Okay, so coming to the next talk, the second talk of the session is the first on side-channel attacks. It's called Higher Order Side-Channel Security and Mask Refreshing. It's a joint work by Jean-Sébastien Coron, Emmanuel Prouff, Matthieu Rivain and Thomas Roche, and Thomas is speaking. We'll talk now about side-channel analysis and more specifically about a higher order side-channel countermeasure that has been proposed by Rivain and Prouff in 2010. We will show a weakness in this proposal and we will patch it. At the end of the talk, I will derive some properties that we would want to see in an S-box for an efficient implementation that is secure against side-channel analysis. So a little bit of history. Side-channel analysis was introduced almost 20 years ago already and since then a lot of attacks have been proposed in the literature. So basically, the idea of side-channel analysis is to use not only the input and output of a crypto primitive but also some information that you can get through a side channel. So by observing the device running the crypto primitive, you can gain information about its internal state and break the cipher more easily than with classical cryptanalysis. So we will mostly talk about higher order side-channel analysis, meaning that we will consider that the attacker is able to observe several internal states during the cryptographic execution. The main countermeasures against side-channel analysis are the masking techniques, shuffling and whitening. We will talk about masking here, which is certainly the most secure way to counteract side-channel analysis but still pretty expensive in practice. Shuffling and whitening are cheaper techniques but don't enjoy security proofs as the masking technique does. Shuffling is randomizing the order of the instructions and whitening is adding some noise to the side-channel measurements.
So for side-channel masking or sharing countermeasures, the basic idea is that instead of manipulating the intermediate variables of a cipher, we will manipulate them through a sharing of them, a secret sharing of them, and that way the manipulation is independent from the secret. What is nice about this masking technique is that when an intermediate variable is manipulated through d shares, observing the d shares in order to break the cipher, in order to gain information about the secret, has a complexity that is exponential in the order, in the number of shares, with respect to sigma, where sigma will be the standard deviation of the measurement noise in my talk. Masking countermeasures have security proofs that are done in the probing adversary model that I will define here. So a d-probing adversary is able to observe d intermediate variables without considering any noise, and if a countermeasure is secure against such adversaries then a real adversary needs to observe at least d plus 1 intermediate variables in order to attack. So there have been some countermeasures that can be proven, and recently some of these countermeasures can be applied for any order d, so any number of shares. So more formally, what is a higher order masking scheme? It's a transformation of a cipher, C here, that transforms it to a new cipher, C prime, that takes a sharing of its inputs and outputs a sharing of the output, such that any family of d intermediate variables is independent of the secret. Usually the sharing, the encoding of the variable, is done based on a linear encoding with respect to the field, the cipher field, the finite field. So the linear transformations of the cipher are usually easy to mask, to handle through this encoding, but the non-linear parts, the S-boxes, are hard to handle through this encoding. So how do we mask the S-box at higher order?
So this is the original work from Ishai, Sahai and Wagner in 2003 at Crypto, and the main idea is to write the S-box as a polynomial function and divide it into elementary operations in the field, like in F2 for the original paper, but it has been extended to any field, like by Prouff in 2007, and then process each of these operations one after the other. The sharing that we use is a bitwise addition, meaning that the shares of a variable x together give the variable x and each of them is independent of the secret. So for the linear transformations the handling is easier, as I just said. We just have to apply the linear transformation to each of the shares individually and then we get the output that is the sharing of the real output of the function. For the non-linear part though, so the multiplication in the field, we will have to design a specific algorithm, and this is what ISW did in 2003. So let's consider two inputs a and b that are shared, and we want to define the output c that is the product of a and b, in a shared manner. So we can see that to compute this output we actually have to compute each of the products of the different shares of a and b, and I give an example for d equals 2. So all the different products are here in this matrix form, and the ISW algorithm follows these different steps. So we first add some of these products of shares, and in order to do this computation here, which actually depends on two shares of the same variable and would then introduce a weakness, the operation should not be manipulated as such, so we will need to have some random values. So these three fresh random values here that we add here in order to do so, and here we have each of the intermediate variables that will be computed by our secure multiplication, in such a way that if we follow the brackets in order to do the operations in the right order then all the manipulations are secure at this order.
At the end we have the output shares of the multiplication, the three shares of c. So this algorithm has been proven to be secure at order 2 and extended to order d by Rivain and Prouff in 2010. So how do we use such an algorithm in order to secure the AES? So to secure the AES, the S-box of the AES. So the nonlinear part of the AES S-box is a power function. The inverse function in the field of 256 elements can be written as the exponentiation to the power 254. So first we divide the exponentiation into multiplications and squarings. The squarings are linear operations in the field so we will do them share-wise. Multiplications though are more complicated; we will use the scheme that we just saw. What is easy to see right now is that when we have an AES S-box written in polynomial form we want to reduce as much as possible the number of multiplications and increase the number of squarings respectively, because they are much more efficient to process. Rivain and Prouff showed that the exponentiation to the power 254 could be done using only four multiplications, and this is optimal. So the overall algorithm looks like this; it computes the full AES S-box, the nonlinear part of the AES S-box. We have the four multiplications here, the secure multiplication. We have some squarings, or powers 2 to the j, which are linear operations, and we also have some RefreshMasks operations. This operation is needed for one reason: the secure multiplication needs to have independent shares as input. The first input and the second input must have independent shares, and if there was no RefreshMasks then the shares would not be independent anymore and then the security would not follow. So what was proposed by Rivain and Prouff is to use this very simple RefreshMasks function. From a shared variable z we want new shares, z prime. We just have to loop over all the shares, add a new random to each share and accumulate the new randomness into z0 for instance.
That way we keep the shares equal to z and we have new masks, new shares. Well, actually this is the origin of the flaw that we will see right now. We will consider the first three operations in our exponentiation, which are a squaring, a RefreshMasks and a secure multiplication. In fact what we show in our paper is that if we combine some internal value of the RefreshMasks with some internal value of the secure multiplication then we can create something that is dependent on the secret and we don't need as many as d plus 1 intermediate values. So we'll try to show that. So if we look at the d/2-th iteration of the loop of the RefreshMasks, we will have the z0 that looks, that is the sum of z, the sensitive variable, the sum of half of the new shares of z and the sum of the second half of the old shares, and in fact by definition the old shares are the squares of the shares of the initial value x. Now if we look at the secure multiplication, we have seen already that it will handle all the products of the different shares of its inputs, so somehow if we manipulate this intermediate value, this is the product of the shares of z and the shares of x. So what we have, if we gather all this information, we have d/2 intermediate values here plus one intermediate value here from the RefreshMasks. If we gather them all together then we have something that is dependent on the secret and there are only d/2 plus 1 intermediate values. So we have something that breaks the d-th order security. So how can we overcome this issue? Well, one way would be to use a much more complicated RefreshMasks, and we believe that this would provide higher security and avoid this problem of higher order attack. However it's pretty hard to prove and also it's very expensive because we would have this expensive security condition here.
So we went another way: instead of replacing the RefreshMasks we will actually gather together the three operations here and make one simple operation, which is actually this function h that is the product of x by x to the power 2 to the j. So how will we do that? We first write the output of this function h as a combination of the different input shares, and we come up with the application of h to the different shares plus the application of this function f to each pair of shares. This function f is actually a bilinear function and has the nice property that we can write it as a sum of applications of h. Why is this interesting? This is interesting because we will be able to do the secure computation of h only using the function h and without using any multiplication in the field. So we can tabulate this function in memory and then apply it in a very efficient way, whereas the multiplication in the field can be costly. So a brief look at the secure version of the function h. So we have a shared input a. All these are the different values that we have to evaluate in order to compute our output c. We will follow the same path as for the ISW scheme here and we want to secure this operation here. So we have seen that they can be written like this. So we will add the randomness for that, and we will need a little bit more work than before, so we will go into this function f. We have seen that it can be written as a sum of h functions, and we need to secure this operation and we will do that by adding new randomness again. So we need more randomness but on the other hand we only have to use this function h that can be evaluated efficiently. And finally we have the output shares of our operation. The security can be proven at the d-th order. So this is what we do in the paper. And what we get finally is a whole exponentiation to the power 254 that looks like this, with two secure h functions and two secure multiplications, with three squarings.
So we can show that on a standard platform it is more efficient than the old version, the Rivain-Prouff version, and also more secure. So to conclude, we propose a security enhancement of the Rivain-Prouff masking scheme. But if we want to go a little bit further, we don't yet have global security for this scheme. We need to take the whole cipher implementation into account. We only have some parts of it. Each part of it is secure but we have to show that the composition of each of them is also secure. On efficiency, we found out some way to compute the secure S-box more efficiently. And the question that we might ask is: can we do better? Can we have a better expression of the function to the power 254? A better expression would be one with fewer multiplications and more squarings or h functions. This goes also into the discussion of how to design a cipher nowadays: maybe if we can take into account such constraints then we will have ciphers that are more efficient when dealing with side-channel attacks. Thank you for your attention. Thank you very much. Are there any questions? We have time for one or two questions. But I have a question. In the paper you say there is an absolute overhead of 600 bytes compared to the Rivain-Prouff proposal. How much is the relative overhead compared to that proposal? It's 600 bytes, and how much is it? It didn't need any ROM. I think the Rivain-Prouff implementation didn't need any ROM. So we are asking the same question in RAM. But in RAM I think that it didn't need any ROM. There was no pre-computation. Any other questions? If not, let's thank the speaker again.
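As an added example (not code from the talk, the paper or the authors), here is a small Python model of the Boolean sharing, the ISW secure multiplication over GF(2^8) and the simple RefreshMasks loop described in the talk, together with a check of the identity it states for z0 after d/2 iterations of that loop. The function names, the use of the AES field polynomial and the `stop` parameter that halts RefreshMasks early are assumptions of this example.

```python
import secrets
from functools import reduce
from operator import xor
def gf256_mul(a, b):
    # Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    p = 0
    for _ in range(8):
        p ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def share(x, d, rng=secrets.randbits):
    # Boolean sharing: d random shares plus x_0 chosen so that all d+1 shares XOR to x
    s = [rng(8) for _ in range(d)]
    return [reduce(xor, s, x)] + s

def unshare(s):
    return reduce(xor, s, 0)

def sec_mult(a, b, rng=secrets.randbits):
    # ISW secure multiplication of two (d+1)-share inputs, as used by Rivain-Prouff
    n = len(a)
    r = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = rng(8)
            # the brackets matter: the random is added before the cross products meet
            r[j][i] = (r[i][j] ^ gf256_mul(a[i], b[j])) ^ gf256_mul(a[j], b[i])
    return [reduce(xor, (r[i][j] for j in range(n) if j != i), gf256_mul(a[i], b[i]))
            for i in range(n)]

def refresh_masks(z, rng=secrets.randbits, stop=None):
    # Simple RefreshMasks: a fresh random into each z_i, accumulated into z_0.
    # stop=k runs only the first k loop iterations, exposing the intermediate z_0.
    z = list(z)
    for i in range(1, (stop or len(z) - 1) + 1):
        r_i = rng(8)
        z[i] ^= r_i
        z[0] ^= r_i
    return z

def refresh_identity_holds(x, d, rng=secrets.randbits):
    # The identity behind the flaw: after d/2 iterations on z = x^2, z_0 equals
    # z XOR the first d/2 refreshed shares XOR the last d/2 original shares.
    old = [gf256_mul(s, s) for s in share(x, d, rng)]  # squaring acts share-wise
    half = d // 2
    new = refresh_masks(old, rng, stop=half)
    expected = reduce(xor, new[1:half + 1] + old[half + 1:], gf256_mul(x, x))
    return new[0] == expected
```

The identity check passes for every x and d because it is purely algebraic; it is the reason that z0 at that point of the loop, combined with products formed inside the secure multiplication, depends on the secret with fewer than d+1 observations.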