE of  $c'_2$ , then  $c_1 \circ c_2$  is (t, e)-ERPE of  $c'_1 \circ c'_2$ .

*Proof.* We'll call  $c := c_o \circ c_i, c' := c'_o \circ c'_i$ , and we choose

- $$\begin{split} & \breve{I}_{c}(\breve{O},\breve{W}_{i} \parallel \breve{W}_{o}) := \breve{I}_{c_{i}}(\breve{I}_{c_{o}}(\breve{O},\breve{W}_{o}),\breve{W}_{i}) \\ & \breve{W}_{c}'(\breve{O},\breve{W}_{i} \parallel \breve{W}_{o}) := \breve{W}_{c_{i}}'(\breve{I}_{c_{o}}(\breve{O},\breve{W}_{o}),\breve{W}_{i}) \parallel \breve{W}_{c_{o}}'(\breve{O},\breve{W}_{o}) \\ & \breve{O}_{c}(\breve{O},\breve{W}_{i} \parallel \breve{W}_{o},\breve{I}) := \breve{O}_{c_{o}}(\breve{O},\breve{W}_{o},\breve{O}_{c_{i}}(\breve{I}_{c_{o}}(\breve{O},\breve{W}_{o}),\breve{W}_{i},\breve{I})) \end{split}$$
- 1 We need to prove that for all combinations of the output wires  $\check{O} \in [\mu]^o$  the probability distribution of  $\check{W}'_c(\check{O}, \mathbf{Leak}_{c'}(p)) \stackrel{d}{=} \check{W}'_c(\emptyset, \mathbf{Leak}_{c'}(p))$ . We'll prove this by showing that

 $\breve{W}_{c}'(\breve{O}, \mathbf{Leak}_{c}(p)) \stackrel{d}{=} \breve{W}_{c_{i}}'(\emptyset, \mathbf{Leak}_{c_{i}}(p)) \parallel \breve{W}_{c_{o}}'(\emptyset, \mathbf{Leak}_{c_{i}}(p))$ 

Proof:

$$\breve{W}_c'(\breve{O}, \check{\mathbf{Leak}}_c(p))$$

By definition, with  $\mathbf{w}_{\mathbf{o}} := \mathbf{Leak}_{c_o}(p)$ 

$$=\Pr\left[\breve{W}_{c_{i}}^{\prime}(\breve{I}_{c_{o}}^{\prime}(\breve{O},\breve{\mathbf{w}_{o}}),\breve{\mathbf{Leak}}_{c_{i}}(p)) \parallel \breve{W}_{c_{o}}^{\prime}(\breve{O},\breve{\mathbf{w}_{o}}) = \breve{w}_{i}^{\prime} \parallel \breve{w}_{o}^{\prime}\right]$$
$$=\Pr\left[\breve{W}_{c_{i}}^{\prime}(\breve{I}_{c_{o}}(\breve{O},\breve{\mathbf{w}_{o}}),\breve{\mathbf{Leak}}_{c_{i}}(p)) = \breve{w}_{i}^{\prime} \wedge \breve{W}_{c_{o}}^{\prime}(\breve{O},\breve{\mathbf{w}_{o}}) = \breve{w}_{o}^{\prime}\right]$$
$$=\sum_{w_{o}}\Pr\left[\breve{W}_{c_{i}}^{\prime}(\breve{I}_{c_{o}}(\breve{O},\breve{w}_{o}),\breve{\mathbf{Leak}}_{c_{i}}(p)) = \breve{w}_{i}^{\prime} \wedge \breve{W}_{c_{o}}^{\prime}(\breve{O},\breve{w}_{o}) = \breve{w}_{o}^{\prime} \wedge \breve{\mathbf{w}_{o}} = w_{o}\right]$$
$$=\sum_{w_{o}}\Pr\left[\breve{W}_{c_{i}}^{\prime}(\breve{I}_{c_{o}}(\breve{O},\breve{w}_{o}),\breve{\mathbf{Leak}}_{c_{i}}(p)) = \breve{w}_{i}^{\prime}\right]\Pr\left[\breve{W}_{c_{o}}^{\prime}(\breve{O},\breve{w}_{o}) = \breve{w}_{o}^{\prime} \wedge \breve{\mathbf{w}_{o}} = w_{o}\right]$$

For the item 1 of the ERPE of  $c_i,\, \breve{W'_{c_i}}$  is identically distributed for every value of its first parameter

$$= \sum_{w_o} \Pr\left[\breve{W}'_{c_i}(\emptyset, \mathbf{Leak}_{c_i}(p)) = \breve{w}'_i\right] \Pr\left[\breve{W}'_{c_o}(\breve{O}, \mathbf{\breve{w_o}}) = \breve{w}'_o \land \mathbf{\breve{w_o}} = w_o\right]$$
$$= \Pr\left[\breve{W}'_{c_i}(\emptyset, \mathbf{Leak}_{c_i}(p)) = \breve{w}'_i\right] \sum_{w_o} \Pr\left[\breve{W}'_{c_o}(\breve{O}, \mathbf{\breve{w_o}}) = \breve{w}'_o \land \mathbf{\breve{w_o}} = w_o\right]$$

$$= \Pr\left[\breve{W}_{c_{i}}^{\prime}(\emptyset, \breve{\mathbf{Leak}}_{c_{i}}(p)) = \breve{w}_{i}^{\prime}\right] \Pr\left[\breve{W}_{c_{o}}^{\prime}(\breve{O}, \breve{\mathbf{w}_{o}}) = \breve{w}_{o}^{\prime}\right]$$
$$= \Pr\left[\breve{W}_{c_{i}}^{\prime}(\emptyset, \breve{\mathbf{Leak}}_{c_{i}}(p)) = \breve{w}_{i}^{\prime}\right] \Pr\left[\breve{W}_{c_{o}}^{\prime}(\breve{O}, \breve{\mathbf{Leak}}_{c_{o}^{\prime}}(p)) = \breve{w}_{o}^{\prime}\right]$$

For the item 1 of the ERPE of  $c_o,\, W'_{c_o}$  is identically distributed for every value of its first parameter

$$= \Pr\left[\breve{W}_{c_{i}}^{\prime}(\emptyset, \breve{\mathbf{Leak}}_{c_{i}}(p)) = \breve{w}_{i}^{\prime}\right] \Pr\left[\breve{W}_{c_{o}}^{\prime}(\emptyset, \breve{\mathbf{Leak}}_{c_{o}}(p)) = \breve{w}_{o}^{\prime}\right]$$
$$= \Pr\left[\breve{W}_{c_{i}}^{\prime}(\emptyset, \breve{\mathbf{Leak}}_{c_{i}}(p)) \parallel \breve{W}_{c_{o}}^{\prime}(\emptyset, \breve{\mathbf{Leak}}_{c_{o}}(p)) = \breve{w}_{i}^{\prime} \parallel \breve{w}_{o}^{\prime}\right]$$

Additionally, We need to prove that for all leakage rates  $p \in [0, 1]$  the distribution of the set of leaking virtual wires  $\breve{W}'_c$  must be upper bounded by the leakage of the virtual circuit:

$$\breve{W}_{c}^{\prime}(\emptyset, \mathbf{Leak}_{c}(p)) \stackrel{a}{\leq} \mathbf{Leak}_{c}(e(p))$$

We can prove this by showing that

$$\breve{W}_c'(\emptyset, \mathbf{Leak}_c(p)) \stackrel{d}{=} \breve{W}_{c_i}'(\emptyset, \mathbf{Leak}_{c_i}(p)) \parallel \breve{W}_{c_o}'(\emptyset, \mathbf{Leak}_{c_i}(p)) \stackrel{d}{\leq} \mathbf{Leak}_{c'}(e(p))$$

We already proved the left part in the proof, and to prove the right part we can use the item 1 of the ERPE of  $c_o$  and  $c_i$  and obtain that:

$$\breve{W}_{c_i}'(\emptyset, \mathbf{Leak}_{c_i}(p)) \stackrel{d}{\leq} \mathbf{Leak}_{c_i'}(e(p)) \land \breve{W}_{c_o}'(\breve{O}, \mathbf{Leak}_{c_i}(p)) \stackrel{d}{\leq} \mathbf{Leak}_{c_o'}(e(p))$$

As the four expressions are all independent, we can use Lemma 17 and obtain that

$$\breve{W'_{c_i}}(\emptyset, \mathbf{\check{Leak}}_{c_i}(p)) \parallel \breve{W'_{c_o}}(\breve{O}, \mathbf{\check{Leak}}_{c_i}(p)) \stackrel{d}{\leq} \mathbf{\check{Leak}}_{c'_i}(e(p)) \parallel \mathbf{\check{Leak}}_{c'_o}(e(p))$$

2 For all combinations of the output wires  $\check{O} \in [n \cdot o]$  for all the internal wires  $\check{W}_i \parallel \check{W}_o \subseteq [w]$ , we define  $\check{M} := \check{I}_{c_o}(\check{O}, \check{W}_o)$ , and  $\check{I} := \check{I}_{c_i}(\check{M}, \check{W}_i)$ . For all the possible provided inputs  $\check{I}'$  an RPE (t, k)-normalization of  $\check{I}$  we define  $\check{M}' := \check{O}_{c_i}(\check{M}, \check{W}_i, \check{I}')$ , and  $\check{O}' := \check{O}_{c_o}(\check{O}, \check{W}_o, \check{M}')$ .

From item 2 of the ERPE of  $c_i$ ,  $\breve{M}'$  an RPE (t, k)-normalization of  $\breve{M}$ ; and from item 2 of ERPE of  $c_o$ ,  $\breve{O}'$  an RPE (t, k)-normalization of  $\breve{O}$ , which proves the first part of this point by definition.

Then for all  $\vec{x}, \vec{r'_i}, \vec{r'_o}$  we need to prove that

$$\vec{x}_{\check{I}'} \| \vec{c'}_{\text{wires}}(E.\vec{\text{Dec}}(\vec{x}), \vec{r'_i} \| \vec{r'_o})_{\breve{W}'_c(\breve{O},\breve{W})} \xrightarrow{\text{sim}} \vec{c}_{\text{all}}(\vec{x}, R_{c_i}.\vec{\text{Enc}}(\vec{r'_i}) \| R_{c_o}.\vec{\text{Enc}}(\vec{r'_i}))_{\breve{W}_o \| \breve{W}_i \| \breve{O}}$$

We first define  $(\mathbf{w}_i, \vec{\mathbf{v}}) := \vec{c}_{iall}(\vec{x}, R_{c_i} \cdot \mathbf{Enc}(\vec{r}'_i))$  and  $(\mathbf{w}_o, \vec{\mathbf{y}}) := \vec{c}_{oall}(\vec{\mathbf{v}}, R_{c_o} \cdot \mathbf{Enc}(\vec{r}'_o))$ . We also define the corresponding values in the virtual circuit  $\vec{x'} := E \cdot \mathbf{Dec}(\vec{x})$ ,  $(\vec{w}'_i, \vec{v'}) := \vec{c}'_{iall}(\vec{x'}, \vec{r}'_i)$ , and  $(\vec{w}'_o, \vec{y'}) := \vec{c}'_{oall}(\vec{v'}, \vec{r}'_o)$ .

Thanks to our definition of correctness,

$$\begin{aligned} \vec{v'} &= (\vec{c_i})_{\text{outs}}(\vec{x'}, \vec{r_i'}) \\ &= (\vec{c_i'})_{\text{outs}}(E.\text{Dec}(\vec{x}), R_{c_i}.\text{Dec}(R_{c_i}.\vec{\text{Enc}}(\vec{r_i'}))) \\ &= E.\text{Dec}((\vec{c_i})_{\text{outs}}(\vec{x}, R_{c_i}.\vec{\text{Enc}}(\vec{r_i'}))) \\ &= E.\vec{\text{Dec}}(\vec{\mathbf{v}}) \end{aligned}$$

Then what we need to prove is that

$$\vec{x}_{\check{I}'} \parallel (\vec{w'_i})_{\check{W'_{c_i}}(\check{M},\check{W_i})} \parallel (\vec{w'_o})_{\check{W'_{c_o}}(\check{O},\check{W_o})} \xrightarrow{\operatorname{sim}} \vec{\mathbf{y}}_{\check{O}'} \parallel (\vec{\mathbf{w_i}})_{\check{W_i}} \parallel (\vec{\mathbf{w_o}})_{\check{W_o}}$$

By the item 2 of the ERPE of  $c_i$  (as  $\check{M}'$  an RPE (t, k)-normalization of  $\check{M}$ ,  $\check{I}$  an RPE (t, k)-normalization of  $\check{I}$ ;  $\vec{w'_i}$  was calculated with input  $\vec{x'}$  and  $\vec{x'} = E.\vec{\text{Dec}}(\vec{x})$  by definition) that

$$\vec{x}_{\breve{I}'} \parallel (\vec{w'_i})_{\breve{W'_{c_i}}(\breve{M},\breve{W_i})} \stackrel{\mathrm{sim}}{\longrightarrow} \vec{\mathbf{v}}|_{\breve{M}'} \parallel (\vec{\mathbf{w_i}})_{W_i}$$

By the item 2 of the ERPE of  $c_o$  (as  $\breve{O}'$  an RPE (t, k)-normalization of  $\breve{O}$ ,  $\breve{M}'$  an RPE (t, k)-normalization of  $\breve{M}$ ;  $\vec{w'_o}$  was calculated with input  $\vec{v'}$  and  $\vec{v'} = E.Dec(\vec{v})$ )

$$\vec{\mathbf{v}}_{\breve{M}'} \parallel (\vec{w'_o})_{\breve{W'_{c_o}}(\breve{O},\breve{W_o})} \xrightarrow{\mathrm{sim}} \vec{\mathbf{y}}_{\breve{O}'} \parallel (\vec{\mathbf{w_o}})_{\breve{W_o}}$$

Combining those two we obtain that

$$\vec{x}_{\breve{I}'} \parallel (\vec{w}'_i)_{\breve{W}'_{c_i}(\breve{M},\breve{W}_i)} \parallel (\vec{w}'_o)_{\breve{W}'_{c_o}(\breve{O},\breve{W}_o)} \xrightarrow{\text{sim}} \vec{\mathbf{v}}_{\breve{M}'} \parallel (\vec{\mathbf{w}_i})_{\breve{W}_i} \parallel (\vec{w}'_o)_{\breve{W}'_{c_o}(\breve{O},\breve{W}_o)}$$
$$\xrightarrow{\text{sim}} \vec{\mathbf{y}}_{\breve{O}'} \parallel (\vec{\mathbf{w}_i})_{\breve{W}_i} \parallel (\vec{\mathbf{w}_o})_{\breve{W}_o}$$

**Lemma 33** (Link Between Dependencies). Given a circuit c' with n-shares encoding D', w the number of internal wires, and the compiled circuit c (with encoding  $D := E \circ D'$ , i inputs, o outputs) that is (t, e)-ERPE of c', given  $I_c, \breve{W}'_c, \breve{O}_c$  from the definition of ERPE, then for all  $\breve{W} \subseteq [w]$ 

$$\tilde{\operatorname{Dep}}_{\left[\vec{\mathbf{c}}_{wires} \circ D. \vec{\mathbf{Enc}}\right]}(\breve{W}) \subseteq \tilde{\operatorname{Dep}}_{\left[\vec{\mathbf{c}'}_{wires} \circ D'. \vec{\mathbf{Enc}}\right]}(\breve{W'_c}(\emptyset, \breve{W}))$$

*Proof.* We know from the item 2 of the ERPE with  $\check{O} := \emptyset$ , for all  $\check{I}$  an RPE (t, k)normalization of  $\check{I}_c(\emptyset, \check{W})$ , for all  $\vec{x} \in E.\tilde{\mathbf{Enc}}[\mathbb{S}_{in}^i]$  and for all  $\vec{r'} \in \mathrm{supp}[\mathbf{Rnds}_{c'}()]$ ,

$$\vec{x_{\check{I}}} \parallel \vec{c'}_{\text{wires}}(E.\vec{\text{Dec}}(\vec{x}), \vec{r'})_{\breve{W}'_{c}(\emptyset, \breve{W})} \xrightarrow{\text{sim}} \vec{c}_{\text{all}}(\vec{x}, R.\vec{\text{Enc}}(\vec{r'}))_{\breve{W} \parallel \breve{O}_{c}(\breve{1}, \breve{W}, \breve{I})}$$

This implies that  $\vec{x}_{\check{I}} \parallel \vec{c'}_{wires}(E.\vec{Dec}(\vec{x}), \vec{r'})_{\check{W}'_c(\emptyset, \check{W})} \xrightarrow{\text{sim}} \vec{c}_{wires}(\vec{x}, R.\vec{Enc}(\vec{r'}))_{\check{W}}$ We can choose  $\vec{r'} := \vec{Rnds}_{c'}()$  (and so  $R.\vec{Enc}(\vec{r'}) = \vec{Rnds}_c()$ ) and so  $\forall \vec{x} \in E.\vec{Enc}[\mathbb{S}^i_{in}]$ 

$$\vec{x}_{\check{I}} \parallel \vec{\mathbf{c'}}_{\mathbf{wires}}(E.\vec{\mathrm{Dec}}(\vec{x}))_{\check{W}'_c(\emptyset,\check{W})} \xrightarrow{\mathrm{sim}} \vec{\mathbf{c}}_{\mathbf{wires}}(\vec{x})_{\check{W}}$$

Then  $\forall \vec{y} \in \mathbb{S}_{in}^i$  We can choose  $\vec{\mathbf{x}} := E.\vec{\mathbf{Enc}}(\vec{y})$  (and so  $E.\vec{\mathrm{Dec}}(\vec{\mathbf{x}}) := \vec{y}$ ) and we obtain

$$E.\vec{\mathbf{Enc}}(\vec{y})_{\check{I}} \parallel \vec{\mathbf{c'}}_{\mathbf{wires}}(\vec{y})_{\check{W}'_c(\emptyset,\check{W})} \xrightarrow{\mathrm{sim}} \vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(\vec{y}))_{\check{W}}$$

As  $\check{I}$  an RPE (t,k)-normalization of  $\check{I}_c$  we have that  $\check{\mathrm{Dep}}_{[E.\mathbf{Enc}]}(\check{I}) = \emptyset$  i.e.  $[] \xrightarrow{\mathrm{sim}} E.\mathbf{Enc}(\vec{y})_{\check{I}}$ . So,  $\forall \vec{y} \in \mathbb{S}^i_{\mathrm{in}} \ \vec{\mathbf{c'}}_{\mathrm{wires}}(\vec{y})_{\check{W}'_c}(\emptyset,\check{W}) \xrightarrow{\mathrm{sim}} \vec{\mathbf{c}}_{\mathrm{wires}}(E.\mathbf{Enc}(\vec{y})))_{\check{W}}$ 

As the original circuit has encoding D', we can choose  $\vec{\mathbf{y}} := D' \cdot \vec{\mathbf{Enc}}(\vec{z})$ , then

$$\vec{\mathbf{c'}}_{\mathbf{wires}}(D'.\vec{\mathbf{Enc}}(\vec{z}))_{\breve{W}_c'(\emptyset,\breve{W})} \xrightarrow{\mathrm{sim}} \vec{\mathbf{c}}_{\mathbf{wires}}(E.\vec{\mathbf{Enc}}(D'.\vec{\mathbf{Enc}}(\vec{z})))_{\breve{W}}$$

This is equivalent to  $(\vec{\mathbf{c'}}_{wires} \circ D'. \vec{\mathbf{Enc}})_{\breve{W}'_c(\emptyset,\breve{W})} \xrightarrow{\text{sim}} (\vec{\mathbf{c}}_{wires} \circ D. \vec{\mathbf{Enc}})_{\breve{W}}$ 

As by definition the function  $(\vec{\mathbf{c'}_{wires}} \circ D'. \vec{\mathbf{Enc}})_{\vec{W'}}$  can be simulated using the inputs  $\tilde{\mathrm{Dep}}_{[\vec{\mathbf{c'}}_{wires} \circ D'. \vec{\mathbf{Enc}}]}(\vec{W'})$ , we obtain that the function  $(\vec{\mathbf{c}}_{wires} \circ D. \vec{\mathbf{Enc}})|_{\vec{W}}$  can be simulated using the inputs  $\tilde{\mathrm{Dep}}_{[\vec{\mathbf{c'}}_{wires} \circ D'. \vec{\mathbf{Enc}}]}(\vec{W'}_g(\emptyset, \vec{W}))$ . By definition,  $\tilde{\mathrm{Dep}}_{[\vec{\mathbf{c}}_{wires} \circ D. \vec{\mathbf{Enc}}]}$  is minimal, and so  $\tilde{\mathrm{Dep}}_{[\vec{\mathbf{c}}_{wires} \circ D. \vec{\mathbf{Enc}}]}(\vec{W}) \subseteq \tilde{\mathrm{Dep}}_{[\vec{\mathbf{c'}}_{wires} \circ D'. \vec{\mathbf{Enc}}]}(\vec{W'}_g(\emptyset, \vec{W}))$ 

**Lemma 34** (All outputs ERPE to RPR). Given a compiler (E, CC) such that for all circuits  $c' \in C_{\text{in}}$  the compiled circuit c := CC(c') is (t, e)-ERPE of c', then c is e-RPR.

*Proof.* Let's call D' the encoding of c' and  $D := E \circ D'$  the encoding of c, and  $W'_c$  from the definition of ERPE

To say that it's e-RPR is to say that given a circuit c, if c' is  $(e(p), \varepsilon)$ -RPS, then c is  $(p, \varepsilon)$ -RPS.

From the definition of the RPS of c',  $\Pr\left[\tilde{\text{Dep}}_{[\vec{c'}_{wires} \circ D' \cdot \vec{Enc}]}(\vec{Leak}_{c'}(e(p))) \neq \emptyset\right] \leq \varepsilon$ 

The item 1 of the ERPE says that  $\breve{W}'_c(\emptyset, \mathbf{Leak}_c(p)) \stackrel{d}{\leq} \mathbf{Leak}_{c'}(e(p))$  and as  $\breve{W} \mapsto \widetilde{\mathrm{Dep}}_{[\vec{\mathbf{c'}}_{wires} \circ D'. \mathbf{Enc}]}(\breve{W}) \neq \emptyset$  is monotone, we can apply the definition of  $\stackrel{d}{\leq}$  and the hypothesis, and obtain that  $\Pr\left[\widetilde{\mathrm{Dep}}_{[\vec{\mathbf{c'}}_{wires} \circ D'. \mathbf{Enc}]}(\breve{W}'_c(\emptyset, \mathbf{Leak}_c(p))) \neq \emptyset\right] \leq \varepsilon$ 

We know from Lemma 33 that for all  $\breve{W} \subseteq [w]$ 

$$\tilde{\operatorname{Dep}}_{\left[\vec{\mathbf{c}}_{wires} \circ D. \vec{\mathbf{Enc}}\right]}(\vec{W}) \subseteq \tilde{\operatorname{Dep}}_{\left[\vec{\mathbf{c}'}_{wires} \circ D'. \vec{\mathbf{Enc}}\right]}(\vec{W}_{c}'(\emptyset, \tilde{W}))$$

and so we obtain that  $\Pr\left[\check{\operatorname{Dep}}_{\left[\vec{c}_{wires} \circ D. \vec{Enc}\right]}(\check{\operatorname{Leak}}_{c}(p)) \neq \emptyset\right] \leq \varepsilon$ . I.e. c is  $(p, \varepsilon)$ -RPS.  $\Box$ 

**Theorem 2:** Given the gadgets  $\vec{G}$  correct for an *n*-shares encoding *E*, and such that for all gates  $g \in \mathcal{G}_{in}$  the gadget  $\vec{G}_g$  is (t, e)-ERPE of g, then the compiler  $(E, CC_{\vec{G}})$  is e-RPR.

Proof. We first show that for all circuits  $c \in C_{in}$ , the compiled circuit  $CC_{\vec{G}}(c)$  is (t, e)-ERPE of c. We can do this by induction. We know that for all gates g,  $\vec{G}_g$  is (t, e)-ERPE of g. Also, if c is the identity circuit  $CC_{\vec{G}}(c)$  is (t, e)-ERPE for Lemma 29, and same for the swap circuit and Lemma 30. The two induction steps are the composition in parallel and in series, and are proven respectively by Lemma 31 and Lemma 32. This means we can use Lemma 34 to show that the compiler  $(E, CC_{\vec{G}})$  is e-RPR.

### E Proofs For the Main Compiler

We'll present in this appendix the proofs necessary to analyze our main compiler.

#### E.1 Security from the RPE

**Proposition 1:** The (t, e)-RPE implies the (t, e)-wRPE which implies the (t, e)-ERPE.

*Proof.* The first implication is true as the RPE satisfies the conditions of the wRPE, while we can prove the second implication by constructing the wRPE from the ERPE by only limiting it. We write the definition of Definition 28 and we call G the implementation, we limit it to deterministic fully-leakable gate g, so  $\vec{r'} := [], R.Enc(\vec{r'}) := Rnds_G()$ , and  $\vec{g}_{wires}$  is the identity function. We then limit and rename  $\check{O}_G(\check{O},\check{W},\cdot) := \check{O}'(\check{O},\check{W})$ . We define  $\check{W}'_G(\check{O},\check{W}) := \check{F}(\check{O},\check{W})$  with  $\check{F}$  defined like in the RPE:

$$j \in \breve{F}(\breve{O},\breve{W}) \iff \left| \breve{I}_{\breve{G}}(\breve{O},\breve{W}) \cap \breve{s}(j) \right| > t$$

Then we have that if  $I_G(\check{O},\check{W})\cap\check{s}(j)\neq\check{I}\cap\check{s}(j)$  then  $j\in\check{F}(\check{O},\check{W})$  and  $|\check{I}\cap\check{s}(j)|=k$ . Thanks to the completion property implicit in the definition of 'E has strength k' we obtain the following simulation

$$\vec{x}_{\check{I}} \parallel E.\vec{\mathrm{Dec}}(\vec{x})_{\check{F}(\check{O},\check{W})} \xrightarrow{\mathrm{sim}} \vec{x}_{\check{I}_{\check{G}}(\check{O},\check{W})}$$

So we can use the right side as the basis for the simulation of item 2 instead of the left side, and so we can avoid the quantification over  $\check{I}$ . The result is the definition of (t, e)-wRPE, which makes it a sufficient condition for the (t, e)-ERPE.

**Proposition 2:** For the *n*-shares additive encoding, given a  $t \in [0, n-1] \cap \mathbb{N}$ , and any continuous monotone  $e : [0, 1] \rightarrow [0, 1]$ , we consider the gadget obtained by a parallel of at least t + 1 random gates and the remaining to reach *n* are constant-0 gates. This gadget is (t, e)-ERPE for the random gate.

*Proof.* First of all, let's call G the gadget, and  $\ell$  the number of randoms in G. G is correct for the random gate by using the  $\ell$ -shares additive encoding for the randoms. Then we rewrite Lemma 3 with i = 0,  $\check{I} := \emptyset$ ,  $\check{I}' := \emptyset$ ,  $\vec{x} := []$ , with o = 1,  $e(\cdot) = 0$  and then apply the definition of RPE (t, n - 1)-normalization, and we obtain that G is (t, 0)-ERPE of the random gate iff

- for all  $\check{O} \subseteq [n]$  with  $|\check{O}| \leq t$ , for all virtual randoms  $\vec{r'} \in \text{supp}[\mathbf{Rnds}_g()]$ , we have that  $[] \xrightarrow{\text{sim}} \vec{G}_{\text{wires}}([], R.\mathbf{Enc}(\vec{r'}))_{\check{O}}$
- and there is a  $j \in [n]$ , such that for all virtual randoms  $\vec{r'} \in \text{supp}[\mathbf{Rnds}_g()]$ , we have that  $[] \xrightarrow{\text{sim}} \vec{G}_{\text{wires}}([], R.\mathbf{Enc}(\vec{r'}))_{[o] \setminus \{j\}}$ .

In the first case we have  $|\check{O}| \leq t$ , so the adversary obtains at most t randoms. As the encoding of the randoms has strength  $\ell - 1 \geq (t + 1) - 1 \geq t$ , we have that  $\vec{G}_{\text{wires}}([], R.\tilde{\mathbf{Enc}}(\vec{r'}))|_{\check{O}}$  can be simulated with no virtual random.

For the second case, we can chose j := 1 and one of the randoms is not selected, and so due to the additive encoding having strength  $\ell - 1$ ,  $\vec{G}_{wires}([], R.Enc(\vec{r'}))|_{[o] \setminus \{1\}}$  can be simulated with no virtual random, as required.

#### E.2 Composition of Compiler Sequences

**Lemma 4:** Given a compiler sequence C and given two compilers I, O such that we can define  $C'_m := O \circ C_m \circ I$  then C' has all the size amplification order of C.

Proof. By definition of circuit complexity matrix,

$$M_{C'_m} = M_O \cdot M_{C_m} \cdot M_I$$

And by the properties of the matrix norm induced by the vector p-norms,

$$\|M_{C'_m}\|_1 \le \|M_O\|_1 \cdot \|M_{C_m}\|_1 \cdot \|M_I\|_1$$

Which means that given a generic  $\lambda$ , size amplification order of C

$$\|M_{C'_{m}}\|_{1} \leq \|M_{O}\|_{1} \cdot \|M_{C_{m}}\|_{1} \cdot \|M_{I}\|_{1} = \Theta(\|M_{C_{m}}\|_{1}) = \mathcal{O}(\lambda^{m})$$

which means that  $\lambda$  is also a size amplification order for C'

**Lemma 5:** Given a compiler sequence C and given a compiler I such that we can define  $C'_n := C_n \circ I$ ; if there is some l > 0 such that I is  $\mathcal{O}(x^l)$ -RPR then C' has all the tolerated leakage, security amplification order, size amplification order and expansion exponent of C.

*Proof.* Given a generic P tolerated leakage of C and relative security amplification order d, let's call f a function such that I is f-RPR and  $f(x) = \mathcal{O}(x^l)$ . This means that  $\log_2 f(x) = \Omega(\log_2 x)$ . By hypothesis there is a sequence of functions  $e_n$  such that  $C_n$  is  $e_n$ -RPR and  $\log_2 e_n(P) = \Omega(d^n)$ , and so  $\log_2 f(e_n(P)) = \Omega(\log_2 e_n(P)) = \Omega(\Omega(d^n)) = \Omega(d^n)$ . As  $C'_i$  is  $(f \circ e_i)$ -RPR by Lemma 2, then P is a tolerated leakage of C', and d is a relative security amplification order. By Lemma 4 also the size amplification order is preserved, and so is the expansion exponent.

**Lemma 6:** Given a compiler sequence I and a compiler sequence O (with respectively a tolerated leakage of  $P_i$ ,  $P_o$ ; a security amplification order of  $d_i$ ,  $d_o$  for the aforementioned tolerated leakage) then there is a k such that  ${}^5 C_n := O_k \circ I_n$  has a security amplification order of  $d_i$  relative to a tolerated leakage of  $P_o$ .

Proof. Let's define  $e^i$  the e from the definition of  $d_i$  and of  $P_i$ , then  $I_n$  is  $e_n^i$ -RPR and  $\log_2 e_n^i(P_i) = \Omega(d_i^n)$ . Let's also define  $e^o$  the e from the definition of  $d_o$  and of  $P_i$ , then  $O_n$  is  $e_n^o$ -RPR, and  $\log_2 e_n^o(P_o) = \Omega(d_o^n)$ . This means that there is a k such that  $e_k^o(P_o) \leq P_i$ , and for that k (as  $e_n^i$  is monotone) we have that  $\log_2 e_n^i(e_k^o(P_o)) \leq \log_2 e_n^i(P_i) = \Omega(d_i^n)$ , which proves the thesis as  $O_k \circ I_n$  is  $(e_n^i \circ e_k^o)$ -RPR per Lemma 2.

#### E.3 Proofs For the Classic Expansion

**Lemma 7:** Given a compiler sequence  $C_n := X^n$ , with diagonalizable circuit complexity matrices  $M_X$ , then the highest module of any eigenvalue of  $M_X$  is a size amplification order.

*Proof.* We will consider the circuit complexity matrix  $M_X$ , which is a square matrix with elements in  $\Re$ . If it's diagonalizable in  $\mathbb{C}$ , then there are the matrices P, J such that  $M_X = P^{-1} \cdot J \cdot P$ , where J is a diagonal matrix with the values  $\lambda_i$  which are the eigenvalues of  $M_X$ , and  $\lambda_1$  is the highest eigenvalue in module.

Additionally, from [HJ85] we know that

$$||M_{C_n}||_1 = ||M_X^n||_1 = ||P^{-1}J^nP||_1 \le ||P^{-1}||_1 ||J||_1^n ||P||_1$$

And that  $||J||_1 = \max_{j \in [n]} \sum_{i=1}^n |J_{i,j}| = \max_{j \in [n]} |\lambda_j| = |\lambda_1|$ Which means that  $||M_{C_n}||_1 = \mathcal{O}(|\lambda_1|^n)$ , and so  $|\lambda_1|$  is a size amplification order.  $\Box$ 

**Lemma 8:** Given a compiler sequence  $C_m := X^m$  such that X was obtained from Theorem 3, given a t such that the *i*-th gate in (addition, multiplication, copy, subtraction) has a t-RPE-tolerated leakage  $P_i$ , then  $P := \min P_i$  is a tolerated leakage for C.

*Proof.* From Theorem 3 we know that X is e-RPR with  $e(p) = \max_{i} e_i(p)$ , where  $e_i$  is taken from the definition of t-RPE-tolerated leakage, and is such that for all  $p \in (0, P_i]$ ,  $e_i(p) < p$ .

This also means that for all  $p \in (0, P]$ , e(p) < p.

<sup>&</sup>lt;sup>5</sup>In [BRTV21] they use the equivalent of  $C_n := O_n \circ I_k$  instead of  $C_n := O_k \circ I_n$ , due to what we believe to be an error in their Lemma 9, see footnote 2.

As by definition of RPR e is continuous, then for every  $\epsilon \in (0, P)$ , we can apply the extreme value theorem to  $p \mapsto e(p) - p$  with  $p \in [\epsilon, P]$  and because for all  $p \in (0, P]$  we have that e(p) - p < 0 by hypothesis, then we obtain that  $M := \max_{p \in [\epsilon, P]} e(p) - p < 0$ . This

means that for all  $p \in [\epsilon, P]$  we have that  $e(p) \leq M + p$ .

By applying this iteratively we obtain that  $e^m(p) \leq M \cdot m + p$  as long as  $e^{m-1}(p) \geq \epsilon$ . If instead  $e^{m-1}(p) < \epsilon$  then  $e^m(p) < e^{m-1}(p) < \epsilon$ . This means that for every  $\epsilon \in (0, P)$  eventually as  $m \to \infty$  we have that  $e^m(P) < \epsilon$ .

This by definition means that  $e^m(P) \to 0$  as  $m \to \infty$ . Additionally from Corollary 1 we have that the compiler  $C_m$  is  $e^m$ -RPR, this means by definition that P is a tolerated leakage.

**Lemma 9:** Given a compiler sequence  $C_n := X^n$  if d is a security amplification order for some tolerated leakage, then it's a security amplification order for any tolerated leakage.

*Proof.* This is an immediate consequence of Lemma 6: given a security amplification order d of C and a tolerated leakage P of C there is a k such that eventually as  $n \to \infty$ ,  $C_n = C_k \circ C_{n-k}$  and such that C has that security amplification order d relative to the tolerated leakage P.

**Lemma 10:** Given a compiler sequence  $C_m := X^m$  such that X was obtained from Theorem 3, given a t such that the *i*-th gate in (addition, multiplication, copy, subtraction) has a t-RPE-amplification order  $d_i$ , then  $d := \min_i d_i$  is a security amplification order for C for any tolerated leakage.

*Proof.* Thanks to Theorem 3, X is e-RPR with  $e(p) := \max e_i(p)$ , the  $e_i$  taken from the definition of t-RPE-amplification order. Then as  $e_i(p) = \Theta(p^{d_i}) = \mathcal{O}(p^d)$  we have that  $e(p) = \mathcal{O}(p^d)$ .

By definition of  $e(x) = \mathcal{O}(x^d)$  we know that there is a x' < 1 such that for all 0 < x < x'we have that  $e(x)/x^d$  is upper bounded by some constant c'. Then for  $c := \max\{c'^{1/d}, 1/x'\}$ we have that  $f(x) := \min(1, (cx)^d)$  is such that  $e(x) \leq f(x)$ . This is proven for x = 0as e(x) = 0 = f(x) as e is continuous, below x' as  $e(x) \leq c'x^d \leq (cx)^d$  and above x' as  $e(x) \leq 1 \leq (cx')^d \leq (cx)^d$ .

As  $e(x) \leq f(x)$ , we can use Lemma 24 and obtain that X is f-RPR. Thanks to Corollary 1 the compiler  $C_n$  is  $f^n$ -RPR.

We can split f and write it as f(x) = min(1, f'(x)) and  $f'(x) := (cx)^d$ . As f' maps a value  $\geq 1$  to one  $\geq 1$ , we have that  $f^n(x) = min(1, f'^n(x))$ .

We then have by induction that  $f'^n(x) = x^{d^n} \prod_{i=1}^n c^{d^i}$ . This because  $f'^0(x) := x$  and

$$f'(f'^{n}(x)) = (cx^{d^{n}} \prod_{i=1}^{n} c^{d^{i}}))^{d} = x^{d^{n}d}c^{d} \prod_{i=1}^{n} c^{d^{i}d} = x^{d^{n+1}} \prod_{i=1}^{n+1} c^{d^{i}d}$$

As  $\sum_{i=1}^{n} d^{i-n} = \sum_{i=0}^{n-1} d^{-i} \le \sum_{i=0}^{\infty} d^{-i} = 1/(1-1/d) = d/(d-1)$ , then

$$f'^{n}(x) = x^{d^{n}} \prod_{i=1}^{n} c^{d^{i}} = (c^{i-1} x)^{d^{n}} \le (c^{d/(d-1)}x)^{d^{n}}$$

This means  $C_n$  is  $e_n$ -RPR with  $e_n(x) := \min(1, c^{d/(d-1)}x)^{d^n}$  by Lemma 24. This means that for any  $P < c^{-d/(d-1)}$  we have that  $\log_2 e_n(P) = d^n \log_2(c^{d/(d-1)}P) \le 0$  which means that  $\log_2 e_n(P) = \Theta(d^n)$  which means P is a tolerated leakage and d is a security

amplification order for P. We can apply Lemma 9 and we obtain that d is a security amplification order for any tolerated leakage.

#### E.4 Gadgets Without Strength for Fully-leakable Deterministic Gates

**Lemma 11:** Given a gadget G (with w internal wires) for the fully-leakable deterministic gate g (with i inputs) that is correct for an n-shares encoding E with strength 0, then G is (0, e)-ERPE, with  $e(x) := \min\{1, (w \cdot x)^{1/i}\}$ .

*Proof.* To prove that we can prove that it's (0, e)-wRPE and use Proposition 1. As the encoding has strength 0, in the definition of wRPE we have that t, k := 0, and so  $\check{O}'(\cdot, \cdot) := \emptyset$  as  $\emptyset$  is the only RPE (0, 0)-normalization of anything. This makes the second point automatically true.

We can then chose  $I(\breve{W})$  to  $\emptyset$  if  $\breve{W} = \emptyset$  and  $[i \cdot n]$  otherwise. Those obviously satisfy the first point as the internal wires  $\breve{W} = \emptyset$  can be simulated with no input and no randoms, while all the others internal wires can always be simulated using all the inputs and randoms.

As per the third point, the previous assignment make  $\check{F}(\check{O},\check{W})$  equal to  $\emptyset$  if  $\check{W} = \emptyset$ and [i] otherwise, which means that we also satisfy the requirement that the distribution of  $\check{F}(\check{O}, \mathbf{Leak}_G(p))$  is the same for all  $\check{O}$ .

What we need to prove is that for every leakage probability vector  $p \in [0, 1]$ , the failure events must have the probability distribution  $\breve{F}(\emptyset, \mathbf{Leak}_G(p)) \stackrel{d}{\leq} \mathbf{Leak}_g(e(p))$ .

Events must have the probability distribution  $F(\emptyset, \operatorname{Leak}_G(p)) \leq \operatorname{Leak}_g(e(p))$ . Let's call  $\check{\mathbf{v}}(p)$  the probabilistic function that returns a random variable that is  $\emptyset$  with

probability  $(1-p)^w$  and is [i] with probability  $1-(1-p)^w$ . Then  $\check{F}(\emptyset, \mathbf{Leak}_G(p)) \stackrel{d}{=} \check{\mathbf{v}}(p)$ , so we need that for all monotone P and for all  $p \in [0, 1]$ 

$$\Pr[P(\breve{\mathbf{v}}(p))] \le \Pr\left| P(\check{\mathbf{Leak}}_g(e(p))) \right|$$

If we exclude the constant P (which obviously satisfy the inequality), then all monotone non-constant P have  $P(\emptyset) = false$ , P([i]) = true. We can then define the monotone non-constant predicate  $P'(\check{U}) := (\check{U} = [i])$ , and we obtain that for  $\check{U} \neq [i]$  we have that  $P'(\check{U}) = false \leq P(\check{U})$ . This means that

$$\Pr\left[P'(\check{\mathbf{Leak}}_g(e(p)))\right] \leq \Pr\left[P(\check{\mathbf{Leak}}_g(e(p)))\right]$$

And as  $\check{\mathbf{v}}(p)$  only has the values  $\emptyset$  and [i],  $\Pr[P(\check{\mathbf{v}}(p))] = \Pr[P'(\check{\mathbf{v}}(p))]$ . Those two together mean that we can prove the lemma by showing that for every  $p \in [0, 1]$ 

$$\Pr[P'(\check{\mathbf{v}}(p))] \le \Pr\left|P'(\check{\mathbf{Leak}}_g(e(p)))\right|$$

I.e.  $1 - (1-p)^w \le e(p)^i$ . If G has no wires (w = 0) then is  $0 \le e(p)^i = 0$ . Otherwise  $w \ge 1$ ,  $p \in [0,1]$  so we can use Bernulli's inequality, which that states that  $pw \ge 1 - (1-p)^w$ , which implies that  $1 - (1-p)^w \le \min\{1, pw\}$ . The thesis is proven as

$$\min\{1, wp\} = \min\{1^{i}, ((wp)^{1/i})^{i}\} = \min\{1, (wp)^{1/i}\}^{i} = e(p)^{i}$$

### References

[ADF16] Marcin Andrychowicz, Stefan Dziembowski, and Sebastian Faust. Circuit compilers with o(1/log(n)) leakage rate. Cryptology ePrint Archive, Paper 2016/173, 2016. https://eprint.iacr.org/2016/173.

- [AIS18] Prabhanjan Ananth, Yuval Ishai, and Amit Sahai. Private circuits: A modular approach. Cryptology ePrint Archive, Paper 2018/566, 2018. https://eprint. iacr.org/2018/566.
- [Ajt11] Miklós Ajtai. Secure computation with information leaking to an adversary. Electron. Colloquium Comput. Complex., TR11, 2011.
- [BBP<sup>+</sup>16] Sonia Belaïd, Fabrice Benhamouda, Alain Passelègue, Emmanuel Prouff, Adrian Thillard, and Damien Vergnaud. Randomness complexity of private circuits for multiplication. *IACR Cryptol. ePrint Arch.*, 2016:211, 2016.
- [BCP<sup>+</sup>20] Sonia Belaïd, Jean-Sébastien Coron, Emmanuel Prouff, Matthieu Rivain, and Abdul Rahman Taleb. Random probing security: Verification, composition, expansion and new constructions. Cryptology ePrint Archive, Paper 2020/786, 2020. https://eprint.iacr.org/2020/786.
- [BRT21] Sonia Belaïd, Matthieu Rivain, and Abdul Rahman Taleb. On the power of expansion: More efficient constructions in the random probing model. Cryptology ePrint Archive, Paper 2021/434, 2021. https://eprint.iacr. org/2021/434.
- [BRTV21] Sonia Belaïd, Matthieu Rivain, Abdul Rahman Taleb, and Damien Vergnaud. Dynamic random probing expansion with quasi linear asymptotic complexity. Cryptology ePrint Archive, Paper 2021/1455, 2021. https://eprint.iacr. org/2021/1455.
- [CJRR99] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks. In Annual International Cryptology Conference, 1999.
- [DDF14] Alexandre Duc, Stefan Dziembowski, and Sebastian Faust. Unifying leakage models: from probing attacks to noisy leakage. Cryptology ePrint Archive, Paper 2014/079, 2014. https://eprint.iacr.org/2014/079.
- [GJR18] Dahmun Goudarzi, Antoine Joux, and Matthieu Rivain. How to securely compute with noisy leakage in quasilinear complexity. In Thomas Peyrin and Steven Galbraith, editors, Advances in Cryptology – ASIACRYPT 2018, pages 547–574, Cham, 2018. Springer International Publishing.
- [GPRV22] Dahmun Goudarzi, Thomas Prest, Matthieu Rivain, and Damien Vergnaud. Probing security through input-output separation and revisited quasilinear masking. Cryptology ePrint Archive, Paper 2022/045, 2022. https://eprint. iacr.org/2022/045.
- [HJ85] Roger A. Horn and Charles R. Johnson. Norms for vectors and matrices, page 257–342. Cambridge University Press, 1985.
- [HU05] Dennis Hofheinz and Dominique Unruh. On the notion of statistical security in simulatability definitions. Cryptology ePrint Archive, Paper 2005/032, 2005. https://eprint.iacr.org/2005/032.
- [ISW03] Yuval Ishai, Amit Sahai, and David A. Wagner. Private circuits: Securing hardware against probing attacks. In *CRYPTO*, 2003.
- [KJJ99] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In Annual International Cryptology Conference, 1999.

- [Koc96] Paul C. Kocher. Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems. In Annual International Cryptology Conference, 1996.
- [MT10] Ueli Maurer and Stefano Tessaro. A hardcore lemma for computational indistinguishability: Security amplification for arbitrarily weak prgs with optimal stretch. In *Theory of Cryptography Conference*, 2010.
- [PGMP19] Thomas Prest, Dahmun Goudarzi, Ange Martinelli, and Alain Passelègue. Unifying leakage models on a rényi day. Cryptology ePrint Archive, Paper 2019/138, 2019. https://eprint.iacr.org/2019/138.
- [PR13a] Emmanuel Prouff and Matthieu Rivain. Masking against side-channel attacks: A formal security proof. In International Conference on the Theory and Application of Cryptographic Techniques, 2013.
- [PR13b] Emmanuel Prouff and Matthieu Rivain. Masking against side-channel attacks: A formal security proof. In Thomas Johansson and Phong Q. Nguyen, editors, Advances in Cryptology – EUROCRYPT 2013, pages 142–159, Berlin, Heidelberg, 2013. Springer Berlin Heidelberg.
- [QS01] Jean-Jacques Quisquater and David Samyde. Electromagnetic analysis (ema): Measures and counter-measures for smart cards. In *Research in Smart Cards*, 2001.
- [RP10] Matthieu Rivain and Emmanuel Prouff. Provably secure higher-order masking of aes. Cryptology ePrint Archive, Paper 2010/441, 2010. https://eprint. iacr.org/2010/441.