I see no difficulty in cryptanalyzing this linear masking, e.g estimating Z(k,m) from side-channel signals L1, L2 and L3.

Let O1, O2 and O3 be the parameters of the side-channel models for L1, L2 and L3 resp., e.g. mus and sigmas for Gaussian models (why are the authors so reluctant to introduce parametric side-channel models?)
You just need to write down the joint direct pdf for a single encryption:

p(L1,L2,L3|U1,U2,K,m,O1,O2,O3,I)=
p(L1|U1,U2,k,m,O1,O2,O3,I)p(L2|U1,U2,k,m,O1,O2,O3,I)p(L3|U1,U2,K,m,O1,O2,O3,I) (conditionally mutually independent noises)
=p(L1|U1,O1,I)p(L2|U2,O2,I)p(L3|U1,U2,k,m,O3,I)

p(L3|U1,U2,k,m,O3,I)=p(L3|U3,O3,I)

with U3(U1,U2,k,m)=Z(k,m)^-1.(U1 XOR U2) by eq.4

That's it! The rest is given in 2008/208 that deals with arbitrary masking schemes:

p(Z|M)=sum_U1,1 ... sum_U1,N sum_U2,1 ... sum_U1,N integral_01 integral_02 integral_03...

the real thing.

Of course, if you ignore relevant papers, reject your masters (e.g. Shannon) and don't use the proper tools, it's more difficult.

F. Pautot

Sorry, read 2008/508 instead of 2008/208 in the previous post.