 So this talk is about masking the GLP lattice-based signature scheme at any order. And it's a paper by Jean Barthes, Sonia Belaïde, Thomas Esposito, Pierre Alenfouc, Benjamin Grégoire, Melissa Rossi, and Mediti Bucci. And Melissa is giving the talk. Hi. Thank you for the introduction. I'm Melissa. I'm going to present the work on masking. We decided to study how to mask a post-quantum signature scheme. So why masking a post-quantum signature? There have been numerous sectional attacks, again, lattice-based schemes today, because they use new features like Gaussian distributions or rejection sampling. And those two features are threatened by, for example, cache attacks, timing attacks, and differential power analysis attacks. And those attacks can recover the secret easily. For example, in AES, those kinds of attacks can recover the secret in minutes or even in seconds. So those attacks are very powerful. And for now, since those features are quite new, there are few contra-measures for now, and especially on signatures because of those new features. So since there is a call for concrete implementation, as you know with the NIST competition, those six schemes could be eventually used in industry. And so these cause strong contra-measures because, for example, they can be used as smart cards or in internet of things. And so this could be threatened by those kind of attacks. So that is why we decided to mask a post-quantum scheme. So I'll briefly explain how masking works for the people who don't know how. So masking is a contra-measure against a certain type of attacker model. So for a classical attacker model, the attacker used the inputs and the return value of the algorithm. But in masking, it protects against another kind of attacker model, which is called ISHA, SI, and Wagner model, which has been introduced in 2003. So it's a very powerful attacker model where the attacker gets access to the input value, the return value, but also he can pick some values inside the algorithm, so intermediate values. Those values are called probes. So it's also called a probing model. And so it's really proof-friendly because we get the exact values, the exact intermediate values. But it's not a really realistic model. There's another realistic model, which is called the Noisylicatch model. And it's a model where the attacker gets the input, the return value, but also he gets information, noisy information, about intermediate values. So he can get that with measuring the power construction, measuring the electromagnetic waves around the chip, which is running the algorithm. So this is a more realistic model, but it's hard to make proofs in this model. So what is done is that we prove the security in the ISW model and their reduction. So if it's secure in the ISW model, then it's secure up to a certain level of noise in the Noisylicatch model. So we proved the security of a post-quantum signature scheme in the ISW model. So masking is a contra-measure which is securing a scheme against an ISW attacker. So it's at an order D. And each sensitive value is replaced by D plus 1 shares. And the idea is it is impossible to recover the value without having all the shares. So it's a secret sharing. And then any strict subset of at most D shares is independent from the sensitive value. So each sensitive value must be shared into D plus 1 shares inside the algorithm. So we can see that it can be really costly in terms of performances. So in this paper, we provided the first provable mass implementation of a lattice-based signature scheme. And this at any order, it means that we take D as a parameter. And so for that, we introduced new techniques for masking lattice-based fiat-chamia with abort signatures, which is quite new because the masking schemes were mostly targeting symmetric cryptography. And so the fact that those algorithms are probabilistic was a challenge for this work. We provide also new proofs for masking probabilistic algorithm. So I'll first present the signature. Why did we choose DLP? And then I'll present the contra-measure and its proof. And finally, I'll present the performances because we provided proof of concept where it's an implementation of GLP mask up to an order D. So the GLP signature scheme has been introduced by Eunice Lyubasevsky and Popelman in 2012 in chess. It's the ancestor of bliss. And the lithium. The lithium is a candidate for the NIST competition. And it has no gaussians, only uniform distributions. So masking gaussians can be a challenge because masking the sum of discrete gaussians is not a discrete gaussian. So for a first masking, for a first step, targeting a scheme which used only uniform distribution was a good idea. So we just targeted this that used only uniform distributions. But still, there were some difficulties that didn't appear before. This scheme is a probabilistic algorithm. And also it relies on rejection sampling, which is a new feature. So we had to introduce new techniques for that. So now I'll present briefly how GLP works. So here is the key derivation. It uses this ring, ZP of x modulo x to the n plus 1. And there is also another RK here, which is the ring R with the coefficients in minus KK. So it's R with small coefficients, with elements with small coefficients. So the key derivation is really easy. It has five steps. So the first step is to derive the secret S1 and S2, which have small coefficients. So they are in R1. They are coefficient in minus 101. And then we derive A, which is in the big ring R. So it's a public value. And so we derive T, which is AS1 plus S2. And finally, the secret key is S1, S2. And the public key is AT. So we can see that this algorithm is based on the ring LWE-like problem. Because if we have AT, and if you want to distinguish it from random, we have to see if T is equal to AS1 plus S2. But actually, S1 and S2 have different distribution. And it's a ring LWE problem, where we have only one sample. So this problem has been renamed in the original paper as a Decisional Compact Napsack Problem. So now the signature. It's a Fiat-Chemir with a board signature. So it's an adaptation of a Fiat-Chemir identification protocol, which has commitment and challenge. So it has also six steps. The first step is to generate random, so Y1 and Y2, which are in RK, where K is 2 to the 14. And so there is a commitment value, which is computed, which is R, equal to Ay1 plus Y2. And this commitment is hashed to challenge C. And then Z1 and Z2 are computed as S1C plus Y1 and S2C plus Y2. And since the distribution of Z1 and Z2 can leak the secret, because it depends on S1 and S2, the idea is to use rejection sampling so to check that the distribution would not leak the secret. So all Z1 and Z2 that are too big are rejected, and the signature is restarted. With GLP parameters, the number of attempts before getting a right signature was around 7. And so finally, the signature is Z1, Z2, and C. To check if this signature is correct, we just compute the commitments, so by getting AZ1 plus Z2 minus DC, and check if it fits with the challenge C. So this was the algorithm. But now how to mask this? So we use a technique which is quite general, which has three steps. So first, we choose which algorithm are using the secrets to mask them. For example, here, the verification does not use the secrets, so we didn't mask it. So the signature and key derivation needed to be masked. So they are first divided into blocks that are called gadgets. And then each block is studied individually, and we prove one security property with each block. So we use several properties, so first, unmasked for non-sensitive parts, then non-interference. So it's non-trivial to understand property. So we prove that every step of every set of at most the intermediate value can be simulated with at most D shares of the input. This security property is a little bit stronger than the security in the ISW model. But this is needed for proving the security of the whole scheme and to compose the security. And so for this setting, we had to introduce a new security property, which is called non-interference with public outputs. So we select output, which are intermediate values, and we give it for free to the attacker. So we prove that every set of at most D intermediate values can be perfectly simulated with the public output and at most D shares of each input. So it's like giving some values that are output to the attacker. But we also prove that the control measure does not leak more than the output and that the output does not leak anything about the secret. And finally, there is a composition proof, which uses all the security property together and prove that the whole scheme is secure. So this was the method to prove the security in the ISW model. So for masking, the key derivation. So first, let's divide it into blocks. So for generating the secret S1, S2, we introduced a block which is called data generation, which outputs the number of trials before getting a correct masking. And then it outputs the masking of S1 and S2 in mask form. And actually, in arithmetical mask form. So the sum of each shares mod P is equal to the secret. So this is for generating the secret. For generating A, since it's a public value, it's generated not masked. And then we use an arithmetical step to compute T. And so it computes T in mask form. So the secret is outputted in mask form as being S1 and S2. And since T is a public value, it needs to be unmasked. So we use a block which is called full add, which is refreshing the mask and adding them together. And then it outputs T, which is the public value. And so we have the secret, the public key, which is 80, which is unmasked. So here is the block form of the key derivation. And so we studied each block separately to prove the security. And so we proved that H1 and full add are non-interference. And that data generation is non-interference with public output trials. And so with those security, we proved that the key derivation is secure in the ASW model. For the signature, it was a little bit harder because there were a problem with the commitment value, which is R, which is equal to A1 plus Y2. The problem is that we did not want to mask the hashing function because it would have been terrible for performances. And if we see the signature as an identification protocol, we don't see why R should be secret. So actually, we proved that masking the commitment was unnecessary and that it could be an output. So by proving that distinguishing RC pairs from uniform is a hard problem, even for rejecting these executions. For the final execution, we can see that we can recover C and R. So they're not sensitive. But for the rejected execution, it wasn't trivial to prove. So to prove the security of GLP sign, we did the same. We divided it into blocks. So first, we used the same blocks as for the key derivation, so data generation, which outputs Y1 and Y2 in mask form. Then we compute the same arithmetical block to get the commitment R. And since R was proved not sensitive, we unmasked it with the full ad block. And then we hashed it with the message to get the commitment, the challenge. And then with this, we can compute Z1 and Z2, so with using Y1 and Y2 in mask form. And after, there is a step which is the rejection sampling, which was a little bit complicated. So here is the rejection sampling step, which outputs the signature. So here is the GLP sign in block forms. So we started each block separately to prove the security. Here is the security of the blocks. So the green ones are non-interferent. And we can see that the hash function is not masked, because we proved that R is not sensitive. And so we also had to prove that the full ad at the middle was non-interferent with public output R. So to prove that, most blocks were quite classical for masking, but there were two blocks, especially that were new. So data generation and rejection sampling, so RS block here. For that, we used what is called conversion Boolean to arithmetic. So let's see it on the example of the rejection sampling. So we want to know if Z1 is in RK minus alpha. So actually, we want to know if Z1, which is the sum of all the ZIs, mod P, mod P, is lower than K minus alpha. And this is hard to do with this kind of masking, because it's the sum mod P. And it would be easier with a Boolean masking. So we used a work from Corom Cross-Shall and Vlana in 2014, which converts an arithmetical masking and gives a Boolean masking. And so we used this to convert it to the Boolean masking to get what we wanted, so to know if it was lower or higher than this value. So finally, here are the performances of our work. So we provided an implementation with several orders of masking. For example, for a number of shares, which is 2, the algorithm is 15 times lower. And it gets higher and higher. And for example, for four shares, the algorithm takes around 40 seconds. So for now, it's not really practical, but it's quite promising, because it was just a proof of concept, and it can be optimized. So it's proving that masking lattice-based signatures can be done. And so the code of this implementation will be published soon. And as I said, there is a margin for improvement of performances here. So in a nutshell, we provided a provable mask implementation of GLP Signature Scheme with new techniques adapted for the Fiat-Chemier framework. And this can be applied directly to Deletion. And actually, there is an implementation in progress, which will be published soon. And now we will study how to mask other schemes, like Blitz or Deletion G, which use Gaussians. So we need to find a solution for Gaussians. And also in those schemes, we are not sure that the hash function can be at-masked as in GLP. So here is the future work. So thank you for your attention. There are two links for the paper and blog article. So when you're masking trials, is that just the number of trials? Like the number of trials it took to run a rejection sampling? Because I haven't actually seen anything as to how that would help. It seems like the, I mean, as to how you would use that alone to provide an attack versus more detail about what's going on, what's actually happening in the trials. Which number of trials? The number of trials in data generation here? Yeah. Oh, okay. Here it's not masked, actually. It's outputted. Oh, all right. It's given for free to the attacker. It's not masked in any way, so just. No, this is not masked. I guess I'm, all right, so. It's a, yeah, and so. All right, let me send this to that, all right. And actually the number of trials is often one with this implementation, so that's. Thanks for the nice talk. So I was wondering, you said that Gaussian sampling makes it hard. Is it the sampling itself that make it hard or the computation of the rejection rates that gets involved computing transcendental function? Actually, those are two different hard problems. And for now we are just looking at how to just generate shares with that sum to something that has the Gaussian distribution. And for now we thought that we could use Gaussian, shares with Gaussian distribution, but actually, since it's a discrete Gaussian, it's different. So for now we might look at how to mask cumulative tables for this, and this would be a solution, but expensive solution. And for the Gaussian rejection sampling, for now we didn't look at that yet. Okay, so maybe it would be easier to work with binomial distribution, at least for the sampling. Yes, that's what we. But then the rejection becomes even more tricky, I guess. That's what is in this, for example. We have time for more questions. I just have one more general question, maybe. Do you know about other post-quantum techniques like code-based or isogeny or something like this? Is it easier or harder to mask? For multivariate cryptography, for now there is no masking. Hash-based, I don't know. And for codes, there were some words that used a code word as masks, but I don't know if there is de-order masking for this. Okay, thank you. So let's thank the speaker again.