New Instantiations of the CRYPTO 2017 Masking Schemes

Karpman, Pierre; Roche, Daniel S.

doi:10.1007/978-3-030-03329-3_10

New Instantiations of the CRYPTO 2017 Masking Schemes

Pierre Karpman^14,15 &
Daniel S. Roche¹⁶

Conference paper
First Online: 27 October 2018

1623 Accesses
6 Citations

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11273))

Abstract

At CRYPTO 2017, Belaïd et al. presented two new private multiplication algorithms over finite fields, to be used in secure masking schemes. To date, these algorithms have the lowest known complexity in terms of bilinear multiplication and random masks respectively, both being linear in the number of shares $d+1$. Yet, a practical drawback of both algorithms is that their safe instantiation relies on finding matrices satisfying certain conditions. In their work, Belaïd et al. only address these up to $d=2$ and 3 for the first and second algorithm respectively, limiting so far the practical usefulness of their constructions.

In this paper, we use in turn an algebraic, heuristic, and experimental approach to find many more safe instances of Belaïd et al.’s algorithms. This results in explicit instantiations up to order $d = 6$ over large fields, and up to $d = 4$ over practically relevant fields such as $\mathbb {F}_{2^8}$.

You have full access to this open access chapter, Download conference paper PDF

1 Introduction

It has become a well-accepted fact that the black-box security of a cryptographic scheme and the security of one of its real-life implementations may be two quite different matters. In the latter case, numerous side-channels or fault injection techniques may be used to aid in the cryptanalysis of what could otherwise be a very sensible design (for instance a provably-secure mode of operation on top of a block cipher with no known dedicated attacks).

A successful line of side-channel attacks is based on the idea of differential power analysis (DPA), which was introduced by Kocher, Jaffe and Jun at CRYPTO’99 [KJJ99]. The practical importance of this threat immediately triggered an effort from cryptographers to find adequate protections. One of the notable resulting counter-measures is the masking approach from Chari et al. and Goubin and Patarin [CJRR99, GP99]. The central idea of this counter-measure is to add a “mask” to sensitive variables whose observation through a side-channel could otherwise leak secret information; such variables are for instance intermediate values in a block cipher computation that depend on a known plaintext and a round key. Masking schemes apply a secret-sharing technique to several masked instances of every sensitive variable: a legitimate user knowing all the shares can easily compute the original value, while an adversary is now forced to observe more than one value in order to learn anything secret. The utility of this overall approach is that it is experimentally the case that the work required to observe n values accurately through DPA increases exponentially with n.

The challenge in masking countermeasures is to find efficient ways to compute with shared masked data while maintaining the property that the observation of n intermediate values is necessary to learn a secret (for some parameter n). When computations are specified as arithmetic circuits over a finite field $\mathbb {F}_q$, this task reduces mostly to the specification of secure shared addition and multiplication in that field. A simple and commonly used secret sharing scheme used in masking is the linear mapping $x \mapsto \left( r_1,\ldots ,r_d,x + \sum _{i=1}^d r_i\right) $ which makes addition trivial; the problem then becomes how to multiply shared values. At CRYPTO 2003, Ishai, Sahai and Wagner introduced exactly such a shared multiplication over $\mathbb {F}_2$, proven secure in a d-probing model that they introduced [ISW03]. Their scheme requires $d(d+1)/2$ random field elements (i.e. bits) and $(d+1)^2$ field multiplications to protect against an adversary able to observe d intermediate values. This relatively high quadratic complexity in the order d of the scheme lead to an effort to decrease the theoretical and/or practical cost of masking.

At EUROCRYPT 2016, Belaïd et al. presented a masking scheme over $\mathbb {F}_2$ with randomness complexity decreased to $d + d^2/4$; implementations at low but practically relevant orders $d \le 4$ confirmed the gain offered by their new algorithm [BBP+16]. At CRYPTO 2017, the same authors presented two new private multiplication algorithms over arbitrary finite fields [BBP+17]. The first, Algorithm 4, decreases the number of bilinear multiplications to $2d+1$ at the cost of additional constant multiplications and increased randomness complexity; the second, Algorithm 5, decreases the randomness complexity to only d, at the cost of $d(d+1)$ constant multiplications. Furthermore, both algorithms are proven secure w.r.t. the strong, composable notions of d-(strong) non-interference from Barthe et al. [BBD+16]. Yet a practical drawback of these last two algorithms is that their safe instantiation depends on finding matrices satisfying a certain number of conditions. Namely, Algorithm 4 uses two (related) matrices in $\mathbb {F}_q ^{d\times d}$ for an instantiation at order $d+1$ over $\mathbb {F}_q$, while Algorithm 5 uses a single matrix in $\mathbb {F}_q ^{d+1 \times d}$ for the same setting. In their paper, Belaïd et al. only succeed in providing “safe matrices” for the small cases $d = 2$ and $d = 2,\,3$ for Algorithms 4 and 5 respectively, and in giving a non-constructive existence theorem for safe matrices when $q \ge {{\mathrm{O}}}(d)^{d+1}$ (resp. $q \ge {{\mathrm{O}}}(d)^{d+2}$).

1.1 Our Contribution

In this work, we focus on the problem of safely instantiating the two algorithms of Belaïd et al. from CRYPTO 2017. We first develop equivalent matrix conditions which are in some sense simpler and much more efficient to check computationally. We use this reformulation to develop useful preconditions based on MDS matrices that increase the likelihood that a given matrix is safe. We show how to generate matrices that satisfy our preconditions by construction, which then allows to give an explicit sufficient condition, as well as a construction of safe matrices for both schemes at order $d\le 3$. Our simplification of the conditions also naturally transforms into a testing algorithm, an efficient implementation of which is used to perform an extensive experimental search. We provide explicit matrices for safe instantiations in all of the following cases:

For $d=3$, fields $\mathbb {F}_{2^k}$ with $k\ge 3$
For $d=4$, fields $\mathbb {F}_{2^k}$ with $5\le k \le 16$
For $d=5$, fields $\mathbb {F}_{2^k}$ with $10 \le k \le 16$, and additionally $k = 9$ for Algorithm 5.
For $d=6$, fields $\mathbb {F}_{2^k}$ with $15 \le k \le 16$

These are the first known instantiations for $d\ge 4$ or for $d=3$ over $\mathbb {F}_{2^3}$. We also gather detailed statistics about the proportion of safe matrices in all of these cases.

1.2 Roadmap

We recall the two masking schemes of CRYPTO 2017 and the associated matrix conditions in Sect. 3. We give our simplifications of the latter in Sect. 4 and state our preconditions in Sect. 5. A formal analysis of the case of order up to 3 is given in Sect. 6, where explicit conditions and instantiations for these orders are also developed. We present our algorithms and discuss their implementations in Sect. 7, and conclude with experimental results in Sect. 8.

2 Preliminaries

2.1 Notation

We use $\mathbb {K} ^{m\times n}$ to denote the set of matrices with m rows and n columns over the field $\mathbb {K} $. We write $m = {{\mathrm{rowdim}}}A$ and $n={{\mathrm{coldim}}}{{\varvec{A}}}$. For any vector ${{\varvec{v}}}$, ${{\mathrm{wt}}}({{\varvec{v}}})$ denotes the Hamming weight of ${{\varvec{v}}}$, i.e., the number of non-zero entries.

We use ${{\mathbf {0}}}_{m\times n}$ (resp. ${{\mathbf {1}}}_{m\times n}$) to denote the all-zero (resp. all-one) matrix in $\mathbb {K} ^{m\times n}$ for any fixed $\mathbb {K} $ (which will always be clear from the context). Similarly, ${{\varvec{I}}}_d$ is the identity matrix of dimension d.

We generally use bold upper-case to denote matrices and bold lower-case to denote vectors. (The exception is some lower-case Greek letters for matrices that have been already defined in the literature, notably ${\varvec{\gamma }}$.) For a matrix ${{\varvec{M}}}$, ${{\varvec{M}}}_{i,j}$ is the coefficient at the ith row and jth column, with numbering (usually) starting from one. (Again, ${\varvec{\gamma }}$ will be an exception as its row numbering starts at 0.) Similarly, a matrix may be directly defined from its coefficients as $\left( {{\varvec{M}}}_{i,j}\right) $.

We use “hexadecimal notation” for binary field elements. This means that $a = \sum _{i=0}^{n-1}a_iX^i \in \mathbb {F}_{2^n} \cong \mathbb {F}_2[X]/\langle I(X)\rangle $ (where I(X) is a degree-n irreducible polynomial) is equated to the integer $\tilde{a} = \sum _{i=0}^{n-1}a_i2^i$, which is then written in base 16. The specific field representations we use throughout are:

Additional notation is introduced on first use.

2.2 MDS and Cauchy Matrices

An $[n,k,d]_\mathbb {K} $ linear code of length n, dimension k, minimum distance d over the field $\mathbb {K} $ is maximum-distance separable (MDS) if it reaches the Singleton bound, i.e. if $d = n - k + 1$. An MDS matrix is the redundancy part ${{\varvec{A}}}$ of a systematic generating matrix ${{\varvec{G}}} = \begin{pmatrix} {{\varvec{I}}}_k&{{\varvec{A}}}\end{pmatrix}$ of a (linear) MDS code of length double its dimension.

A useful characterization of MDS matrices of particular interest in our case is stated in the following theorem (see e.g. [MS06, Chap. 11, Theorem 8]):

Theorem 1

A matrix is MDS if and only if all its minors are non-zero, i.e. all its square sub-matrices are invertible.

Square Cauchy matrices satisfy the above condition by construction, and are thence MDS. A (non-necessarily square) matrix ${{\varvec{A}}} \in \mathbb {K} ^{n\times m}$ is a Cauchy matrix if ${{\varvec{A}}}_{i,j} = (x_i - y_j)^{-1}$, where $\{x_1,\ldots ,x_n,y_1,\ldots ,y_m\}$ are $n+m$ distinct elements of $\mathbb {K} $.

A Cauchy matrix ${{\varvec{A}}}$ may be extended to a matrix $\widetilde{{{\varvec{A}}}}$ by adding a row or a column of ones. It can be shown that all square submatrices of $\widetilde{{{\varvec{A}}}}$ are invertible, and thus themselves MDS [RS85]. By analogy and by a slight abuse of terminology, we will say of a square matrix ${{\varvec{A}}}$ that it is extended MDS (XMDS) if all square submatrices of ${{\varvec{A}}}$ extended by one row or column of ones are MDS. Further depending on the context, we may only require this property to hold for row (or column) extension to call a matrix XMDS.

A (possibly extended) Cauchy matrix ${{\varvec{A}}}$ may be generalized to a matrix ${{\varvec{A}}^{\varvec{'}}}$ by multiplying it with (non-zero) row and column scaling: one has ${{\varvec{A}}_{i,j}^{\varvec{'}}} = c_id_j\cdot (x_i - y_j)^{-1}$, $c_id_j \ne 0$. All square submatrices of generalized (extended) Cauchy matrices are MDS [RS85], but not necessarily XMDS, as one may already use the scaling to set any row or column of ${{\varvec{A}}^{\varvec{'}}}$ to an arbitrary value.

2.3 Security Notions for Masking Schemes

We recall the security notions under which the masking schemes studied in this paper were analysed. These are namely d-non-interference (d-NI) and d-strong non-interference (d-SNI), which were both introduced by Barthe et al. [BBD+16] as stronger and composable alternatives to the original d-probing model of Ishai et al. [ISW03].

Note that none of the notions presented below are explicitly used in this paper, and we only present them for the sake of completeness. Our exposition is strongly based on the one of Belaïd et al. [BBP+17].

Definition 2

(Gadgets). Let ${ f }: \mathbb {K}^n \rightarrow \mathbb {K}^m$, u, $v\,\in \mathbb {N}$; a (u, v)-gadget for the function ${ f }$ is a randomized circuit ${ C }$ such that for every tuple $({{\varvec{x}}}_1,\ldots ,{{\varvec{x}}}_n) \in (\mathbb {K}^u)^n$ and every set of random coins $\mathcal {R}$, satisfies:

$$ \left( \sum _{j=1}^v {{\varvec{y}}}_{1,j},\ldots ,\sum _{j=1}^v {{\varvec{y}}}_{m,j}\right) = { f }\left( \sum _{j=1}^u {{\varvec{x}}}_{1,j},\ldots ,\sum _{j=1}^u {{\varvec{x}}}_{m,j}\right) . $$

One further defines $x_i$ as $\sum _{j=1}^u{{\varvec{x}}}_{i,j}$, and similarly for $y_i$; ${{\varvec{x}}}_{i,j}$ is called the jth share of $x_i$.

In the above, the randomized circuit ${ C }$ has access to random-scalar gates that generate elements of $\mathbb {K}$ independently and uniformly at random, and the variable $\mathcal {R}$ records the generated values for a given execution. Furthermore, one calls probes any subset of the wires of ${ C }$ (or equivalently edges of its associated graph).

Definition 3

(t-Simulability). Let ${ C }$ be a (u, v)-gadget for ${ f }: \mathbb {K}^n \rightarrow \mathbb {K}^n$, and $\ell $, $t\,\in \mathbb {N}$. A set $\{p_1,\ldots ,p_\ell \}$ of probes of ${ C }$ is said to be t-simulable if $\exists \, I_1,\ldots ,I_n \subseteq \{1,\ldots ,u\};\,\#I_i \le t$ and a randomized function ${{\mathrm{\pi }}}: (\mathbb {K}^t)^n \rightarrow \mathbb {K}^\ell $ such that for any $({{\varvec{x}}}_1,\ldots ,{{\varvec{x}}}_n) \in (\mathbb {K}^u)^n$, $\{p_1,\ldots ,p_\ell \} \sim \{{{\mathrm{\pi }}}(\{x_{1,i},\,i\in I_1\},\ldots ,\{x_{n,i},\,i \in I_n\})\}$.

This notion of simulability leads to the following.

Definition 4

(d-Non-interference). A (u, v)-gadget ${ C }$ for a function over $\mathbb {K}^n$ is d-non-interfering (or d-NI) if and only if any set of at most d probes of ${ C }$ is t-simulable, $t \le d$.

Definition 5

(d-Strong non-interference). A (u, v)-gadget ${ C }$ for a function over $\mathbb {K}^n$ is d-strong non-interfering (or d-SNI) if and only if for every set $P_1$ of at most $d_1$ internal probes (that do not depend on “output wires” or output shares $y_{i,j}$’s) and every set $P_2$ of $d_2$ external probes (on output wires or shares) such that $d_1 +d_2 \le d$, then $P_1 \cup P_2$ is $d_1$-simulable.

It is clear that a d-SNI gadget is also d-NI. Barthe et al. also showed that the two notions were not equivalent, but that the composition of a d-NI and a d-SNI gadget was d-SNI [BBD+16].

3 The Masking Schemes of CRYPTO 2017

We recall here the main ideas of the two masking schemes of Belaïd et al. introduced at CRYPTO 2017 [BBP+17] and their associated matrix conditions; we refer to that paper for a full description of the gadgets and algorithms.

3.1 Pseudo-Linear Multiplication Complexity [BBP+17, Sect. 4]

This scheme is the composition of two gadgets, only the first of which is of interest to us. In order to build a d-SNI multiplication gadget with $d+1$ input and output shares, Belaïd et al. first give a d-NI gadget with $d+1$ input and $2d+1$ output shares, and then compress its output into $d+1$ shares using a d-SNI gadget from Carlet et al. [CPRR16].

To implement d-NI multiplication over a field $\mathbb {K}$, the first gadget needs a certain matrix ${\varvec{\gamma }} \in \mathbb {K}^{d\times d}$; in turn, this defines a related matrix ${{\varvec{\delta }}} \in \mathbb {K}^{d\times d}$ as ${{\varvec{\delta }}} = {{\mathbf {1}}}_{d\times d} - {{\varvec{\gamma }}}$. The multiplication algorithm is then derived from the equality:

$$\begin{aligned} a \cdot b&= \left( a_0 + \sum _{i=1}^d(r_i + a_i)\right) \cdot \left( b_0 + \sum _{i=1}^{d}(s_i + b_i)\right) \\&- \sum _{i=1}^dr_i\cdot \left( b_0+\sum _{j=1}^d({{\varvec{\delta }}}_{i,j}s_j + b_j)\right) - \sum _{i=1}^d s_i\cdot \left( a_0 + \sum _{j=1}^d({{\varvec{\gamma }}}_{i,j}r_j+a_j)\right) , \end{aligned}$$

where $a = \sum _{i=0}^d a_i$, $b = \sum _{i=0}^d b_i$ are the shared multiplicands, and the $r_i$s and $s_i$s are arbitrary (a priori random) values. This equality leads to defining the output shares of this first gadget as:

$c_0 \,{:=}\,\left( a_0 + \sum _{i=1}^d(r_i + a_i)\right) \cdot \left( b_0 + \sum _{i=1}^{d}(s_i + b_i)\right) $;
$c_i \,{:=}\,- r_i\cdot \left( b_0+\sum _{j=1}^d({{\varvec{\delta }}}_{i,j}s_j + b_j)\right) $, $1 \le i \le d$;
$c_{i+d} \,{:=}\,- s_i\cdot \left( a_0+\sum _{j=1}^d({{\varvec{\gamma }}}_{i,j}r_j + a_j)\right) $, $1 \le i \le d$.

By considering a proper scheduling of the operations needed to compute the above shares and the probes that this makes available to the adversary, Belaïd et al. show that a necessary and sufficient condition for their resulting scheme to be d-SNI is that ${{\varvec{\gamma }}}$ and ${{\varvec{\delta }}}$ both satisfy a certain condition, stated below.

Condition 4.1

([BBP+17]). Let ${{\varvec{\gamma }}} \in \mathbb {K}^{d\times d}$; $\ell = 2d^2+4d + 1$; ${{{\varvec{D}}}}_{{{\varvec{\gamma }}},j} \in \mathbb {K}^{d\times d}$ be the diagonal matrix whose non-zero entry at row i is equal to ${{\varvec{\gamma }}}_{j,i}$; ${{{\varvec{T}}}}_d \in \mathbb {K}^{d\times d}$ be the upper-triangular matrix whose non-zero entries are all one; and ${{{\varvec{T}}}}_{{{\varvec{\gamma }}},j} \in \mathbb {K}^{d\times d} = {{{\varvec{D}}}}_{{{\varvec{\gamma }}},j}{{{\varvec{T}}}}_d$. Equivalently:

One then defines ${{\varvec{L}}} \in \mathbb {K}^{(d+1)\times \ell }$ and ${\varvec{M}}_{{\varvec{\gamma }}} \in \mathbb {K}^{d\times \ell }$ as:

$$\begin{aligned} {{\varvec{L}}}= & {} \bigg ( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c@{\quad }c} \begin{array}{c@{\quad }c@{\quad }c@{\quad }c@{\quad }c} 1 &{} {{\mathbf {0}}}_{1\times d} &{} {{\mathbf {0}}}_{1\times d} &{} {{\mathbf {0}}}_{1\times d} &{} {{\mathbf {0}}}_{1\times d} \\ {{\mathbf {0}}}_{d\times 1}&{} {{{\varvec{I}}}}_d &{} {{\mathbf {0}}}_{d\times d} &{} {{{\varvec{I}}}}_d &{} {{{\varvec{I}}}}_d \end{array} &{} \cdots &{} \begin{array}{ccc} {{\mathbf {0}}}_{1\times d} &{} {{\mathbf {1}}}_{1\times d} &{} {{\mathbf {1}}}_{1\times d} \\ {{{\varvec{I}}}}_d &{} {{{\varvec{T}}}}_d &{} {{{\varvec{T}}}}_d \end{array} &{}\cdots &{} \begin{array}{c} {{\mathbf {1}}}_{1\times d}\\ {{{\varvec{T}}}}_d \end{array} \end{array} \bigg ), \\ {\varvec{M}}_{\varvec{\gamma }}= & {} (\begin{array}{c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c} {{\mathbf {0}}}_{d\times 1}&{{\mathbf {0}}}_{d\times d}&{{{\varvec{I}}}}_d&{{{\varvec{I}}}}_d&{{{\varvec{D}}}}_{\varvec{\gamma },1}&\cdots&{{{\varvec{D}}}}_{\varvec{\gamma },d}&{{{\varvec{T}}}}_d&{{{\varvec{T}}}}_{\varvec{\gamma },1}&\cdots&{{{\varvec{T}}}}_{\varvec{\gamma },d} \end{array} ). \end{aligned}$$

Finally, ${{\varvec{\gamma }}}$ is said to satisfy Condition 4.1 if for any vector ${{\varvec{v}}} \in \mathbb {K}^\ell $ of Hamming weight ${{\mathrm{wt}}}({{\varvec{v}}}) \le d$ such that ${{\varvec{L}}}{{\varvec{v}}}$ contains no zero coefficient (i.e. is of maximum Hamming weight $d+1$), then ${{\varvec{M}}}_{{\varvec{\gamma }}}{{\varvec{v}}}\ne {{\mathbf {0}}}_{d\times 1}$.

An equivalent, somewhat more convenient formulation of Condition 4.1 can be obtained by contraposition; ${{\varvec{\gamma }}}$ satisfies Condition 4.1 if:

$$\begin{aligned} {{\varvec{v}}} \in \ker ({{\varvec{M}}}_{{\varvec{\gamma }}}) \wedge {{\mathrm{wt}}}({{\varvec{v}}}) \le d \Rightarrow {{\mathrm{wt}}}({{\varvec{L}}}{{\varvec{v}}}) < d + 1. \end{aligned}$$

(1)

Whichever formulation is adopted, the logic behind this condition is that a violation of the implication means that there exists a linear combination of at most d probes that depends on all the input shares (as ${{\varvec{L}}}{{\varvec{v}}}$ is of full weight) and on no random mask (as ${{\varvec{M}}}_{{\varvec{\gamma }}}{{\varvec{v}}} = {{\mathbf {0}}}_{d\times 1}$). In that respect, ${{\varvec{L}}}$ and ${{\varvec{M}}}$ behave as “indicator matrices” for the shares and masks on which depend individual probes.

3.2 Linear Randomness Complexity [BBP+17, Sect. 5]

The second scheme that we consider is defined by a single d-NI multiplication gadget over $\mathbb {K}$ that has $(d+1)$ input and output shares. An instantiation depends on a matrix ${{\varvec{\gamma }}} \in \mathbb {K}^{(d+1)\times d}$ whose rows sum to zero, i.e., such that $\sum _{i=0}^{d} {{\varvec{\gamma }}}_i = {{\mathbf {0}}}_{1\times d}$.^{Footnote 1} This lets us defining the output shares as:

$c_i = a_0b_i + \sum _{j = 1}^d({{\varvec{\gamma }}}_{i,j}r_j + a_jb_i)$, $0 \le i \le d$,

where again $a = \sum _{i=0}^d a_i$, $b = \sum _{i=0}^d b_i$ are the shared multiplicands and the $r_i$s are arbitrary values.

Belaïd et al. show that a necessary and sufficient condition for their resulting gadget to be d-NI is that ${{\varvec{\gamma }}}$ satisfies a condition similar to Condition 4.1, stated below.

Condition 5.1

([BBP+17]). Let ${{\varvec{\gamma }}} \in \mathbb {K}^{(d+1)\times d}$ $\ell $, ${{{\varvec{D}}}}_{{{\varvec{\gamma }}},j}$, ${{{\varvec{T}}}}_d$, ${{{\varvec{T}}}}_{{{\varvec{\gamma }}},j}$ be as in Condition 4.1 and $\mathbb {K}(\omega _0,\ldots ,\omega _d)$ be the field of rational fractions over indeterminates $\omega _0,\ldots ,\omega _d$; define ${{\varvec{L}}^{\varvec{'}}} \in \mathbb {K}(\omega _0,\ldots ,\omega _d)^{(d+1)\times \ell }$ and ${{\varvec{M}}}'_{{\varvec{\gamma }}} \in \mathbb {K}^{d\times \ell }$ as:

$$\begin{aligned} \varvec{L'}= & {} \bigg ( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c@{\quad }c} \begin{array}{c@{\quad }c@{\quad }c@{\quad }c@{\quad }c} 1 &{}{{\mathbf {0}}}_{1\times d} &{} {{\mathbf {0}}}_{1\times d} &{} {{\mathbf {0}}}_{1\times d} &{} {{\mathbf {0}}}_{1\times d} \\ {{\mathbf {0}}}_{d\times 1}&{} {{{\varvec{I}}}}_d &{} {{\mathbf {0}}}_{d\times d} &{} \omega _0{{{\varvec{I}}}}_d &{} \omega _1{{{\varvec{I}}}}_d \end{array} &{} \cdots &{} \begin{array}{ccc} {{\mathbf {0}}}_{1\times d} &{}\omega _0{{\mathbf {1}}}_{1\times d} &{} \omega _1{{\mathbf {1}}}_{1\times d}\\ \omega _d{{{\varvec{I}}}}_d &{}\omega _0{{{\varvec{T}}}}_d &{} \omega _1{{{\varvec{T}}}}_d \end{array} &{}\cdots &{} \begin{array}{c} \omega _d{{\mathbf {1}}}_{1\times d} \\ \omega _d{{{\varvec{T}}}}_d\end{array} \end{array} \bigg ), \\ {{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}}= & {} (\begin{array}{c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c@{\quad }c} {{\mathbf {0}}}_{d\times 1}&{{\mathbf {0}}}_{d\times d}&{{{\varvec{I}}}}_d&{{{\varvec{D}}}}_{{\varvec{\gamma }},0}&{{{\varvec{D}}}}_{{\varvec{\gamma }},1}&\cdots&{{{\varvec{D}}}}_{{\varvec{\gamma }},d}&{{{\varvec{T}}}}_{{\varvec{\gamma }},0}&{{{\varvec{T}}}}_{{\varvec{\gamma }},1}&\cdots&{{{\varvec{T}}}}_{{\varvec{\gamma }},d} ). \end{array} \end{aligned}$$

Then ${{\varvec{\gamma }}}$ is said to satisfy Condition 5.1 if for any vector ${{\varvec{v}}} \in \mathbb {K}^\ell $ of Hamming weight ${{\mathrm{wt}}}({{\varvec{v}}}) \le d$ such that ${{\varvec{L}}^{\varvec{'}}}{{\varvec{v}}}$ contains no zero coefficient, then ${{\varvec{M}}_{{\varvec{\gamma }}}^{\varvec{'}}}{{\varvec{v}}}\ne {{\mathbf {0}}}_{d\times 1}$.

Note that as $\mathbb {K}$ is a subfield of $\mathbb {K}(\omega _0,\ldots ,\omega _d)$ (viz.the field of its constants), the product ${{\varvec{L}}^{\varvec{'}}}{{\varvec{v}}}$ is well-defined. Also, again by contraposition, Condition 5.1 can be expressed as:

$$\begin{aligned} {{\varvec{v}}} \in \ker ({{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}}) \wedge {{\mathrm{wt}}}({{\varvec{v}}}) \le d \Rightarrow {{\mathrm{wt}}}({{\varvec{L}}^{\varvec{'}}}{{\varvec{v}}}) < d + 1. \end{aligned}$$

(2)

4 Simplifying and Unifying the Conditions

In this section, we describe a few simplifications and consolidations of the correctness and safety for the two schemes described in the previous section. These simplifications are important for our analytical and algorithmic results, and the consolidations of the two schemes allow for ease in presentation.

Specifically, we develop three related conditions ${{\mathrm{\mathcal {C}}}}$, ${{\mathrm{\mathcal {C}}}}'$, and ${{\mathrm{\mathcal {C}}}}''$, on the matrices ${{\varvec{M}}}_{{\varvec{\gamma }}}$, ${{\varvec{L}}}_d$, ${{\varvec{M}}}'_{{\varvec{\gamma }}}$, and ${{\varvec{L}}}'_d$ defined in Conditions 4.1 and 5.1, such that the safety of the masking schemes is guaranteed when these conditions are true. We prove that the first condition ${{\mathrm{\mathcal {C}}}}$ and the third condition ${{\mathrm{\mathcal {C}}}}''$ are both exactly equivalent to the requirements of Conditions 4.1 and 5.1. The second condition ${{\mathrm{\mathcal {C}}}}'$ is always a sufficient condition as it implies the other two, and it is also necessary under a very mild condition on the cardinality of $\mathbb {K}$.

4.1 Unifying ${\varvec{M}}_{{\gamma }}$ and ${\varvec{M}}^{\prime }_{{\gamma }}$

Recall the definitions of matrices ${{\varvec{M}}}_{{\varvec{\gamma }}}$ from Condition 4.1 and ${{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}}$ from Condition 5.1. These are both $d\times \ell $ matrices (where $\ell = 2d^2+4d+1$) consisting of zeros, ones, and entries from ${{\varvec{\gamma }}}$. Moreover, ${{\varvec{M}}}_{{\varvec{\gamma }}}$ and ${{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}}$ are exactly the same except for in one submatrix of d columns: this submatrix is ${{\varvec{T}}}_d$ in ${{\varvec{M}}}_{{\varvec{\gamma }}}$ and ${{\varvec{T}}}_{{{\varvec{\gamma }}},0}$ in ${{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}}$.

We can unify these two matrices by considering, in the case of Condition 4.1, augmenting the ${{\varvec{\gamma }}}$ matrix with an additional row of 1’s at index 0. Then ${{\varvec{T}}}_d = {{\varvec{T}}}_{{{\varvec{\gamma }}},0}$ and we can consider only the second form of the matrix ${{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}}$.

Note that the corresponding matrices ${\varvec{L}}_{{\varvec{\gamma }}}$ and ${\varvec{L}}^{\varvec{'}}_{{\varvec{\gamma }}}$ from Conditions 4.1 and 5.1 respectively are still not identical, but the locations of non-zero entries (i.e., the support) in ${\varvec{L}}_{{\varvec{\gamma }}}$ and ${\varvec{L}}^{\varvec{'}} _{{\varvec{\gamma }}}$ are the same.

Now for both schemes, there is a single matrix ${{\varvec{\gamma }}}\in \mathbb {K}^{(d+1)\times d}$ which determines their correctness (do the output shares always correspond to the multiplication of the input value) and safety (is it possible for an attacker to learn any secret with at most d probes).

To succinctly state the unified condition, we first define a simple predicate ${{\mathrm{\mathcal {Z}}}}$ for when a matrix ${{\varvec{X}}}\in \mathbb {K} ^{m\times n}$ (or column vector ${{\varvec{x}}}\in \mathbb {K} ^m$) has at least one row of zeros:

$$ {{\mathrm{\mathcal {Z}}}}({{\varvec{X}}}) := \exists \,i \in \{1,\ldots ,m\} \text { s.t. } \forall \,j \in \{1,\ldots ,n\}, {{\varvec{X}}}_{i,j} = 0. $$

Based on the above discussion, we define the following crucial predicate for the safety definition for two arbitrary matrices ${{\varvec{A}}}$ and ${{\varvec{B}}}$ with the same number of columns:

$$\begin{aligned} {{\mathrm{\mathcal {C}}}}({{\varvec{A}}},{{\varvec{B}}}) := \forall \, {{\varvec{v}}} \in \ker ({{\varvec{A}}}) \text { s.t. } {{\mathrm{wt}}}({{\varvec{v}}}) \le {{\mathrm{rowdim}}}({{\varvec{A}}}),\text { then } {{\mathrm{\mathcal {Z}}}}({{\varvec{B}}}{{\varvec{v}}}). \end{aligned}$$

(3)

Typically we will have ${{\varvec{A}}}={{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{B}}}$ is either ${{\varvec{L}}}$ or ${{\varvec{L}}^{\varvec{'}}}$.

Now we can restate the correctness and safety conditions for the two schemes. The following propositions follow directly from the definitions and discussions so far.

Proposition 6

For ${{\varvec{\gamma }}}\in \mathbb {K}^{(d+1)\times d}$, the scheme of Sect. 3.1 is correct and safe if and only if the following conditions are met, where $ {{\varvec{\delta }}} = \begin{pmatrix}{\mathbf {2}}_{1\times d}\\ {{\mathbf {1}}}_{d\times d}\end{pmatrix} - {{\varvec{\gamma }}}$:^{Footnote 2}

(1)
${{\varvec{\gamma }}}_{0,j} = 1\text { for all }j \in \{1,\ldots ,d\}$
(2)
${{\mathrm{\mathcal {C}}}}({{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}},{{\varvec{L}}})$
(3)
${{\mathrm{\mathcal {C}}}}({{\varvec{M}}}_{\varvec{\delta }}^{\varvec{'}},{{\varvec{L}}})$

Proposition 7

For ${{\varvec{\gamma }}}\in \mathbb {K}^{(d+1)\times d}$, the scheme of Sect. 3.2 is correct and safe if and only if the following conditions are met:

(1)
$\sum _{i=0}^{d} {{\varvec{\gamma }}}_{i} = {\mathbf {0}}_{1\times d}$
(2)
${{\mathrm{\mathcal {C}}}}({{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}},{{\varvec{L}}^{\varvec{'}}})$

4.2 Equivalent Condition With Kernel Bases

Next we develop a condition similar to the definition of ${{\mathrm{\mathcal {C}}}}({{\varvec{A}}},{{\varvec{B}}})$ as defined in (3) above, but in terms of kernel bases rather than individual vectors. This modified condition is equivalent under a mild requirement on the size of the field $\mathbb {K} $.

The general idea is that rather than considering all matrix-vector products ${{\varvec{B}}}{{\varvec{v}}}$, where ${{\varvec{v}}}$ is a d-sparse vector in the right kernel of ${{\varvec{A}}}$, we consider instead the kernel basis for a size-d subset of ${{\varvec{A}}}$’s columns, and multiply the corresponding columns in ${{\varvec{B}}}$ times this basis. Specifying this condition requires some additional notation which will also be useful later on.

Let ${{\mathrm{kerb}}}({{\varvec{X}}})$ denote a basis of the right kernel of ${{\varvec{X}}}$. That is, any vector ${{\varvec{v}}}\in \ker ({{\varvec{X}}})$ is a linear combination of the columns of ${{\mathrm{kerb}}}({{\varvec{X}}})$.

Let $[c_1,\ldots ,c_k]$ be a list of k distinct column indices, where each $1\le c_i \le \ell $. Selecting only these columns from any matrix with $\ell $ columns is a linear operator corresponding to a selection matrix ${{\varvec{P}}}\in \{0,1\}^{\ell \times k}$, where ${{\varvec{P}}}_{i,j}=1$ iff $c_j=i$. Define $ S ^\ell _m$ as the set of all $\ell \times m$ selection matrices. That is, $ S ^\ell _m$ consists of all $\{0,1\}$-matrices with $\ell $ rows and at most m columns, where there is a single 1 in each column and no two 1s in the same row.

Note that the product of a selection matrix and its transpose is an identity matrix with some rows and columns set to zero. For any matrix (or vector) ${{\varvec{X}}}\in \mathbb {K} ^{m\times n}$ with at most k non-zero rows, there is a selection matrix ${{\varvec{P}}}\in S ^{k}_m$ such that ${{\varvec{P}}}{{\varvec{P}}}^T{{\varvec{X}}} = {{\varvec{X}}}$.

The equivalent condition to (3) that we consider now is formed by multiplying some subset of ${{\varvec{B}}}$’s columns times a kernel basis of the same subset of ${{\varvec{A}}}$’s columns:

$$\begin{aligned} {{\mathrm{\mathcal {C}}}}'({{\varvec{A}}},{{\varvec{B}}})\ := \ \forall \, {{\varvec{P}}} \in S ^\ell _{{{\mathrm{rowdim}}}({{\varvec{A}}})},\ {{\mathrm{\mathcal {Z}}}}\mathopen {}\left( {{\varvec{B}}}{{\varvec{P}}}\cdot {{\mathrm{kerb}}}\mathopen {}\left( {{\varvec{A}}}{{\varvec{P}}}\right) \mathclose {} \right) \mathclose {}. \end{aligned}$$

(4)

One direction of the equivalence is straightforward, and the other depends on the Schwartz-Zippel lemma and therefore on the size of the field. Even so, the field size requirement here is very mild; indeed the field is sufficiently large in all cases where we are aware of any valid constructions of the schemes.

Theorem 8

For any ${{\varvec{A}}}\in \mathbb {K} ^{n\times \ell }$ and ${{\varvec{B}}}\in \mathbb {K} ^{m\times \ell }$, we have ${{\mathrm{\mathcal {C}}}}'({{\varvec{A}}},{{\varvec{B}}})\Rightarrow {{\mathrm{\mathcal {C}}}}({{\varvec{A}}},{{\varvec{B}}})$. If $\mathbb {K} $ has at least $m+1$ distinct elements, then ${{\mathrm{\mathcal {C}}}}'({{\varvec{A}}},{{\varvec{B}}})\Leftarrow {{\mathrm{\mathcal {C}}}}({{\varvec{A}}},{{\varvec{B}}})$ also.

Proof

We begin with the “$\Rightarrow $” direction.

Let ${{\varvec{v}}}$ be a vector satisfying the conditions of ${{\mathrm{\mathcal {C}}}}({{\varvec{A}}},{{\varvec{B}}})$; that is, ${{\varvec{v}}}\in \ker {{\varvec{A}}}$ and ${{\mathrm{wt}}}({{\varvec{v}}})\le {{\mathrm{rowdim}}}({{\varvec{A}}})$. The latter fact means that there exists ${{\varvec{P}}}\in S ^\ell _{{{\mathrm{rowdim}}}({{\varvec{A}}})}$ such that ${{\varvec{P}}}{{\varvec{P}}}^T{{\varvec{v}}}={{\varvec{v}}}$.

Because ${{\varvec{A}}}{{\varvec{v}}}={{\mathbf {0}}}$, we then have $({{\varvec{A}}}{{\varvec{P}}})({{\varvec{P}}}^T{\varvec{v}})={{\mathbf {0}}}$, which means that the vector ${{\varvec{P}}}^T{{\varvec{v}}}$ is a linear combination of the columns of ${{\mathrm{kerb}}}({{\varvec{A}}}{{\varvec{P}}})$.

The condition ${{\mathrm{\mathcal {C}}}}({{\varvec{A}}},{{\varvec{B}}})$ concerns the matrix-vector product ${{\varvec{B}}}{{\varvec{v}}}$, which equals ${{\varvec{B}}}{{\varvec{P}}}{{\varvec{P}}}^T{{\varvec{v}}}$. From above, we know that this is a linear combination of the columns in the matrix ${{\varvec{B}}}{{\varvec{P}}}\cdot {{\mathrm{kerb}}}({{\varvec{A}}}{{\varvec{P}}})$. By the assumption that ${{\mathrm{\mathcal {C}}}}'({{\varvec{A}}},{{\varvec{B}}})$, this matrix contains a zero row, and therefore any linear combination of its columns also contains a zero row; hence ${{\mathrm{\mathcal {Z}}}}({{\varvec{B}}}{{\varvec{v}}})$.

For the “$\Leftarrow $” direction, we prove using the contrapositive. Assume there exists some selection of columns ${{\varvec{P}}}\in S ^\ell _n$ such that $\lnot {{\mathrm{\mathcal {Z}}}}({{\varvec{B}}}{{\varvec{P}}}\cdot {{\mathrm{kerb}}}({{\varvec{A}}}{{\varvec{P}}}))$. We need to show that $\lnot {{\mathrm{\mathcal {C}}}}({{\varvec{A}}},{{\varvec{B}}})$.

Suppose the column dimension of ${{\mathrm{kerb}}}({{\varvec{A}}}{{\varvec{P}}})$ (i.e., the nullity of ${{\varvec{A}}}{{\varvec{P}}}$) is k, and let ${{\varvec{x}}}$ be a column vector of k indeterminates $x_1,\ldots ,x_k$. Now consider the matrix-vector product ${{\varvec{B}}}{{\varvec{P}}}\cdot {{\mathrm{kerb}}}({{\varvec{A}}}{{\varvec{P}}})\cdot {{\varvec{x}}}$. This is a column vector of dimension m consisting of degree-1 polynomials in the k indeterminates. Furthermore, none of these polynomials is zero because of the assumption $\lnot {{\mathrm{\mathcal {Z}}}}({{\varvec{B}}}{{\varvec{P}}}\cdot {{\mathrm{kerb}}}({{\varvec{A}}}{{\varvec{P}}}))$.

The product of the m polynomials in ${{\varvec{B}}}{{\varvec{P}}}\cdot {{\mathrm{kerb}}}({{\varvec{A}}}{{\varvec{P}}})\cdot {{\varvec{x}}}$ is a single non-zero polynomial in k variables with total degree m. By the Schwartz-Zippel-DeMillo-Lipton lemma [Sch80, Corollary 1], and because $\#\mathbb {K} > m$, there must exist some assignment of the k variables to values in $\mathbb {K} $ such that this product polynomial is non-zero. That is, there exists some column vector ${{\varvec{w}}}\in \mathbb {K} ^k$ such that $ {{\mathrm{wt}}}({{\varvec{B}}}{{\varvec{P}}}\cdot {{\mathrm{kerb}}}({{\varvec{A}}}{{\varvec{P}}})\cdot {{\varvec{w}}}) = m. $

Because ${{\mathrm{kerb}}}({{\varvec{A}}}{{\varvec{P}}})\cdot {{\varvec{w}}}\in \mathbb {K} ^n$, there is an n-sparse vector ${{\varvec{v}}}\in \mathbb {K} ^\ell $ such that ${{\varvec{P}}}^T{{\varvec{v}}}={{\mathrm{kerb}}}({{\varvec{A}}}{{\varvec{P}}})\cdot {{\varvec{w}}}$. This vector ${{\varvec{v}}}$ shows that ${{\mathrm{\mathcal {C}}}}({{\varvec{A}}},{{\varvec{B}}})$ is false. Namely, ${{\varvec{v}}} \in \ker ({{\varvec{A}}})$ because ${{\varvec{A}}}{{\varvec{v}}}=({{\varvec{A}}}{{\varvec{P}}})({{\varvec{P}}}^T{{\varvec{v}}})={{\mathbf {0}}}$; it has low weight ${{\mathrm{wt}}}({{\varvec{v}}}) \le n$; and ${{\varvec{B}}}{{\varvec{v}}}=({{\varvec{B}}}{{\varvec{P}}})({{\varvec{P}}}^T{{\varvec{v}}})$ is of full weight m from the previous paragraph. $\square $

4.3 Eliminating Rows and Columns

The third simplification to the correctness and safety conditions of the two masking schemes that we develop is an equivalent condition to ${{\mathrm{\mathcal {C}}}}({{\varvec{A}}},{{\varvec{B}}})$ that depends on less than half of the columns in the original matrices. The intuition is that most of the columns of these matrices have weight 1, and thus those probes in the masking scheme do not gain the attacker any real advantage. So we can focus on only the parts of ${{\varvec{A}}}$ and ${{\varvec{B}}}$ whose columns have weight greater than 1. We first develop some new terminology to talk about these submatrices, then prove a lemma which shows how to eliminate columns from ${{\varvec{\gamma }}}$ corresponding to the weight-one probes, and finally state and prove the equivalent condition ${{\mathrm{\mathcal {C}}}}''$.

So far the schemes are both defined by a matrix ${{\varvec{\gamma }}}$ with $d+1$ rows and d columns. In fact, the definitions of matrices ${{\varvec{M}}}_{{\varvec{\gamma }}}$, ${{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}}$, ${{\varvec{L}}}$, and ${{\varvec{L}}^{\varvec{'}}}$ from Conditions 4.1 and 5.1 generalize to any rectangular matrix ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times n}$. If ${{\varvec{\gamma }}}$ has $d+1$ rows and n columns, then ${{\varvec{M}}}_{{\varvec{\gamma }}}$ and ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ both have n rows, while ${{\varvec{L}}}_n$ and ${{\varvec{L}}}'_n$ have $n+1$ rows, and all four matrices have $\ell _n=2dn+4n+1$ columns.

We focus on the bottom-right $n\times (dn+n)$ submatrix of each ${{\varvec{M}}}'_{{\varvec{\gamma }}}$, ${{\varvec{L}}}_n$ and ${{\varvec{L}}}'_n$, which we call the “triangular part” of each. Formally, we define a linear operator $\varvec{\varDelta }$ such that, for any matrix ${{\varvec{A}}}$ with n or $n+1$ rows and $2dn+4n+1$ columns, $\varvec{\varDelta }({{\varvec{A}}})$ consists of the bottom-right $n\times (dn+n)$ submatrix of ${{\varvec{A}}}$.

In summary, we have:

Notice that the matrices ${{\varvec{L}}}_n$ and ${{\varvec{L}}}'_n$ have some different entries but the same support; for convenience we denote by ${{\varvec{N}}}_n$ any matrix with this same dimension and support.

Inspecting the definition of ${{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}}$, we see that rows of this matrix correspond to columns of ${{\varvec{\gamma }}}$, and removing one column of ${{\varvec{\gamma }}}$ corresponds to removing a single row and $2d+4$ columns from each of ${{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}}$ and ${{\varvec{N}}}$.

Notice also that the columns of ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and of ${{\varvec{L}}}_n$ which are not in the triangular parts all have weight at most one. This means, as we show in the following technical lemma, that the effect of any such column choice (as a probe) can be eliminated by removing one row each from ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{L}}}_n$. In terms of masking schemes, this means that a single probe corresponding to these non-triangular parts allows the adversary to cancel at most one random value and to learn at most one share. Because the number of shares is $d+1$ in a scheme allowing d probes, this results in no advantage for the adversary.

Lemma 9

Let ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times n}$, ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{N}}}_n$ be as above. Suppose ${{\varvec{u}}}\in \mathbb {K} ^{\ell _n}$ is a vector with ${{\mathrm{wt}}}({{\varvec{u}}})=1$ whose single non-zero entry is between index 2 and $dn+3n+1$ inclusive, and ${{\varvec{v}}}\in \mathbb {K} ^{\ell _n}$ is any other vector. Then there exists a selection matrix ${{\varvec{P}}}\in S ^n_{n-1}$ and another vector ${{\varvec{w}}}\in \mathbb {K} ^{\ell _{n-1}}$ with ${{\mathrm{wt}}}({{\varvec{w}}})\le {{\mathrm{wt}}}({{\varvec{v}}})$ such that

$$ {{\mathrm{wt}}}({{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}}{{\varvec{w}}}) \le {{\mathrm{wt}}}({{\varvec{M}}}'_{{{\varvec{\gamma }}}}({{\varvec{u}}}+{{\varvec{v}}})) \quad \text {and}\quad {{\mathrm{wt}}}({{\varvec{N}}}_{n-1}{{\varvec{w}}}) \ge {{\mathrm{wt}}}({{\varvec{N}}}_n({{\varvec{u}}}+{{\varvec{v}}})) - 1. $$

Proof

Write i for the index of the non-zero entry in ${{\varvec{u}}}$. We can see that the ith column of ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{N}}}_n$ both have weight at most one. Indeed, for each $i\in \{2,\ldots ,dn+3n+1\}$, there is a corresponding index $j\in \{1,\ldots ,n\}$ such that the ith columns of ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{N}}}_n$ are zero everywhere except possibly in row j (provided that we continue to index the rows of ${{\varvec{N}}}_n$ starting at 0).

Removing the jth row from ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{N}}}_n$ results in two new matrices ${{\varvec{A}}},{{\varvec{B}}}$ (respectively) whose ith columns are both zero, and hence ${{\varvec{A}}}{{\varvec{u}}}={{\mathbf {0}}}$ and ${{\varvec{B}}}{{\varvec{u}}}={{\mathbf {0}}}$. This means that

$$\begin{aligned} {{\mathrm{wt}}}({{\varvec{A}}}{{\varvec{v}}})&= {{\mathrm{wt}}}({{\varvec{A}}}({{\varvec{u}}}+{{\varvec{v}}})) \le {{\mathrm{wt}}}({{\varvec{M}}}'_{{\varvec{\gamma }}}({{\varvec{u}}}+{{\varvec{v}}})) \\ {{\mathrm{wt}}}({{\varvec{B}}}{{\varvec{v}}})&= {{\mathrm{wt}}}({{\varvec{B}}}({{\varvec{u}}}+{{\varvec{v}}})) \ge {{\mathrm{wt}}}({{\varvec{N}}}_n({{\varvec{u}}}+{{\varvec{v}}})) - 1. \end{aligned}$$

Write ${{\varvec{P}}}\in S ^n_{n-1}$ as the matrix which selects all n columns of ${{\varvec{\gamma }}}$ except for the jth column. Now ${{\varvec{A}}}$ and ${{\varvec{B}}}$ are the same as ${{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}}$ and ${{\varvec{N}}}_{n-1}$ respectively, except that they each have $2d+4$ extra columns. The remaining task is to modify ${{\varvec{v}}}$ so that it is zero at all the indices corresponding to these extra columns, without changing ${{\mathrm{wt}}}({{\varvec{A}}}{{\varvec{v}}})$ or ${{\mathrm{wt}}}({{\varvec{B}}}{{\varvec{v}}})$.

We can see that $d+3$ of these extra columns come from the first $dn+3n+1$ columns of ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{N}}}_n$ and, since the jth row has been removed, they are in fact now zero columns. So letting ${{\varvec{v}}}'$ be the same as ${{\varvec{v}}}$ with any such entries set to zero, we do not change the products ${{\varvec{A}}}{{\varvec{v}}}'$ or ${{\varvec{B}}}{{\varvec{v}}}'$ at all.

The $d+1$ remaining extra columns come from the triangular parts $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}})$ and $\varvec{\varDelta }({{\varvec{N}}}_n)$. There are now two cases to consider. First, if $j=1$, i.e., we have removed the second row of ${{\varvec{N}}}_n$ and the first row of ${{\varvec{M}}}'_{{\varvec{\gamma }}}$. Then these extra columns from the triangular part of ${{\varvec{A}}}$ are all zero columns, and from ${{\varvec{B}}}$ they have the form $(a\ 0\ \cdots \ 0)^T$ for some non-zero entry a in the first row of ${{\varvec{N}}}_n$. Upon inspection, we see that these columns are exactly a times the very first columns of ${{\varvec{A}}}$ and ${{\varvec{B}}}$ respectively. Therefore we can modify the vector ${{\varvec{v}}}'$ to a new vector ${{\varvec{v}}}''$, where any non-zero entries in such positions are divided by a and added to the first entry, then set to zero. This does not change the value of ${{\varvec{A}}}{{\varvec{v}}}''$ or ${{\varvec{B}}}{{\varvec{v}}}''$.

The second case is that $j\ge 2$, i.e., we have removed a later row. Then the extra columns in ${{\varvec{A}}}$ and ${{\varvec{B}}}$ are exactly identical to the columns immediately to their left in the respective matrices. So we can form ${{\varvec{v}}}''$ in this case by adding any non-zero entry of ${{\varvec{v}}}'$ in such positions to the adjacent position and then setting it to zero, without changing ${{\varvec{A}}}{{\varvec{v}}}''$ or ${{\varvec{B}}}{{\varvec{v}}}''$.

After this, we have a vector ${{\varvec{v}}}''$ with ${{\mathrm{wt}}}({{\varvec{v}}}'') \le {{\mathrm{wt}}}({{\varvec{v}}})$, and with zeros in all of the “extra column” indices of ${{\varvec{A}}}$ and ${{\varvec{B}}}$, such that ${{\mathrm{wt}}}({{\varvec{A}}}{{\varvec{v}}}'') \le {{\mathrm{wt}}}({{\varvec{M}}}'_{{\varvec{\gamma }}}({{\varvec{u}}}+{{\varvec{v}}}))$ and ${{\mathrm{wt}}}({{\varvec{B}}}{{\varvec{v}}}'') \ge {{\mathrm{wt}}}({{\varvec{N}}}_n({{\varvec{u}}}+{{\varvec{v}}}))-1$. Finally, setting ${{\varvec{w}}}$ to be the sub-vector of ${{\varvec{v}}}''$ with these extra column entries removed completes the proof. $\square $

Repeated application of the previous lemma allows us to completely eliminate all of the columns in ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{N}}}_n$ other than the triangular parts, at the cost of having to consider all possible column-subsets of ${{\varvec{\gamma }}}$ itself. This leads to the following condition:

$$\begin{aligned} {{\mathrm{\mathcal {C}}}}''({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_n) :=\ \forall \, k\in \{1,\ldots ,n\}, \forall \, {{\varvec{P}}}\in S ^n_k,\ {{\mathrm{\mathcal {C}}}}(\varvec{\varDelta }({{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}}), \varvec{\varDelta }({{\varvec{N}}}_k)). \end{aligned}$$

(5)

In other words, we restrict our attention to only square submatrices of the triangular parts of ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{N}}}_n$. As it turns out, this condition is exactly equivalent to the original one.

Theorem 10

For any field $\mathbb {K} $, matrix ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times n}$ where $n\ge 1$, and matrix ${{\varvec{N}}}_n\in \{{{\varvec{L}}}_n,{{\varvec{L}}}'_n\}$, we have ${{\mathrm{\mathcal {C}}}}''({{\varvec{M}}}'_{{\varvec{\gamma }}}, {{\varvec{N}}}_n) \Leftrightarrow {{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{\varvec{\gamma }}}, {{\varvec{N}}}_n)$.

Proof

We prove the equivalent double negation $\lnot {{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_n) \Leftrightarrow \lnot {{\mathrm{\mathcal {C}}}}''({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_n)$.

First we prove the “$\Rightarrow $” direction by induction on n. Assuming that $\lnot {{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_n)$ means there exists a vector ${{\varvec{v}}}\in \mathbb {K} ^{\ell _n}$ such that ${{\mathrm{wt}}}({{\varvec{v}}})\le n$, ${{\varvec{M}}}'_{{\varvec{\gamma }}}{{\varvec{v}}}={{\mathbf {0}}}$, and ${{\varvec{N}}}_n{{\varvec{v}}}$ has full weight $n+1$.

For the base case, let $n=1$. Because ${{\mathrm{wt}}}({{\varvec{v}}})=1$ and ${{\mathrm{wt}}}({{\varvec{N}}}_n{{\varvec{v}}})=2$, the lone non-zero entry of ${{\varvec{v}}}$ must correspond to a weight-2 column in ${{\varvec{N}}}_n$, and the only such columns are in the triangular part. So considering the vector formed from the last $d+1$ entries of ${{\varvec{v}}}$ shows that $\lnot {{\mathrm{\mathcal {C}}}}(\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}}),\varvec{\varDelta }({{\varvec{N}}}_n))$, which is equivalent to $\lnot {{\mathrm{\mathcal {C}}}}''({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_n)$ when $n=1$.

Now for the induction case, let $n\ge 2$ and assume the $\Rightarrow $ direction is true for all size-$(n-1)$ subsets of columns of ${{\varvec{\gamma }}}$.

Again we start with a vector ${{\varvec{v}}}$ which is a counterexample to ${{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_n)$. If ${{\varvec{v}}}$ has any non-zero entry in indices 2 through $dn+3n+1$, then we can isolate that entry in its own vector ${{\varvec{u}}}$ and write ${{\varvec{v}}}={{\varvec{u}}}+{{\varvec{v}}}^*$, where ${{\mathrm{wt}}}({{\varvec{v}}}^*) = {{\mathrm{wt}}}({{\varvec{v}}})-1 \le n-1$. Now apply Lemma 9 to obtain a vector ${{\varvec{w}}}\in \mathbb {K} ^{\ell _{n-1}}$ and a selection matrix ${{\varvec{P}}}\in S ^n_{n-1}$ such that ${{\mathrm{wt}}}({{\varvec{w}}})\le n-1$, ${{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}}{{\varvec{w}}}={{\mathbf {0}}}$, and ${{\mathrm{wt}}}({{\varvec{N}}}_{n-1}{{\varvec{w}}})=n-1$. Therefore $\lnot {{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}},{{\varvec{N}}}_{n-1})$, so we can apply the induction hypothesis to complete this sub-case.

Otherwise, the non-zero entries of ${{\varvec{v}}}$ are in the very first index, or in the last $(d+1)n$ indices which correspond to the triangular parts. But the first columns of ${{\varvec{N}}}_n$ and ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ are all zeros except for the first row in ${{\varvec{N}}}_n$, which is eliminated in the triangular part $\varvec{\varDelta }({{\varvec{N}}}_n)$. Therefore, if this entry of ${{\varvec{v}}}$ is non-zero, we can change it to zero without affecting ${{\varvec{M}}}'_{{\varvec{\gamma }}}{{\varvec{v}}}$, which must equal ${{\mathbf {0}}}$, or the last n rows of ${{\varvec{N}}}_n{{\varvec{v}}}$, which must be all non-zero. Hence the vector consisting of the last $(d+1)n$ entries of ${{\varvec{v}}}$ is a counterexample to ${{\mathrm{\mathcal {C}}}}(\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}}),\varvec{\varDelta }({{\varvec{N}}}_n))$. This completes the $\Rightarrow $ direction of the proof.

For the $\Leftarrow $ direction, assume that $\lnot {{\mathrm{\mathcal {C}}}}''({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_n)$. This means there is some $k\in \{1,\ldots ,n\}$, some selection of columns from ${{\varvec{\gamma }}}$ defined by ${{\varvec{P}}}\in S ^n_k$, and some ${{\varvec{v}}}\in \mathbb {K} ^{\ell _k}$ such that ${{\mathrm{wt}}}({{\varvec{v}}})\le k$, $\varvec{\varDelta }({{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}}){{\varvec{v}}}={{\mathbf {0}}}$, and $\varvec{\varDelta }({{\varvec{N}}}_k){{\varvec{v}}}$ has full weight k.

Because the triangular part is a subset of the whole, we can prepend ${{\varvec{v}}}$ with $dk+3k+1$ zeros to obtain a vector ${{\varvec{v}}}'$ such that ${{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}}{{\varvec{v}}}'={{\mathbf {0}}}$ and ${{\varvec{N}}}_k{{\varvec{v}}}'$ is non-zero everywhere except possibly in the first row. Observe that the row of ${{\varvec{N}}}_k$ immediately above the triangular part is exactly identical to the top row of $\varvec{\varDelta }({{\varvec{N}}}_k)$, so in fact ${{\varvec{N}}}_k{{\varvec{v}}}'$ has full weight $k+1$.

This shows that there exists at least one $k\ge 1$ such that there exists a selection ${{\varvec{P}}}\in S ^n_k$ and a vector ${{\varvec{v}}}'$ which is a counterexample to ${{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}},{{\varvec{N}}}_k)$. Assume now that k is the largest such integer.

If $k=n$, then ${{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}}={{\varvec{M}}}'_{{\varvec{\gamma }}}$, and ${{\varvec{v}}}'$ is a counterexample to ${{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_n)$ already.

Otherwise, if $k<n$, we show that we can construct a larger selection matrix ${{\varvec{Q}}}$ and corresponding vector ${{\varvec{w}}}$ satisfying the conditions above, which is a contradiction to the assumption that k is the largest such value.

Construct another selection matrix ${{\varvec{Q}}}\in S ^n_{k+1}$ consisting of the columns selected by ${{\varvec{P}}}$ plus some additional column i; for convenience write ${{\varvec{\zeta }}} = {{\varvec{\gamma }}}{{\varvec{Q}}}$. Note that ${{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}}$ and ${{\varvec{N}}}_k$ are submatrices of ${{\varvec{M}}}'_{{{\varvec{\zeta }}}}$ and ${{\varvec{N}}}_{k+1}$ respectively, the latter both having exactly one more row and some number of extra columns. Therefore by extending ${{\varvec{v}}}'$ to a larger vector ${{\varvec{v}}}''$ by inserting zeros in the locations of these extra columns, we have that ${{\varvec{M}}}'_{{{\varvec{\zeta }}}}{{\varvec{v}}}''$ is zero everywhere except possibly at index i, and ${{\varvec{N}}}_{k+1}{{\varvec{v}}}''$ is non-zero everywhere except at index i. Let a be the ith entry of ${{\varvec{M}}}'_{{{\varvec{\zeta }}}}{{\varvec{v}}}''$ and b be the ith entry of ${{\varvec{N}}}_{k+1}{{\varvec{v}}}''$.

Finally, we show how to add one more entry to ${{\varvec{v}}}''$ to “fix” the exceptions at index i in the previous sentence, making $a=0$ and $b\ne 0$. There are four cases to consider:

1.
If $a=0$ and $b\ne 0$, then we are done.
2.
If $a=0$ and $b=0$, then set the $(i+1)$th entry of ${{\varvec{v}}}$ to 1; this corresponds to a column of zeros in ${{\varvec{M}}}'_{{{\varvec{\zeta }}}}$ and a column of the identity matrix in ${{\varvec{N}}}_{k+1}$. So adding that column keeps $a=0$ but sets b to 1.
3.
If $a\ne 0$ and $b\ne 0$, then set the $(k+i+1)$th entry of ${{\varvec{v}}}$ to $-a$. This entry corresponds to a column of the identity matrix in ${{\varvec{M}}}'_{{\varvec{\zeta }}}$ and a column of zeros in ${{\varvec{N}}}_{k+1}$, so adding it keeps $b\ne 0$ but cancels the value of a.
4.
If $a\ne 0$ and $b=0$, then set the $(2k+i+2)$th entry of ${{\varvec{v}}}$ to $-a/{{\varvec{\zeta }}}_{0,i}$. This entry corresponds to a column of ${{{\varvec{D}}}}_{{{\varvec{\zeta }}},0}$ in ${{\varvec{M}}}'_{{{\varvec{\zeta }}}}$, and a column of either ${{\varvec{I}}}_{k+1}$ or $\omega _0{{\varvec{I}}}_{k+1}$ within ${{\varvec{N}}}_{k+1}$, and therefore the change to ${{\varvec{v}}}$ cancels out a and sets b to some non-zero value.

This newly constructed vector has weight at most ${{\mathrm{wt}}}({{\varvec{v}}}'')+1 \le k+1$, and is therefore a counterexample to ${{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{\varvec{\zeta }}},{{\varvec{N}}}_{k+1})$. This is a contradiction to the assumption that k was maximal, which completes the $\Leftarrow $ direction and the entire proof. $\square $

5 A Matrix Precondition

We use the results of the previous two sections to develop a useful precondition for generating ${{\varvec{\gamma }}}$ matrices which satisfy the safety and correctness conditions of the two schemes. This precondition guarantees the correctness conditions, and (as we will see in later sections) seems to increase the probability that a matrix satisfies the safety condition. We then show how to explicitly generate matrices which satisfy these preconditions.

5.1 Definitions

As in the previous section, let ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times d}$ be a matrix whose entries determine the correctness and safety of one of the two masking schemes according to Proposition 6 or Proposition 7. (Either ${{\varvec{\gamma }}}$ must have a row equal to ${{\mathbf {1}}}$, or they must sum to ${{\mathbf {0}}}$.)

Then Theorems 8 and 10 tell us that a sufficient condition for safety is that for every square submatrix of $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}})$, all vectors in its right kernel have at least one joint zero entry when multiplied with the corresponding submatrix of $\varvec{\varDelta }({{\varvec{N}}}_d)$. The general idea of the preconditions developed in this section is to minimize the rank of this right kernel, effectively limiting the number of possible “unsafe” vectors. In particular, when a square submatrix of $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}})$ is non-singular, then its nullity is zero and the scheme is safe with respect to that subset of rows and columns.

This suggests a strategy to increase the likelihood of a matrix leading to a safe scheme: one may try to choose ${{\varvec{\gamma }}}$ in a way that ensures that $\varvec{\varDelta }({{\varvec{M}}}'_{{{\varvec{\gamma }}}{{\varvec{P}}}}){{\varvec{Q}}}$ has a trivial kernel for as many selection matrices ${{\varvec{P}}}\in S ^d_k$ and ${{\varvec{Q}}}\in S ^{\ell _k}_{k}$ as possible. That is, square submatrices of the triangular part of ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ should be non-singular as often as possible.

A good such choice for ${{\varvec{\gamma }}}$ is to take it to be such that all its square submatrices are MDS. To justify this claim, recall from Sect. 2 that any square submatrix of an MDS matrix is invertible, i.e., has a trivial kernel. Further, from the definition of $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}})$, its columns consist of (partial) rows of ${{\varvec{\gamma }}}$; therefore many of its submatrices are in fact (transposed) submatrices of ${{\varvec{\gamma }}}$ itself.

Example 11

Consider for the case $d=3$, the submatrix of $\varvec{\varDelta }({{\varvec{M}}}_{\varvec{\gamma }}^{\varvec{'}})$ given by:

$$ {{\varvec{X}}} = \begin{pmatrix} {{\varvec{\gamma }}}_{0,1} &{} {{\varvec{\gamma }}}_{1,1} &{} {{\varvec{\gamma }}}_{2,1}\\ 0 &{} {{\varvec{\gamma }}}_{1,2} &{} {{\varvec{\gamma }}}_{2,2}\\ 0 &{} {{\varvec{\gamma }}}_{1,3} &{} {{\varvec{\gamma }}}_{2,3}\\ \end{pmatrix}. $$

(Note that in the case of Condition 4.1, ${{\varvec{\gamma }}}_{0,1}$ must equal 1.) If all square submatrices of ${{\varvec{\gamma }}}$ are MDS, the bottom-right $2\times 2$ submatrix of ${{\varvec{X}}}$ is necessarily non-singular, and ${{\varvec{\gamma }}}_{0,1}\ne 0$, so therefore this entire submatrix is non-singular. This would not be the case for an arbitrary matrix ${{\varvec{\gamma }}}$, even if say, one takes it to be full-rank.

We now state our two preconditions on the matrices used to instantiate either masking scheme. As will be clear in the remainder of this paper, these preconditions are by no means sufficient, nor necessary. Yet we will also see, both formally (in Sect. 6) and experimentally (in Sect. 8) how they may be useful.

Precondition 4.1

A matrix ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times d}$ satisfies Precondition 4.1 for Condition 4.1 if it can be written as $\displaystyle {{\varvec{\gamma }}} = \begin{pmatrix}{{\mathbf {1}}}_{1\times d}\\ {{\varvec{A}}}\end{pmatrix}$, and both matrices ${{\varvec{A}}}$ and ${{\mathbf {1}}}_{d\times d} - {{\varvec{A}}}$ are row XMDS.

Any such matrix ${{\varvec{\gamma }}}$ clearly satisfies the correctness condition, which is item (1) in Proposition 6. The XMDS property also ensures that all square submatrices of ${{\varvec{\gamma }}}$ and ${{\varvec{\delta }}}$ are non-singular, which (we expect) will make the safety conditions (2) and (3) from Proposition 6 more likely satisfied.

Precondition 5.1

A matrix ${{\varvec{\gamma }}} \in \mathbb {K} ^{(d+1)\times d}$ satisfies Precondition 5.1 for Condition 5.1 if $\sum _{i=0}^{d} {{\varvec{\gamma }}}_i = {{\mathbf {0}}}_{1\times d}$ and all of its square submatrices are MDS.

Again, this precondition guarantees the correctness of the scheme, corresponding to item (1) of Proposition 7, and the non-singular submatrices make it (we expect) more likely that the safety condition, item (2), is also true.

5.2 Explicit constructions

It is relatively easy to check if a given matrix satisfies either of the above preconditions. Here we do even better, providing a direct construction for families of matrices that satisfy each of them.

Theorem 12

(Satisfying Precondition 4.1). Let $\{x_1,\ldots ,x_d,y_1,\ldots ,y_d\} \in \mathbb {K} \backslash \{0\}$ be 2d distinct non-zero elements of $\mathbb {K}$, and define matrix ${{\varvec{A}}}\in \mathbb {K} ^{d\times d}$ by ${{\varvec{A}}}_{i,j} = x_i / (x_i - y_j)$. Then the corresponding ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times d}$ satisfies Precondition 4.1.

Proof

Define the row-extended Cauchy matrix ${{\varvec{B}}}$ as ${{\varvec{B}}}_{0,j} = 1$, $1 \le j \le d$; ${{\varvec{B}}}_{i,j} = (x_i - y_j)^{-1}$, $1 \le i, j \le d$. The generalized extended matrix obtained from ${{\varvec{B}}}$ by the row scaling ${{\varvec{c}}} = \begin{pmatrix}1&x_1&\cdots&x_d \end{pmatrix}$ is equal to ${{\varvec{\gamma }}}$, and all its square submatrices are invertible by construction, hence ${{\varvec{A}}}$ is row XMDS.

The matrix ${{\varvec{C}}} = {{\mathbf {1}}}_{d\times d} - {{\varvec{A}}}$ is given by $\begin{pmatrix}(x_i - y_j - x_i)\cdot (x_i - y_j)^{-1}\end{pmatrix} = \begin{pmatrix}-y_j\cdot (x_i - y_j)^{-1}\end{pmatrix}$. It is a generalized Cauchy matrix with column scaling given by $\begin{pmatrix}-y_1&\ldots&-y_d\end{pmatrix}^T$, and is then MDS. Because $0 \notin \{x_1,\ldots ,x_d,y_1,\ldots ,y_d\}$, one may extend ${{\varvec{C}}}$ by one row on top using $x_0 = 0$, resulting in ${{\varvec{C}}^{\varvec{'}}}$ s.t. ${{\varvec{C}}}_{0,j}^{\varvec{'}} = -y_j\cdot (0 - y_j)^{-1} = 1$, $1 \le j \le d$; ${{\varvec{C}}}_{i,j}^{\varvec{'}} = {{\varvec{C}}}_{i,j}$, $1 \le i,j \le d$. In other words,

$$ {{\varvec{C}}^{\varvec{'}}} = \begin{pmatrix} {{\mathbf {1}}}_{1\times d}\\ {{\varvec{C}}} \end{pmatrix} $$

is a generalized Cauchy matrix, whose square submatrices are all invertible by construction, hence ${{\varvec{C}}} = {{\mathbf {1}}}_{d \times d} -{{\varvec{A}}}$ is row XMDS. $\square $

Theorem 13

(Satisfying Precondition 5.1). Let $\{x_1,\ldots ,x_d,x_{d+1},y_1,\ldots ,y_d\} \in \mathbb {K} $ be $2d+1$ distinct elements of $\mathbb {K} $; let ${{\varvec{A}}} = \begin{pmatrix}(x_i - y_j)^{-1}\end{pmatrix}$; and let ${{\varvec{c}}} = \begin{pmatrix}c_1&\cdots&c_{d+1}\end{pmatrix}$ be a non-zero vector in the left kernel of ${{\varvec{A}}}$. Then ${{\varvec{\gamma }}} = \begin{pmatrix}c_i\cdot (x_i - y_j)^{-1}\end{pmatrix}$ satisfies Precondition 5.1.

Proof

By construction, the $d+1\times d$ Cauchy matrix ${{\varvec{A}}}$ has a left kernel of dimension one. Furthermore, any vector of this kernel that is not the null vector is of full Hamming weight, as being otherwise would imply the existence of $k \le d$ linearly-dependent rows of ${{\varvec{A}}}$. The row scaling coefficients $\begin{pmatrix}c_1&\cdots&c_{d+1}\end{pmatrix}$ are thus all non-zero, and the generalized Cauchy matrix ${{\varvec{A}}}'$ is such that its rows sum to the null vector and all its square submatrices are invertible. $\square $

6 Analytic Construction for Order up to 3

In this section, we develop explicit polynomial conditions on the entries of generalized Cauchy matrices that are sufficient to ensure both the correctness and safety of the two masking schemes described in Sect. 3.

The results are explicit constructions for many field sizes. For order $d=1$, Corollary 15 proves that any non-zero ${{\varvec{\gamma }}}$ matrix makes the scheme secure. For order $d=2$, Corollary 16 proves that our MDS preconditions of the previous section always produce safe constructions without the need for any further checks. Finally, for order $d=3$, Theorems 19 and 21 provide $x_i$ and $y_i$ values to use in order to generate safe Cauchy matrices for any field of characteristic 2 with $q\ge 4$.

The idea behind our preconditions in Sect. 5 was to ensure that all square submatrices of ${{\varvec{\gamma }}}$ are non-singular, and therefore many square submatrices of the matrix $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}})$ have nullity zero. For small dimensions, we can go further and actually require that all submatrices of $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}})$ which could possibly violate the condition ${{\mathrm{\mathcal {C}}}}''$ from (5) are non-singular. This will in turn guarantee a safe and correct construction by Theorem 10 and Propositions 6 and 7.

6.1 Columns Which Must be Selected

Let ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times n}$ and recall the definitions of $\varvec{\varDelta }({{\varvec{N}}}_n)$ and $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}})$; in the former case we show only the positions of the non-zero entries, which are the same whether $\varvec{N}_n=\varvec{L}_n$ or $\varvec{N}_n=\varvec{L}'_n$.

$$\begin{aligned} \varvec{\varDelta }(\varvec{N}_n)= & {} \left( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c@{\quad }} \begin{array}{r@{\quad }r@{\quad }r@{\quad }r} * &{} * &{} \cdots &{} * \\ &{} * &{} \cdots &{} * \\ &{} &{} \ddots &{} \vdots \\ &{} &{} &{} * \end{array} \begin{array}{r@{\quad }r@{\quad }r@{\quad }r@{\quad }} * &{} * &{} \cdots &{} * \\ &{} * &{} \cdots &{} * \\ &{} &{} \ddots &{} \vdots \\ &{} &{} &{} * \end{array} \cdots \begin{array}{r@{\quad }r@{\quad }r@{\quad }r@{\quad }} * &{} * &{} \cdots &{} * \\ &{} * &{} \cdots &{} * \\ &{} &{} \ddots &{} \vdots \\ &{} &{} &{} * \end{array} \end{array} \right) , \\ \varvec{\varDelta }(\varvec{M}'_{\varvec{\gamma }})= & {} \left( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c@{\quad }} \begin{array}{rrrr} {\varvec{\gamma }}_{0,1} &{} {\varvec{\gamma }}_{0,1} &{} \cdots &{} {\varvec{\gamma }}_{0,1} \\ &{} {\varvec{\gamma }}_{0,2} &{} \cdots &{} {\varvec{\gamma }}_{0,2} \\ &{} &{} \ddots &{} \vdots \\ &{} &{} &{} {\varvec{\gamma }}_{0,n} \end{array} \begin{array}{rrrr} {\varvec{\gamma }}_{1,1} &{} {\varvec{\gamma }}_{1,1} &{} \cdots &{} {\varvec{\gamma }}_{1,1} \\ &{} {\varvec{\gamma }}_{1,2} &{} \cdots &{} {\varvec{\gamma }}_{1,2}\\ &{} &{} \ddots &{} \vdots \\ &{} &{} &{} {\varvec{\gamma }}_{1,n} \end{array} \cdots \begin{array}{rrrr} {\varvec{\gamma }}_{d,1} &{} {\varvec{\gamma }}_{d,1} &{} \cdots &{} {\varvec{\gamma }}_{d,1} \\ &{} {\varvec{\gamma }}_{d,2} &{} \cdots &{} {\varvec{\gamma }}_{d,2}\\ &{} &{} \ddots &{} \vdots \\ &{} &{} &{} {\varvec{\gamma }}_{d,n} \end{array} \end{array} \right) . \end{aligned}$$

Notice that all pairs of columns in ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{N}}}_n$ with the same index (hence corresponding to the same probe in the masking scheme) have the same weight. The next lemma shows that any unsafe set of probes from among these columns must include at least two of the full-weight columns.

Lemma 14

Let ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times n}, {{\varvec{M}}}'_{{\varvec{\gamma }}}, {{\varvec{L}}}_n$ be as above. If ${{\varvec{\gamma }}}$ has no zero entries, then any column selection ${{\varvec{P}}}\in S ^{\ell _n}_n$ which is a counterexample to ${{\mathrm{\mathcal {C}}}}'(\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}}),\varvec{\varDelta }({{\varvec{N}}}_n))$ must include at least two columns of full weight n from $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}})$ and $\varvec{\varDelta }({{\varvec{N}}}_n)$.

Proof

A counterexample to ${{\mathrm{\mathcal {C}}}}'(\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}}),\varvec{\varDelta }({{\varvec{N}}}_n))$ is a selection matrix ${{\varvec{P}}}\in S ^{\ell _n}_n$ such that the matrix product $\varvec{\varDelta }({{\varvec{N}}}_n){{\varvec{P}}}\cdot {{\mathrm{kerb}}}(\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}}){{\varvec{P}}})$ has no zero rows.

The only columns of $\varvec{\varDelta }({{\varvec{N}}}_n)$ which are non-zero in the last row are those columns of full weight, so at least one must be included in ${{\varvec{P}}}$ for the product to have no zero rows. But in order for $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}}){{\varvec{P}}}$ to have a non-trivial kernel, it must have a second column with a non-zero in the last row. $\square $

6.2 Dimensions 1 and 2

Combined with the results of the prior sections, this leads immediately to solutions for orders $n=1$ or $n=2$.

Corollary 15

For any ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times 1}$ that contains no zero entries, we have ${{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{\varvec{\gamma }}}, {{\varvec{N}}}_1)$.

Proof

Clearly there is no way to include two full-weight columns in a selection ${{\varvec{P}}}\in S ^{\ell _1}_1$ of a single column. Therefore from Lemma 14, we have $\lnot {{\mathrm{\mathcal {C}}}}'(\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}}),\varvec{\varDelta }({{\varvec{N}}}_1))$. By Theorems 8 and 10 this implies the statement above. $\square $

Corollary 16

For any ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times 2}$ such that all square submatrices of ${{\varvec{\gamma }}}$ are MDS, we have ${{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_2)$.

Proof

Any selection of 2 columns of $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}})$ that includes at least 2 full-weight columns is simply a transposed submatrix of ${{\varvec{\gamma }}}$ of dimension 2. By Theorem 1, any such submatrix is non-singular, and thus has a trivial kernel. Therefore by Lemma 14 there are no counterexamples to ${{\mathrm{\mathcal {C}}}}'(\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}}),\varvec{\varDelta }({{\varvec{N}}}_2))$, and by Theorems 8 and 10 again the stated result follows. $\square $

Most notably, these corollaries guarantee that any matrix with column dimension 1 or 2 which satisfies Precondition 4.1 or Precondition 5.1 is an instantiation of the respective masking scheme that is correct and safe. Because we have explicit constructions for these preconditions in Theorems 12 and 13 over any field $\mathbb {F}_q $ with $q>2d+1$, we also have explicit instantiations for the masking schemes secure against 1 or 2 probes.

6.3 Dimension 3

Next we turn to the case of $n=3$. It is no longer possible to construct safe instances of ${{\varvec{\gamma }}}$ based on the MDS preconditions alone, but there is only one other shape of square submatrices that need be considered.

Lemma 17

Let ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times 3}, {{\varvec{M}}}'_{{\varvec{\gamma }}}, {{\varvec{L}}}_n$ be as above. If every square submatrix of ${{\varvec{\gamma }}}$ is MDS, and for all distinct triples of indices $\{i,j,k\}\subseteq \{0,1,\ldots ,d+1\}$ the matrix

$$ \begin{pmatrix} {{\varvec{\gamma }}}_{i,1} &{} {{\varvec{\gamma }}}_{j,1} &{} {{\varvec{\gamma }}}_{k,1} \\ {{\varvec{\gamma }}}_{i,2} &{} {{\varvec{\gamma }}}_{j,2} &{} {{\varvec{\gamma }}}_{k,2} \\ {{\varvec{\gamma }}}_{i,3} &{} {{\varvec{\gamma }}}_{j,3} &{} 0 \end{pmatrix} $$

is non-singular, then we have ${{\mathrm{\mathcal {C}}}}({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_3)$.

Proof

The goal is to ensure that no square submatrix of $\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}})$ which could possibly be part of a counterexample to ${{\mathrm{\mathcal {C}}}}'(\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}}),\varvec{\varDelta }({{\varvec{N}}}_3))$ has a non-trivial kernel. Already we know from Lemma 14 that any such submatrix must include two distinct full-weight columns. Because all square submatrices of ${{\varvec{\gamma }}}$ are MDS, these two columns have a trivial kernel, meaning a third column must be added if one hopes to find a counterexample. This leads to three cases, depending on the weight of this third column.

If the third column has weight 1, the situation is analogous to that of Example 11. The corresponding matrix is non-singular if and only if some $2\times 2$ submatrix of ${{\varvec{\gamma }}}$ is non-singular, which it must be by the MDS assumption.

Next, if the third column has full weight 3, then we have a $3\times 3$ submatrix of ${{\varvec{\gamma }}}$, which again must be non-singular.

The remaining case is that the third column has weight 2, as in the statement of the lemma. All that remains is to prove that this index k must be distinct from i and j. By way of contradiction, and without loss of generality, suppose $i=k$. Then after subtracting the third column from the first, we obtain the matrix

$$\begin{pmatrix} 0 &{} {{\varvec{\gamma }}}_{j,1} &{} {{\varvec{\gamma }}}_{i,1} \\ 0 &{} {{\varvec{\gamma }}}_{j,2} &{} {{\varvec{\gamma }}}_{i,2} \\ {{\varvec{\gamma }}}_{i,3} &{} {{\varvec{\gamma }}}_{j,3} &{} 0 \end{pmatrix},$$

which is non-singular if and only if the original matrix is non-singular. And indeed, this matrix must be non-singular because the upper-right $2\times 2$ matrix is a submatrix of ${{\varvec{\gamma }}}$.

Therefore the only remaining case of a submatrix which could be a counterexample to ${{\mathrm{\mathcal {C}}}}'(\varvec{\varDelta }({{\varvec{M}}}'_{{\varvec{\gamma }}}),\varvec{\varDelta }({{\varvec{N}}}_3))$ is one of the form given in the statement of the lemma. Applying once again Theorems 8 and 10 completes the proof. $\square $

This finally leads to a way to construct safe instances for the schemes when $d=3$ based only on polynomial conditions, via the following steps:

1.
Write down a symbolic $4\times 3$ matrix ${{\varvec{\gamma }}}$ satisfying Precondition 4.1 or Precondition 5.1 according to the constructions of Theorem 12 or Theorem 13, leaving all the $x_i$’s and $y_i$’s as indeterminates.
2.
Extract all $3\times 3$ matrices from ${{\varvec{\gamma }}}$ that match the form of Lemma 17 and compute their determinants, which are rational functions in the $x_i$s and $y_i$s.
3.
Factor the numerators of all determinants, removing duplicate factors and factors such as $x_i-y_i$ which must be non-zero by construction.
4.
A common non-root to the resulting list of polynomials corresponds to a ${{\varvec{\gamma }}}$ matrix which is safe for the given scheme.

Next we show the results of these computations for each of the two schemes. We used the Sage [Sag16] computer algebra system to compute the lists of polynomials according to the procedure above, which takes about 1 s on a modern laptop computer.

Proposition 18

If $x_1,x_2,x_3,y_1,y_2,y_3\in \mathbb {F}_q $ are distinct non-zero elements so that the list of polynomials in Fig. 1 all evaluate to non-zero values, then the matrix ${{\varvec{\gamma }}}$ constructed according to Theorem 12 generates a safe masking scheme according to Condition 4.1.

From the degrees of these polynomials, and by the Schwartz-Zippel lemma [Sch80] and applying the union bound, a safe construction for Condition 4.1 exists over any field $\mathbb {F}_q $ with $q>54$.

In fact, we have an explicit construction for any binary field $\mathbb {F}_q $ with $q\ge 16$.

Theorem 19

Let $(x_1,x_2,x_3) = ( {\texttt {\textit{1}}}, {\texttt {\textit{3}}}, {\texttt {\textit{5}}})$ and $(y_1,y_2,y_3)=({\texttt {\textit{6}}}, {\texttt {\textit{4}}}, {\texttt {\textit{a}}})$. Then for any $k\ge 4$, the matrix ${{\varvec{\gamma }}}$ constructed according to Theorem 12 generates a safe masking scheme over $\mathbb {F}_{2^k}$ according to Condition 4.1.

Proof

Small cases with $4\le k \le 8$ are checked computationally by making the appropriate substitutions into the polynomials of Fig. 1.

For $k\ge 9$, consider the degrees of the $x_i$s and $y_i$s when treated as polynomials over $\mathbb {F}_2$. The highest degree is $\deg y_3=3$, and all other elements have degree at most 2. Inspecting the polynomials in Fig. 1, we see that they are all sums of products of at most three distinct variables. Therefore, when evaluated at these $x_i$s and $y_i$s, the degree of any resulting polynomial is at most 7. Over $\mathbb {F}_{2^k}$ where $k\ge 8$ there is therefore no reduction, and the polynomials are guaranteed to be non-zero in all cases because they are non-zero over $\mathbb {F}_{2^8}$. $\square $

Next we do the same for the masking scheme with linear randomness complexity, namely that of Condition 5.1.

Proposition 20

If $x_1,x_2,x_3,x_4,y_1,y_2,y_3\in \mathbb {F}_q $ are distinct non-zero elements so that the list of polynomials in Fig. 2 all evaluate to non-zero values, then the matrix constructed according to Theorem 13 generates a safe masking scheme according to Condition 5.1.

Applying the Schwartz-Zippel lemma and union bound in this context guarantees a safe construction for Condition 5.1 over any field $\mathbb {F}_q $ with $q>36$. Again, we have an explicit construction for binary fields of order at least 16.

Theorem 21

Let $(x_1,x_2,x_3,x_4) = ( {\texttt {\textit{1}}}, {\texttt {\textit{2}}}, {\texttt {\textit{5}}}, {\texttt {\textit{6}}})$ and $(y_1,y_2,y_3)=({\texttt {\textit{4}}}, {\texttt {\textit{7}}}, {\texttt {\textit{f}}})$. Then for any $k\ge 4$, the matrix ${{\varvec{\gamma }}}$ constructed according to Theorem 13 generates a safe masking scheme over $\mathbb {F}_{2^k}$ according to Condition 5.1.

The proof is the same as Theorem 19, consisting of computational checks for $4\le k\le 8$ and then an argument for all $k\ge 9$ based on the degrees of the $x_i$ and $y_i$ polynomials.

7 Efficient Algorithms to Test Safeness

We now turn to a computational approach, in order to deal with the schemes at order $d > 3$ that were not treated in the previous section.

To test whether a matrix may be used to safely instantiate either of the masking schemes of Belaïd et al., we use the condition ${{\mathrm{\mathcal {C}}}}'({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_d)$ defined in (4), which according to Theorem 8 is a sufficient condition for the scheme under consideration to be safe. The definition of this condition immediately indicates an algorithm, which we have implemented with some optimizations, using M4RIE [Alb13] for the finite field arithmetic.

7.1 The Algorithm

To test whether a matrix ${{\varvec{\gamma }}}\in \mathbb {K} ^{(d+1)\times d}$ satisfies the conditions of Proposition 6 or Proposition 7, simply construct ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{N}}}_d$ and for all d-subsets of columns ${{\varvec{P}}}\in S ^{\ell }_d$, check if ${{\mathrm{\mathcal {Z}}}}({{\varvec{N}}}_d{{\varvec{P}}}\cdot {{\mathrm{kerb}}}({{\varvec{M}}}'_{{\varvec{\gamma }}}{{\varvec{P}}}))$.

This algorithm is much more efficient than the one directly suggested by Condition 4.1: instead of testing all $\sum _{i=1}^d\left( {\begin{array}{c}\ell \\ i\end{array}}\right) q^i$ vectors of $\mathbb {F}_q ^\ell $ of weight d or less, it is enough to do $\left( {\begin{array}{c}\ell \\ d\end{array}}\right) $ easy linear algebra computations. While this remains exponential in d, it removes the practically insuperable factor $q^d$ and gives a complexity that does not depend on the field size (save for the cost of arithmetic).

(Note that we could have used the condition ${{\mathrm{\mathcal {C}}}}''$ as in Theorem 10 instead, but this turns out to be more complicated in practice due to the need to take arbitrary subsets of the rows and columns of ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ and ${{\varvec{N}}}_d$.)

We now describe two implementation strategies for this algorithm.

7.2 Straightforward Implementation with Optimizations

Two simple optimizations may be used to make a straightforward implementation of the above algorithm more efficient in practice.

Skipping Bad Column Picks. We can see already from the support of ${{\varvec{N}}}_d$ that some subsets of columns ${{\varvec{P}}}\in S ^\ell _d$ never need to be checked because ${{\mathrm{\mathcal {Z}}}}({{\varvec{N}}}_d{{\varvec{P}}})$ is already true, independent of the actual choice of ${{\varvec{\gamma }}}$. This is the case for example when the columns selected by ${{\varvec{P}}}$ are all of weight 1.

For the specific cases of $d=4$, this reduces the number of supports to be considered from $\left( {\begin{array}{c}49\\ 4\end{array}}\right) = 211\,876$ to $103\,030$, saving roughly a factor 2. A similar behaviour is observed for $d=5$, when one only has to consider $6\,448\,239$ supports among the $\left( {\begin{array}{c}71\\ 5\end{array}}\right) = 13\,019\,909$ possible ones. Note that the same optimization could be applied to the naïve algorithm that exhaustively enumerates low-weight vectors of $\mathbb {F}_q ^\ell $.

Testing Critical Cases First. Looking again at how ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ is defined, it is easy to see that for some column selections ${{\varvec{P}}}$, ${{\varvec{M}}}'_{{\varvec{\gamma }}}{{\varvec{P}}}$ does not in fact depend on ${{\varvec{\gamma }}}$. For these, it is enough to check once and for all that ${{\mathrm{\mathcal {Z}}}}({{\varvec{N}}}_{{\varvec{\gamma }}}{{\varvec{P}}}\cdot {{\mathrm{kerb}}}({{\varvec{M}}}'_{{\varvec{\gamma }}}{{\varvec{P}}}))$ indeed holds (if it does not, the scheme would be generically broken). Going further, even some column subsets such that ${{\varvec{M}}}_{{\varvec{\gamma }}}{{\varvec{P}}}$ actually depends on ${{\varvec{\gamma }}}$ may always be “safe” provided that ${{\varvec{\gamma }}}$ satisfies a certain precondition, such as for instance being MDS, as suggested in Sect. 5.

Conversely, it may be the case that for some ${{\varvec{P}}}$, ${{\mathrm{\mathcal {Z}}}}({{\varvec{N}}}_d{{\varvec{P}}}\cdot {{\mathrm{kerb}}}({{\varvec{M}}}'_{{\varvec{\gamma }}}{{\varvec{P}}}))$ often does not hold. It may then be beneficial to test this subset ${{\varvec{P}}}$ before others that are less likely to make the condition fail. We have experimentally observed that such subsets do exist. For instance, in the case $d = 5$ for Condition 4.1, only ${\approx }320\,000$ column subsets seem to determine whether a matrix satisfies the condition or not.^{Footnote 3} There, checking these supports first and using an early-abort strategy, verifying that a matrix does not satisfy the condition is at least ${\approx }20$ times faster than enumerating all possible column subsets.

7.3 Batch Implementation

Especially when the matrix ${{\varvec{\gamma }}}$ under consideration actually satisfies the required conditions, checking these using the straightforward strategy entails considerable redundant computation due to the overlap between subsets of columns.

To avoid this, we also implemented a way to check the condition ${{\mathrm{\mathcal {C}}}}'({{\varvec{M}}}'_{{\varvec{\gamma }}},{{\varvec{N}}}_d)$ that operates over the entire matrix simultaneously, effectively considering many subsets of columns in a single batch.

Recall that the algorithm needs to (1) extract a subset of columns of ${{\varvec{M}}}'_{{\varvec{\gamma }}}$, (2) compute a right kernel basis for this subset, (3) multiply ${{\varvec{N}}}_d$ times this kernel basis, and (4) check for zero rows in the resulting product.

Steps (2) and (3) would typically be performed via Gaussian elimination: For each column of ${{\varvec{M}}}'_{{\varvec{\gamma }}}$ that is in the selection, we search for a pivot row, permute rows if necessary to move the pivot up, then eliminate above and below the pivot and move on. If there is no pivot in some column, this means a new null vector has been found; we use the previous pivots to compute the null vector and add it to the basis. Finally, we multiply this null space basis by the corresponding columns in ${{\varvec{N}}}_d$ and check for zero rows.

The key observation for this algorithm is that we can perform these steps (2) and (3) in parallel to add one more column to an existing column selection. That is, starting with some subset of columns, we consider the effect on the null space basis and the following multiplication by ${{\varvec{N}}}_d$ simultaneously for all other columns in the matrices. Adding columns with pivots does not change the null space basis or the product with ${{\varvec{N}}}_d$. Columns with no pivots add one additional column to the null space basis, which results in a new column in the product with ${{\varvec{N}}}_d$. This new column of ${{\varvec{N}}}_d{{\varvec{P}}}\cdot {{\mathrm{kerb}}}({{\varvec{M}}}'_{{\varvec{\gamma }}}{{\varvec{P}}})$ may be checked for non-zero entries and then immediately discarded as the search continues; in later steps, the rows of this product which already have a non-zero entry no longer need to be considered.

All of this effectively reduces the cost of the check by a factor of $\ell $ compared to the prior version, replacing the search over all size-d subsets with a search over size-$(d-1)$ subsets and some matrix computations. This strategy is especially effective when the ${{\varvec{\gamma }}}$ matrix under consideration is (nearly or actually) safe, meaning that the early termination techniques above will not be very useful.

8 Experimental Results and Explicit Instantiations

We implemented both algorithms of the previous section in the practically-useful case of binary fields, using M4RIE for the underlying linear algebra [Alb13], and searched for matrices fulfilling Conditions 4.1 and 5.1 in various settings, leading to instantiations of the masking schemes of Belaïd et al. up to $d=6$ and $\mathbb {F}_{2^{16}}$.^{Footnote 4} We also collected statistics about the fraction of matrices satisfying the conditions, notably in function of the field over which they are defined, and experimentally verified the usefulness of Precondition 4.1.

8.1 Statistics

We give detailed statistics about the proportion of preconditioned matrices allowing to instantiate either masking scheme up to order 6; this is presented in Tables 1 and 2. The data was collected by drawing at random matrices satisfying Precondition 4.1 or Precondition 5.1 and checking if they satisfied the safety conditions or not for the respective scheme.

For combinations of field size and order where no safe matrix was found, we give the result as an upper bound.

Notice that the probability for Condition 5.1 appears to be consistently a bit higher than that for Condition 4.1. The combinations of field size q and order d where safe instances are found were almost the same for both schemes, except for order 5 and $q=2^9$, where a safe preconditioned matrix was found for Condition 5.1 but not for Condition 4.1. This difference between the schemes may be explained by the fact that Condition 4.1 places conditions on two matrices ${{\varvec{\gamma }}}$ and ${{\mathbf {1}}}_{d\times d}-{{\varvec{\gamma }}}$, whereas Condition 5.1 depends only on the single matrix ${{\varvec{\gamma }}}$.

An important remark is that for the smallest field $\mathbb {F}_{2^5}$, the statistics do not include results about the non-preconditioned safe matrices, which were the only safe ones we found, see the further discussion below.

We indicate the sample sizes used to obtain each result, as they may vary by several orders of magnitude due to the exponentially-increasing cost of our algorithm with the order. As an illustration, our batch implementation is able to check 1 000 000 dimension-4 matrices over $\mathbb {F}_{2^6}$ in 12 400 seconds on one core of a 2 GHz Sandy Bridge CPU, which increases to 590 000 and 740 000 s for $\mathbb {F}_{2^{12}}$ and $\mathbb {F}_{2^{16}}$ respectively because of more expensive field operations; 1 600 000 s allowed to test ${\approx }145\,000$ and ${\approx }25\,000$ dimension-5 matrices for these last two fields, and ${\approx }2\,400$ dimension-6 matrices for $\mathbb {F}_{2^{16}}$.

Table 1. Instantiations over $\mathbb {F}_{2^5} \sim \mathbb {F}_{2^{10}}$. Sample sizes (as indicated by symbols in the exponents) were as follows: $*\approx 400\,000$; $\ddagger = 1\,000\,000$; $\star \approx 4\,000\,000$; $\dagger \approx 11\,000\,000$.

Full size table

Table 2. Instantiations over $\mathbb {F}_{2^{11}} \sim \mathbb {F}_{2^{16}}$. Sample sizes (as indicated by symbols in the exponents) were as follows: $\ddagger = 1\,000\,000$; $*\approx 400\,000$; $\diamond \approx 145\,000$; $\bullet \approx 65\,000$; $\triangleleft \approx 40\,000$; $\oslash \approx 30\,000$; $\ltimes \approx 25\,000$; $\wr \approx 560\,000$; $\curlywedge \approx 12\,700$.

Full size table

Usefulness of the Preconditions. We now address the question of the usefulness of the preconditions of Sect. 5. Our goal is to determine with what probability randomly-generated matrices in fact already satisfy the preconditions, and whether doing so for a matrix ${{\varvec{\gamma }}}$ has a positive impact on its satisfying Condition 4.1 or Condition 5.1.

We did this experimentally in two settings, both for the first scheme corresponding to Condition 4.1: order $d = 4$ over $\mathbb {F}_{2^8}$ and order $d = 5$ over $\mathbb {F}_{2^{13}}$. We generated enough random matrices ${{\varvec{\gamma }}}$ in order to obtain respectively 20 000 and 2 000 of them satisfying Condition 4.1, and counted how many of the corresponding safe pairs (${{\varvec{\gamma }}}$, ${{\mathbf {1}}}_{d\times d} - {{\varvec{\gamma }}}$) had at least one or both elements that were MDS and XMDS. The same statistics were gathered for all the generated matrices, including the ones that were not safe. The results are respectively summarized in Tables 3 and 4.

Table 3. Case $d = 4$ over $\mathbb {F}_{2^8}$, for Condition 4.1.

Full size table

Table 4. Case $d = 5$ over $\mathbb {F}_{2^{13}}$, for Condition 4.1.

Full size table

A first comment on the results is that as already remarked in Sect. 5, the preconditions are not necessary to find safe instantiations. Indeed, for a few of the smallest cases $d=3, q=2^3$ and $d=4,q=2^5$, we were only able to find safe instantiations that did not meet the preconditions. For example, one can clearly see that the leading $2\times 2$ submatrix of the following matrix is singular, and hence the matrix is not MDS:

$${{\varvec{\gamma }}} = \begin{pmatrix} \texttt {4} &{} \texttt {2} &{} \texttt {6}\\ \texttt {4} &{} \texttt {2} &{} \texttt {3}\\ \texttt {4} &{} \texttt {2} &{} \texttt {3} \end{pmatrix}.$$

Yet (surprisingly), ${{\varvec{\gamma }}}$ and ${{\mathbf {1}}}-{{\varvec{\gamma }}}$ satisfy all requirements of Condition 4.1 over $\mathbb {F}_{2^3}$.

Nonetheless, the precondition is clearly helpful in the vast majority of cases. From our experiments, in cases where any preconditioned safe matrix exists, then nearly all safe matrices satisfy the precondition, while a significant fraction of random matrices do not. Enforcing the precondition by construction or as a first check is then indeed a way to improve the performance of a random search of a safe matrix. This is especially true for larger orders; for example, we did not find any safe matrices for order $d=6$ over $\mathbb {F}_{2^{15}}$ by random search, but only by imposing Precondition 4.1.

Lastly, one should notice that specifically considering Cauchy matrices seems to further increase the odds of a matrix being safe, beyond the fact that it satisfies Condition 4.1: in the case $d = 4$, $\mathbb {F}_{2^8}$, Table 1 gives a success probability of 0.11, which is significantly larger than the 0.063 of Table 3, and in the case $d = 5$, $\mathbb {F}_{2^{13}}$, Table 2 gives 0.2, also quite higher than the 0.14 of Table 4. As of yet, we do not have an explanation for this observation.

8.2 Instantiations of [BBP+17, Sect. 4]

We conclude by giving explicit matrices allowing to safely instantiate the scheme of [BBP+17, Sect. 4] over various binary fields from order 3 up to 6; the case of order at most 2 is treated in Sect. 6 (Belaïd et al. also provided examples for $d=2$). Our examples include practically-relevant instances with $d=3,4$ over $\mathbb {F}_{2^8}$.

We only give one matrix ${{\varvec{\gamma }}}$ for every case we list, but we emphasise that as is required by the masking scheme, this means that both ${{\varvec{\gamma }}}$ and ${{\varvec{\delta }}} = {{\mathbf {1}}}_{d\times d} - {{\varvec{\gamma }}}$ satisfy Condition 4.1. We list instances only for the smallest field size we know of, and for $\mathbb {F}_{2^8}$ (when applicable), but have computed explicit instances for all field sizes up to $\mathbb {F}_{2^{16}}$. These are given in the full version of this paper [KR18, Appendix A].

Instantiations at Order 3. The smallest field for which we could find an instantiation at order 3 was $\mathbb {F}_{2^3}$. Recall that we also have an explicit construction in Sect. 6 for any $2^k$ with $k\ge 4$.

$$ {{\varvec{\gamma }}}(\mathbb {F}_{2^3}) = \begin{pmatrix} \texttt {3} &{} \texttt {5} &{} \texttt {4}\\ \texttt {3} &{} \texttt {6} &{} \texttt {7}\\ \texttt {3} &{} \texttt {5} &{} \texttt {4} \end{pmatrix} \qquad {{\varvec{\gamma }}}(\mathbb {F}_{2^8}) = \begin{pmatrix} \texttt {e3} &{} \texttt {b7} &{} \texttt {50}\\ \texttt {bd} &{} \texttt {e8} &{} \texttt {8b}\\ \texttt {53} &{} \texttt {25} &{} \texttt {a0}\\ \end{pmatrix} $$

Instantiations at Order 4. The smallest field for which we could find an instantiation at order 4 was $\mathbb {F}_{2^5}$. The following matrices ${{\mathrm{\gamma }}}(\mathbb {F}_q)$ may be used to instantiate the scheme over $\mathbb {F}_q$.

$$ \begin{array}{cc} {{\varvec{\gamma }}}(\mathbb {F}_{2^5}) = \begin{pmatrix} \texttt {1c} &{} \texttt { c} &{} \texttt {1e} &{} \texttt { b}\\ \texttt {1c} &{} \texttt { c} &{} \texttt {1e} &{} \texttt {12}\\ \texttt {10} &{} \texttt {18} &{} \texttt {17} &{} \texttt {14}\\ \texttt {1c} &{} \texttt { c} &{} \texttt {1e} &{} \texttt {10}\\ \end{pmatrix} &{} {{\varvec{\gamma }}}(\mathbb {F}_{2^8}) = \begin{pmatrix} \texttt {56} &{} \texttt {5e} &{} \texttt {a1} &{} \texttt {3d} \\ \texttt {97} &{} \texttt {27} &{} \texttt {71} &{} \texttt {c7} \\ \texttt {f5} &{} \texttt {ae} &{} \texttt {68} &{} \texttt {88} \\ \texttt {1c} &{} \texttt { 3} &{} \texttt {9c} &{} \texttt {8e} \end{pmatrix}\\ \end{array} $$

Instantiations at Order 5. The smallest field for which we could find an instantiation at order 5 was $\mathbb {F}_{2^{10}}$. The following matrix may be used to instantiate the scheme over $\mathbb {F}_{2^{10}}$.

$$ \begin{array}{cc} {{\varvec{\gamma }}}(\mathbb {F}_{2^{10}}) = \begin{pmatrix} \texttt {276} &{} \texttt {13e} &{} \texttt { 64} &{} \texttt {1ab} &{} \texttt {120}\\ \texttt {189} &{} \texttt {181} &{} \texttt {195} &{} \texttt {30f} &{} \texttt {3fe}\\ \texttt {20a} &{} \texttt {3a1} &{} \texttt {199} &{} \texttt { 30} &{} \texttt {2db}\\ \texttt {156} &{} \texttt {1ab} &{} \texttt {2f8} &{} \texttt { e5} &{} \texttt {2a8}\\ \texttt {303} &{} \texttt {321} &{} \texttt {265} &{} \texttt { d8} &{} \texttt { 3a}\\ \end{pmatrix}\\ \end{array} $$

Instantiations at Order 6. The smallest field for which we could find an instantiation at order 6 was $\mathbb {F}_{2^{15}}$. The following matrix may be used to instantiate the scheme over $\mathbb {F}_{2^{15}}$.

$$ {{\varvec{\gamma }}}(\mathbb {F}_{2^{15}}) = \begin{pmatrix} \texttt {151d} &{} \texttt {5895} &{} \texttt {5414} &{} \texttt {392b} &{} \texttt {2092} &{} \texttt {29a6}\\ \texttt {5c69} &{} \texttt {2f9e} &{} \texttt {241d} &{} \texttt {2ef7} &{} \texttt { baa} &{} \texttt {6f40}\\ \texttt {6e0d} &{} \texttt { 8cf} &{} \texttt {7ca1} &{} \texttt {6503} &{} \texttt {23dc} &{} \texttt {6b3b}\\ \texttt {10d7} &{} \texttt {588e} &{} \texttt {2c22} &{} \texttt {1245} &{} \texttt {6a38} &{} \texttt {6484}\\ \texttt {1637} &{} \texttt {7062} &{} \texttt {2ae0} &{} \texttt { d1b} &{} \texttt {5305} &{} \texttt {381f}\\ \texttt {23f6} &{} \texttt { 7d5} &{} \texttt {21bf} &{} \texttt {2879} &{} \texttt {2033} &{} \texttt {4377}\\ \end{pmatrix} $$

8.3 Instantiations of [BBP+17, Sect. 5]

We now give similar instantiation results for the scheme with linear randomness complexity. This time, only a single matrix of dimension $(d+1)\times d$ is necessary to obtain a d-NI scheme. As in the previous case, we only focus here on the cases where $3 \le d \le 6$, and only list the matrices over the smallest binary field we have as well as $\mathbb {F}_{2^8}$ (where possible). We refer to [KR18] for all other cases.

Instantiations at Order 3. The smallest field for which we could find an instantiation at order 3 was $\mathbb {F}_{2^3}$. Recall that we also have an explicit construction in Sect. 6 for any $2^k$ with $k\ge 4$.

$$ {{\varvec{\gamma }}}(\mathbb {F}_{2^3}) = \begin{pmatrix} \texttt {1} &{} \texttt {7} &{} \texttt {4}\\ \texttt {4} &{} \texttt {4} &{} \texttt {4}\\ \texttt {2} &{} \texttt {1} &{} \texttt {4}\\ \texttt {7} &{} \texttt {2} &{} \texttt {4}\\ \end{pmatrix} \qquad {{\varvec{\gamma }}}(\mathbb {F}_{2^8}) = \begin{pmatrix} \texttt {da} &{} \texttt {d5} &{} \texttt {e6}\\ \texttt {e8} &{} \texttt {1d} &{} \texttt {44}\\ \texttt {ad} &{} \texttt {b3} &{} \texttt {ce}\\ \texttt {9f} &{} \texttt {7b} &{} \texttt {6c} \end{pmatrix} $$

Instantiations at Order 4. The smallest field for which we could find an instantiation at order 4 was $\mathbb {F}_{2^5}$. The following matrices ${{\mathrm{\gamma }}}(\mathbb {F}_q)$ may be used $\mathbb {F}_q$.

$$ \begin{array}{cc} {{\varvec{\gamma }}}(\mathbb {F}_{2^5}) = \begin{pmatrix} \texttt {17} &{} \texttt { f} &{} \texttt {13} &{} \texttt {16}\\ \texttt { b} &{} \texttt { 7} &{} \texttt {1a} &{} \texttt {11}\\ \texttt { 1} &{} \texttt {1e} &{} \texttt {19} &{} \texttt { 3}\\ \texttt {1b} &{} \texttt {10} &{} \texttt { 2} &{} \texttt { a}\\ \texttt { 6} &{} \texttt { 6} &{} \texttt {12} &{} \texttt { e} \end{pmatrix} &{} {{\varvec{\gamma }}}(\mathbb {F}_{2^8}) = \begin{pmatrix} \texttt {ac} &{} \texttt {39} &{} \texttt {c0} &{} \texttt {36} \\ \texttt {79} &{} \texttt {5f} &{} \texttt {d9} &{} \texttt {51} \\ \texttt {9d} &{} \texttt {16} &{} \texttt {ca} &{} \texttt {63} \\ \texttt {a3} &{} \texttt {cb} &{} \texttt { 6} &{} \texttt {81}\\ \texttt {eb} &{} \texttt {bb} &{} \texttt {d5} &{} \texttt {85} \end{pmatrix}\\ \end{array} $$

Instantiations at Order 5. The smallest field for which we could find an instantiation at order 5 was $\mathbb {F}_{2^{9}}$. The following matrix may be used to instantiate the scheme over $\mathbb {F}_{2^{9}}$.

$$ \begin{array}{cc} {{\varvec{\gamma }}}(\mathbb {F}_{2^{9}}) = \begin{pmatrix} \texttt { 7d} &{} \texttt {12c} &{} \texttt { 18} &{} \texttt {1a3} &{} \texttt { da}\\ \texttt {121} &{} \texttt {131} &{} \texttt {109} &{} \texttt {1a7} &{} \texttt { 3b}\\ \texttt { 4a} &{} \texttt {131} &{} \texttt { 91} &{} \texttt { a4} &{} \texttt {1c4}\\ \texttt {17c} &{} \texttt { cb} &{} \texttt {14b} &{} \texttt { 41} &{} \texttt { 57}\\ \texttt { fd} &{} \texttt { 87} &{} \texttt { ac} &{} \texttt {17a} &{} \texttt {149}\\ \texttt { 97} &{} \texttt {160} &{} \texttt { 67} &{} \texttt {19b} &{} \texttt { 3b}\\ \end{pmatrix}\\ \end{array} $$

Instantiations at Order 6. The smallest field for which we could find an instantiation at order 6 was $\mathbb {F}_{2^{15}}$. The following matrix may be used to instantiate the scheme over $\mathbb {F}_{2^{15}}$.

$$ {{\varvec{\gamma }}}(\mathbb {F}_{2^{15}}) = \begin{pmatrix} \texttt {475c} &{} \texttt {77e7} &{} \texttt {64ef} &{} \texttt {7893} &{} \texttt {4cd1} &{} \texttt {6e20}\\ \texttt {63dd} &{} \texttt { 71f} &{} \texttt {29da} &{} \texttt {600e} &{} \texttt {36be} &{} \texttt {1db7}\\ \texttt {5511} &{} \texttt { d63} &{} \texttt {3719} &{} \texttt {4874} &{} \texttt { 664} &{} \texttt {5014}\\ \texttt {410e} &{} \texttt {7cf2} &{} \texttt { 9d9} &{} \texttt {10a1} &{} \texttt {7525} &{} \texttt {6098}\\ \texttt {7bfe} &{} \texttt {2998} &{} \texttt {7e20} &{} \texttt {1438} &{} \texttt {35e6} &{} \texttt { 51e}\\ \texttt {7564} &{} \texttt {75d3} &{} \texttt {221a} &{} \texttt {67c7} &{} \texttt {56f1} &{} \texttt {18d5}\\ \texttt {3e04} &{} \texttt {5d22} &{} \texttt {2fcf} &{} \texttt {33b7} &{} \texttt {6a39} &{} \texttt {5ed0} \end{pmatrix} $$

8.4 Minimum Field Sizes for Safe Instantiations

We conclude by briefly comparing the minimum field sizes for which we could find safe instantiations of Conditions 4.1 and 5.1 with the ones given by the non-constructive existence theorems of Belaïd et al. Namely, [BBP+17, Theorem 4.5] guarantees the existence of a pair of safe matrices for Condition 4.1 in dimension d over $\mathbb {F}_q$ as long as $q > 2d\cdot (12d)^d$, and [BBP+17, Theorem 5.4] of a safe matrix for Condition 5.1 as long as $q > d\cdot (d+1)\cdot (12d)^d$. We give in Table 5 the explicit values provided by these two theorems for $2 \le d \le 6$ and q a power of two, along with the experimental minima that we found. From these, it seems that the sufficient condition of Belaïd et al. is in fact rather pessimistic.

Table 5. Sufficient field sizes for safe instantiations in characteristic two. Sizes are given as $\log (q)$.

Full size table

Notes

1.
Note that for convenience in the subsequent share definitions and consistency with the notation of [BBP+17], the row index of $\varvec{\gamma }$ starts from zero and not one.
2.
In fields of characteristic 2, the matrix ${\mathbf {2}}_{1\times d}$ is actually ${{\mathbf {0}}}_{1\times d}$.
3.
This figure was found experimentally by regrouping the supports in clusters of $10\,000$, independently of q. A more careful analysis may lead to a more precise result.
4.
$\mathbb {F}_{2^{16}}$ is the largest field size implemented in M4RIE, and $d=6$ the maximum dimension for which safe instantiations (seem to) exist below this field size limitation.

References

Albrecht, M.: The M4RIE library, The M4RIE Team (2013)
Google Scholar
Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 116–129. ACM (2016)
Google Scholar
Belaïd, S., Benhamouda, F., Passelègue, A., Prouff, E., Thillard, A., Vergnaud, D.: Randomness complexity of private circuits for multiplication. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 616–648. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_22
Chapter Google Scholar
Belaïd, S., Benhamouda, F., Passelègue, A., Prouff, E., Thillard, A., Vergnaud, D.: Private multiplication over finite fields. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 397–426. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_14
Chapter Google Scholar
Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards Sound Approaches to Counteract Power-Analysis Attacks, in Wiener [Wie99], pp. 398–412
Chapter Google Scholar
Carlet, C., Prouff, E., Rivain, M., Roche, T.: Algebraic Decomposition for Probing Security. IACR Cryptology ePrint Archive 2016, 321 (2016)
Google Scholar
Goubin, L., Patarin, J.: DES and differential power analysis the “Duplication” method. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48059-5_15
Chapter MATH Google Scholar
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
Chapter Google Scholar
Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis, in Wiener [Wie99], pp. 388–397
Chapter Google Scholar
Karpman, P., Roche, D.S.: New Instantiations of the CRYPTO 2017 Masking Schemes. IACR Cryptology ePrint Archive 2018, 492 (2018)
Google Scholar
MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes, 12th edn. North-Holland Mathematical Library, North-Holland (2006)
MATH Google Scholar
Roth, R.M., Seroussi, G.: On generator matrices of MDS codes. IEEE Trans. Inf. Theor. 31(6), 826–830 (1985)
Article MathSciNet Google Scholar
The Sage Developers: Sagemath, the Sage Mathematics Software System (Version 7.4) (2016)
Google Scholar
Schwartz, J.T.: Fast probabilistic algorithms for verification of polynomial identities. J. ACM 27(4), 701–717 (1980)
Article MathSciNet Google Scholar
Wiener, Michael (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1
Book MATH Google Scholar

Download references

Acknowledgements

We thank Daniel Augot for the interesting discussions we had in the early stages of this work.

This work was performed while the second author was graciously hosted by the Laboratoire Jean Kuntzmann at the Université Grenoble Alpes.

The first author was supported in part by the French National Research Agency through the framework of the “Investissements d’avenir” program (ANR-15-IDEX-02).

The second author was supported in part by the National Science Foundation under grants #1319994 and #1618269, and in part by the Office of Naval Research award #N0001417WX01516.

Some of the computations were performed using the Grace supercomputer hosted by the U.S. Naval Academy Center for High Performance Computing, with funding from the DoD HPC Modernization Program.

Author information

Authors and Affiliations

Univ. Grenoble Alpes, CNRS, 38000, Grenoble, France
Pierre Karpman
INP, Institute of Engineering Univ. Grenoble Alpes, LJK, 38000, Grenoble, France
Pierre Karpman
United States Naval Academy, Annapolis, USA
Daniel S. Roche

Authors

Pierre Karpman
View author publications
You can also search for this author in PubMed Google Scholar
Daniel S. Roche
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Pierre Karpman or Daniel S. Roche .

Editor information

Editors and Affiliations

Nanyang Technological University, Singapore, Singapore
Thomas Peyrin
University of Auckland, Auckland, New Zealand
Steven Galbraith

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Karpman, P., Roche, D.S. (2018). New Instantiations of the CRYPTO 2017 Masking Schemes. In: Peyrin, T., Galbraith, S. (eds) Advances in Cryptology – ASIACRYPT 2018. ASIACRYPT 2018. Lecture Notes in Computer Science(), vol 11273. Springer, Cham. https://doi.org/10.1007/978-3-030-03329-3_10

Download citation

DOI: https://doi.org/10.1007/978-3-030-03329-3_10
Published: 27 October 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03328-6
Online ISBN: 978-3-030-03329-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Abstract

1 Introduction

1.1 Our Contribution

1.2 Roadmap

2 Preliminaries

2.1 Notation

2.2 MDS and Cauchy Matrices

Theorem 1

2.3 Security Notions for Masking Schemes

Definition 2

Definition 3

Definition 4

Definition 5

3 The Masking Schemes of CRYPTO 2017

3.1 Pseudo-Linear Multiplication Complexity [BBP+17, Sect. 4]

Condition 4.1

3.2 Linear Randomness Complexity [BBP+17, Sect. 5]

Condition 5.1

4 Simplifying and Unifying the Conditions

4.1 Unifying \({\varvec{M}}_{{\gamma }}\) and \({\varvec{M}}^{\prime }_{{\gamma }}\)

Proposition 6

Proposition 7

4.2 Equivalent Condition With Kernel Bases

Theorem 8

Proof

4.3 Eliminating Rows and Columns

Lemma 9

Proof

Theorem 10

Proof

5 A Matrix Precondition

5.1 Definitions

Example 11

Precondition 4.1

Precondition 5.1

5.2 Explicit constructions

Theorem 12

Proof

Theorem 13

Proof

6 Analytic Construction for Order up to 3

6.1 Columns Which Must be Selected

Lemma 14

Proof

6.2 Dimensions 1 and 2

Corollary 15

Proof

Corollary 16

Proof

6.3 Dimension 3

Lemma 17

Proof

Proposition 18

Theorem 19

Proof

Proposition 20

Theorem 21

7 Efficient Algorithms to Test Safeness

7.1 The Algorithm

7.2 Straightforward Implementation with Optimizations

7.3 Batch Implementation

8 Experimental Results and Explicit Instantiations

8.1 Statistics

8.2 Instantiations of [BBP+17, Sect. 4]

8.3 Instantiations of [BBP+17, Sect. 5]

8.4 Minimum Field Sizes for Safe Instantiations

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding authors

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper