Nothing Special   »   [go: up one dir, main page]
Skip to main content
SpringerLink
Log in

Connecting Leakage-Resilient Secret Sharing to Practice: Scaling Trends and Physical Dependencies of Prime Field Masking

  • Conference paper
  • First Online:
Advances in Cryptology – EUROCRYPT 2024 (EUROCRYPT 2024)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14654))

Abstract

Symmetric ciphers operating in (small or mid-size) prime fields have been shown to be promising candidates to maintain security against low-noise (or even noise-free) side-channel leakage. In order to design prime ciphers that best trade physical security and implementation efficiency, it is essential to understand how side-channel security evolves with the field size (i.e., scaling trends). Unfortunately, it has also been shown that such scaling trends depend on the leakage functions and cannot be explained by the standard metrics used to analyze Boolean masking with noise. In this work, we therefore initiate a formal study of prime field masking for two canonical leakage functions: bit leakages and Hamming weight leakages. By leveraging theoretical results from the leakage-resilient secret sharing literature, we explain formally why (1) bit leakages correspond to a worst-case and do not encourage operating in larger fields, and (2) an opposite conclusion holds for Hamming weight leakages, where increasing the prime field modulus p can contribute to a security amplification that is exponential in the number of shares, with \(\log (p)\) seen as security parameter like the noise variance in Boolean masking. We combine these theoretical results with simulated experiments and show that the interest masking in larger prime fields can degrade gracefully when leakage functions slightly deviate from the Hamming weight abstraction, motivating further research towards characterizing (ideally wide) classes of leakage functions offering such guarantees.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 119.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The only known alternative is to rely on fresh re-keying with a leakage-resilient PRF [4], which is only exploitable in tailored designs such as ISAP [17].

  2. 2.

    The literature of noise amplification bounds does not directly assume a noise-free setting, as it can be encompassed in the noisy leakage framework. On the opposite, to the best of our knowledge it is more common in the literature about the leakage-resilience of linear secret sharing schemes to rely on this assumption [8, 29].

  3. 3.

    The first equality is used in noise amplification papers [20, 34, 40] and aims at quantifying how the distribution of the secret deviates from the prior knowledge whenever some side information \({\textbf {L}}\) is available. The second equality is used in simulation-based proofs [18], and rather aims at quantifying how the side information \({\textbf {L}}\) changes whenever the secret is known.

  4. 4.

    This is true regardless of the choice of the metric, i.e., similar trends hold when considering the Mutual Information (MI).

  5. 5.

    For a more general statement of Proposition 2 concerning any linear code, see [7].

  6. 6.

    The Cauchy-Schwarz trick has already been used in the noise amplification bound of Prouff & Rivain [40, Thm. 1], although applied to another metric.

  7. 7.

    This can be formalized by applying the data processing inequality to the \({{\,\mathrm{\textsf{TV}}\,}}\).

  8. 8.

    We conjecture based on the numerical calculations of the spectrum that for \(n\ge 13\), \(\left|\widehat{\textbf{1}_{h}}(1)\right|\) maximizes the Fourier transform.

  9. 9.

    We empirically observe that all the \(\alpha _i\) are equal to one, however this stronger claim would not seem to improve the upper bound.

References

  1. Andrychowicz, M., Dziembowski, S., Faust, S.: Circuit compilers with \(O(1/\log (n))\) leakage rate. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 586–615. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_21

    Chapter  Google Scholar 

  2. Battistello, A., Coron, J.-S., Prouff, E., Zeitoun, R.: Horizontal side-channel attacks and countermeasures on the ISW masking scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 23–39. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_2

    Chapter  Google Scholar 

  3. Béguinot, J., et al.: Removing the field size loss from Duc et al.’s conjectured bound for masked encodings. In: Kavun, E.B., Pehl, M. (eds.) COSADE 2023. LNCS, vol. 13979, pp. 86–104. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-29497-6_5

    Chapter  Google Scholar 

  4. Belaïd, S., et al.: Towards fresh re-keying with leakage-resilient PRFs: cipher design principles and analysis. J. Cryptogr. Eng. 4(3), 157–171 (2014)

    Google Scholar 

  5. Bellizia, D., et al.: Mode-level vs. implementation-level physical security in symmetric cryptography. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 369–400. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_13

    Chapter  Google Scholar 

  6. Bender, E.A.: Asymptotic methods in enumeration. SIAM Rev. 16(4), 485–515 (1974)

    Google Scholar 

  7. Benhamouda, F., Degwekar, A., Ishai, Y., Rabin, T.: On the local leakage resilience of linear secret sharing schemes. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 531–561. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_18

    Chapter  Google Scholar 

  8. Benhamouda, F., Degwekar, A., Ishai, Y., Rabin, T.: On the local leakage resilience of linear secret sharing schemes. J. Cryptol. 34(2), 10 (2021)

    Article  MathSciNet  Google Scholar 

  9. Boucheron, S., Lugosi, G., Massart, P.: Concentration Inequalities: A Nonasymptotic Theory of Independence. OUP Oxford (2013)

    Google Scholar 

  10. Brier, E., Clavier, C., Olivier, F.: Optimal statistical power analysis. IACR Cryptology ePrint Archive, p. 152 (2003)

    Google Scholar 

  11. Bronchain, O., Standaert, F.-X.: Breaking masked implementations with many shares on 32-bit software platforms or when the security order does not matter. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(3), 202–234 (2021)

    Article  Google Scholar 

  12. Cassiers, G., Masure, L., Momin, C., Moos, T., Standaert, F.-X.: Prime-field masking in hardware and its soundness against low-noise SCA attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2023(2), 482–518 (2023)

    Article  Google Scholar 

  13. Cassiers, G., Standaert, F.-X.: Towards globally optimized masking: From low randomness to low noise rate or probe isolating multiplications with reduced randomness and security against horizontal attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 162–198 (2019)

    Article  Google Scholar 

  14. Cassiers, G., Standaert, F.-X.: Provably secure hardware masking in the transition- and glitch-robust probing model: better safe than sorry. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(2), 136–158 (2021)

    Article  Google Scholar 

  15. Cassiers, G., Bronchain, O.: Scalib: a side-channel analysis library. J. Open Source Softw. 8(86), 5196 (2023)

    Article  Google Scholar 

  16. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_26

    Chapter  Google Scholar 

  17. Dobraunig, C., et al.: ISAP v2.0. IACR Trans. Symmetric Cryptol. 2020(S1), 390–416 (2020)

    Google Scholar 

  18. Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_24

    Chapter  Google Scholar 

  19. Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete - or how to evaluate the security of any leaking device. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 401–429. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_16

    Chapter  Google Scholar 

  20. Dziembowski, S., Faust, S., Skórski, M.: Optimal amplification of noisy leakages. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 291–318. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_11

    Chapter  Google Scholar 

  21. Faust, S., Grosso, V., Pozo, S.M.D., Paglialonga, C., Standaert, F.-X.: Composable masking schemes in the presence of physical defaults & the robust probing model. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3), 89–120 (2018)

    Article  Google Scholar 

  22. Galbraith, S.D., Laity, J., Shani, B.: Finding significant Fourier coefficients: clarifications, simplifications, applications and limitations (2018)

    Google Scholar 

  23. Goubin, L., Patarin, J.: DES and differential power analysis the “duplication’’ method. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48059-5_15

    Chapter  Google Scholar 

  24. Grosso, V., Standaert, F.-X.: Masking proofs are tight and how to exploit it in security evaluations. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 385–412. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_13

    Chapter  Google Scholar 

  25. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27

    Chapter  Google Scholar 

  26. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

    Chapter  Google Scholar 

  27. Maji, H.K., Nguyen, H.H., Paskin-Cherniavsky, A., Suad, T., Wang, M.: Leakage-resilience of the shamir secret-sharing scheme against physical-bit leakages. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 344–374. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_12

    Chapter  Google Scholar 

  28. Maji, H.K., et al.: Leakage-resilient linear secret-sharing against arbitrary bounded-size leakage family. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022. LNCS, vol. 13747, pp. 355–383. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22318-1_13

    Chapter  Google Scholar 

  29. Maji, H.K., et al.: Tight estimate of the local leakage resilience of the additive secret-sharing scheme & its consequences. In: ITC. LIPIcs, vol. 230, pp. 16:1–16:19. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2022)

    Google Scholar 

  30. Maji, H.K., Nguyen, H.H., Paskin-Cherniavsky, A., Wang, M.: Improved bound on the local leakage-resilience of Shamir’s secret sharing. In: ISIT, pp. 2678–2683. IEEE (2022)

    Google Scholar 

  31. Maji, H.K., Paskin-Cherniavsky, A., Suad, T., Wang, M.: Constructing locally leakage-resilient linear secret-sharing schemes. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 779–808. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_26

    Chapter  Google Scholar 

  32. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks - Revealing the Secrets of Smart Cards. Springer, New York (2007). https://doi.org/10.1007/978-0-387-38162-6

    Book  Google Scholar 

  33. Masure, L., Méaux, P., Moos, T., Standaert, F.-X.: Effective and efficient masking with low noise using small-mersenne-prime ciphers. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14007, pp. 596–627. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30634-1_20

    Chapter  Google Scholar 

  34. Masure, L., Standaert, F.X.: Prouff and Rivain’s formal security proof of masking, revisited - tight bounds in the noisy leakage model. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14083, pp. 343–376. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38548-3_12

    Chapter  Google Scholar 

  35. Moos, T.: Static power SCA of sub-100 nm CMOS ASICS and the insecurity of masking schemes in low-noise environments. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(3), 202–232 (2019)

    Article  Google Scholar 

  36. Moos, T., Moradi, A., Schneider, T., Standaert, F.-X.: Glitch-resistant masking revisited or why proofs in the robust probing model are needed. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 256–292 (2019)

    Article  Google Scholar 

  37. Moradi, A., Standaert, F.-X.: Moments-correlating DPA. In: TIS@CCS, pp. 5–15. ACM (2016)

    Google Scholar 

  38. Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptol. 24(2), 292–321 (2011)

    Article  MathSciNet  Google Scholar 

  39. Prest, T., Goudarzi, D., Martinelli, A., Passelègue, A.: Unifying leakage models on a Rényi day. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 683–712. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_24

    Chapter  Google Scholar 

  40. Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_9

    Chapter  Google Scholar 

  41. Prouff, E., Rivain, M., Bevan, R.: Statistical analysis of second order differential power analysis. IEEE Trans. Comput. 58(6), 799–811 (2009)

    Article  MathSciNet  Google Scholar 

  42. Schindler, W., Lemke, K., Paar, C.: A stochastic model for differential side channel cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 30–46. Springer, Heidelberg (2005). https://doi.org/10.1007/11545262_3

    Chapter  Google Scholar 

  43. Standaert, F.-X.: How (not) to use Welch’s T-test in side-channel security evaluations. In: Bilgin, B., Fischer, J.-B. (eds.) CARDIS 2018. LNCS, vol. 11389, pp. 65–79. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-15462-2_5

    Chapter  Google Scholar 

  44. Stromberg, K.: Probabilities on a compact group. Trans. Am. Math. Soc. 94(2), 295–309 (1960)

    Article  MathSciNet  Google Scholar 

  45. Veyrat-Charvillon, N., Standaert, F.-X.: Adaptive chosen-message side-channel attacks. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 186–199. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13708-2_12

    Chapter  Google Scholar 

Download references

Acknowledgments

François-Xavier Standaert is a senior research associate of the Belgian Fund for Scientific Research (FNRS-F.R.S.). This work has been funded in parts by the German Research Foundation (DFG) CRC 1119 CROSSING (project S7), by the German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE, by the ERC Consolidator Grant 101044770 (CRYPTOLAYER) and by the ERC Advanced Grant 101096871 (BRIDGE). Views and opinions expressed are those of the authors only and do not necessarily reflect those of the European Union or the European Research Council. Neither the European Union nor the granting authority can be held responsible for them.

Author information

Authors and Affiliations

  1. Department of Computer Science, Technical University of Darmstadt, Darmstadt, Germany

    Sebastian Faust, Elena Micheli & Maximilian Orlt

  2. LIRMM, Univ. Montpellier, CNRS, Montpellier, France

    Loïc Masure

  3. Crypto Group, ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium

    François-Xavier Standaert

Authors
  1. Sebastian Faust
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Loïc Masure
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Elena Micheli
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Maximilian Orlt
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. François-Xavier Standaert
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Elena Micheli .

Editor information

Editors and Affiliations

  1. Zama, Paris, France

    Marc Joye

  2. Ruhr University Bochum, Bochum, Germany

    Gregor Leander

Appendices

A Proofs of Section 2

Proof

of Lemma 1. By definition we have

$$\begin{aligned} \mathop {\textrm{Pr}}\limits \!\left( \text {Y}= \textrm{y}\;\mid \;\text {L}= h\right) & = \frac{1_{{{\,\mathrm{\textsf{HW}}\,}}{\textrm{y}} = h}}{\left( {\begin{array}{c}n\\ h\end{array}}\right) }, h \in \llbracket 0, n- 1 \rrbracket ,\\ \mathop {\textrm{Pr}}\limits \!\left( \text {Y}= \textrm{y}\right) & = \frac{1}{2^n-1} , \\ \mathop {\textrm{Pr}}\limits \!\left( \text {L}= h\right) & = \frac{\left( {\begin{array}{c}n\\ h\end{array}}\right) }{2^n-1}, h \in \llbracket 0, n- 1 \rrbracket .\\ \end{aligned}$$

It follows that the statistical distance for Hamming weight is

$$\begin{aligned} {{\,\mathrm{\beta }\,}}\!\left( \text {Y} \left| \text {L}\right. \right) & = & \frac{1}{2} \sum _{h = 0}^{n-1} \sum _{\textrm{y}\in \mathcal {Y}} \left|\frac{1_{{{\,\mathrm{\textsf{HW}}\,}}{\textrm{y}} = h}}{2^n-1} - \frac{\left( {\begin{array}{c}n\\ h\end{array}}\right) }{(2^{n}-1)^2} \right|\\ & = & \frac{1}{2^n-1} \sum _{h = 0}^{n-1} \left( {\begin{array}{c}n\\ h\end{array}}\right) \left( 1 - \frac{\left( {\begin{array}{c}n\\ h\end{array}}\right) }{2^n-1} \right) . \end{aligned}$$

We may then leverage Vandermonde’s convolution equality to replace the sum of squared binomial coefficients by \(\left( {\begin{array}{c}2n\\ n\end{array}}\right) - 1\). Finally, using Stirling’s formula, we get the desired result.

As per the MI, notice that it is equal to the entropy of a binomial distribution, truncated from its maximum value \(n\), and re-normalized by a factor \(\frac{2^n}{2^n-1} \approx 1 + 2^{-n}\). We argue hereafter that this slight change to the binomial distribution does not change the entropy approximation. First, the re-normalization factor does not change much the non-truncated terms of the entropy. As per the truncated term, it initially contributed to the entropy at a value \(\frac{n}{2^n} \ll \log \!\left( n\right) \).    \(\square \)

Proof

of Lemma 2. The MI of this leakage model is trivially \(\alpha \cdot n\). As per the bias, first, assume \(\alpha <1\). Then, for every \(h\in \{0,1\}^{\alpha n}\)

$$\begin{aligned} \mathop {\textrm{Pr}}\limits \!\left( \text {Y}= \textrm{y}\right) &= \frac{1}{2^n-1} , \\ \mathop {\textrm{Pr}}\limits \!\left( \text {Y}= \textrm{y}\;\mid \;\text {L}= h\right) &= {\left\{ \begin{array}{ll} 0 &{}\text { if }h\ne \mathrm {\ell }^S(\textrm{y})\\ \frac{1}{2^{n(1-\alpha )}} &{}\text {else if }h\ne 1^{\alpha n}\\ \frac{1}{2^{n(1-\alpha )}-1} &{}\text {else if }h=1^{\alpha n} \end{array}\right. },\\ \mathop {\textrm{Pr}}\limits \!\left( \text {L}= h\right) &= {\left\{ \begin{array}{ll} \frac{2^{n(1-\alpha )}}{2^n-1} &{}\text {if }h\ne 1^{\alpha n}\\ \frac{2^{n(1-\alpha )}-1}{2^n-1} &{}\text {if }h=1^{\alpha n}. \end{array}\right. } \end{aligned}$$

Therefore

$$\begin{aligned} {{\,\mathrm{\beta }\,}}\!\left( \text {Y} \left| \text {L}\right. \right) & = \frac{1}{2} \sum _{\begin{array}{c} h\in \{0,1\}^{\alpha n}\\ h\ne 1^{\alpha n} \end{array}} \sum _{\textrm{y}\in \mathcal {Y}} \left|\frac{1_{\mathrm {\ell }^S(\textrm{y}) = h}}{2^n-1} - \frac{2^{n(1-\alpha )}}{(2^{n}-1)^2} \right|+ \frac{1}{2}\sum _{\textrm{y}\in \mathcal {Y}}\left|\frac{1_{\mathrm {\ell }^S(\textrm{y}) = 1^{\alpha n}}}{2^n-1} - \frac{2^{n(1-\alpha )}-1}{(2^{n}-1)^2} \right|. \end{aligned}$$

The result follows from further algebraic computation.

If \(\alpha =1\), then the event \(\left\{ \text {L}=1^n\right\} \) has probability 0, and thus we cannot directly use the above analysis. On the other hand, \(\alpha =1\) describes the case where the secret is completely leaked, that is

$$\begin{aligned} {{\,\mathrm{\beta }\,}}\!\left( \text {Y} \left| \text {L}\right. \right) =1-\frac{1}{|\mathbb {F}_{p^{}}|}. \end{aligned}$$

Since the above equation corresponds to Eq. (5) for \(\alpha =1\), the lemma follows.    \(\square \)

B Proofs of Section 4

The following lemma tells us that the symmetry property of the HW leakage function, coming from the symmetry of the binomial distribution, also translates in the Fourier transform.

Lemma 6

(Symmetry). Let \(n\in \mathbb {N}\) and \(p = 2^n-1\). Then, for all \(h \in \llbracket 0, n\rrbracket \), and for all \(\alpha \in \mathbb {Z}_p\),

$$\begin{aligned} \left|\widehat{\textbf{1}_{h}}(\alpha ) \right|= \left|\widehat{\textbf{1}_{n-h}}(\alpha ) \right|. \end{aligned}$$
(21)

Proof

We start by recalling the identity \({{\,\mathrm{\textsf{HW}}\,}}\!\left( x \oplus y\right) = {{\,\mathrm{\textsf{HW}}\,}}\!\left( x\right) + {{\,\mathrm{\textsf{HW}}\,}}\!\left( y\right) - 2 {{\,\mathrm{\textsf{HW}}\,}}\!\left( x \wedge y\right) \). In particular, for \(y = 2^n-1 = 1...1\), and by observing that \(1...1 \oplus x = 2^n-1-x\), we get that

$$\begin{aligned} {{\,\mathrm{\textsf{HW}}\,}}\!\left( x\right) = n- {{\,\mathrm{\textsf{HW}}\,}}\!\left( 2^n-1-x\right) . \end{aligned}$$

Therefore, applying the change of variable \(x \mapsto 2^n-1-x\) in Eq. 6 gives us that

$$\begin{aligned} \widehat{\textbf{1}_{n-h}}(\alpha ) = \overline{\widehat{\textbf{1}_{h}}(\alpha )} . \end{aligned}$$

Finally, taking the absolute value in both side gives us the desired result.    \(\square \)

Proof

of Theorem 7. Using the Parseval formula, and the fact that \(\widehat{\textbf{1}_{h}}(0) = \frac{\left( {\begin{array}{c}n\\ h\end{array}}\right) }{p}\) by definition of a PMF, we get that

$$\begin{aligned} \left( \frac{\left( {\begin{array}{c}n\\ h\end{array}}\right) }{p}\right) ^2 + \sum _{\alpha =1}^{p-1} \left|\widehat{\textbf{1}_{h}}(\alpha )\right|^2 = \frac{1}{p} \cdot \sum _{i=0}^{p-1} \left|\textbf{1}_{h}(i)\right|^2 = \frac{\left( {\begin{array}{c}n\\ h\end{array}}\right) }{p} . \end{aligned}$$
(22)

We will use the fact that the maximum squared absolute value of the Fourier coefficients (for non-zero harmonic) is upper bounded by the sum in the left hand-side of Eq. 22. However, stated as such, Eq. 22 would imply trivial upper bounds. Nevertheless, we will show that the sum of the left hand-side contains many identical terms. Thus by factoring the sum, we will tighten the bound.

Let \(1 \le \alpha \le p-1\). Lemma 5 tells us that we can find at least \(n\) other Fourier coefficients sharing the same absolute value as \(\left|\widehat{\textbf{1}_{h}}(\alpha )\right|\)—they can be derived by cyclically shifting the bits of \(\alpha \). Therefore, we can partition the set \(\llbracket 1, p-1 \rrbracket \) of harmonics into classes of harmonics \(\alpha \) sharing the same absolute value of Fourier coefficients, each classes containing at least \(n\) elements. We shall prove that each class actually contains at least \(2\cdot n\) elements.

Claim

Each class contains at least \(2\cdot n\) elements.

Proof

Since \(\textbf{1}_{h}\) is real-valued, we have for all \(\alpha \ne 0\), \(\left|\widehat{\textbf{1}_{h}}(\alpha )\right|= \left|\widehat{\textbf{1}_{h}}(p-\alpha )\right|\). In other words, for each of the \(n\) harmonics that are in the same class, we can derive another harmonic having the same Fourier coefficient in absolute value, hence in the class as well. We shall prove that this conjugate harmonic does not coincide with any of the first \(n\) harmonics emphasized. To see why, observe that

$$\begin{aligned} {{\,\mathrm{\textsf{HW}}\,}}\!\left( p-\alpha \right) = n- {{\,\mathrm{\textsf{HW}}\,}}\!\left( \alpha \right) \end{aligned}$$

(cf. proof of Lemma 6). Moreover, by assumption \(n\) is odd, so the parity of both hand-sides differ. It implies that the Hamming weight of \(\alpha \) is always different from the Hamming weight of \(p-\alpha \). As a consequence, none of the harmonics derived by shifting the bits of \(p-\alpha \) can never coincide with any of the harmonics derived by shifting the bits of \(\alpha \). Hence, there is at least \(2\cdot n\) elements in each class.    \(\square \)

We can now conclude the proof. Let \(\mathcal {F}_\alpha = \left\{ \alpha ' \in \mathbb {F}_{p^{}} : \left|\widehat{\textbf{1}_{h}}(\alpha ') \right|= \left|\widehat{\textbf{1}_{h}}(\alpha ) \right|\right\} \). Then for all class \(\mathcal {F}_i\), let \(\alpha _{\mathcal {F}_\alpha } = \frac{\left| \mathcal {F}_i\right| }{2n}\). Observe that \(\alpha _{\mathcal {F}_\alpha } \ge 1\) by virtue of the claim.Footnote 9 Then we can rephrase Eq. 22 as follows:

$$\begin{aligned} \left( \frac{\left( {\begin{array}{c}n\\ h\end{array}}\right) }{p}\right) ^2 + 2n\cdot \sum _{\mathcal {F}_\alpha } \alpha _i \left|\widehat{\textbf{1}_{h}}(\alpha )\right|^2 = \frac{\left( {\begin{array}{c}n\\ h\end{array}}\right) }{p} , \end{aligned}$$
(23)

therefore for any \(\alpha \), we get that

$$\begin{aligned} \left|\widehat{\textbf{1}_{h}}(\alpha )\right|^2 \le \sum _{\mathcal {F}_\alpha } \alpha _{\mathcal {F}_\alpha } \left|\widehat{\textbf{1}_{h}}(\alpha )\right|^2 \le \left( \frac{\left( {\begin{array}{c}n\\ h\end{array}}\right) }{p} - \left( \frac{\left( {\begin{array}{c}n\\ h\end{array}}\right) }{p}\right) ^2 \right) \cdot \frac{1}{2n} . \end{aligned}$$

   \(\square \)

Remark 1

We may even prove that for Mersenne primes, the \(\alpha _{\mathcal {F}_\alpha }\) coefficients in Eq. 23 are integer values. To see why, observe that if \(p\) is a Mersenne prime, then \(n\) is necessarily an odd prime. It follows from Fermat’s little theorem that \(2n\) divides \(p-1\), i.e. the number of terms in Eq. 22.

Proof

of Theorem 6. We start from Eq. 17 from which we derive the following inequality.

$$\begin{aligned} \sum _{\mathrm {\ell }} \max _{\alpha \in \mathbb {F}_{^{}}^\star } \left|\widehat{\textbf{1}_{{{\,\mathrm{\textsf{HW}}\,}}^{-1}(\mathrm {\ell })}} \right|\le \frac{1}{\sqrt{2np}} \sum _{h=0}^{n-1} \sqrt{\left( {\begin{array}{c}n\\ h\end{array}}\right) } . \end{aligned}$$

The latter inequality is injected into Eq. 10, where we also use the following equality, by definition of the Hamming weight leakage model:

$$\begin{aligned} \sum _{\mathrm {\ell }} \left\Vert \textbf{1}_{{{\,\mathrm{\textsf{HW}}\,}}^{-1}(\mathrm {\ell })}\right\Vert _2 = \frac{1}{\sqrt{p}} \sum _{h=0}^{n-1} \sqrt{\left( {\begin{array}{c}n\\ h\end{array}}\right) } . \end{aligned}$$

It then comes that

$$\begin{aligned} \textsf{M}_\infty ^\text {Y}\left( {\textbf {L}}, \text {Y}\right) \le \frac{1}{2} \cdot \left( \sum _{h=0}^{n-1} \sqrt{\left( {\begin{array}{c}n\\ h\end{array}}\right) } \right) ^{d+1} \cdot \frac{1}{2^{\frac{d+1}{2}-1}} \cdot \frac{1}{p^\frac{d+1}{2}} \cdot \frac{1}{n^{\frac{d+1}{2}-1}} , \end{aligned}$$

hence the inequality in Eq. 16. The asymptotic estimation of the right hand-side is then derived from the following claim [6, Sec. 3.1]:

$$\begin{aligned} \sum _{h=0}^n\sqrt{\left( {\begin{array}{c}n\\ h\end{array}}\right) } \sim 2^{\frac{n}{2} + \frac{1}{4}} \cdot (\pi n)^{1/4} . \end{aligned}$$

   \(\square \)

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Faust, S., Masure, L., Micheli, E., Orlt, M., Standaert, FX. (2024). Connecting Leakage-Resilient Secret Sharing to Practice: Scaling Trends and Physical Dependencies of Prime Field Masking. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14654. Springer, Cham. https://doi.org/10.1007/978-3-031-58737-5_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-58737-5_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-58736-8

  • Online ISBN: 978-3-031-58737-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation