 Hi, my name is Christoph, and since it's quite late, I will make it quick. This talk is about fault attacks, and so let's have a start. Let us assume we want to protect block-self against implementation attacks. What can we do? First, we can use masking to protect against side-genar attacks. To force an attacker to use higher-order side-genar attacks, and then, for instance, we can add redundancy to protect against fault attacks, and try to force an attacker to use multiple faults per execution to attack the primitive. Or as it turns out, an attacker can also use CIFA, which manages to attack such protected implementations just using one fault per execution of the block cipher, which typically does not really care about the protection order of the primitive or the redundancy used. So what is CIFA? It's the union of statistical fault attacks and ineffective fault attacks. So what is cool about CIFA is actually this slide, which I will skip since it's late. What you might care about is the question, how hard is it to find a useful location to fault in your implementation? Here you see an example of a mask-IS implementation software. Here you see the instruction needed to compute the second-to-last S-box layer. And if you are able to set one byte to zero during the execution, you can use any of the black locations to mount the fault attacks, so approximately 70 percent of these instructions are susceptible in order to mount an attack. And if you consider that setting one byte to zero is a two-hard fault model, you can also, for this specific implementation, flip one byte, set one byte to zero, or randomized one byte, or randomized one byte, or even skip an instruction. So if you want to know how this attack actually works, you can read the papers, which will be presented at this year's chess and Asia Crip. Thanks.