from low randomness to low noise rate, or probe isolating multiplications with reduced randomness and security against horizontal attacks. It's work by Gaëtan Cassiers and François-Xavier Standaert, and Gaëtan will give the talk. Okay, so thanks for the introduction. So, this is about side-channel attacks. I guess you all know about power analysis attacks. Standard DPA, the way you do it is that you take one point of interest, you attack it, and from there you try to recover the key. That's the basic approach, and we can do better. Basically, the idea is to take more samples from the leakage trace so that you get more information, and then you need fewer leakage traces to recover the key. That's the whole field of horizontal attacks. There are many ways to do it, and I won't detail them, because my goal is to protect against those attacks. So, the standard protection is masking. That's very common. This is Boolean masking, the same as Itamar has shown. If you compute on sharings, you can expect some protection. But what is the impact of horizontal attacks on these Boolean masking schemes? That question was first tackled by Battistello and Coron, and we want to improve on that work. They did a first qualitative analysis and proposed the first countermeasure to harden the masking scheme against those attacks. We want to go further in that direction, first by making the analysis more quantitative: we develop an automated tool that takes a masked circuit and analyzes to what extent a horizontal attack can break it. Then, based on the insight that we gain from that tool, we design better protected multiplication gadgets.
So, the outline will be: first I will discuss the masked gadgets that we analyze, then introduce the local random probing model in which we work for analyzing those horizontal attacks, then show some results, the security bounds that you can get from there, and finally the gadgets that you can build. As masked gadget, we take the AND gate as an example, because it's the most complex gadget; linear functions are usually easy to implement. So, this is ISW: we take the shares and multiply them to get the big matrix of partial products. Like in this example, with three shares we have nine partial products, and we want to compress that to three output shares. To do that, we sum them and add some randomness for it to be secure. We can analyze this process in three stages: first you generate a matrix of pairs of shares, then you compute the products, and then you compress. Using this decomposition, we can see how changing each of those three stages gives other multiplication gadgets. For instance, if you change the last, compression stage, you can try to use less randomness. If you change the product stage to not be a simple product but a more complex operation, you can gain other security properties, for example easier composability, such as the PINI property. And what is of interest to us today is the matrix generation stage, which you can modify to improve resistance against horizontal attacks, as Battistello and Coron have already shown. So, what is this local random probing model? Before introducing the model, I need to introduce an attack, the soft analytical side-channel attack, which is based on factor graphs and the belief propagation algorithm. These algorithms come from the field of error-correcting code decoding, and the idea is basically how to recover information about some variables of interest when you have statistical information about many variables that are related through equations that you know.
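As a rough sketch of the three stages just described (share replication, partial products, randomized compression), here is a minimal ISW multiplication over single bits in Python. The function names and the bit-level setting are my own choices for illustration, not code from the paper:

```python
import random
from functools import reduce

def share(x, d, rng=random):
    """Split bit x into d Boolean shares that XOR back to x."""
    s = [rng.randrange(2) for _ in range(d - 1)]
    s.append(reduce(lambda u, v: u ^ v, s, x))
    return s

def unshare(s):
    """Recombine a Boolean sharing."""
    return reduce(lambda u, v: u ^ v, s, 0)

def isw_and(a, b, rng=random):
    """ISW multiplication of two d-sharings of bits.
    Stages 1+2: the d*d matrix of partial products a_i & b_j.
    Stage 3: compression with one fresh random bit per share pair."""
    d = len(a)
    p = [[a[i] & b[j] for j in range(d)] for i in range(d)]
    c = [p[i][i] for i in range(d)]
    for i in range(d):
        for j in range(i + 1, d):
            r = rng.randrange(2)
            c[i] ^= r
            c[j] ^= (r ^ p[i][j]) ^ p[j][i]
    return c
```

For d = 3 this builds the nine partial products mentioned in the talk and compresses them into three output shares.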
You could do it through a full application of Bayes' formula, but that's too expensive. The belief propagation algorithm is an approximation of that. The way it works is that you put all your variables in variable nodes in a graph, like the blue ones there, and all your operations in function nodes, like the red ones. Then, you try to make your information about the distribution of each variable consistent with the information that you know from your equations. Basically, you propagate information from the variables to the functions. For example, take the XOR relation X2 = X XOR X1: if you have some information about X and X1, you can get some information about X2, and you can combine that with the information you already had on X2 from the leakage trace. Then you iterate this process until it converges to the information that you want, which is hopefully the secret you are trying to attack. So, this is the model for the attack, and now we can try to use it to evaluate security. We start from the random probing model, which is a model used in security proofs for masking; it sits between the t-probing model that we discussed quite a lot in the previous days and the noisy leakage model, which is closer to the physics. In this random probing model, each intermediate variable in your computation leaks its exact value with some probability, and with the complementary probability it leaks nothing. The local random probing model is this random probing model with one additional assumption: the adversary is not able to compute full Bayesian inference and instead uses belief propagation to mount the attack. Using that assumption, we can reuse the belief propagation algorithm, but instead of using it for an attack, we use it for security evaluation.
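To make the propagation step concrete, here is a minimal Python sketch of the two message rules for a single XOR constraint between bits; the function names are mine, and real soft analytical side-channel attack implementations work over larger variables and usually in the log domain:

```python
def xor_message(p_a, p_b):
    """Function-node rule for an XOR constraint: given P(a=1) and P(b=1)
    for independent bits, return P(a ^ b = 1)."""
    return p_a * (1 - p_b) + (1 - p_a) * p_b

def fuse(p, q):
    """Variable-node rule: combine two independent sources of evidence
    P(x=1)=p and P(x=1)=q on the same bit (normalized product)."""
    one = p * q
    zero = (1 - p) * (1 - q)
    return one / (one + zero)

# Leakage gives P(X=1)=0.8 and P(X1=1)=0.7; the constraint X2 = X ^ X1
# then yields a message about X2, which we fuse with the direct
# leakage P(X2=1)=0.9 that the trace gives on X2.
msg = xor_message(0.8, 0.7)      # 0.38
posterior = fuse(0.9, msg)
```

On a tree-shaped factor graph a single such pass is exact inference; on graphs with cycles, like the ISW factor graph, the iteration is the approximation the talk refers to.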
The way we do that is that, instead of propagating distributions, we propagate the amount of information carried by the distributions, so that this belief propagation of information becomes a model of the belief propagation attack. In the end, you give this algorithm as input all the information that you can extract for each variable in the trace, and it gives you as output the information that you can recover on the sensitive variable, and thus the success rate of the attack. So that's the rough idea of the model. I now present how we can apply it. Let's again take the ISW multiplication gadget as an example. There we have two shares, and on the left we have the factor graph. You can see there are quite many operations. What's important is the thick edges: each of them corresponds to one use of a variable in an operation. If we ignore static power, we can assume that computation is what leaks, and computation means the number of operations you perform with a variable. So we make a worst-case assumption: the information that you recover about each variable is the number of times you use that variable, times the information that you get from one operation at the given noise level. Now, let's look at the results for the ISW multiplication, for three different numbers of shares. On the horizontal axis we have the noise: on the right there is little noise, on the left high noise. On the vertical axis we have the security level: at the top there is no security, and as we go down we get to very high security levels. First observation: we have asymptotic slopes on the left, and those correspond to the masking order. This is quite in line with the proofs, so that's nice.
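The worst-case heuristic just described can be sketched as a simple count. For ISW, each input share a_i enters the D partial products of its row (and similarly for b_j); the helper names below are mine, for illustration only:

```python
def isw_input_uses(d):
    """In an ISW multiplication with d shares, each input share a_i
    (and b_j) feeds the d partial products of its row (column)."""
    uses = {f"a{i}": d for i in range(d)}
    uses.update({f"b{j}": d for j in range(d)})
    return uses

def heuristic_info(uses, info_per_op):
    """Worst-case model from the talk: leaked information about a
    variable = (number of uses) * (information from one operation)."""
    return {v: n * info_per_op for v, n in uses.items()}
```

Plugging these per-variable information levels into the information-propagation algorithm is what produces the security curves discussed next.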
Then the second observation, which is the most interesting for us: if we look at the point where we start to have some security, the point where the curve leaves the top and starts going down, we see that this point shifts to the left as we increase the masking order. In practice, this means that you cannot increase your number of shares indefinitely; otherwise you end up with no security at all. If you want to do so, you should ideally increase the noise level. If that's not possible, you have to carefully choose your masking order to maximize your security, and this does not correspond to maximizing the masking order. That's the first observation, and it's quite annoying, because it means that if you have some fixed noise level, say an off-the-shelf software microcontroller where you cannot do much about the noise, you are limited. We would like gadgets that still give high security at a fairly low noise level, on the right of the plot. So we try to build better gadgets, and we look at the matrix generation stage. On the top we have the inputs to that stage, and on the bottom the outputs. For ISW, we simply replicate the data: we do no operation, which is extremely cheap, but each input share goes out D times. This means that we use that share D times, and we leak a lot about it. How can we reduce that? The idea of Battistello and Coron was to refresh in a tree. If you do it properly, you still preserve the functionality of the gadget, and you add refreshes, which inject randomness and therefore make it much harder to recover the data. As a result, each input share is used at most log D times instead of D times, which hopefully increases the security level. And we realized that, looking at this tree representation, we can do better.
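The tree idea can be sketched as follows, under my own simplifying assumptions: a cheap refresh that XORs a fresh zero-sharing onto the shares (deliberately not SNI, as discussed at the end of the talk), and a binary tree that refreshes at every split, so no intermediate sharing is consumed more than a constant number of times:

```python
import random
from functools import reduce

def refresh(shares, rng=random):
    """Cheap refresh: XOR a fresh sharing of zero onto the shares
    (not SNI; simpler than the refreshes used for composability)."""
    r = [rng.randrange(2) for _ in range(len(shares) - 1)]
    zero = r + [reduce(lambda u, v: u ^ v, r, 0)]
    return [s ^ z for s, z in zip(shares, zero)]

def replicate(shares, copies, rng=random):
    """Produce `copies` copies of a sharing through a binary tree,
    refreshing at each split, so each intermediate sharing is used
    only O(1) times instead of `copies` times."""
    if copies == 1:
        return [shares]
    return (replicate(refresh(shares, rng), (copies + 1) // 2, rng)
            + replicate(refresh(shares, rng), copies // 2, rng))
```

Every copy still recombines to the same value, since each refresh only adds a sharing of zero; this is the functional property the matrix generation stage must preserve.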
We just add a second refresh on each layer of the tree, and then each input share, and each intermediate variable, is used only a constant number of times. So that might give an even better security level. And indeed, if we look at the output of the evaluation, going from the blue curve of ISW to the red curve with one refresh per layer and then the green curve with two refreshes per layer is quite a significant improvement. Another, more theoretical way to look at it is based on the concept of noise rate: how much do you need to increase your noise as you increase the masking order in order to keep some security? For ISW, if we double the masking order, we need to double the noise level, so we say that the noise rate is one over D. For the gadget with one refresh per layer of the tree, we get a one over log D noise rate, which is much better and makes it much easier to get a high security level at low noise. And finally, for our gadget with two refreshes per layer, it's even better: it looks like we have a constant noise rate. This is only a heuristic evaluation, so we have no proof, but it looks like this gadget could have a noise rate of one. The very nice thing about this gadget is that it works for Boolean masking, that is, on bits and not on larger fields, contrary to the theoretical literature, where gadgets with this nice constant noise rate exist but require very large computation fields, in which multiplication is expensive to implement.
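One compact way to restate these scalings (my reading of the talk; the last one is explicitly heuristic) is in terms of the leakage probability p of the local random probing model that each gadget can tolerate as the number of shares D grows:

```latex
p_{\text{ISW}} = O(1/D), \qquad
p_{\text{one refresh per layer}} = O(1/\log D), \qquad
p_{\text{two refreshes per layer}} = O(1) \quad \text{(heuristic, no proof)}
```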
Before concluding, I would like to look at another metric we are interested in, which is on the vertical axis here: the cost in terms of operations and randomness. This is a quite rough evaluation; we don't go into any specific implementation, it's just an abstract evaluation to compare things. So do not take this as a definitive performance result, you should specialize it for an implementation, but it gives the trends. Compared to the previous graph, we fix the security level, to 40 bits in this case, and we keep the same horizontal axis. Then we can put all our gadgets, with varying numbers of shares, on this graph, and we can observe quite a few things. First, if you want to go to the right of the graph, that is, to low noise levels, it's just impossible with the ISW gadget; you need other gadgets, such as the ones with refreshes in the matrix generation stage. Then you can see that for ISW, at some point, increasing the masking order makes things worse, so you should be careful not to increase your masking order too much. And finally, despite ISW being somewhat suboptimal in the low-noise region, it's quite good in the high-noise region, so you should not drop it completely. This graph is quite interesting because it shows the trade-offs you can make as an implementer. If you are implementing hardware, you can choose your noise level: if you want to increase the noise or reduce the signal, there are many techniques to do that, but they have a cost. On the other hand, masking, with all the operations and randomness that it needs, is another cost. This graph basically shows that you can choose your security level, say 40-bit or 60-bit security, get this map, and choose which point you prefer as a trade-off.
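To give a feel for the randomness axis, here is a small cost sketch under my own assumptions (ISW compression uses one fresh bit per share pair; the simple zero-sharing refresh costs D - 1 bits; a binary tree producing D copies has D - 1 splits). These are not the paper's exact counts, just the shape of the trade-off:

```python
def isw_random_bits(d):
    """Randomness of the ISW compression stage: one bit per pair of shares."""
    return d * (d - 1) // 2

def refresh_random_bits(d):
    """A simple zero-sharing refresh of a d-sharing costs d - 1 bits."""
    return d - 1

def tree_random_bits(d, refreshes_per_split=2):
    """Extra randomness if the matrix generation stage refreshes along a
    binary tree with d leaves (hence d - 1 internal splits)."""
    return (d - 1) * refreshes_per_split * refresh_random_bits(d)
```

Comparing isw_random_bits(d) with isw_random_bits(d) + tree_random_bits(d) at a fixed security level is essentially one point on the trade-off map described above.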
So, to conclude, we have been analyzing those horizontal attacks on masking schemes. We went from a qualitative analysis to a more quantitative one, which gives good insights about how multiplication gadgets should be built, and this gives us a new one that we think is quite relevant. Finally, we showed the trade-off between noise and randomness or computation that you can make as an implementer. By the way, there is another part of the paper which is about composing those gadgets using the PINI property and reducing the randomness for a given security level, but I did not present it here. Thank you for your attention. Okay, there's some time for questions. Thank you for the presentation. Short question. In your opinion, how difficult is it to prove the conjecture you have? That's the first part of the question, and the second part is: to prove the conjecture, do you think that we need your new model, the local random probing model, or can we prove it in the classical random probing model? So, first of all, if you want a real proof, you cannot do it in this local random probing model, because it is somewhat of a heuristic model. There is no formal definition of the local random probing model; for instance, the result you get depends on the factor graph that you choose. I've shown a graph where the edges correspond to the operations we perform, but if you add a refresh there, actually a big chain of refreshes, and you have perfect information on the output shares and try to propagate information back to the input shares, belief propagation will tell you that you lose quite a lot of information, whereas you know that this is only a refresh, so actually you have perfect information.
That is why you cannot make a rigorous proof in this model. Then, as a second hint about how to make this proof, which is still a tall order: in the Battistello-Coron paper, they add those SNI refresh gadgets inside the multiplication. Those are quite nice for formal analysis, but they are expensive, and since we know that inside those gadgets we are not really interested in composition properties, we went to simpler refresh gadgets that are not SNI, and that helps us improve the performance. So maybe to make the proof, you would need to go back to SNI refresh gadgets, but I have no idea about that. Thank you. Okay, another short question? If not, let's thank the speaker again.