Polynomial sharings on two secrets: Buy one, get one free

. While passive side-channel attacks and active fault attacks have been studied intensively in the last few decades, strong attackers combining these attacks have only been studied relatively recently. Due to its simplicity, most countermeasures against passive attacks are based on additive sharing. Unfortunately, extending these countermeasures against faults often leads to quite a significant performance penalty, either due to the use of expensive cryptographic operations or a large number of shares due to massive duplication. Just recently, Berndt, Eisenbarth, Gourjon, Faust, Orlt, and Seker thus proposed to use polynomial sharing against combined attackers (CRYPTO 2023). While they construct gadgets secure against combined attackers using only a linear number of shares, the overhead introduced might still be too large for practical scenarios. In this work, we show how the overhead of nearly all known constructions using polynomial sharing can be reduced by nearly half by embedding two secrets in the coefficients of one polynomial at the expense of increasing the degree of the polynomial by one. We present a very general framework that allows adapting these constructions to this new sharing scheme and prove the security of this approach against purely passive side-channel attacks, purely active fault attacks, and combined attacks. Furthermore, we present new gadgets allowing us to operate upon the different secrets in a number of useful ways.


Introduction
Implementations of cryptographic systems are among the most scrutinized pieces of software, as a single small implementation error can lead to a complete security loss.Furthermore, even if the implementation matches the mathematical description perfectly, physical properties of the implementation (outside the scope of the mathematical specifications) can have the same disastrous consequences.Typical examples include non-constant timing behavior or leakage via physical side-channels such as electromagnetic radiation or power consumption that are dependent on sensitive information.To protect against these physical side-channels, the most used countermeasure is masking.Here, a sensitive value v is split into a vector (v 0 , . . ., v n−1 ) of n values (called shares) such that a sufficiently high number of shares is required to reconstruct v. Masking has proved itself to be a very resilient countermeasure and is now widely deployed in cryptographic hardware.While several different masking techniques have been developed, the classical techniques of additive and polynomial masking are still the most widely used.In additive masking, we assume that the sensitive value belongs to a field F equipped with an addition +.Now, for i = 0, . . ., n − 2, the values v i are drawn uniformly from F and v n−1 is chosen such that n−1 i=0 v i = v.For polynomial masking, we construct a polynomial p(x) = v + d i=1 a i x i with a i drawn randomly from F. Then, v i is given by p(α i ) for some public support point α i = 0.Both of these approaches have several advantages and disadvantages.Probably the most commonly cited advantage of additive masking is that it is relatively efficient regarding complexity and randomness cost to protect against an attacker with access to t ≤ d shares.However, additive masking is quite vulnerable to active attacks that insert a fault into the computation [GIP + 14].Without any additional precautions, adding a value ζ to a single share v i will simply result in a valid sharing of the value v + ζ.This attack does not look particularly dangerous at first glance but can lead to catastrophic security flaws.A simple example is outputting the product of a secret key and zero.The result does not give any information about the key, however, since the attacker can choose the added value, an additive fault on the zero would reveal the complete key.Even though the example is very contrived, it illustrates the catastrophic effects of such faults.To prevent these attacks, complex verification operations are needed that are often not suited to low hardware resources or require at least t • σ shares to protect against t probes and σ faults on the shares [GIP + 14, GLO + 21, GSZ20, DN20, FRBSG22].In contrast, polynomial masking has a natural resilience against such fault attacks as adding a value ζ to a single share v i will result in a polynomial of degree higher than d.This allows to use only O(d + σ) shares to achieve the same security as additive masking with d • σ shares even against combined attackers performing both side-channel probes and adding active faults [SFRES18, BEF + 23].Nevertheless, this linear number of shares (and thus the required area) used by polynomial masking is often too large for practical use cases.

Our Contribution
In this work, we show that we can adapt (nearly all) known constructions using polynomial masking to share two secrets in the coefficients of the polynomial, including constructions based on the classical BGW approach [BGW88] and the very recent approach of Berndt et al. [BEF + 23].They proposed a method, where each secret was masked with d + e + 1 shares to protect the circuits against d probes and e faults.Compared to other approaches, this significantly reduces the number of shares by nearly a factor of 1/2.Now, suppose that one wants to perform the same computation using a gadget width depth ∆ and n shares, but on two different secrets.Blockciphers are prototypical examples of this, as a round typically consists of the computation of many parallel identical s-boxes.When aiming to minimize the depth of the resulting circuit, we can simply run those two computations in parallel.Clearly, the depth of the resulting circuit is ∆, but we need to double the number of shares to 2n.On the other hand, if we aim to minimize the number of used shares, we can run the two computations sequentially, but then have a depth of 2∆.Our contribution shows how to perform these computations for two secrets using n + 2 shares and still remain on depth ∆.Hence, instead of computing each masked s-box on its own, we can apply our technique to compute the result of two different s-boxes by computing only a single s-box (although on n + 2 shares as we need to increase the degree of the underlying polynomial).Rather than using an area of 2∆n, we now only use an area of ∆(n + 2) = ∆n + 2∆, which, for sufficiently large n, saves a factor of two.Since the s-boxes are the only non-linear part of such blockciphers, they constitute the bottleneck of masked implementations.Our techniques thus allow us to reduce this bottleneck by half in a black-box manner, and can easily be added to existing implementations without large overhead.
Moreover, we construct gadgets that are also secure against combined attackers.Using this construction, we obtain the best of both approaches: We simultaneously have a natural resilience to active attacks and a small number of shares.As a consequence of our advancements, the runtime (and randomness cost) associated with concurrent computations involving two secrets, each with a runtime (randomness cost) of f (n), can be significantly reduced from 2f (n) to f (n + 2).To illustrate, consider the parallel execution of a circuit with a complexity function f (n) = an 2 .Our construction results in a reduction from 2an 2 to the more efficient an 2 + 4an + 2a.
To show the versatility of our approach, we first generalize several known protocols similar to the classical BGW approach [BGW88] using polynomial masking into a unified framework.Within this framework, we show how to embed both secrets simultaneously and show that in the case of AES, our approach already outperforms the state-of-the-art approaches using one secret per polynomial for small orders t ≥ 4. We also show how to use the recent new multiplication gadget LaOla of Berndt et al. [BEF + 23] with two secrets.Then, we show that our adaptions of the gadgets are (S)NI even when using two secrets.Furthermore, we also show that our approach is resilient against active fault attacks, similar to the setting studied in [SFRES18].Finally, we show that our gadgets are fault robust [BEF + 23], a recent security property that allows to securely compose fault resilient gadgets.Namely, we show that up to e faults can be either detected or corrected by our circuit.
Concluding our study, we leverage the analytical framework developed by Berndt et al. [BEF + 23] to demonstrate that our constructions attain robust security against combined attacks.This is done by proving fault-invariance of our gadgets, a crucial property ensuring that the circuit does not leak secret information, even in the presence of faults.In simpler terms, the degree of information obtained about the secrets from side-channel leakage and the circuit's output remains constant, irrespective of the injected faults.

Structure of this Work
In Section 2, we establish the needed preliminaries, including our model of circuits, the capabilities of passive and active attackers, our threat model (along with corresponding security definitions), and give an overview about polynomial (or Shamir's) sharing that embeds the secret into the lowest coefficient of a polynomial.We also examine relevant related work.In Section 3, we discuss that the case of embedding the secret in the highest coefficient of a polynomial is also secure, while other positions might not hide the secret sufficiently.Then, we come to the main idea of our paper, called double sharings: We show that we can embed one secret into the lowest and another one in the highest coefficient simultaneously and only lose one degree of freedom.In Section 4, we focus on presenting gadgets that work on double sharings and guarantee security against passive probing attacks.It is relatively easy to construct a gadget for addition by simply applying the addition in a share-wise manner.Non-linear operations (such as multiplication) are, however, much more complicated.We first consider existing gadgets for non-linear operations that follow the classical approach due to Ben-Or, Goldwasser, and Wigderson [BGW88] (BGW): First, the non-linear transformation is applied locally in a share-wise manner.This results in the degree of the computed polynomial being too high, hence now, a degree reduction is performed where each share is re-shared and then recombined locally.We show that this approach also works in the double sharing setting in a general case.To illustrate the flexibility of our approach, we do not only consider the multiplication operation (which would be sufficient for completeness), but also show how to compute other useful operations in a similar efficient manner.Finally, we also consider another type of gadget that can be used for multiplication: The LaOla gadget of Berndt et al. [BEF + 23] that does not follow the classical approach, as it first reduces the polynomials and then computes the non-linear transformation.Nevertheless, we show how to adapt the corresponding multiplication gadget to also work in the double sharing scenario.Hence, the double sharing technique can also be applied to such non-BGW gadgets.Finally, in Section 5 we consider active attackers and combined attackers that are also allowed to induce faults.Here, we follow the approach used by Seker et al. [SFRES18] and by Berndt et al. [BEF + 23]: We construct the gadgets in such a way that invalid (i.e., faulted) inputs will lead to invalid outputs with high probability.To do this, we extract the validity information (which correspond to the higher-order coefficients of the polynomials) and integrate those into the output of the computation.This integration will be performed by using error propagation polynomials that we add to the output.We first adapt the non-linear gadgets from the previous section by designing appropriate error propagation polynomials that allow to detect invalid sharings easily.To now show security against active attacks, we make use of the notion of fault invariance introduced in [BEF + 23].This, furthermore, allows us to use the results of Berndt et al. [BEF + 23] to show that these gadgets are secure against combined attacks.

Preliminaries and Notation
Throughout this work, n ∈ N ≥2 will always denote the number of shares on which we operate.Furthermore, F denotes some finite field with at least n + 1 elements.If (v 0 , . . ., v n−1 ) ∈ F n is a vector and I ⊆ {0, . . ., n − 1} is a subset of the indices, we define v I = (v i ) i∈I .For n ∈ N, we also define [n] = {0, . . ., n − 1}.We write δ a,b to refer to the Kronecker delta with δ a,b = 1 if a = b, and δ a,b = 0 else.The Hamming weight weight(v) of a vector v ∈ F n denotes the number of non-zero entries of v.
If X 0 , . . ., X n−1 are random variables, they are d-wise independent, if for all I ⊆ {0, . . ., n − 1} with |I| ≤ d and all values (x i ) i∈I in the domain of (X i ) i∈I , we have Pr[

Attacker Models
In this work, we consider both passive and active attackers.Passive attacks are sidechannel attacks where the adversary learns some intermediate values in addition to the input-output behavior of a (cryptographic) implementation.A purely active attacker does not learn any intermediate values of the implementation, but can fault some internal values to perform unexpected calculations leading to vulnerabilities.Further, we consider adversaries running combined attacks that are allowed to fault and probe intermediate values simultaneously.

Circuits
As usual, we represent the functionality that we want to compute as an arithmetic circuit C over a finite field F, i.e., a directed acyclic graph C = (V, E) where each node v ∈ V is labeled as input gate, output gate, addition gate, a multiplication gate or a random gate.When starting the computation, the input values x 1 , x 2 , . . .are assigned to the input gates.Whenever all parents of a gate have a value, we compute the value of the gate by applying the underlying operation (i.e., addition or multiplication) to these values and assign the outcome of this operation to the current gate.Random gates do not have parents and produce a uniformly random element from F. We write C(x 1 , . ..) for the probability distribution of the output gates.We also assume that the circuit can output the abort symbol ⊥ ∈ F to indicate that the computation aborts.If the randomness R used by the circuit is fixed, we denote this deterministic circuit by C R .

Compiler
In order to prevent the attacks, which will be explained in more depth later on, a common approach is to use a compiler.Such a compiler transforms a circuit Cpossibly vulnerable to attacks -into a circuit C that resists these attacks.To do this, each gate g ∈ C is transformed into a small circuit G, called a gadget.If the inputs to g are x 1 , x 2 , . . ., x r and the output is y, the small circuit G will be given encodings of x 1 , x 2 , . . ., x r and produce an encoding of y.We denote these encodings of a value v by |v|.Depending on the type of attack, these encodings will be chosen such that they resists the attack.For example, to prevent passive attacks using t probes, one could split each x i into t + 1 parts called shares such that they are t-wise independent.Hence, an attacker that only obtains t values can not reconstruct the (possibly sensitive) value of any x i .The main challenge in designing such robust circuits C is to prevent the leakage of sensitive information via intermediate results produced by the circuit.In order to construct a compiler, it is sufficient to show how to produce the gadgets for addition gates and multiplication gates.However, in this work we will also present more efficient gadgets for operations that we believe to be useful when designing gadgets for parallel computations.
Passive attacks A passive t-probing attacker A is given the circuit C and now chooses a subset of at most t wires w i of this circuit and two inputs x 0 and x 1 to the circuit.Then, a random bit b ←$ {0, 1} is chosen and the computation of C on x b is performed.Afterwards, the value on the t wires chosen by A are given to A and the attacker now outputs a bit b .If Pr[b = b ] = 1/2 for all attackers A (not necessarily time-bounded), we say that C is perfectly secure against t-probing attackers.For example, using Shamir's secret sharing [Sha79] and, e.g., the BGW protocol [BGW88], it is easy to see that we can take an arbitrary arithmetic circuit C on F and transform it into a circuit C that is perfectly secure against t-probing attackers as long as |F| > 2t + 1.Both Shamir's secret sharing and the BGW protocol will be explained in depth later.
A very useful notion to show perfect security of a circuit is non-inference (NI) [BBD + 16].Intuitively, this security notion guarantees that all information gained by probes on intermediate values can already be gained by the same number of probes on the input.Now, if the input is shared with a sufficiently high degree, a subset of the input shares does not reveal anything about the secret input.At first glance, this definition seems strong enough to argue about security against probing attackers.However, it does not support composability, i.e., the concatenation of two t-NI gadgets is not necessarily t-NI.The stronger definition of strong non-inference (SNI) [BBD + 16] supports composability.It thus suffices to prove that every gadget in the circuit is SNI to conclude that the complete circuit is perfectly secure against up to t probes.Active attacks An active σ-faulting attacker A running a fault attack T is given the circuit C and chooses a subset of at most σ wires w i along with corresponding values v i ∈ F. Furthermore, A chooses an input x to the circuit and the computation of C on x is performed.After one of the chosen wires w i is computed, the value v i is added to it.We denote the faulted circuit by T [C] and |T | = σ will refer to the number of faulted wires.Let y ← T [C] be the output of the faulted circuit and y ← C be the original output of the unfaulted circuit C (i.e., the one where all v i are equal to 0).Then, C is -secure against σ-faulting attackers if Pr[y ∈ {y, ⊥}] ≥ 1 − for all attackers A (not necessarily time-bounded).In [SFRES18], the authors propose to use a technique called infective computation that intuitively guarantees that errors introduced by the faults will spread over the complete computation.This was refined in [BEF + 23] where the notion of robustness guarantees that an error does not result in an undetected faulted value.This notion was only introduced for polynomial sharings (which will be thoroughly discussed in the next section).Intuitively, this notion means that every fault attack only changing σ wires will either (i) only change at most σ positions of the encoding or (ii) behave like adding a sufficiently random polynomial to the encoding.In the former case, the bounded number of changes will be detectable due to the error-detecting capabilities of polynomial sharing, as the degree of the resulting polynomial is too high.In the latter case, the result will, with high probability, also be detectable because of the degree of the resulting polynomial being too high.
We stress here that Definition 9 in [BEF + 23] only had the condition weight(w) ∈ [weight(v + v ) − t 1 , weight(v + v ) + t 1 ], but the case of weight(w) ∈ [0, t 1 ] is also needed to capture non-linear gadgets and was accidentally ommited [BO].The analysis presented in [BEF + 23], however, also holds for this generalized definition.
As described above, we only consider additive and non-adaptive faults and will denote the set of additive fault functions by F + .As shown in [BEF + 23], it is not sufficient to show both leakage and fault resilience to prove security against combined attacks.However, the authors also presented properties under which individual security against leakages and faults can be lifted to security against combined attack.Intuitively, these properties guarantee that all faults induced in a gadget can either be pushed to inputs of the gadgets or to their outputs.Next, we formalize these properties.

Combined attacks
We can also combine the attack types to get a (t, σ)-combined attacker that is again given a circuit C. Now, the attacker chooses t wires w i of the circuit and another σ wires w i along with values v i ∈ F. Furthermore, the attacker chooses two inputs x 0 and x 1 for the circuit.Then, a random bit b ←$ {0, 1} is chosen and the computation of C on x b is performed.Whenever one of the chosen wires w i is computed, the value v i is added to it.We denote the output of the faulted circuit by y b and by y b the original output of the circuit (i.e., the one where all v i are equal to 0).Now, the attacker is given the values assigned to w i and (δ y b ,y b , δ y b ,⊥ ) and needs to output a bit b .We say that C is -secure against (t, σ)-combined attackers if both Pr[b = b ] = 1/2 and Pr[y b ∈ {y b , ⊥}] ≥ 1 − for all attackers A (not necessarily time-bounded).
In the probing-only case, careful composition of (S)NI gadgets allowed to guarantee security of the composition.Similarly, we can use adapted (S)NI properties to achieve composability results also in the case of an attacker performing combined attacks.The notion of fault-resilience guarantees that the presence of faults in itself can not lead to the leakage of sensitive information, i.e., the (S)NI properties remain true in the presence of faults.
More precisely, fault invariance can lift the pure probing security up to security against combined attacks, as it intuitively guarantees that faults applied to a gadget can be pushed either to the input or the output of the gadget.In detail, a gadget is automatically fault-resilient SNI if it is SNI and fault invariant.
Finally, the combination of fault resilience and fault robustness allows us to give meaningful security guarantees against combined attackers.
In this work, we only consider additive faults F + .However, in [BEF + 23] it was shown that fault-resilient (S)NI gadgets with respect to additive faults are also fault-resilient (S)NI with respect to wire-independent faults 1 if the gadget is fault invariant with respect to additive faults and all faults are counted additionally as probes.

Polynomials
Throughout this work, we will always write polynomials in bold font.
f i x i .Furthermore, we will write F i for f (α i ) where α 0 , . . ., α n−1 ∈ F \ {0} will denote some pairwise distinct elements of F used as support points of the polynomial sharing.The input of a gadget will usually be denoted by f (and g in the case of gadgets with two inputs) and the output by q.

Lemma 3 (Polynomial interpolation [Kal84]). Every polynomial f of degree at most d can be interpolated from
Note that the Vandermonde matrix can be used both to evaluate a degree-k polynomial p(x) with coefficients p 0 , . . ., p k at the n points α 0 , . . ., α n−1 by and to recover all k coefficients from k + 1 distinct point-value pairs so a specific coefficient can be computed as (1)

Shamir's Secret Sharing
In order to share a value s ∈ F via polynomial sharing using a polynomial of degree d Then, we compute the vector (v 0 , . . ., v n−1 ) with v i = p χ→s (α i ).To simplify notation, this complete procedure will be denoted as (v 0 , . . ., v n−1 ) ←$ Share d (χ → s).We stress here that Share d (χ → s) thus constructs a random polynomial p χ→s , where the randomness is given by the random choices of a i (but a χ = s is fixed).We note that the random variable P χ→s describing this random polynomial is a random variable on the randomness space F d .Furthermore, the affine subspace of F n induced by the outputs of where supp denotes the support of a probability distribution.To reconstruct s from (v 0 , . . ., v n−1 ) ∈ [χ → s] d , we can first reconstruct p by taking any d + 1 distinct elements (v i ) i∈I and multiplying them with Vandermonde −1 (α I ).This recovers all coefficients of p and thus a χ = s.To simplify notation, this complete procedure will be denoted as s = Open χ (v I ).
For the sake of completeness, the following lemma shows the well known fact that this sharing is secure for χ = 0, in which it is typically known as Shamir's secret sharing.
(ii) For any subset Proof.Remember that P 0→s is the random variable on F d describing the polynomial used in the computation of Share d (0 → s) by the random choice of the coefficients a 1 , . . ., a d .Let (A 1 , . . ., A d ) be the random variable on F d describing these coefficients a 1 , . . ., a d .Clearly, {A i } i∈{1,...,d} is a set of uniform independent random variables independent from s.We will first show (i) and thus need to prove that {P 0→s (α i )} i∈I is a set of uniform independent random variables independent from s for any subset I ⊆ {0, . . ., n − 1} with |I| ≤ d.Without loss of generality, we only show this for |I| = d, as this clearly also implies the lemma for |I| < d.To prove (i), we show that there is a bijection between the outcomes of {P 0→s (α i )} i∈I and {A i } i∈{1,...,d} , which directly implies the result due to the randomness of {A i } i∈{1,...,d} .
Let V = Vandermonde(0, α I ) be the quadratic (|I| + 1) × (|I| + 1)-Vandermonde matrix on 0 and the support points indexed by I. Clearly, we have V • (s, (A i ) i∈{1,...,d} ) = (s, (P 0→s (α i )) i∈I ), as the first row of the matrix V is of the form (1, 0, 0, . . ., 0).Furthermore, V is invertible as the α i are pairwise distinct and not zero.Hence, the described linear transformation is a bijection on F d+1 .In other words, for any outcome (s, (p 0→s (α i )) i∈I ) exists exactly one outcome (s, (a 1 , . . ., a d )) such that Since V is the identity function in the first coordinate, it follows that for each s , there is also a bijection As {A i } i∈{1,...,d} is a set of uniform independent random variables independent from s, so is {P 0→s (α i )} i∈I .
The correctness of (ii) follows from Lemma 3. Interpolating the polynomial immediately gives the first coefficient a 0 = s.

Computing on Shares
Our above discussion shows how to embed a secret into a polynomial.Here, we will discuss how to perform operations on such a shared representation.
As polynomial masking is linear, we have Consequently, addition gates can be computed in a share-wise manner, such that shares with different indices are not mixed.The main complication thus comes from the non-linear multiplication gates.A classical approach to multiply (v 0 , . . ., , which we will refer to as the BGW2 protocol, is the following.

Related Work
Packed secret sharing A closely related approach to our technique is known as packed secret sharing [FY92] and was used by Grosso et al. [GSF14] to speed up masked implementations.The main differences between our technique and packed secret sharing is where the additional, second secret is hidden.In our approach, we will hide two secrets s 0 and s 1 by constructing a polynomial p(x) = s 0 + d−1 i=1 a i x i + s 1 x d for randomly chosen values a i , i.e., we hide both secrets in the coefficients of a polynomial.In contrast, packed secret sharing hides both secrets at the value of the polynomial at specific support points of the polynomial, i.e., they construct a sufficiently random polynomial p such that p(0) = s 0 and p(α * ) = s 1 for some special element α * (which is then excluded from the set of public support points).
While the differences between these approaches look rather small, they have a large consequence with regard to practicability.First, to share a secret with our technique, we can still simply sample random elements and evaluate the corresponding polynomial.In contrast, in packed secret sharing, to share a secret, a polynomial needs to be interpolated.From a theoretical point of view, both evaluation and interpolation have the same complexity by using appropriate FFT algorithms, but from a practical point of view, this change in approach requires a large number of modifications and will give worse concrete running time.Second, the degree reduction that needs be performed after the share-wise multiplication becomes much more complicated.In the original non-packed version, one could simply erase all of the monomials larger than d (by sharing the resulting shares and performing a corresponding interpolation).As discussed by Grosso et al. [GSF14], this task becomes much more difficult in the packed setting.In order to avoid these drawbacks, Grosso et al. adapt a proposal by Damgård et al. [DIK10] that first blinds the secrets contained in the polynomial, then opens these blinded values, re-shares them, and removes the blinding later on.Unfortunately, opening the blinded values makes this approach vulnerable to active attacks, as these blinded values can now be faulted by an active attacker.Hence, the natural resilience of polynomial sharing to active attacks is lost this way.Furthermore, some optimization such as the fast computation of squarings due to Roche and Prouff [PR11] do not seem to applicable to packed secret sharing.

Code-based masking
Embedding multiple secrets into a single sharing has also been used in the context of code-based masking [WMCS20].Here, the authors use the term amortization for this idea.In general, the authors use linear error correcting codes to encode the sensitive values.They show that, under certain circumstances, the generic encoder corresponding to such codes provides security against passive attacks and present a multiplication gadget working on such encodings.By choosing a high-rate code, they are able to encode multiple secrets into a single codeword, which allows them to apply their multiplication gadget to multiple secrets simultaneously.
The authors also argue that the redundancy in the encodings allows to guarantee security against fault attacks, but only against faulted inputs or outputs of gadgets.The inner workings of the gadgets are assumed to be tamper-resistant (see [WMCS20, Appendix C] for a more thorough discussion) in their security analysis.We stress here that this assumption is absolutely necessary for their security analysis: In order to obtain efficient gadgets, their multiplication gadget first converts the codewords into an additive sharing, then computes an multiplication on this additive sharing, and finally encodes the resulting additive sharing back into a codeword.As additive sharings are highly vulnerable against fault attacks (as described in the introduction), an attacker could easily modify the shared values and thus obtain valid encodings of incorrect values.

Security of Two-Secret Sharing
In this section, we show that we can also embed two secrets simultaneously in a polynomial sharing, one in the coefficient a 0 and another one in a d .For a better understanding, we first discuss the known result that we can also embed a secret s of a polynomial into the highest coefficient a d instead of the lowest coefficient a 0 .Further, we give an example why this, in general, only works securely for the highest and the lowest coefficient.Finally, we contribute our security proof for two simultaneously embedded secrets.

Hiding the Secret in Another Coefficient
We now discuss which of the coefficients are suitable for embedding a secret.

Using the highest coefficient
We first consider to hide s in the highest coefficient a d , which leads to a secure sharing.We stress here that this is a known result, though we also provide our own proof in Appendix A that some readers might find helpful for understanding the very similar proof for embedding two secrets.
Using arbitrary coefficients While the first and the last coefficient can be used to hide a secret in a secret sharing scheme, this, in general, does not hold true for the remaining coefficients: If they can be used depends on whether the considered set of support points are in a specific relation to each other [LD04].The main obstacle here is the fact that the resulting submatrix (which consists of some columns of Vandermonde(α 0 , . . ., α n−1 )) might not be invertible.
To show the severity of using "bad" support points, we consider an example taken from [ph13].Consider the finite field GF(5) on five elements and n = 3 shares with support points α 0 = 1, α 1 = 4, and α 2 = 3.Now, if the attacker obtains (v 0 , v 1 ) of (v 0 , v 1 , v 2 ) ∈ [1 → s] 2 such that v 0 = 1 and v 1 = 0, they can immediately conclude that s = 3, as all polynomials p(x) = a 2 x 2 + a 1 x + a 0 over GF(5) with p(1) = 1 and p(4) = 0 are the following: Hence, knowledge about the two shares v 0 and v 1 might completely give information about the secret s embedded in a 1 in certain situations.

Two for One: Two Secrets in One Polynomial
Previously, we have seen that it is possible to embed the secret s in the coefficient of the lowest monomial χ = 0 (as sx 0 ) or the highest monomial χ = d (as sx d ).In the following, we will embed two secrets s 0 and s 1 simultaneously into the coefficients of the polynomial where we will embed s 0 in position χ = 0 and s 1 in position χ = d.We thus generalize our notation in a straightforward way by writing (v 0 , . . ., v n−1 ) ← Share d ((0, d) → (s 0 , s 1 )) for the embedding, (s 0 , s 1 ) = Open 0,d (v I ) for the reconstruction, and [(0, d) → (s 0 , s 1 )] d for the affine subspace induced by this sharings.Note that the existence of Open 0,d directly follows from Lemma 3, as interpolation reconstructs the complete polynomial.Lemma 6.Let s 0 , s 1 ∈ F be two secrets, pairwise distinct α 0 , . . ., α n−1 ∈ F \ {0} and d < n.Then it holds (i) For any subset I ⊆ {0, . . ., n − 1} with |I| ≤ d − 1, the set of random variables {P ) (α i )} i∈I is a set of uniformly independent random variables independent of s 0 , s 1 .
(ii) For any subset I ⊆ {0, . . ., n − 1} with |I| > d, we can reconstruct s 0 and s 1 via Proof.Let P (0,d)→(s0,s1) be the random variable on F d−1 describing the polynomial used in the computation of Share d ((0, d) → (s 0 , s 1 )) by the random choice of the coefficients a 1 , . . ., a d−1 .Let (A 1 , . . ., A d−1 ) be the random variable on F d−1 describing these coefficients a 1 , . . ., a d−1 .Clearly, {A i } i∈{1,...,d−1} is a set of uniform independent random variables independent from s 0 and s 1 .We will first show (i) and thus need to prove that {P (0,d)→(s0,s1) (α i )} i∈I is a set of uniform independent random variables independent from s 0 and s 1 for any subset I ⊆ {0, . . ., n − 1} with |I| ≤ d − 1.Without loss of generality, we only show this for |I| = d − 1, as this clearly also implies the lemma for |I| < d − 1.To prove (i), we show that there is a bijection between the outcomes of {P (0,d)→(s0,s1) (α i )} i∈I and {A i } i∈{1,...,d−1} , which directly implies the result.Let V = Vandermonde d (0, α I ) be the d × (d + 1)-Vandermonde matrix and V be the (d + 1) × (d + 1)-matrix where we add a first row of (0, 0, . . ., 0, 1) to V .To show that V is invertible, we use the Laplace expansion and expand along the first row.The resulting determinant is (−1) d+2 •det(Vandermonde(0, α I )) and thus not zero, as all α i are distinct and non-zero.Clearly, we have V • (s 0 , (A i ) i∈{1,...,d−1} , s 1 ) = ((P (0,d)→(s0,s1) (s 0 , α i ), s 1 ) i∈I ), as the first row of the matrix V is of the form (0, 0, . . ., 0, 1).Hence, the described linear transformation is a bijection on F d+1 .In other words, for any outcome ((p (0,d)→(s0,s1) (α i )) i∈I , s), there exists exactly one outcome ((a 1 , . . ., Since V is the identity function in both the first and the last coordinate, it follows that for each (s 0 , s 1 ) ∈ F 2 , there is also a bijection V s 0 ,s 1 on As {A i } i∈{1,...,d−1} is a set of uniform independent random variables independent from s 0 , s 1 , so is Similar to the proof above, Lemma 3 implies that (ii) holds true as any set of at least d + 1 points allows interpolating the underlying polynomial, which in turn gives both the first and the last coefficient.
As the system is thus under-determined, the secrets (s 0 , s 1 ) cannot be identified uniquely.However, once either of these secrets is known, the system has only d unknowns and can thus be solved uniquely since the equations are linearly independent.
We stress here the differences between Item (i) in Lemma 6 and in Lemma 4 and Lemma 5.In the case of embedding a single secret, random variables in a set of size t ≤ d are independent.However, due to the possible dependency between the two secrets, we can only guarantee this independence for sets of size t ≤ d − 1 when embedding two secrets.Hence, to guarantee security against an attacker allowed to make t probes, we need use a polynomial of degree t + 1 (instead of t when considering a single secret).To embed a second secret for a fixed security order t, we thus need to increase the number of shares by one.However, as discussed in the introduction, this is a much smaller overhead compared to the alternatives of parallel or sequential computation of two identical gadgets.
More than two secrets Finally, it might also be possible to embed more than two secrets using a similar approach.This would require the aforementioned complicated relations between the support points, as discussed in [LD04].Furthermore, a very useful property of the lowest and the highest coefficient of a polynomial is the fact that the lowest (resp.highest) coefficient of a product p • p of two polynomials is exactly the product of the lowest (resp.highest) coefficients of p and p .This is not true for the other coefficients due to the convolution of the indices used in polynomial multiplication.Hence, embedding multiple secrets seems to require a much more complicated multiplication.

Computing on Two-Secret Sharings Against Passive Attackers
In this section, we will generalize several known algorithms secure against passive attacks into a unified algorithm and show that our double-sharing approach can be used easily while still giving security against passive attacks in this context.To do so, we show that the unified algorithms are also (S)NI.For the analyzed circuits, we would only need to consider addition and multiplication; however, we will show that our approach can also easily support other operations that we believe to be useful when designing parallel gadgets.
In the following, we always consider double sharings.For the sake of readability, we will thus write [s 0 , s 1 ] d instead of [(0, d) → (s 0 , s 1 )] d and, similarly, Share d (s 0 , s 1 ) and Open(v I ).As discussed in Section 3.2, to guarantee security against a t-probing attacker, we need to use at least a polynomial of degree d ≥ t + 1 here.

Share-Wise Gadgets
We first analyze the security of any share-wise gadget, i.e., those corresponding to linear functions ϕ 0 and ϕ 1 .For the sake of simplicity, we consider the addition gadget ϕ i (s 0 , s 1 , s 0 , s 1 ) = s i + s i as a running example.As we can easily perform the addition by adding the shares of the sharing as shown in Algorithm 1 where Hence, it only remains to prove leakage resilience.

Algorithm 1: Addition-Gadget
Input: Degree-d shares of s 0 , s 1 as (F i ) i∈[n] and shares of s 0 , s 1 as .
Lemma 7. Algorithm 1 is t-NI for n > d when using polynomials of degree d ≥ t + 1.
Proof.It is easy to see that the NI property follows from the fact that the gadget is share-wise, and the new double sharing does not affect the NI property.Each probe Q i , F i , and G i can be simulated with F i and G i .This observation immediately results in the NI property because each probe can be perfectly simulated with at most one share of each input sharing.
Note that this proof is not limited to a specific share-wise transformation in Algorithm 1, and also holds for any other share-wise transformation φ with Q i ← φ(F i , G i ).Hence, the claim holds for any share-wise gadget, as mentioned at the beginning of this section.
The Frobenius Optimization A very useful optimization for the computation of certain exponentiations was first presented by Roche and Prouff [PR11].Let p be the characteristic of the field F underlying the arithmetic circuit that we aim to protect.The method of Roche and Prouff then allows computing the operation x → x p in a very efficient manner.In contrast to the packed secret sharing of Grosso et al. [GSF14], our approach can also use this improvement.Such operations are, for example, very useful when considering the AES s-box, where an efficient squaring operation is very helpful when computing the GF(2)-affine transformation.It requires the support points α i to fulfill a condition called stability over Frobenius automorphism, which says that for every support point α i , there is some support point α j(i) such that α j(i) = α p i .
Consider the polynomial p ∈ F[x] of degree d that embeds two secrets s 0 and s 1 , i.e., and the following polynomial embedding the exponentiation of power p on both secrets s 0 and s 1 : Note that if the coefficients a 1 , . . ., a d−1 of p are distributed uniformly at random, the coefficients a p 1 , . . ., a p d−1 of p are also distributed uniformly at random, as the mapping x → x p is the Frobenius automorphism in fields of characteristic p.Hence, we only need to consider how to obtain a sharing (V 0 , . . ., V n−1 ) with V i = p (α i ) from the sharing (V 0 , . . ., V n−1 ) with V i = p(α i ).Fortunately, this can be done simply by setting V j(i) = V p i , which is a completely share-wise operation.
To see that these shares indeed describe the desired polynomial, i.e., V j(i) = p (α j(i) ), one can easily verify that Here, the last equality is due to the identity (a + b) p = a p + b p in fields of characteristic p, which is sometimes called freshman's dream.Now, due to the stability condition α j(i) = α p i , we have Hence, from a sharing (V 0 , . . ., V n−1 ) of the secrets s 0 and s 1 , we can compute a sharing (V 0 , . . ., V n−1 ) of the secrets s p 0 and s p 1 in a share-wise manner, using at most 2n • log(p) field multiplications.

Non-Linear Operations
Non-linear operations, however, are more complicated.For example, while two sharings [s 0 , s 1 ] d , [s 0 , s 1 ] d of two degree-d sharings can still be multiplied share-wise, the product polynomial is of degree 2d, i.e., Hence, a subsequent step is required that reduces the degree back to (at most) d.As the degree of is increased to 2d, we need to require n > 2d to guarantee correctness of the computation, just like in the classical BGW scheme [BGW88].Nearly every solution on how to handle non-linear operations when using polynomial sharing follows this basic principle: First perform a share-wise computation to obtain a high-degree encoding of the correct value and then perform a degree reduction.We call such gadgets BGW-like.The remaining solutions (such as Grosso et al. [GSF14] or Wang et al. [WMCS20]) improve the performance by changing temporarily to an alternate encoding.However, these alternate encodings typically do not have the same resilience against active fault attackers compared to the polynomial sharing and are thus vulnerable to active attacks.To the best of our knowledge, the only non-BGW-like approach that changes to a fault-resilient encoding is due to Berndt et al. [BEF + 23].As our goal is to protect against passive and active attacks, we thus focus on BGW-like gadgets and on the LaOla-gadget of Berndt et al.
Before focusing on concrete gadgets, we introduce the auxiliary gadgets ZEnc d n and sZEnc d n based on the two algorithms in [BEF + 23] that will be useful when describing the gadgets for non-linear operations.The first algorithm shown in Algorithm 2 generates a random zero sharing, i.e. a random polynomial g such that both g 0 = 0 and g d = 0.This is, however, not SNI, due to a lack of sufficient independence between the output shares.However, one can extend this to achieve independence by multiple executions as shown in Algorithm 3. Note that Algorithm 2 has a slightly different structure than the identically named gadget in [BEF + 23], but as all intermediate values are the same with only their order changing, this has no impact on the security.

BGW-Like Gadgets
While there is a variety of different non-linear gadgets, we first concentrate on a subset of them, all having a similar structure that goes back to the original work of Ben-Or, Goldwasser, and Wigderson [BGW88].
In general, the computation performed by these gadgets can be grouped into two different phases: In the first phase, the non-linear function is computed locally on each share.While this produces a correct result, it also increases the degree of the underlying polynomial.Hence, in the second phase, a degree reduction needs to be performed.We generalize this construction such that we allow the following representation for a sharing (Q 0 , . . ., Q n−1 ): Here, the share-wise operations (ϕ0,ϕ1) i,j are a compact description of both phases of the computation.Hence, each output share Q j depends on a linear combination of the share-wise operations This approach is sufficient to model many different functions ϕ 0 and ϕ 1 .Examples for interesting functions ϕ 0 , ϕ 1 that we believe to be useful with (Q 0 , . . ., Q n−1 ) ∈ [ϕ 0 (s 0 , s 1 , s 0 , s 1 ), ϕ 1 (s 0 , s 1 , s 0 , s 1 )] d are given in Table 1.Some of these functions allow multiplication, i.e., the computation of (ϕ 0 (s 0 , s 1 , s 0 , s 1 ), ϕ 1 (s 0 , s 1 , s 0 , s 1 )) = (s 0 • s 0 , s 1 • s 1 ) while others allow re-combinations of the secrets, i.e., (ϕ 0 (s 0 , s 1 , s 0 , s 1 ), ϕ 1 (s 0 , s 1 , s 0 , s 1 )) = (s 0 , s 0 ).
A formal description of this algorithm is given in Algorithm 4. Note that because of the very general modeling, share-wise operations can also be represented this way, though this has some overhead in comparison to the straightforward computation discussed in Section 4.1.
// share-wise transformation and reduction Lemma 8. Algorithm 4 is t-SNI when using n > 2d shares and polynomials of degree d ≥ t + 1.
Proof.Let t 1 be the number of internal probes and t 2 the number of output probes with t 1 + t 2 < t.We first have to find input sets I and J of size at most t 1 and afterwards construct a perfect simulator that can simulate all t probed intermediate and output variables only using elements of I and J. Depending on the intermediate variables that are probed, the two sets I and J are constructed as follows: • If F i or G i is probed, add i to I or J, respectively.
• If any value is probed during the computation of (ϕ0,ϕ1) i,j (F i , G i ), add i to I and J.
• If r j in loop i (denoted in the following as r i,j ), some intermediate value of ZEnc d n (denoted in the following as Qk i,j where k ∈ {1, . . ., d − 1}), or the sum with the share-wise transformation (denoted in the following as Qd i,j ) is probed, add i to I and J.
According to our selection, we add at most one index to I and J for each internal probe and, therefore, |I| ≤ t 1 and |J| ≤ t 1 .
We now construct the simulator.Note that whenever a coefficient r i,j is required for the simulation of other variables, it will be sampled by the simulator.This will fix the value of r i,j .
1.The simulation of probed variables F i , G i , and the internal probes in (ϕ0,ϕ1) i,j (F i , G i ) are straightforward.Since i ∈ I, the share F i is a known value and we can perfectly simulate F i .The same holds true for G i , since i ∈ J. Similarly, we can simulate all internal values of (ϕ0,ϕ1) i,j (F i , G i ), as i ∈ I ∩ J and (ϕ0,ϕ1) i,j (F i , G i ) only depends on public values and F i , G i .

If Qk
i,j with k ∈ {1, . . ., d − 1} is probed, the simulator has to simulate the value Qk i,j = k l=1 r i,l • α l j .All unknown r i,l with 1 ≤ l ≤ k can be sampled uniformly at random, allowing a perfect simulation.

The simulation of Qd
i,j is solely depending on Qd−1 i,j and (ϕ0,ϕ1) i,j Like before, if any of the r i,l with 1 ≤ l ≤ d − 1 is unknown, it can be sampled uniformly at random.Further, since i ∈ I ∩ J, the value (ϕ0,ϕ1) i,j (F i , G i ) is known.This allows a perfect simulation of Qd i,j .
4. Let's consider the case that Q j,i is probed.The value is computed as Qd k,j or can be rewritten as Qd k,j if Q j, with < i has already been probed.In the latter case, only the simulations of Qd k,j where < k ≤ i have to be considered, otherwise all of them are needed.
• If for all necessary k (either k,j can be perfectly simulated as shown in step 3, which in turn allows the perfect simulation of Q j,i .
• Else, there is at least one unknown Note that this implies that, for any l, no r k,l was probed or sampled in a previous step of the simulation.Hence, ( Qd ) and all r k,l .Since r k,l are uniform random, the tuple ( Qd k,j ) j∈[n] represents a d − 1-wise independent set of random variables.Recall that the number of allowed probes t is by definition smaller than d and each probe consists of at most one of the random values.Consequently, Q j,i can be simulated by a value chosen uniformly at random since it is randomized by the sum of Qd k,j .
As could be seen in step 4 above, Q j,i can be simulated without any index being added to I or J.The simulation is hence independent of the selected inputs, and the probed output shares Q j = Q j,n−1 can be perfectly simulated.
To show the generality of this approach, Table 1 does not only consider the BGW-like multiplication (corresponding to the last row of the table with gadget (s 0 • s 0 , s 1 • s 1 )), but also various permutations of secrets to merge and permute multiple secrets in one polynomial that we believe to be useful when designing parallel gadgets: The gadgets (s 0 • s 0 , 0) and (0, s 1 • s 1 ) multiply the lower or upper secrets, respectively, while the (s a , s b ) gadget allows, depending on the choice of a, b ∈ {0, 1}, to generate a output sharing containing any secret of the first input in one and any of the second input in the other position.Additionally, the sole gadget (s 0 , s 1 ) with only one input refreshes this input sharing without changing the secrets. 1 when using n > 2d shares and polynomials of degree d.

Lemma 9. Algorithm 4 is correct for all instantiations of
Proof.In the following, we will prove that the output Q j of Algorithm 4 describes the polynomial value of α j as given in Table 1, so Q j = n−1 i=0 q i α i j with q 0 and q d as is stated in the table for the respective gadget.For a specific j, after each loop iteration over i in the first loop of Algorithm 4 we get , we consider the gadget as gadget with only one input sharing.
(ϕ 0 , ϕ 1 ) and this finally results in the output Qd i,j .Hence, we get For correctness, we are interested in q 0 and q d , and only consider the term • We first analyze the computation of (s 0 • s 0 , 0), (0, s 1 • s 1 ), and (s 0 • s 0 , s 1 • s 1 ).Using the latter as an example, the gadget computing the secret-wise multiplication of the double sharing is initialized by

and this results in
Since the (unfaulted) polynomials (F i ) i∈ [n] and (G i ) i∈ [n] have degree d with d i=0 f i x i and d i=0 g i x i , respectively, it follows that the share-wise multiplication (F i • G i ) results in a polynomial of degree 2d such that the highest monomial is (f d g d )x 2d and the lowest one is (f 0 g 0 )x 0 .With Equation (1) it immediately follows that This proves the correctness for (s 0 • s 0 , s 1 • s 1 ), the correctness of (s 0 • s 0 , 0) and (0, s 1 • s 1 ) follows with the same argument.
• When considering (s 0 , s 1 ), the proof is similar to the previous one except for the fact that there is no share-wise multiplication and the secrets are still described by the monomials of degree d and 0. Hence, the instantiation , and we get • For the (s a , s b ) gadget with a, b ∈ {0, 1}, we initialize

and this results in
With Equation (1), it immediately follows that . This proves the correctness of all (s a , s b ) gadgets with a, b ∈ {0, 1}.This concludes the proof.

Protecting AES
In the following, we will show how our approach can decrease the cost of masking when considering the block cipher AES-128 compared to using the classical BGW-gadgets.This cipher consists of ten repetitions of a round transformation on an internal state of length 128, which is interpreted as 16 elements of GF(2 8 ).Each round begins with a key addition AddRoundKey that adds the current round key (also of length 128) to the internal state.Then, the non-linear SubBytes operation is applied to every byte of the internal state.The SubByte operation first applies the function y → y 254 to every byte, followed by an GF(2) 8 -affine transformation τ A , which can be expressed as A derivation of this is described, e.g., by Roche and Prouff [PR11].Finally, two linear transformations, called ShiftRows and MixColumns are then applied to the internal state.More concretely, for these linear transformations, the elements of GF(2 8 ) are put into a 4 × 4-matrix Then, ShiftRows transforms this matrix into the matrix a 0 a 4 a 8 a 12 a 5 a 9 a 13 a 1 a 10 a 14 a 2 a 6 a 15 a 3 a 7 a 11     .

Table 2:
The number of calls to different gadgets to mask the different operations of AES when operating on B ∈ {8, 16} polynomials.
Table 3: The number of field operations of the different gadgets when using n = 2d + 1 shares.For the squaring operation, we use the Frobenius approach of [PR11].
Finally, MixColumns multiplies each column of A with a fixed MDS matrix M to obtain the matrix A .Following the approach of Roche and Prouff [PR11], which is also used by Seker et al. [SFRES18], we can now compute the number of additions, affine operations, squarings, and multiplications which are needed for each operation within a single round.A summary of this is shown in Table 2 which depends on the number of used sharings.To represent the 16 elements of GF(2 8 ), we require B = 8 sharings when using our double sharing approach and B = 16 otherwise.The running times for the individual operations when using polynomials of degree d and the minimal number of shares n = 2d + 1 are shown in Table 3.
Combining all of these information means that a masked version using polynomials of degree d that does not use our double sharing approach needs about When applying our double sharing approach, both AddRoundKey and SubBytes are easily handled, as the computations of each element of GF(2 8 ) are independent of each other.For MixColumns, we need to be more careful, as the computation now mixes different elements.However, all elements that are mixed come from the same column, the computations for each column are independent of each other and all elements from one row of the resulting matrix are computed using the same row of the MDS matrix.We thus group the secrets such that each of the eight double-sharing polynomials contains two secrets from the same row: The element from the first column will be encoded together with the one from second column and the element from the third column together with the one from the fourth column.More formally, if a polynomial encodes two values a i and a j , then (i, j) ∈ {(0, 4), (5, 9), (10, 14), (15, 3), (8, 12), (13, 1), (2, 6), (7, 11)}.
The only complication when keeping this structure of the polynomials comes from the ShiftRows operations.However, it is easy to see that both the first and the third row keep this structure, as the elements are not shifted at all or shifted by two (where a simple swap of the polynomials is sufficient).To handle the second and the fourth row, we use the (s 1 , s 0 ) and (s 1 , s 0 ) gadget of Algorithm 4 to combine the two sharings such that the secrets are shifted.For the second row, containing the sharings [a 1 , a 5 ] d shared in f and [a 9 , a 13 ] d shared in g, the (s 1 , s 0 )-gadget instantiation on inputs f , g gives a new sharing containing [a 5 , a 9 ] d and the (s 1 , s 0 )-gadget instantiation on inputs g, f gives a sharing of [a 13 , a 1 ] d .The fourth row can be computed accordingly.Hence, we now have the proper presentation of the double-sharing polynomials where MixColumns can be computed.Each call to Algorithm 4 takes time Hence, the total number of field operations using our double-sharing approach for polynomials of degree d and the minimal number of shares n = 2d + 1 is Note, however, that due to the need to increase the degree of the underlying polynomial by one when using the double-sharing approach, we need to compare T nds (t) with T ds (t + 1) when considering security against a t-probing attacker.As can be seen in Table 4, a simple calculation then shows that the double-sharing approach already outperforms the single-sharing approach for t = 4.By contrast, the packed secret sharing approach of Grosso et al. [GSF14] only started to outperform the single-sharing approach for t ≥ 10.

LaOla Gadget
In [BEF + 23], the authors give a new multiplication gadget, called LaOla.This gadget does not fall in the class of BGW-gadgets, as it aims to avoid the doubling of the degree of the intermediate polynomials.To do this, LaOla first splits a polynomial f with degree d that embeds a secret s into two polynomials f and f of high degree, i.e., deg(f ) = deg(f ) = d.However, the sum of these polynomials has lower degree, but also embeds s, i.e., deg(f + f ) = d/2, and f (0) + f (0) = s.This operation is called SplitRed.After this was performed on f and g to obtain f , f , g , and g , one only needs to compute the polynomial of degree d that embeds the secret f (0) • g(0) in a share-wise manner.In this section, we show how to (slightly) modify the multiplication gadget of [BEF + 23] to also allow to use double sharings for this more efficient gadget.

Algorithm 5: LaOlaMult
Input: Degree-d shares of s 0 , s 1 as (F i ) i∈[n] and shares of s 0 , s 1 as (G i ) i∈ [n] .
The gadget SplitRed is also further modified to accommodate for the fact that we only consider passive attacks here; the resulting gadget is shown in Algorithm 5.In total, we modify Later on, when we also consider active attacks, we will also consider the remaining entries.For the sake of completeness, the complete description of SplitRed can be found in Appendix B.
The following lemma shows that SplitRed can then compute two multiplications in parallel: = s 1 , and g 0 + g 0 = s 0 , g d/2 + g d/2 = s 1 such that both addition polynomials embedded within (F i + F i ) i∈ [n] and (G i + G i ) i∈ [n] have degree d/2.Hence, the share-wise multiplication (( results in a polynomial q i x i with degree d and q 0 = s 0 • s 0 , q d = s 1 • s 1 .Taking into account that it holds this results in the claim of the lemma.Note that the polynomial q(x) described by (Q i ) i∈ [n] generated in line 3 of LaOlaMult does not change q 0 = s 0 • s 0 , q d = s 1 • s 1 because it is a polynomial with degree d − 1 and q(0) = 0.
Next we argue, why the parallelization of LaOlaMult does not affect the security of the gadget.For this reason, we analyze the security of SplitRed first.
Lemma 11.Algorithm 6 is t-NI when using n ≥ d + 1 shares and polynomials of degree Proof.The only differences to [BEF + 23] are the modified (public) constants i j := (λ i,0 + λ i,d α d/2 j ).Hence, the proof is the same as in [BEF + 23].The gadget SplitRed is the only modified part of our multiplication gadgets.Since Lemma 11 proves that the modification does not affect its security, we get the following result.
Lemma 12. Algorithm 5 is t-SNI when using n ≥ d + 1 shares and polynomials of degree d > t + 1.
Proof.The only difference between our gadget the one in [BEF + 23] is the modification of the public values in SplitRed.Hence, it only remains to prove that our modified SplitRed has the same security properties as the original one in [BEF + 23].In particular, [BEF + 23] shows that LaOlaMult is t-SNI if SplitRed is t-NI.In Lemma 11, we argue why our modified SplitRed is t-NI as well.

Computing on Two-Secret Sharings Against Active At-
In this section, we consider active adversaries that can probe as well as induce faults.As before, t will denote the number of allowed probes and σ the number of allowed faults.Recall that the multiplication of two shares raises the degree of the embedded polynomial.We continue considering polynomials of degree d; so as to not lose any information before the degree reduction of the product polynomial, we require n > 2d in the case of BGW-like gadgets or n > d in the case of LaOla.Additionally, to be able to detect σ faults occurring during the same run, our analysis requires n > 2d + σ for BGW-like gadgets and n > d + σ for LaOla as well as d > σ.

Error Propagation
When considering active attacks, i.e., the introduction of faults, there are roughly two possible approaches that make use of redundancy within the sharing.In the first approach, one tries to correct the errors introduced by the faults.In the second approach, one tries to detect the presence of errors.A common technique to detect the presence of errors is called error propagation.Intuitively, this technique aims to guarantee that once an error is introduced, it spreads fast and wide.This way, an active attacker can not hide the presence of this error by, e.g., faulting the error-detection routine.
In this work, we also focus on error detection using error propagation.We will show that simple modifications (the addition of an error propagation polynomial) of the gadgets described in Table 1 allows to embed two secrets in a secure manner in the presence of faults.One can think of the error term added by the induced faults as an additional error polynomial ζζ(x) that is added to the original unfaulted polynomial f (x) resulting in the faulty polynomial f (x) = f (x) + ζζ(x).In the following, f (x) (resp.g(x)) will thus always denote the polynomial resulting from a non-faulted run of the computation and f (x) (resp.g (x)) will denote the (possibly faulted) new polynomials.Due to the highly symmetric nature of the polynomial sharing, it is easy to see that all shares F i behave the same.Since there are no ordering requirements regarding the public support points (α i ) i∈I , all effects that an attacker might gain from faulting some arbitrary positions I ⊆ {0, . . ., n − 1} with |I| ≤ σ can also be obtained by rearranging the values of (α i ) i∈I such that the faulted positions are now {0, . . ., |I| − 1}.We thus assume throughout this section that the faults ζ are induced in the first σ shares, which gives the following equation . . .
If any ζ i for i ∈ {d + 1, . . ., n − 1} is non-zero, the degree of the error polynomial increases and in turn the degree of the faulty polynomial f (x) does so as well.
Lemma 13.Let f = f + ζζ be the sum of a degree-d sharing (F i ) i∈ [n] and a polynomial ζζ = ζ0 generated by ω ≤ σ faults.Then f has degree at least n − ω.
Proof.The faulty polynomial f (x) is the sum of the original polynomial f (x) and the error polynomial ζζ(x).The latter is generated by n points, ω of which are the induced faults, while the others are zeros.By the theorem of algebra, a polynomial having at least n − ω zeros either has a degree of at least n − ω or is equal to zero.The latter is only possible if the induced faults Z i = 0 for all 0 ≤ i < σ, which would imply that f (x) = f (x), i.e., ζζ = ζ0.
By requiring n > 2d + σ or n > d + σ, the degree of such a faulty polynomial is consequently higher than the degree of any unfaulted one when the attacker can only introduce σ faults.Hence, by adding a completely random polynomial of degree d to the current polynomial and interpolating the coefficients d + 1, . . ., n − 1, as described by Seker et al. [SFRES18], the presence of the introduced faults is easily detectable.
We want the gadgets to also preserve the at most σ faults induced by the active adversary.Our goal is to achieve error propagation such that if a fault is induced at some point in the computation, with high probability, it will either be preserved throughout making the output shares invalid or disappear, leading to the original unfaulted output.
As shown in [SFRES18], for the gadgets regarding the linear operations addition or the exponentation to the power of p over a finite field of characteristic p, or affine transform, if the inputs of the gadgets are faulty, this error is propagated to the output of the gadget with a high probability.The argumentation is easily transferable from Shamir's secret sharings to our double sharings.
However, non-linear operations again require more complexity as they include a reduction step that necessarily loses information (e.g., in the form of the coefficients d + 1, . . ., 2d for the BGW-like gadgets).It is thus vital that we preserve the important information about the occurrence of a fault.To assure this, we follow the gadget design of [SFRES18, BEF + 23], and embed this information in the output of a gadget by adding some error propagation term to the shares.Intuitively, one can think of the added error propagation term as adding some polynomial ζρ(x) to the polynomial defined by the output of the gadget without error propagation q(x).We require the following properties of the error propagation polynomial ζρ(x): 1.If no fault was introduced into the computation, ζρ should be zero.
2. If some faults were introduced into the computation, ζρ should have a degree higher than d with high probability.
Using these properties, we thus know that the sum q (x) of the original (possibly faulted) polynomial q(x) and the error propagation polynomial ζρ(x) has degree at most d iff no faults were introduced into the computation (with high probability following property 2).
In order to avoid confusion between the adversarially chosen fault polynomial and the error propagation polynomial, we always denote the former by ζζ and the latter by ζρ.Hence, we have Here, • denotes the operation performed on the polynomials by the gadget.As usual, linear or affine operations are easy to handle, as the respective fault polynomials simply add up.Hence, there is no need to propagate the errors explicitly.In the following, we thus concentrate on how to construct the error propagation polynomial for non-linear operations.

Two-Input Non-Linear Gadgets
We first start with considering the two-input operations presented in Table 1 and choose the error propagation polynomial such that its shares consist of the highest coefficients of the product of the two input polynomials.If no fault was induced, the coefficients should be zero and, hence, not change the computation result.If, however, a non-zero fault did occur, we will show that with high probability, at least one of these coefficients is non-zero.Hence, adding the error propagation term will most likely change at least one share, invalidating the whole sharing.
More formally, given the (possibly faulted) input shares , the error propagation term we add during the computation is We call this method multiplicative error propagation as it adds the error of the share-wise multiplication.We stress here that this error propagation is independent of the secrets contained in f and g and independent of the specific operation of the gadget.The reason for this is that the only goal of the multiplicative error propagation is to forward the higher-order coefficients of f and g (which can only be non-zero due to a fault) to the output of the non-linear computation.Hence, it can be used for all two-input gadgets of Table 1 regardless of whether the gadget itself computes a multiplication, though they have different success probabilities.The new gadgets employing the error polynomial are denoted by a subscript +.For example, (s 0 • s 0 , 0) + is the implementation of the multiplication gadget where the error propagation term is added to the specific instantiation as The complete error-preserving operations can then be computed with the gadget instantiations of Algorithm 4.

Correctness
We first observe that the addition of the error polynomial does not change the correctness of the gadgets on unfaulted inputs.
Lemma 14.Given one of the two-input (ϕ 0 , ϕ 1 )-gadgets introduced in Table 1, let the result of the operation on some polynomials f and g without error preservation be denoted by (Q 0 , . . ., Q n−1 ) and the ones of the operation with error preservation using the (ϕ 0 , ϕ 1 ) +gadget from Table 5 as (Q 0 , . . ., Q n−1 ).If n ≥ d + σ + 1 and using polynomials of degree d, then for any Q i , we have where h k denotes the k-th coefficient of the polynomial h = f • g .
Proof.Following the algorithm where Q k,i denotes the loop iteration results using , we get For all i ≥ σ, the statement follows immediately since, for all k, we have E k,i = 0.For i with 0 ≤ i < σ, with Equation (1) we have The shares of the error propagation polynomial ζρ(x) are thus (h n−1 , . . ., h n−σ , 0, . . ., 0).It is easy to see that this lemma implies the correctness of our construction.

Proof. Recall that
is the version including the error propagating term.For the (ϕ 0 , ϕ 1 ) + -gadget, we rely on the correctness proof for the (ϕ 0 , ϕ 1 )-gadget in Lemma 9, therefore, it remains to prove that the added error propagation terms E i,j • F i • G i do not change the outcome as long as the inputs that share the two polynomials f and g are unfaulted.As can be seen in Lemma 14, the value added to a share is generated by the sum over the error propagation terms and results in either h n−j−1 or zero depending on the index j of the share.Since f and g are not faulted, they are both of degree d and h is thus of degree at most 2d.Due to the construction of the error propagation terms, only the coefficients between h n−1 and h n−σ are added.Due to n > 2d + σ, we know n − σ > 2d.Hence, all added coefficients are zero and the output is thus correct.
In the next segment, we give a security analysis for the case that the attacker introduced faults into the computation.To do so, we follow the approach described in [BEF + 23].First, we prove that, given a faulty pair of input polynomials, if no fault is induced in the gadget, the output polynomial will with high probability also be faulty.Then, faults in the gadget are considered and we will show that all of those faults can be modeled with faults in the input or the output shares.Combining these aspects shows that our gadgets are fault robust and, due to the analysis of the previous section, this allows us to conclude the security against combined attackers.

Faulted inputs without faults in the gadget
In the following lemma, we consider the scenario where at least one of the input polynomials f or g is faulted, i.e., at least one of f = f or g = g does hold.We also assume that no faults are introduced by the attacker during the computation.
denote the input sharings of the two-input error propagation (ϕ 0 , ϕ 1 ) + -gadget of Table 5 and let (Q i ) i∈[n] be the output sharing.If n ≥ d + σ + 1, n > 2d and the polynomials have a degree d, then at least one of the input polynomials is invalid due to the insertion of at most σ faults affecting ω ≤ σ many share indices, and no faults are introduced during the computation of the gadget, either the faults are ineffective meaning q = q or the coefficients q n−ω+1 , q n−ω+2 , . .., q n are uniformly and independent randomly distributed elements of F. In the case of a multiplication gadget, one of these elements is guaranteed to be non-zero.
Proof.For the output polynomial to be faulty, the error propagation polynomial ζρ(x) should have a degree higher than d.Using Lemma 13, it is sufficient to show at least one of the added coefficients h j is non-zero.At the same time, if all of these coefficients are zero, the error propagation polynomial itself would be zero.Note that the faulty product polynomial h is the sum of the original product polynomial and its own error polynomial ζζ h , i.e., h (x) = f (x) • g (x) = h(x) + ζζ h (x).The coefficients of h (x) are thus computed by For n − σ ≤ j < n, this gives h j = ζ h j .We thus have the following equation system for the last σ coefficients Since the support points α i are pairwise independent, the columns of the submatrix of the inverse V −1 are by construction [MS58] linearly independent.Hence, V −1 has full rank.
Multiplication: For a multiplication gadget, this property has the following very useful implication: The error propagation term mirrors the computation done by the gadget exactly.Hence, ζρ(x) and ζζ h (x) directly depend on the same values Z H i .Thus, if Z H i = 0 for all 0 ≤ i < σ, we know that the product polynomial q equals the unfaulted one q, as q Consequently, this gives us perfect security for the multiplication gadgets as injected faults either can be identified due to an increased degree of the output sharing or the faults become ineffective, i.e., they lead to the same output as their faulted equivalent.
Other gadgets: For other non-linear gadgets that do not compute a multiplication operation, the connection between the error propagation polynomial ζρ(x) and error polynomial ζζ h (x) is not as strong unfortunately.Furthermore, such general (ϕ 0 , ϕ 1 )gadgets might not even have any ineffective faults and thus allowing the adversary to influence the error propagation terms in such a way that the output might be a valid sharing of the wrong value.
To show that this can only happen very rarely, we will now analyze the probability that an adversary can set all necessary Z H i to zero.In our multiplicative error propagation, Z H i can be concretely computed by where Z F i and Z G i are zero for all i ≥ σ.To zero out Z H i , the attacker needs to choose As the adversary is non-adaptive, they have to choose the respective faults Z F i and Z G i before the run of the computation.Hence, due to the uniform distribution of F i and G i , if at least one of Z F i or Z G i is non-zero, the probability that Z H i = 0 for a given i is |F| −1 , as there are no non-trivial zero divisors in fields: Because the number of indices i where Z F i or Z G i is non-zero is ω, the probability that Z H i = 0 holds for all i is at most |F| −ω .This concludes the proof of the lemma, as it implies that the coefficients q n−ω+1 , . . ., q n are uniformly distributed.

Non-faulted inputs with faults in the gadget
In the following lemma, we consider the scenario where none of the input polynomials f or g is faulted, i.e., we have f = f and g = g, but a fault is introduced by the attacker during the computation.To analyze this situation, we make use of the notion of fault invariance introduced in Definition 5, which guarantees that all faults introduced during the computation by the attacker can be pushed either into the inputs or the outputs of the gadget. 1 are fault invariant with respect to F + .

Lemma 17. All gadgets introduced in Table
Proof.As all faults in F + are additive faults, linear and affine operations are trivially fault invariant.A close inspection of the (ϕ 0 , ϕ 1 )-gadget presented in Algorithm 4 reveals that the only non-affine operations can appear in the calculation of (ϕ0,ϕ1) i,j (F i , G j ).But, all concrete instantiations in Table 1 share the property that they are the only non linear operation in the gadget.Hence, all faults before the operation of (ϕ0,ϕ1) i,j can be moved to the input of the gadget and all faults after the operation of The correctness follows with the same argument as before.Because of its degree, it again suffices to only consider the highest σ coefficients and setting h (x) = f (x) allows to adapt the previously stated lemmas to also hold for this gadget.Note that because here Z H i = Z F i and f (x) is invalid, at least one of the highest σ coefficients of h (x) in Lemma 16 must be non-zero.
It follows that all gadgets introduced in Table 5 can be easily changed to propagate at most σ errors with high probability.

LaOla Gadget
It remains to analyze the LaOla multiplication where its instantiation (∼) i,j (F i ) is called for the two input sharings (F i ) i∈ [n] , (G i ) i∈ [n] separately.Again, the approach as well as the necessary proofs is very similar to the ones in Section 5.2 and Section 5.3.We thus only provide a sketch: Proof sketch.As in Section 5.3, we will define (∼)+ i,j (F i ) to have the error propagation term E i,j • F i .Hence, we have (∼)+ i,j (F i ) = (λ i,0 + λ i,d α d/2 j + E i,j )F i .In the computation of Algorithm 5 with the adjusted instantiation, let the outputs of the SplitRed gadget be , and G i i∈ [n] which describe the underlying polynomials f i x i , f i x i , g i x i , and g i x i .Because of the added error propagation term, we also have The same structure also holds for G i + G i with F i + F i and G i + G i being the output shares of the unmodified SplitRed gadget.Since the LaOla multiplication now computes their product, it follows that where h k denotes the k-th coefficient of the possibly faulty polynomial h = f • g.The correctness of using this instantiation follows with the same argument as in Lemma 15, while the proof of its robustness is similar to Lemma 18.

Combined Attacks
The previous sections considered attacks against purely passive probing attacks (Section 4) or purely active faulting attacks (Section 5.2, Section 5.3, and Section 5.4).Here, we consider combined attackers that can simultaneously perform probing attacks and faulting attacks.Using combined attacks, an adversary can try to lead the computation to a wrong result or to break the secrecy of the protocol.In [BEF + 23], it was rigorously shown that standalone leakage and fault resilient constructions do not imply resilience against combined attacks.We follow their approach and use their observation that those constructions remain secure against combined attacks when they are fault invariant as well.
Proof.Lemma 18, on the one hand, shows that all constructions are σ-fault-robust.On the other hand, Lemma 8 and Lemma 11 show that the presented gadgets are (S)NI.Hence, all gadgets are secure against standalone probing and faulting attacks.Furthermore, Lemma 17 shows that all constructions are fault invariant, and consequently, Lemma 1 implies that they are fault-resilient (S)NI as well.Finally, Lemma 2 allows us to conclude our theorem about the security of our constructions.
In essence, we can leverage the same constructions as presented in [BEF + 23] to concurrently compute two functions, requiring only minor adjustments to the public λparameters.This improvement only incurs the cost of one additional share, which almost halves both the run time and the cost of randomness.

Conclusion
In this paper, we introduced the concept of double sharings, i.e., embedding two different secrets into a single polynomial sharing.After we proved that embedding a second secret only requires to add another single share to guarantee perfect security, we studied how to extend existing single-secret gadgets to the double-sharing setting.We first focus on gadgets using a BGW-like approach of local computation followed by a degree reduction and show how these gadgets can easily support computations on double sharings.Afterwards, we showed how to extend the recent LaOla multiplication gadget to also work on double sharings.After studying the security of these gadgets against purely passive attacks, we showed how to extend them by introducing error propagation polynomials to also prevent active and combined attacks.
Our construction shows how one can drastically improve the cost (computational and randomness) of existing solutions using polynomial sharing when considering parallel computations and still guarantee security even against very strong combined attackers.The only overhead compared to the single-secret setting is the fact that we need to increase the number of shares by one.
We only presented the foundational work of double sharing in this paper.A very interesting follow-up work upon this would be to perform a practical evaluation of our method, applied to a real-world scenario.As we also guarantee security against combined attackers, this would also require to develop a meaningful simulation of such attackers to obtain relevant experimental results.
In this work, we only consider t-probing attackers.However, as discussed in [BEF + 23], the LaOla gadget also guarantees security in the region probing model [DDF19].As our analysis basically mirrors the original analysis of LaOla, the corresponding double-sharing gadget will also be secure in the region probing model.Another interesting question is whether one can extend our approach beyond two secrets.Due to the special properties of the lowest and highest coefficients of polynomials, we were able to easily extend existing gadgets.Hence, such an extension seems to require the development of completely new gadgets.
to the output of the gadget as in [BEF + 23].Formally, moving the linear transformation of an additive fault e on an intermediate value (e.g.(a + b) with input values a and b) such that the fault ((a + b) + e) can be described as a fault on the input ((a + e) + b).Hence, the intermediate fault can be moved to the input a.The same holds for outputs.
Definition 1 (NI [BBD + 16]).A circuit G is t-NI if for any set of t 1 intermediate variables and any subset O of output indices with t 1 + |O| ≤ t, there exists a subset of indices I with |I| ≤ t 1 + |O| such that the distribution of the t 1 intermediate variables and the output variables in O is perfectly simulatable from I.
for any set of t 1 intermediate variables and any subset O of output indices with t 1 + |O| ≤ t, there exists a subset of indices I with |I| ≤ t 1 such that the distribution of the t 1 intermediate variables and the output variables in O is perfectly simulatable from I.
Fault invariance [BEF + 23, Def.8]).A circuit C is fault invariant with respect to a fault set F if for any T ∈ A(F), any intermediate value f in C R and the according value

Table 1 :
Instantiations of the different functions of Algorithm 4 to protect the gadgets against passive probes.The input sharings are (F i ) i∈[n]and (G i ) i∈[n]and embed the secrets s 0 , s 1 and s 0 , s 1 , respectively.The output sharing is (

Table 5 :
Instantiations of Algorithm 4 to protect the gadgets against active faults.The input sharings are (F i ) i∈[n]and (G i ) i∈[n]and embed the secrets s 0 , s 1 and s 0 , s 1 , respectively.The output sharing is (Q i ) i∈[n], and a, b ∈ {0, 1}.If(F i , G i ) does not use (G i ) i∈[n], we consider the gadget as a gadget with only one input sharing.
Shares of f 0 , f d as (F i ) i∈[n] .Result: Shares of f 0 , f d/2 as (F i ) i∈[n] and shares of f 0 , f d/2 as (F i ) i∈[n] such that f 0 = f 0 + f 0 and f d = f d/2 + f d/2 .