Okay, is it on? Okay, welcome to the session on physical attacks and masking, the first part of it; there will be another session after lunch. In this session we have three talks. The first will be given by Thomas Espitau, if I pronounced it correctly, and he will talk about Mitaka, a simpler, parallelizable, maskable variant of Falcon. Thomas will introduce his co-authors.

Thank you for the introduction. So, this is joint work with Pierre-Alain Fouque, François Gérard, Mélissa Rossi, Akira Takahashi, Mehdi Tibouchi, Alexandre Wallet, and Yang Yu. First of all, let me give a brief panorama of where we stand in terms of lattices in the NIST competition. Among the Round 3 finalists (we are still waiting for the announcement for Round 4, whatever), two of the signature schemes are lattice-based. On the one hand, we have the Falcon signature, a hash-and-sign signature built on NTRU lattices. It is very compact and fast; however, by design, the range of admissible parameter sets is very small. It is also quite hard to implement correctly, and therefore quite difficult to protect against side channels, at least from a masking point of view. On the other hand, we have the Dilithium signature from the CRYSTALS suite, which follows the Fiat-Shamir-with-aborts paradigm of Lyubashevsky, instantiated over generic module lattices. It has a larger bandwidth than Falcon, but it admits a wide range of parameter sets, it is easy to implement, and it is therefore easier to protect against side channels.

Today, I am glad to present our signature proposal, Mitaka, where we try to reach the best of both worlds. We want a signature which is compact and fast, which enjoys a large range of possible instantiations so as to offer fine-grained security levels, but which is also easy to implement and to protect, so that it can be deployed, and which can be implemented in fixed-point arithmetic for constrained devices.

This signature is based on Falcon, so please allow me to go back in time a bit and quickly present the rationale of Falcon. Falcon is a GPV-type signature, and the motto of its authors was to get the most compact signatures they could achieve. Since it is a hash-and-sign signature, you have to sample in your lattice, so they took the best sampler available, the Klein sampler, and since they wanted it to be efficient, they implemented it as the so-called fast Fourier orthogonalization (FFO) sampler of Ducas and Prest, a recursive version working over a tower of subfields. I mention this because this choice of sampler forced them to use a very particular type of ring, namely the rings of integers of power-of-two cyclotomic fields, and they built the scheme upon NTRU lattices over those rings. So it is very nice, very fast, very compact, everyone is happy. But since we are restricted to power-of-two conductors, if you look at the possible instantiations in cryptographically relevant dimensions, you get 512, and then the next power of two is 1024, so quite a gap. Moreover, this FFO sampler is really nice and, from a mathematical point of view, very satisfying, but it is quite complicated to implement and therefore very complicated to mask without incurring tremendous overheads.
So, to discuss why and what we changed to construct Mitaka, let me introduce a parameter, the quality parameter, denoted alpha, which basically encodes the width at which you are allowed to sample with whichever sampler you use. In the case of Falcon, this quality is around 1.17. And since we are in a hash-and-sign paradigm, the quality at which you can sample directly drives the security against forgery: for Falcon, this 1.17 gives you something NIST level I compliant, around 128 bits of classical security.

As I said, the complexity bottleneck was this FFO sampler. So what happens if we replace the FFO sampler by something simpler and more efficient? It sounds like a good idea, but as usual in computer science, there is no free lunch: you take a simpler sampler, but at the cost of a larger sampling width, which means, according to this quality-versus-security curve, that your security drops. And if you just replace this nice FFO sampler by the hybrid sampler, which I will explain a bit later, you get a huge drop in security: this parameter alpha goes from 1.17 to about 3, and you are now below NIST level I. This is quite unsatisfactory, so we wanted to mitigate that drop.

To do so, we replaced the key generation procedure of Falcon. We improve the key gen so that we get bases with better quality. As the motto goes in lattice algorithms, if you want to solve a hard problem, take a better basis, one with shorter vectors and a lower orthogonality defect, and your algorithm will perform better. In our case, feeding the keys from our improved key gen into the hybrid sampler, we were able to get a quality of around two, and so we recover part of the security loss.

And since we changed the sampler, we are no longer forced to use power-of-two cyclotomics: we can now instantiate the whole signature over a wider class of cyclotomic rings, in particular rings with smooth conductors. This is pretty great, because now we have a lot of different choices between 512 and 1024; here are just the examples for 3-smooth conductors (a small enumeration sketch follows below). So we can range quite nicely in between and reach every security level from NIST 1 to NIST 5, whereas Falcon is only instantiable at the two endpoints of the curve. Now we have the full range of possible choices.

All in all, we get a signature which is simple to implement thanks to this hybrid sampler, which is more efficient than Falcon, which is compact, almost as compact as the original, versatile in terms of parameters, and maskable; I will come back to that at the end of the talk. Moreover, we can actually tweak this hybrid sampler again to allow an implementation in fixed-point arithmetic, which can be interesting for constrained devices. So much for the overall rationale of the scheme. For the rest of this talk, I will focus on describing what this hybrid sampler is and why it matters for security, and on what we did for the improved key gen; for all the other parts, I will let you refer to the paper.
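As a quick illustration of where those intermediate dimensions come from, here is a small self-contained Python sketch (mine, not from the talk) that enumerates 3-smooth cyclotomic conductors m = 2^a * 3^b and prints the degrees phi(m) landing between the two Falcon dimensions:

```python
# Enumerate 3-smooth cyclotomic conductors m = 2^a * 3^b and print the
# degrees n = phi(m) lying between the two Falcon dimensions 512 and 1024.
def phi_2a3b(a, b):
    # Euler's totient of m = 2^a * 3^b, by multiplicativity of phi.
    res = 1
    if a > 0:
        res *= 2 ** (a - 1)
    if b > 0:
        res *= 2 * 3 ** (b - 1)
    return res

for a in range(12):
    for b in range(8):
        m, n = 2 ** a * 3 ** b, phi_2a3b(a, b)
        if 512 <= n <= 1024:
            print(f"conductor m = {m:4d}  ->  degree n = phi(m) = {n}")
```

Besides 512 and 1024 themselves, this yields the intermediate degrees 576, 648, 768, 864 and 972, which is exactly the kind of fine-grained range of dimensions the smooth-conductor choice unlocks.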
To dive a bit into the details of the signature, let me make a brief recap of how you construct hash-and-sign signatures over lattices (a toy illustration follows at the end of this recap). Everything comes back to the GPV framework of Gentry, Peikert and Vaikuntanathan. To sign a message within this framework, you first hash your message to a point somewhere inside the ambient space of your public lattice: you get a point m, it lives somewhere, fine. Then you sample a Gaussian lattice point around this hash point m, and you want to sample a point which is not too far away, for reasons I will explain. Your signature will then simply be the difference between the freshly sampled point and the hash. Now, how to verify? First of all, since I said you are sampling a short vector, a vector close to m, this signature s must not be too big, otherwise it is rejected. Then you also want, and this is the functional part of verification, the difference m minus s to belong to the lattice, which holds by construction, since you did your Gaussian sampling inside the lattice. If these two conditions are satisfied, it is a valid signature.

So now you may ask: what is the relation with hard problems over lattices? If you look at the two verification conditions, it appears that to forge a signature, you just need to find a point of the public lattice close to m, close meaning that s is not too big. So what you are actually trying to solve when forging is an instance of the closest vector problem, and you want this approximate CVP to be hard in your lattice, otherwise you could just forge. This means that you want the width at which you sample in step two to be small: if it is super wide, forging becomes easy, because your approximate CVP comes with huge approximation factors. So you want to be able to sample sharp Gaussians. And if you remember the lattice-algorithm motto, if you want to solve this hard problem of sampling sharply in your lattice, you need a good basis: one with short vectors and/or a small orthogonality defect.

So, all in all, your secret key will be a good basis of the public lattice, and the public key will be just some arbitrary basis. It should of course be hard to compute this secret key from the public key alone, otherwise you would allow a key-recovery attack; and since you want a practical scheme, you want the public key to be easy to generate from the knowledge of the secret key. Such a secret basis is called a lattice trapdoor, and generating trapdoors for sampling has been a very interesting challenge in the lattice community for almost two decades. This explains why we want good bases, good trapdoors, and why we want to sample short vectors.
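Here is a minimal, self-contained toy version of that flow in Python (my sketch, not the actual scheme): a fixed two-dimensional "secret" basis, plain Babai round-off standing in for the real randomized Gaussian sampler, and a verification that, purely for brevity, reuses the same basis for the lattice-membership check, whereas the real scheme uses a public basis. The basis and bound are arbitrary illustrative choices.

```python
import hashlib
import numpy as np

B = np.array([[7.0, 1.0], [3.0, 5.0]])  # toy "good" basis (rows are basis vectors)
BOUND = 7.0                              # acceptance bound, arbitrary for this toy

def hash_to_point(message: bytes) -> np.ndarray:
    # Step 1: hash the message to a point of the ambient space.
    h = hashlib.sha256(message).digest()
    return np.array([h[0] % 50, h[1] % 50], dtype=float)

def close_lattice_point(m: np.ndarray) -> np.ndarray:
    # Step 2: decode m to a nearby lattice point. The real scheme uses a
    # *randomized* Gaussian sampler here (Klein / hybrid); deterministic
    # Babai round-off keeps the toy short, but leaks the basis geometry.
    coeffs = np.round(np.linalg.solve(B.T, m))
    return B.T @ coeffs

def sign(message: bytes) -> np.ndarray:
    m = hash_to_point(message)
    v = close_lattice_point(m)
    return m - v          # step 3: the signature is the short difference

def verify(message: bytes, s: np.ndarray) -> bool:
    m = hash_to_point(message)
    coeffs = np.linalg.solve(B.T, m - s)  # membership check: m - s in the lattice
    on_lattice = np.allclose(coeffs, np.round(coeffs))
    return np.linalg.norm(s) <= BOUND and on_lattice

print(verify(b"hello", sign(b"hello")))  # True
```

Note how forging amounts to producing such a short difference without the good basis, which is exactly the approximate-CVP instance discussed above.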
So now, how do we sample over structured lattices? For efficient, polynomial-time Gaussian sampling, the idea is that a lattice Gaussian sampler is a decoding algorithm, a CVP solver, on top of which you add randomization. Two polynomial-time decoders are well known. One is the famous Babai round-off technique, which rests on the following idea: if I take a point near the lattice and write its coefficients in the basis, the coefficients will be real or rational, whereas lattice points have exactly integral coefficients. So what you do is just take the coefficients, round them, and you are done: the simplest algorithm you could imagine. The other algorithm is the so-called Babai nearest plane, which is a bit trickier to implement: it takes lattice hyperplanes, carefully chooses a close enough hyperplane, and recurses to approximate the solution.

And, as I said, you want randomization on top of that. So what do you do? For a Gaussian sampler, for instance, you randomize this integral rounding. If you just do that, you will have some issues, because your distribution will not be zero-knowledge with respect to the basis. But Peikert showed that if you do this randomized rounding and add a small convolution with a carefully chosen normal distribution, you get a perfectly fine zero-knowledge sampler. And if you randomize Babai's nearest plane, meaning that you randomize the plane you choose at each step, you get the Klein sampler, which is the one at the basis of the Falcon signature. In between, for structured lattices, there is a lot of room, and there is for instance the Ducas-Prest hybrid sampler, a trade-off for modules over rings, where the randomized rounding is done not at the integer level but at the ring level: somehow, we are doing block-wise rounding instead of rounding coordinate-wise.

To give you a rough idea of how these compare (the quality here is the alpha I showed on the graph a bit earlier): the Peikert sampler, the randomization of Babai round-off, has a quality which depends on the largest singular value of your input basis. The Klein sampler, the randomization of Babai nearest plane, has a quality related to the maximum norm of the Gram-Schmidt vectors of your basis. And the hybrid sampler, which is somehow a mixture of the two, has a quality which depends on the largest singular value of a Gram-Schmidt orthogonalization at the ring level. So the Peikert sampler is very fast and simple to implement, just as Babai round-off is very simple; however, it has the worst quality of the three, and worst quality means lowest security. The Klein sampler has the best quality of the three, hence the highest security, but it is slower and more involved to implement. And this in-between hybrid sampler is a good trade-off when your ring admits good bases with nice geometric properties. To fix ideas, if you take the convolution ring used in NTRU, a power-of-two cyclotomic, you can compare the achievable qualities more explicitly: the Falcon (Klein) sampler has a quality which is essentially constant, whereas the Peikert sampler has a quality which grows like the dimension to the power one fourth, and the hybrid sampler lies in between, as expected.
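Here is a compact sketch of that randomized nearest-plane (Klein-style) idea, again a toy of mine rather than Falcon's implementation: each Gram-Schmidt coefficient is rounded through a continuous Gaussian, whereas the real sampler draws from a discrete Gaussian over the integers at each level. The per-level width is sigma divided by the Gram-Schmidt norm, which is exactly why the achievable quality is governed by the largest Gram-Schmidt vector, as just stated.

```python
import numpy as np

def gram_schmidt(B):
    # Gram-Schmidt orthogonalization of the rows of B (no normalization).
    Bs = np.zeros_like(B, dtype=float)
    for i in range(B.shape[0]):
        Bs[i] = B[i] - sum((B[i] @ Bs[j]) / (Bs[j] @ Bs[j]) * Bs[j]
                           for j in range(i))
    return Bs

def klein_sample(B, target, sigma):
    # Randomized Babai nearest-plane: at each level, the integer coefficient
    # is drawn around the exact Gram-Schmidt coefficient instead of being
    # rounded deterministically. Continuous-Gaussian rounding is used here
    # for simplicity; Klein's algorithm uses a discrete Gaussian over Z.
    Bs = gram_schmidt(B.astype(float))
    c = np.array(target, dtype=float)
    z = np.zeros(B.shape[0])
    for i in reversed(range(B.shape[0])):
        mu = (c @ Bs[i]) / (Bs[i] @ Bs[i])     # coefficient along b*_i
        width = sigma / np.linalg.norm(Bs[i])  # sharper when ||b*_i|| is short
        z[i] = np.round(np.random.normal(mu, width))
        c = c - z[i] * B[i]
    return z @ B                               # a lattice point near `target`

B = np.array([[7.0, 1.0], [3.0, 5.0]])
print(klein_sample(B, [10.3, -4.2], 2.0))
```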
So, as I said, since we took a sampler whose quality is slightly worse than Falcon's, we need to add something to recover the security loss; recall from the first slides that, starting from the Falcon setting, just switching to the hybrid sampler makes a huge drop in security, because your quality parameter also increases. So how do we improve the key gen? To understand how to improve it, let me first recall what the basic key gen is.

The NTRU lattice is constructed as follows. I take two elements f and g in my ring R, and I construct a public element h, which is the quotient g/f mod q. The NTRU lattice will then be the parity-check lattice associated with h, which means I take the orthogonal of the vector (h, -1); or, another way to say it, I take the vectors (u, v) such that u*h - v is congruent to zero mod q. I said that the trapdoor was a short basis with good quality with regard to the sampling process. So, okay: I already know some f and g which are presumably small, and now I want to complete this (f, g) into a basis of the lattice. I can actually do that, because the NTRU lattice is fully determined by h, or equivalently by f and g, and as such, knowing f and g allows me to recompute some coefficients I can put in the second row to have a basis. Very interestingly, this can be done very efficiently by applying a variant of the Euclidean algorithm and using the geometry of the ring.

What should be remarked at this point is that I said we want a good quality with regard to the sampling process, and the quality has the nice property that it can be computed using only f and g: we do not need to complete the basis to have an idea of the quality. So what we can do to get a sufficiently nice basis is to sample a bunch of pairs (f, g) and compute the quality each time; for Falcon the condition would look one way, for the hybrid sampler another. And I just wait until my good event happens: oh, suddenly, yay, I have my good basis. If you write that as pseudocode, you get something like the sketch below: you sample f and g as Gaussians with the norm you want, and you do your quality check and restart until you reach a good basis. For the Mitaka quality, you could think: okay, I can do exactly the same, I just replace the quality condition and I will get a nice basis. However, the reject-and-restart already happens quite often in Falcon, and to reach the Mitaka quality you would need a lot of restarts, which is not really acceptable. Since generating Gaussians over and over would be quite expensive, what you would like is to reuse the randomness. So basically, we sample a pool of random vectors, then combine them by convolution to generate a larger pool of Gaussians, and then use the Galois automorphisms of the field: since everything is nice here, we are working with NTRU lattices over cyclotomic fields, we have lots of automorphisms for free, and you get a free blow-up of the search space. So you have a smallish pool of randomness, you expand it, and then you apply the Galois automorphisms to expand it again. You end up with a quite huge search space, and in this space you can find better trapdoors in quite reasonable time.
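In pseudocode, the rejection loop just described looks roughly as follows. The helpers `sample_gaussian_poly`, `quality` and `complete_basis` are hypothetical stand-ins for the real primitives (the quality function, as noted, needs only f and g; the completion is the Euclidean-algorithm-style step), and the trailing comment sketches the randomness-recycling refinement.

```python
# Sketch of the reject-and-restart trapdoor generation. All helpers are
# hypothetical placeholders, not a real API.
def keygen(n, sigma_fg, alpha_target):
    while True:
        f = sample_gaussian_poly(n, sigma_fg)  # short ring elements
        g = sample_gaussian_poly(n, sigma_fg)
        if quality(f, g) <= alpha_target:      # computable from f, g alone
            return complete_basis(f, g)        # fill in the second basis row
        # else: reject and restart with fresh Gaussians.

# Mitaka's refinement: rather than fresh Gaussians at every restart, draw a
# small pool of Gaussian vectors once, enlarge it by convolving (combining)
# pool elements, enlarge it again for free via the Galois automorphisms of
# the cyclotomic field, and search that big pool for a pair (f, g) meeting
# the stricter Mitaka quality target.
```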
So, all in all, I said that Mitaka was actually maskable, so a quick word on that. The standard attack model is the t-probing model, in which you basically say that your attacker can probe t values at runtime. The security you want to achieve with regard to this model is t-probing security, which says that if the attacker can probe t values, then these t intermediate variables should be independent of the secret. If they are independent of the secret, the attacker cannot recover any information on my secret, and I am happy. So, to get an implementation of Mitaka which is t-probing secure, we use arithmetic masking. The idea here is inspired by secret sharing: if I have a value I want to protect, say x, I sample t + 1 values which are independent, but conditioned on the fact that their sum is equal to x, so that if the attacker probes any t of the values, he will just see random noise, somehow. Now, this arithmetic masking is linear, so every linear operation done in the signing procedure is nicely compatible with it, but multiplication can be slightly tricky. Since it is polynomial multiplication, we work in the FFT domain, so that the polynomial multiplication becomes a point-wise multiplication, and then we use a standard masked multiplication gadget. And the other interesting fact is that we can mask the whole Gaussian generation process: if we use shares which are themselves Gaussianly distributed, then summing Gaussian shares with the right parameters gives a Gaussian output. So basically, we can use this nice stability property of Gaussians to generate the Gaussians directly in masked form (a small sketch of this idea appears after the Q&A below).

And to conclude with a bit of implementation results and practical things: we did some experiments on a non-masked and non-constant-time implementation, even though it can be made constant-time with standard results from the literature. Using the Falcon reference C code as a baseline, and also reusing some parts of it, such as the FFT, we get a scheme which is roughly two times faster than Falcon. This is not really a surprise: if you count the number of multiplications performed in the whole signing algorithm, you have roughly half as many. So, to wrap up, and I will finish with that: we presented a variant of Falcon which uses the hybrid sampler and an improved key gen to get nice security properties. It is simple and efficient, compact, very versatile, and maskable. I thank you for your attention. Any questions?

If you don't mind, I have a couple of questions. You mentioned it was slightly larger than Falcon. How large are your signatures compared to what Falcon does?

Sorry, can you repeat the question?

Your signature size is bigger, but not that much?

Yes. So for Falcon, let's say Falcon-512, the signature size, if I remember correctly, is 666 bytes. If you instantiate Mitaka at 512 (maybe you can see it on the slide), for the lowest security parameter we get something around 700 bytes, and as you go up, you have the whole range. I don't remember exactly for 1024, but it is, let's say, 15% bigger. Actually, as future work, we know how to reduce the size of Mitaka signatures to match, or even go below, the size of Falcon.

Thank you. Any other questions, online or from the room? If not, let's thank them again.
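To make the arithmetic-masking discussion above concrete, here is a minimal sketch with an illustrative modulus and continuous Gaussians; it is not the paper's actual gadget, and only illustrates the two ingredients: additive sharing, and Gaussian generation directly in shared form via the stability of Gaussians under addition.

```python
import numpy as np

Q = 12289  # illustrative modulus (the one used by Falcon)

def mask_mod_q(x, t):
    # Arithmetic masking: t+1 shares, uniform mod Q, summing to x mod Q.
    # Any t of the shares are uniformly random and independent of x.
    shares = np.random.randint(0, Q, size=t + 1)
    shares[-1] = (x - shares[:-1].sum()) % Q
    return shares

def masked_gaussian(t, sigma):
    # Gaussian generation directly in masked form: each share is Gaussian
    # with standard deviation sigma / sqrt(t+1), so their sum (never
    # explicitly reconstructed during signing) is Gaussian with standard
    # deviation sigma. Continuous Gaussians here for simplicity; the
    # scheme needs discrete ones.
    return np.random.normal(0.0, sigma / np.sqrt(t + 1), size=t + 1)

# Linear operations act share-wise: the share-wise sum of two sharings is
# a sharing of the sum, with no interaction between the shares.
t = 3
xs, ys = mask_mod_q(42, t), mask_mod_q(7, t)
print((xs + ys).sum() % Q)      # 49; unmasking happens only on final outputs
print(masked_gaussian(t, 4.0))  # t+1 shares of one Gaussian sample
```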