5

It's easy to see that additive blinding (e.g., $x+r$ for secret x and random r) is perfectly secure in a finite field (this is a one-time-pad) and statistically secure for $r$ uniformly distributed in a domain sufficiently larger than $x$.

What I'm confused about is multiplicative blinding (i.e., $x \cdot r$) - in some places, I read that it's being used and is as secure as additive blinding, while in others it's stated that it is much less secure (e.g., multiplicative blinding less secure). Assuming, of course, both $x \neq 0$ and $r \neq 0$, is multiplicative blinding as good as additive (ignoring side channel attacks), and if not - what's the explanation?

RevFlash

3 Answers

6

In a finite field $\mathbb{F}_q$, both maskings are perfectly secure, provided that $x \neq 0$ for the multiplicative masking.

This is easy to see. The finite field $\mathbb{F}_q$ defines two groups: the additive group $\mathbb{F}_q^+$ (i.e., $\mathbb{F}_q$ equipped with addition) and the multiplicative group $\mathbb{F}_q^*$ (i.e., $\mathbb{F}_q \setminus \{0\}$ equipped with multiplication).

Proposition. Let $\mathbb{G}$ be a group and let $\star$ denote the group law in $\mathbb{G}$. Given $x \in \mathbb{G}$, if $r$ is a uniformly random element in $\mathbb{G}$ then so is $y:=x \star r$.

Let $x \in \mathbb{F}_q$. We have:

  • If $r$ is drawn uniformly at random in $\mathbb{F}_q^+$ then $x+r$ (where $+$ denotes the addition in $\mathbb{F}_q$) is uniformly random in $\mathbb{F}_q^+$;
  • If $r$ is drawn uniformly at random in $\mathbb{F}_q^*$ then $x*r$ (where $*$ denotes the multiplication in $\mathbb{F}_q$) is uniformly random in $\mathbb{F}_q^*$, provided that $x \neq 0$ (that is, $x \in \mathbb{F}_q^*$).
user94293
4

Whether multiplicative blinding is drastically worse than additive blinding depends fairly strongly on:

  • The ring you are doing the blinding in

  • Whether you need to blind the value 0

The second is fairly obvious, as multiplicative blinding doesn't disguise 0 at all.

However, it would appear that the slides that you quote the statement from actually fall into the first category. That is, the ring that the operation is being done in is not the field $GF(p)$ for some prime $p$ (which, if you select the randomizer properly, does a wonderful job at blinding any nonzero value); instead, it appears to be the ring of the integers (or equivalently, if they're in a ring $GF(p)$ and they select the parameter $r$ so that $r|d| < p/2$). In that case, disguising $d$ as $rd$ (for some random positive integer $r$) is, in fact, insecure, because from the value $rd$, someone can eliminate any possible value $d$ that's not a factor of $rd$.

So, yes, when some person talks about multiplicative blinding being secure, and some other person talks about it being insecure, they're both right -- they're talking about different scenarios.

poncho
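The two answers above make one claim each that is easy to check numerically: user94293's group argument (for nonzero $x$, $x \cdot r \bmod p$ is a permutation of $\mathbb{F}_p^*$ as $r$ runs over $\mathbb{F}_p^*$) and poncho's integer-ring case (over $\mathbb{Z}$, the blinded value $rd$ still restricts $d$ to the divisors of $rd$). The following Python is an added example, not code from any of the answers; the prime $p = 1009$, the secret values and the bound on $d$ are constructed here for illustration.

```python
"""Added example: multiplicative blinding in F_p versus over the integers.

Constructed parameters: p = 1009 (prime), secrets x = 123 and d = 123,
and a blinding factor r = 12345 for the integer case.
"""
from collections import Counter


def multiplicative_blind_distribution(x: int, p: int) -> Counter:
    """Histogram of x*r mod p as r runs over all of F_p^* = {1, ..., p-1}."""
    return Counter((x * r) % p for r in range(1, p))


def additive_blind_distribution(x: int, p: int) -> Counter:
    """Histogram of x+r mod p as r runs over all of F_p = {0, ..., p-1}."""
    return Counter((x + r) % p for r in range(p))


def is_uniform_on_nonzero(dist: Counter, p: int) -> bool:
    """True iff every nonzero residue occurs exactly once (a permutation of F_p^*)."""
    return set(dist) == set(range(1, p)) and set(dist.values()) == {1}


def integer_blinding_candidates(blinded: int, d_bound: int) -> list:
    """Over the integers, c = r*d with unknown positive r: the only values of d
    in [1, d_bound] still consistent with c are its divisors (poncho's point)."""
    return [d for d in range(1, d_bound + 1) if blinded % d == 0]


def main() -> None:
    p, x = 1009, 123
    # In F_p, multiplicative blinding of a nonzero x hits every nonzero residue once.
    assert is_uniform_on_nonzero(multiplicative_blind_distribution(x, p), p)
    # The stated exception: x = 0 is never disguised, every blinded value is 0.
    assert multiplicative_blind_distribution(0, p) == Counter({0: p - 1})
    # Additive blinding is uniform on all of F_p, including x = 0.
    assert set(additive_blind_distribution(0, p).values()) == {1}
    # Over the integers, r*d narrows d down to a handful of divisors.
    d, r = 123, 12345  # constructed values
    candidates = integer_blinding_candidates(r * d, 1000)
    print(f"{len(candidates)} candidates for d remain out of 1000: {candidates}")


if __name__ == "__main__":
    main()
```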
3

As fgrieu said in comments, $x\to x\cdot b\bmod p$ is just as secure as additive blinding. So we suppose that the question is about $x\to x\cdot b$.

Here we suppose that the factorization time for $x\cdot b$ is negligible and examine brute force search for finding $b$:

  • In additive blinding, let $c=x\cdot b$; we should check all $b$ for the meaning of $c-b$.

So we need $c$ computations in the worst case.

  • In multiplicative blinding, let $c=c_1\times \cdots \times c_k$; in the best case, when all $c_i$ are the same, we should check all $k$ possible cases for finding $b$.

With increasing $k$ and distinct $c_i$'s, the time complexity becomes larger, but $k<\log_2(c)$ so $2^k<c$, and this means that multiplicative blinding is less secure.

Meysam Ghahramani