CryptoDB
Hai Hoang Nguyen
Publications and invited talks
Year
Venue
Title
2025
ASIACRYPT
IP Masking with Generic Security Guarantees under Minimum Assumptions, and Applications
Abstract
Leakage-resilient secret sharing is a fundamental building block for securing implementations against side-channel attacks. In general, such schemes correspond to a tradeoff between the complexity of the resulting masked implementations, their security guarantees and the physical assumptions they require to be effective. In this work, we revisit the Inner-Product (IP) framework, where a secret s is encoded by two vectors (w,y), such that their inner product is equal to s. So far, the state of the art is split in two. On the one hand, the most efficient IP masking schemes (in which w is public but random) are provably secure with the same security notions (i.e., in the abstract probing model) as Boolean masking, yet at the cost of a slightly more expensive implementation. Hence, their theoretical interest and practical relevance remain unclear. On the other hand, the most secure IP masking schemes (in which w is secret) lead to expensive implementations. We improve this state of the art by investigating the leakage resilience of IP masking with public w coefficients in the bounded leakage model, which depicts well implementation contexts where the physical noise is negligible. Furthermore, we do that without assuming independent leakage from the shares, which may be challenging to enforce in practice. In this model, we show that if m bits are leaked from the d shares y of the encoding over an n-bit field, then, with probability at least 1 - 2^{-\lambda} over the choice of w, the scheme is O(\sqrt{2^{-(d-1) \cdot n + m + 2\lambda}})-leakage resilient. We additionally show that in large Mersenne-prime fields, a wise choice of the public coefficients w can yield leakage resilience up to O(n \cdot 2^{-d \cdot n + n + d}), in the case where one physical bit from each share is revealed to the adversary. The exponential rate of the leakage resilience we put forward significantly improves upon previous bounds in additive masking, where the past literature exhibited a constant exponential rate only. We additionally discuss the applications of our results, and the new research challenges they raise.
Coauthors
- Sebastian Faust (1)
- Loïc Masure (1)
- Elena Micheli (1)
- Hai Hoang Nguyen (1)
- Maximilian Orlt (1)
- François-Xavier Standaert (1)