I am considering a field $\mathbb{Z}_p=\{0,1,\cdots,p-1\}$, where $p$ is a prime. Suppose I have a secret $x \in \mathbb{Z}_p$ and a random mask $m \in \mathbb{Z}_p$. Prior answers show $y=x*m \mod p$ does not reveal any information about $x$ if $x \neq 0$ and $m \neq 0$. For the secret $x$, I know there are some ways to make it always greater than zero, such as adding a large bias. However, for the mask $m$, it is supposed to be randomly sampled from the field, and I am confused about deliberately excluding $m \neq 0$.

  1. The masked element $y$ is in a different group $\mathbb{Z}_p /\ \{0\}$ than the original field $\mathbb{Z}_p$. I am wondering whether the computation of $y$ and the field element still holds correctness. For example, for an element $a \in \mathbb{Z}_p$, is $(mx+ma) *m^{-1} \mod p$ equal to $x+a \mod p$? I have this question because $mx+ma \mod p$ may result in $0$, which is not in the group $\mathbb{Z}_p /\ \{0\}$, and is restoring by multiplying by $m^{-1}$ still correct? I have tried some concrete numbers and found that it seems to hold.
  2. Excluding $m = 0$ introduces a non-uniform distribution for $y$ over $\mathbb{Z}_p$, since $y = 0$ is impossible. Does this deviation from uniformity affect security guarantees, particularly in the context of the field operations?

Update: Since the original question may be ambiguous regarding the source of concern, I’ll briefly describe the protocol under consideration.

After masking a value $x \in \mathbb{Z}_p$ with a random mask $m \in \mathbb{Z}_p$, the product $y = x \cdot m \mod p$ is sent to another party. Along with this, two ciphertexts are sent: $\text{Enc}(a \cdot m \mod p)$ and $\text{Enc}(b)$, where $\text{Enc}(\cdot)$ denotes encryption under a homomorphic encryption scheme. The receiving party then computes: $ \text{Enc}(z) = y \cdot \text{Enc}(b) + \text{Enc}(a \cdot m) $. Note that the prime $p$ is also used in the plaintext polynomial ring underlying the homomorphic encryption scheme. The resulting ciphertext $\text{Enc}(z)$ is then returned to me. Upon decryption, I obtain: $ z = y \cdot b + a \cdot m \mod p $. Finally, I compute $z \cdot m^{-1} \mod p$, which yields: $ b \cdot x + a \mod p $. I’m interested in understanding both the correctness and security of this protocol.

P.S.: I know this may seem unnecessary since I could directly compute $b * x + a \mod p$, but please ignore that aspect for now.

Hobbit
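The two points of the question can be checked exhaustively for a small prime. The following is an added example (not part of the original post): it verifies $(mx+ma)\cdot m^{-1} \equiv x+a \pmod p$ for every $x$, $a$ and every $m \neq 0$, and it tabulates the distribution of $y = x\cdot m \bmod p$ when $m$ is uniform over $\{1,\dots,p-1\}$. The prime `P = 13` is a constructed value chosen so the loops stay tiny; the function names are mine.

```python
from collections import Counter

P = 13  # constructed small prime so that exhaustive checks stay cheap


def mask_is_invertible(m, p=P):
    """Return True iff m has a multiplicative inverse mod p, i.e. m != 0.
    pow(m, -1, p) (Python 3.8+) raises ValueError exactly when gcd(m, p) != 1,
    which for prime p means m == 0: this is why m = 0 has to be excluded."""
    try:
        pow(m, -1, p)
        return True
    except ValueError:
        return False


def unmask_sum(x, a, m, p=P):
    """Mask x and a with the same m, add the masked values, strip the mask.
    The intermediate (y + b) mod p may well be 0; that is harmless because
    the inverse is applied to m, never to the sum."""
    y = (x * m) % p
    b = (a * m) % p
    m_inv = pow(m, -1, p)
    return ((y + b) * m_inv) % p


def unmask_correct_for_all(p=P):
    """Question 1: (mx + ma) * m^{-1} == x + a (mod p) for all x, a and m != 0."""
    return all(
        unmask_sum(x, a, m, p) == (x + a) % p
        for m in range(1, p)
        for x in range(p)
        for a in range(p)
    )


def masked_distribution(x, p=P):
    """Distribution of y = x*m mod p when m is uniform over {1, ..., p-1}."""
    return Counter((x * m) % p for m in range(1, p))


def leaks_only_nonzero(p=P):
    """Question 2: for every nonzero x, y is uniform on Z_p \\ {0} and the
    distribution does not depend on x, so y reveals nothing about x except
    that x != 0. For x == 0 the masked value is always 0."""
    uniform_nonzero = Counter({v: 1 for v in range(1, p)})
    nonzero_ok = all(masked_distribution(x, p) == uniform_nonzero for x in range(1, p))
    zero_ok = masked_distribution(0, p) == Counter({0: p - 1})
    return nonzero_ok and zero_ok


if __name__ == "__main__":
    print("m = 0 invertible:", mask_is_invertible(0))
    print("unmasking correct for all inputs:", unmask_correct_for_all())
    print("y leaks only that x != 0:", leaks_only_nonzero())
```

The point of `leaks_only_nonzero` is that the non-uniformity over $\mathbb{Z}_p$ is the same for every nonzero $x$, so an observer of $y$ cannot distinguish one nonzero secret from another; what is lost is only the fact that $x \neq 0$.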

1 Answer

In the context of the question, when we use "group", we must specify for which internal law (operation). The set $\mathbb Z_p=\{0,1,\cdots,p-1\}$ as defined in the question forms the group $(\mathbb Z_p,+)$. But the masking operation $x\mapsto y=x*m\bmod p$ operates in the group $(\mathbb Z_p\setminus\{0\},*)$, which is the multiplicative group of the field $(\mathbb Z_p,+,*)$. That field is commonly denoted $\mathbb F_p$ or $\operatorname{GF}(p)$.

for an element $a \in \mathbb{Z}_p$, is $(mx+ma)*m^{-1}\bmod p$ equal to $x+a\bmod p$?

Yes. That holds for any $m\not\equiv0\pmod p$, any $x$ and $a$. It follows from algebraic rules in the field $\mathbb F_p$: distributive property, associativity, commutativity, properties of inverse and neutral.

However that property $(mx+ma)*m^{-1}\bmod p\,=\,x+a\bmod p$ must be used cautiously. There would be danger in masking $x$ and $a$ with the same $m$! For example, an adversary can compute the quantity $x^{-1}*a\bmod p$ from the masked quantities $y=x*m\bmod p$ and $b=a*m\bmod p$, using that $x^{-1}*a\bmod p\,=\,y^{-1}*b\bmod p$.


Following update of the question with description of the protocol:

In $\operatorname{Enc}(z)=y\cdot\operatorname{Enc}(b)+\operatorname{Enc}(a\cdot m)$, the $+$ and $\cdot$ operators do not operate on elements of $\mathbb Z_p$, much less are they that field's operators. And the $\operatorname{Enc}(z)=$ part does not have its standard meaning that encrypting $z$ yields the value on the right-hand side. What's really meant is $z=\operatorname{Dec}\bigl(y\cdot\operatorname{Enc}(b)+\operatorname{Enc}(a\cdot m)\bigr)$.

The protocol is correct if and only if $z$ obtained as above verifies $z\bmod p\,=\,y*b+a*m\bmod p$ for all $y,m\in\mathbb Z_p\setminus\{0\}$ and whatever $a,b$ are allowed. That's true if (and essentially only if) the encryption scheme is homomorphic for plaintext in the field $\mathbb F_p$. The question's statement "the prime $p$ is also used in the plaintext polynomial ring underlying the homomorphic encryption scheme" suggests that, but does not give assurance. The encryption scheme need not be fully homomorphic: we can implement $y\cdot\operatorname{Enc}(b)$ with $<2\log_2y$ homomorphic additions (except perhaps for noise considerations).

If $m$ is chosen uniformly in $[1,p)$, independently of $x$, and not reused for multiple uses of the protocol; and if the encryption is secure including with $p$ public, then nothing leaks about $x$ beside that it's not zero.

fgrieu
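The three points of the answer (the protocol computes $b\cdot x+a$ when the scheme is homomorphic for plaintext in $\mathbb F_p$, $y\cdot\operatorname{Enc}(b)$ needs only $O(\log_2 y)$ homomorphic additions, and reusing one mask $m$ for $x$ and $a$ exposes $x^{-1}\cdot a$) can be exercised end to end. The following is an added example, not code from the question or the answer. Since the question does not name its encryption scheme, textbook Paillier is used as a stand-in: it is additively homomorphic, but its plaintext modulus is $n=p_1q_1$ rather than the field prime $p$, so reduction mod $p$ after decryption is only correct when $y\cdot b+a\cdot m$ does not wrap around $n$. That is exactly the gap the answer points at, and the example shows it both ways: with a large $n$ the protocol works, with a tiny constructed $n=11\cdot 13$ it silently gives a wrong answer. The key sizes, the primes `999983` and `1000003`, the field prime `101` and all function names are my choices, not the protocol's.

```python
from math import gcd
import secrets


# --- Textbook Paillier as a stand-in for the question's unspecified Enc(.) ---
# Plaintext modulus is n = p1*q1, NOT the field prime p (see protocol_is_correct).
def paillier_keygen(p1, q1):
    n = p1 * q1
    lam = (p1 - 1) * (q1 - 1) // gcd(p1 - 1, q1 - 1)  # lcm(p1-1, q1-1)
    g = n + 1
    mu = pow(((pow(g, lam, n * n) - 1) // n), -1, n)
    return {"n": n, "g": g, "lam": lam, "mu": mu}


def paillier_enc(key, v):
    n = key["n"]
    r = secrets.randbelow(n - 1) + 1  # fresh randomness per ciphertext
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(key["g"], v % n, n * n) * pow(r, n, n * n)) % (n * n)


def paillier_dec(key, c):
    n = key["n"]
    return ((pow(c, key["lam"], n * n) - 1) // n * key["mu"]) % n


def he_add(key, c1, c2):
    """Enc(u) + Enc(v) -> Enc(u + v mod n): ciphertext multiplication in Paillier."""
    return (c1 * c2) % (key["n"] ** 2)


def he_scalar_by_additions(key, c, k):
    """k * Enc(v) using only homomorphic additions (double-and-add, k >= 1).
    Returns (ciphertext, number_of_additions); the count is O(log2 k)."""
    acc, adds = None, 0
    for bit in bin(k)[2:]:  # most significant bit first
        if acc is not None:
            acc = he_add(key, acc, acc)  # doubling is one addition
            adds += 1
        if bit == "1":
            if acc is None:
                acc = c
            else:
                acc = he_add(key, acc, c)
                adds += 1
    return acc, adds


# --- The protocol of the question, run by both parties in one process ---
def protocol_round(x, a, b, m, p, key):
    """Returns (unmasked result, homomorphic additions used by the other party)."""
    # Me: mask x, send y plus Enc(b) and Enc(a*m).
    y = (x * m) % p
    enc_b = paillier_enc(key, b)
    enc_am = paillier_enc(key, (a * m) % p)
    # Other party: Enc(z) = y * Enc(b) + Enc(a*m), without learning x, a or m.
    enc_yb, adds = he_scalar_by_additions(key, enc_b, y)
    enc_z = he_add(key, enc_yb, enc_am)
    # Me: decrypt, reduce mod p, strip the mask. Correct only if y*b + a*m < n,
    # because Paillier reduces mod n, not mod p.
    z = paillier_dec(key, enc_z) % p
    return (z * pow(m, -1, p)) % p, adds


def protocol_is_correct(x, a, b, m, p, key):
    result, _ = protocol_round(x, a, b, m, p, key)
    return result == (b * x + a) % p


def mask_reuse_linkage(x, a, m, p):
    """The answer's caution: if x and a share the mask m, the observable pair
    (y, b) satisfies y^{-1}*b == x^{-1}*a (mod p), i.e. it exposes x^{-1}*a."""
    y, b = (x * m) % p, (a * m) % p
    return (pow(y, -1, p) * b) % p == (pow(x, -1, p) * a) % p


if __name__ == "__main__":
    big = paillier_keygen(999983, 1000003)  # n ~ 1e12 >> p^2, no wrap-around
    tiny = paillier_keygen(11, 13)          # constructed n = 143 < y*b + a*m
    print("large n, result correct:", protocol_is_correct(5, 4, 9, 7, 101, big))
    print("tiny n, result correct:", protocol_is_correct(5, 4, 9, 7, 101, tiny))
    print("mask reuse links x and a:", mask_reuse_linkage(5, 4, 7, 101))
```

A scheme whose plaintext space really is $\mathbb F_p$ (as the question's polynomial ring with modulus $p$ suggests) would not need the "no wrap-around" condition; with Paillier it has to be enforced by choosing $n > 2p^2$, and the tiny-key run shows what happens when it is not.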