Randomness Complexity of

Private Circuits for Multiplication

Sonia Belaïd, Fabrice Benhamouda, Alain Passelègue,

Emmanuel Prouff, Adrian Thillard, Damien Vergnaud

brief introduction

- side-channel attacks

- masking

- 𝑑-probing model

1/16

key-idea:for security at order 𝑑, split sensitive data 𝑥 into 𝑑 + 1 randomvariables (shares) s.t.

𝑥 = 𝑥0 ⊕𝑥1 ⊕⋯⊕ 𝑥𝑑

2/16

key-idea:for security at order 𝑑, split sensitive data 𝑥 into 𝑑 + 1 randomvariables (shares) s.t.

𝑥 = 𝑥0 ⊕𝑥1 ⊕⋯⊕ 𝑥𝑑

needs for a lot of randomness

2/16

randomness in cryptography

used everywhere:

- keys

- RSA prime factors

- ...

3/16

randomness in cryptography

used everywhere:

- keys

- RSA prime factors

- ...

strong properties:

- statistically random

- uniformly distributed

- independent

- ...

3/16

where does it come from?

4/16

where does it come from?

in the real world: natural randomness

4/16

where does it come from?

in the real world: natural randomness

in practice:

- need special hardware

- slow

- bias or uneven distribution

4/16

where does it come from?

in the real world: natural randomness

in practice:

- need special hardware

- slow

- bias or uneven distribution

randomness should beconsidered as a resource,

like space and time

4/16

private circuits

𝑓: 0,1 𝑛 → 0,1 𝑚

encoder𝐼

.

.

.

𝜌1

circuit𝐶

decoder𝑂

𝑟1

.

.

.

.

.

....

𝑥

0,1 𝑛′ 0,1 𝑚′

𝑓(𝑥)

correctness: 𝑂 𝐶 𝐼 𝑥; 𝜌 ; 𝑟 = 𝑓 𝑥 , ∀ 𝑥, 𝜌, 𝑟

𝑑-privacy: for any set 𝑃 of 𝑑 wires in 𝐶 and for all 𝑥, 𝑦 ∈ 0,1 𝑛:{𝐶𝑃(𝐼 𝑥; 𝜌 ; 𝑟)}𝜌,𝑟 = {𝐶𝑃(𝐼 𝑦; 𝜌 ; 𝑟)}𝜌,𝑟

…

…

𝑟2 𝑟𝑅

𝜌2 𝜌ℓ

5/16

private circuits

𝑓: 0,1 𝑛 → 0,1 𝑚

encoder𝐼

.

.

.

𝜌1

circuit𝐶

decoder𝑂

𝑟1

.

.

.

.

.

....

𝑥

0,1 𝑛′ 0,1 𝑚′

𝑓(𝑥)

…

…

𝑟2 𝑟𝑅

𝜌2 𝜌ℓ

5/16

private circuits

𝑓: 0,1 𝑛 → 0,1 𝑚

encoder𝐼

.

.

.

𝜌1

circuit𝐶

decoder𝑂

𝑟1

.

.

.

.

.

....

𝑥

0,1 𝑚′

𝑓(𝑥)

…

…

𝑟2 𝑟𝑅

𝜌2 𝜌ℓ

0,1 𝑛′

5/16

private circuits

𝑓: 0,1 𝑛 → 0,1 𝑚

encoder𝐼

.

.

.

𝜌1

circuit𝐶

decoder𝑂

𝑟1

.

.

.

.

.

....

𝑥 𝑓(𝑥)

…

…

𝑟2 𝑟𝑅

𝜌2 𝜌ℓ

0,1 𝑚′

5/16

private circuits

𝑓: 0,1 𝑛 → 0,1 𝑚

encoder𝐼

.

.

.

𝜌1

circuit𝐶

decoder𝑂

𝑟1

.

.

.

.

.

....

𝑥 𝑓(𝑥)

…

…

𝑟2 𝑟𝑅

𝜌2 𝜌ℓ

5/16

private circuits

𝑓: 0,1 𝑛 → 0,1 𝑚

encoder𝐼

.

.

.

𝜌1

circuit𝐶

decoder𝑂

𝑟1

.

.

.

.

.

....

𝑥 𝑓(𝑥)

correctness: 𝑂 𝐶 𝐼 𝑥; 𝜌 ; 𝑟 = 𝑓 𝑥 , ∀ 𝑥, 𝜌, 𝑟

…

…

𝑟2 𝑟𝑅

𝜌2 𝜌ℓ

5/16

private circuits

𝑓: 0,1 𝑛 → 0,1 𝑚

encoder𝐼

.

.

.

𝜌1

circuit𝐶

decoder𝑂

𝑟1

.

.

.

.

.

....

𝑥 𝑓(𝑥)

correctness: 𝑂 𝐶 𝐼 𝑥; 𝜌 ; 𝑟 = 𝑓 𝑥 , ∀ 𝑥, 𝜌, 𝑟

𝑑-privacy: for any set 𝑃 of 𝑑 wires in 𝑪 and for all 𝑥, 𝑦 ∈ 0,1 𝑛:{𝐶𝑃(𝐼 𝑥; 𝜌 ; 𝑟)}𝜌,𝑟 = {𝐶𝑃(𝐼 𝑦; 𝜌 ; 𝑟)}𝜌,𝑟

…

…

𝑟2 𝑟𝑅

𝜌2 𝜌ℓ

5/16

ADDITIONS

ONLY

.

.

.

𝑎0𝑏0𝑎0𝑏1

𝑎0𝑏2

𝑎𝑑𝑏𝑑−1

𝑎𝑑𝑏𝑑

.

.

.

𝑐0𝑐1

𝑐𝑑

⊕𝑖 𝑐𝑖 = 𝑎 ⋅ 𝑏

⊕𝑖 𝑎𝑖 = 𝑎

⊕𝑖 𝑏𝑖 = 𝑏

encoder circuit decoder

𝑟1…

𝑟2 𝑟𝑅

𝑎, 𝑏 ∈ 0,1 2 ↦ 𝑎 ⋅ 𝑏 ∈ 0,1

this paper

6/16

ADDITIONS

ONLY

.

.

.

𝑎0𝑏0𝑎0𝑏1

𝑎0𝑏2

𝑎𝑑𝑏𝑑−1

𝑎𝑑𝑏𝑑

.

.

.

𝑐0𝑐1

𝑐𝑑

𝑟1…

𝑟2 𝑟𝑅

6/16

ADDITIONS

ONLY

.

.

.

𝑎0𝑏0𝑎0𝑏1

𝑎0𝑏2

𝑎𝑑𝑏𝑑−1

𝑎𝑑𝑏𝑑

.

.

.

𝑐0𝑐1

𝑐𝑑

𝑟1…

𝑟2 𝑟𝑅

how much randomness is needed?

6/16

Ishai-Sahai-Wagner scheme

𝑎0𝑏0𝑟0,1

𝑟0,1⊕𝑎0𝑏1 ⊕𝑎1𝑏0𝑎1𝑏1

⋯𝑟0,𝑑 ⊕𝑎0𝑑 ⊕ 𝑎𝑑𝑏0

𝑟1,𝑑 ⊕𝑎1𝑏𝑑 ⊕𝑎𝑑𝑏1⋮ ⋮ ⋱ ⋮

𝑟0,𝑑−1𝑟0,𝑑

𝑟1,𝑑−1𝑟1,𝑑

⋯𝑟𝑑−1,𝑑 ⊕𝑎𝑑−1𝑏𝑑 ⊕𝑎𝑑𝑏𝑑−1

𝑎𝑑𝑏𝑑

𝑐0𝑐1

⋮𝑐𝑑−1𝑐𝑑

7/16

Ishai-Sahai-Wagner scheme

randomness complexity: 𝑑(𝑑 + 1)/2

𝑎0𝑏0𝑟0,1

𝑟0,1⊕𝑎0𝑏1 ⊕𝑎1𝑏0𝑎1𝑏1

⋯𝑟0,𝑑 ⊕𝑎0𝑑 ⊕ 𝑎𝑑𝑏0

𝑟1,𝑑 ⊕𝑎1𝑏𝑑 ⊕𝑎𝑑𝑏1⋮ ⋮ ⋱ ⋮

𝑟0,𝑑−1𝑟0,𝑑

𝑟1,𝑑−1𝑟1,𝑑

⋯𝑟𝑑−1,𝑑 ⊕𝑎𝑑−1𝑏𝑑 ⊕𝑎𝑑𝑏𝑑−1

𝑎𝑑𝑏𝑑

𝑐0𝑐1

⋮𝑐𝑑−1𝑐𝑑

7/16

ADDITIONS

ONLY

.

.

.

𝑎0𝑏0𝑎0𝑏1

𝑎0𝑏2

𝑎𝑑𝑏𝑑−1

𝑎𝑑𝑏𝑑

𝑟1…

𝑟2 𝑟𝑅

8/16

.

.

.

𝑐0𝑐1

𝑐𝑑

ADDITIONS

ONLY

.

.

.

𝑎0𝑏0𝑎0𝑏1

𝑎0𝑏2

𝑎𝑑𝑏𝑑−1

𝑎𝑑𝑏𝑑

𝑟1…

𝑟2 𝑟𝑅

any probe (wire value) has the form:

𝑝 = ໄ

𝑖,𝑗 ∈𝑋⊆ 0,…,𝑑 2

𝑎𝑖𝑏𝑗 ⊕ ໄ

𝑘∈𝑌⊆ 1,…,𝑅

𝑟𝑘

8/16

.

.

.

𝑐0𝑐1

𝑐𝑑

any probe (wire value) has the form:

𝑝 = ໄ

𝑖,𝑗 ∈𝑋⊆ 0,…,𝑑 2

𝑎𝑖𝑏𝑗 ⊕ ໄ

𝑘∈𝑌⊆ 1,…,𝑅

𝑟𝑘

= Ԧ𝑎𝑡 ⋅ 𝑀𝑝 ⋅ 𝑏 ⊕ Ԧ𝑠𝑝𝑡 ⋅ Ԧ𝑟

with Ԧ𝑎 = 𝑎0, … , 𝑎𝑑 , 𝑏 = 𝑏0, … , 𝑏𝑑 , Ԧ𝑟 = 𝑟0, … , 𝑟𝑅 ,

𝑀𝑝 ∈ 0,1 𝑑+1 × 𝑑+1 , Ԧ𝑠𝑝 ∈ 0,1 𝑅

8/16

any probe (wire value) has the form:

𝑝 = ໄ

𝑖,𝑗 ∈𝑋⊆ 0,…,𝑑 2

𝑎𝑖𝑏𝑗 ⊕ ໄ

𝑘∈𝑌⊆ 1,…,𝑅

𝑟𝑘

= Ԧ𝑎𝑡 ⋅ 𝑀𝑝 ⋅ 𝑏 ⊕ Ԧ𝑠𝑝𝑡 ⋅ Ԧ𝑟

with Ԧ𝑎 = 𝑎0, … , 𝑎𝑑 , 𝑏 = 𝑏0, … , 𝑏𝑑 , Ԧ𝑟 = 𝑟0, … , 𝑟𝑅 ,

𝑀𝑝 ∈ 0,1 𝑑+1 × 𝑑+1 , Ԧ𝑠𝑝 ∈ 0,1 𝑅

any sum of probes has the form:

Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 ⊕ Ԧ𝑠𝑡 ⋅ Ԧ𝑟

8/16

algebraic characterization

condition 1: a set of probes 𝑃 = 𝑝1, … , 𝑝ℓ satisfies condition 1 iff:

⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏

and 1,… , 1 is in the row (or column) space of 𝑀

9/16

algebraic characterization

condition 1: a set of probes 𝑃 = 𝑝1, … , 𝑝ℓ satisfies condition 1 iff:

⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏

and 1,… , 1 is in the row (or column) space of 𝑀

theorem:𝐶 is 𝑑-private

⇔there does not exist 𝑃 = 𝑝1, … , 𝑝ℓ , ℓ ≤ 𝑑 that satisfies condition 1

9/16

proof sketch

⇒ assume 𝑝1, … , 𝑝ℓ such that:

⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏

and(1, … , 1) is in the column space of 𝑀

10/16

proof sketch

⇒ assume 𝑝1, … , 𝑝ℓ such that:

⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏

and(1, … , 1) is in the column space of 𝑀

⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)

10/16

proof sketch

⇒ assume 𝑝1, … , 𝑝ℓ such that:

⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏

and(1, … , 1) is in the column space of 𝑀

⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)

Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 = ൞

1

2if 𝑀 ⋅ 𝑏 ≠ (1,… , 1)

1 if 𝑀 ⋅ 𝑏 = 1,… , 1

10/16

proof sketch

⇒ assume 𝑝1, … , 𝑝ℓ such that:

⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏

and(1, … , 1) is in the column space of 𝑀

⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)

Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 = ൞

1

2if 𝑀 ⋅ 𝑏 ≠ (1,… , 1)

1 if 𝑀 ⋅ 𝑏 = 1,… , 1

then, Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 > Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = ത𝑎

10/16

proof sketch

⇒ assume 𝑝1, … , 𝑝ℓ such that:

⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏

and(1, … , 1) is in the column space of 𝑀

⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)

Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 = ൞

1

2if 𝑀 ⋅ 𝑏 ≠ (1,… , 1)

1 if 𝑀 ⋅ 𝑏 = 1,… , 1

then, Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 > Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = ത𝑎

⇐ a lot more technical...

10/16

upper bound

11/16

upper bound

theorem:there exists a 𝑑-private circuit for multiplication with randomness complexity Õ(𝑑).

11/16

randomness complexity of ISW: 𝑂 𝑑2

needs for a quadratic complexity?

proof sketch

probabilistic method: non-constructive!

12/16

proof sketch

probabilistic method: non-constructive!

𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1

$

12/16

proof sketch

probabilistic method: non-constructive!

𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1

𝑎0𝑏0𝑎1𝑏0

𝑎0𝑏1𝑎1𝑏1

⋯𝑎0𝑏𝑑𝑎1𝑏𝑑

⋮ ⋮ ⋱ ⋮𝑎𝑑𝑏0 𝑎𝑑𝑏1 ⋯ 𝑎𝑑𝑏𝑑

𝑐0𝑐1⋮𝑐𝑑

$

12/16

proof sketch

𝑐0𝑐1⋮𝑐𝑑

…= 𝑎𝑖𝑏𝑗

⊕ ⊕ ⊕

12/16

probabilistic method: non-constructive!

𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1

$

proof sketch

𝑐0𝑐1⋮𝑐𝑑

…

= 𝑎𝑖𝑏𝑗

⊕ ⊕ ⊕⊕ ⊕⊕ = 𝜌𝑖,𝑗

12/16

probabilistic method: non-constructive!

𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1

$

proof sketch

𝑐0𝑐1⋮𝑐𝑑

…

= 𝑎𝑖𝑏𝑗

⊕ ⊕ ⊕⊕ ⊕⊕ = 𝜌𝑖,𝑗

correctness: 𝜌𝑑,𝑑 =⊕𝑖,𝑗 𝜌𝑖,𝑗

12/16

probabilistic method: non-constructive!

𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1

$

proof sketch

𝑐0𝑐1⋮𝑐𝑑

…

= 𝑎𝑖𝑏𝑗

⊕ ⊕ ⊕⊕ ⊕⊕ = 𝜌𝑖,𝑗

correctness: 𝜌𝑑,𝑑 =⊕𝑖,𝑗 𝜌𝑖,𝑗

𝑑-privacy: if 𝑅 = Õ 𝑑 , Pr 𝑖𝑠 𝑠𝑒𝑐𝑢𝑟𝑒 > 0 ⇒ at least one algorithm is 𝑑-private

12/16

probabilistic method: non-constructive!

𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1

$

lower bounds

13/16

lower bounds

theorem:1. 𝑑-privacy ⇒ at least 𝑑 random bits (for 𝑑 ≥ 2)2. 𝑑-privacy ⇒ at least 𝑑 + 1 random bits (for 𝑑 ≥ 3)

13/16

proof sketch of 1.

lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝

(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private

14/16

proof sketch of 1.

suppose an algorithm 𝐶 with only 𝑟1, … , 𝑟𝑑−1 and let 𝑐0, … , 𝑐𝑑 the output of 𝐶

let 𝑁 = 𝑛𝑖,𝑗 1≤𝑖≤𝑑−11≤𝑗≤𝑑

∈ 0,1 (𝑑−1)×𝑑 s.t. 𝑛𝑖,𝑗 = 1 ⇔ 𝑟𝑖 ∈ 𝑐𝑗

lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝

(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private

14/16

proof sketch of 1.

suppose an algorithm 𝐶 with only 𝑟1, … , 𝑟𝑑−1 and let 𝑐0, … , 𝑐𝑑 the output of 𝐶

let 𝑁 = 𝑛𝑖,𝑗 1≤𝑖≤𝑑−11≤𝑗≤𝑑

∈ 0,1 (𝑑−1)×𝑑 s.t. 𝑛𝑖,𝑗 = 1 ⇔ 𝑟𝑖 ∈ 𝑐𝑗

𝑁 has dimension 𝑑 − 1 × 𝑑 ⇒ 𝐾𝑒𝑟 𝑁 ≠ 0

lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝

(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private

14/16

proof sketch of 1.

suppose an algorithm 𝐶 with only 𝑟1, … , 𝑟𝑑−1 and let 𝑐0, … , 𝑐𝑑 the output of 𝐶

let 𝑁 = 𝑛𝑖,𝑗 1≤𝑖≤𝑑−11≤𝑗≤𝑑

∈ 0,1 (𝑑−1)×𝑑 s.t. 𝑛𝑖,𝑗 = 1 ⇔ 𝑟𝑖 ∈ 𝑐𝑗

𝑁 has dimension 𝑑 − 1 × 𝑑 ⇒ 𝐾𝑒𝑟 𝑁 ≠ 0

let 𝑤 ∈ 𝐾𝑒𝑟 𝑁 − {0}

𝑆0 = 𝑐0 ∪ 𝑐𝑖 𝑤𝑖 = 0 and 𝑆1 = 𝑐𝑖 𝑤𝑖 = 1 satisfy requirements of lemma...

lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝

(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private

14/16

automatic tool for finding attacks

order 2 3 4 5 6

[BBDFGS15] <1 ms 36 ms 108 ms 6,3 s 26 min

this paper <10 ms <10 ms <10 ms <10 ms <10 ms

- based on the algebraic characterization- relies on coding theory (information set decoding algorithms)- not perfectly sound...- much faster than Easycrypt-based [BBDFGS15]

table: time to find an attack

15/16

16/16

16/16

16/16

thank you!