TY - GEN
T1 - Tighter Security Notions for a Modular Approach to Private Circuits
AU - Wang, Bohan
AU - Zhang, Juelin
AU - Yu, Yu
AU - Wang, Weijia
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2025.
PY - 2025
Y1 - 2025
AB - To counteract side-channel attacks, a masking scheme splits each intermediate variable into n shares and transforms each elementary operation (e.g., field addition and multiplication) into its masked counterpart, called a gadget, such that the intrinsic noise in the leakages renders secret recovery infeasible in practice. A simple and efficient security notion is the probing model, which ensures that any shares are distributed independently of the secret input. One requirement of the probing model is that the noise in the leakages must increase with the number of shares, which largely restricts side-channel security in the low-noise scenario. Another security notion for masking, called the random probing model, allows each variable to leak with a probability p. While this model reflects the physical reality of side channels much better, it brings significant overhead. At Crypto 2018, Ananth et al. proposed a modular approach that can provide random probing security for any security level by recursively expanding small base gadgets with n shares, such that the tolerable leakage probability p decreases with n while the security increases exponentially with the recursion depth of the expansion. Then, Belaïd et al. provided a formal security definition called Random Probing Expandability (RPE) and an explicit framework using the modular approach to construct masking schemes at Crypto 2020. In this paper, we investigate how to tighten the RPE definition by allowing dependent failure probabilities of multiple inputs, which results in a new definition called related RPE. It can be directly used for the expansion of multiplication gates and reduces the complexity of the base multiplication gadget from proposed at Asiacrypt 2021 to while maintaining the same security level. Furthermore, we describe a method to expand any gates (rather than only multiplication) with the related RPE gadgets. Besides, we introduce another new RPE definition called Multiple inputs RPE, used for the expansion of multiple-input gates composed of any gates. Utilizing these methods, we reduce the complexity of the 3-share circuit compiler to , where |C| is the size of the unprotected circuit and the protection failure probability of the global circuit is . In comparison, the complexity of the state-of-the-art work, proposed at Eurocrypt 2021, is for the same value of n. Additionally, we provide the construction of a 5-share circuit compiler with a complexity .
UR - https://www.scopus.com/pages/publications/105004796484
U2 - 10.1007/978-3-031-91101-9_5
DO - 10.1007/978-3-031-91101-9_5
M3 - Conference paper
AN - SCOPUS:105004796484
SN - 9783031911002
T3 - Lecture Notes in Computer Science
SP - 124
EP - 152
BT - Advances in Cryptology – EUROCRYPT 2025 - 44th Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2025, Proceedings
A2 - Fehr, Serge
A2 - Fouque, Pierre-Alain
PB - Springer Science and Business Media Deutschland GmbH
T2 - 44th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2025
Y2 - 4 May 2025 through 8 May 2025
ER -