Hi everyone, I'm Maria Chiara Molteni and I'm a PhD student at the University of Milan. I'm going to present the paper titled "On the Spectral Features of Robust Probing Security", which has been written in collaboration with Vittorio Zaccaria. This presentation starts with an introduction about the context in which our work takes place, goes on showing its main theoretical contributions and some applications to well-known schemes, and, after some reasoning about the complexity and scalability of our method, I conclude with some possible future works.

Our work addresses a formalization of probing security, which I'll describe briefly now. We consider a circuit handling some secrets and an attacker that tries to recover some information about these secrets by placing one or more probes on its wires. As pointed out by some recent works in the probing security framework, this topic has some gaps from the point of view of the mathematical formalization when glitches are taken into account. The main aim of our work, then, is to give some of these missing theoretical formalizations, as I will try to explain during my presentation.

Let's start with some well-known definitions relating to probing security. A circuit, or a part of it that is called a gadget, is d-probing secure if, given at most d probes, it is impossible to derive information about the secrets. In this slide, there is an example of two very simple circuits. The one on the left is 1-probing secure: wherever an attacker places a probe, she cannot recover any secret. On the contrary, on the right there is a basic circuit that is not 1-probing secure, because if an attacker places the red probe as in the figure, this probe gives her information correlated to the XOR of the shares, and then she is able to know the secret.

An evolution of the probing security concept is d-non-interference. A gadget is d-non-interfering if, given at most d probes, it is possible to derive information about at most d shares of any secret. In this slide, there is an example of a gadget that is 1-non-interfering: the attacker can place the red probe on any wire in the circuit, but she can recover information about at most one share. For example, she can recover only the share a0.

Finally, to ensure composability of the gadgets, I introduce the concept of d-strong non-interference. A gadget is d-strong non-interfering if, given at most d1 probes placed on internal wires and d2 probes placed on output wires, the attacker can derive information about at most d1 shares of any secret. The 1-non-interfering gadget presented in the slide before is not 1-strong non-interfering, because the red probe placed on the output allows her to know the share a0. Instead, this circuit is 1-strong non-interfering. On the left, there is an example of an internal probe placed on this circuit: in this case, the attacker can recover the share a0 with an internal probe. On the right, there is an example of an output probe, which gives no information to the attacker.

We call robust the probing security analyzed when some physical defaults happen that can give some additional information to an attacker. In this scenario, the probes are called extended, and in the literature three different types of extended probes have been defined: the extended probes that model glitches, those that model transitions, and those for coupling. In our work, we take into account only the case of physical defaults caused by glitches. In the following slide, I'm going to explain why we decided to study possible developments in this direction. Many works that have been published about this topic highlighted a lack of mathematical definitions of robust probing security. Then our work tries to fill this gap in two ways. Firstly, from the research standpoint.
So previously, the composability problem has been solved through some instance-by-instance approaches and tools. For example, maskVerif is a state-of-the-art tool that faces the composition problem: it takes as input a fixed configuration instance of a gadget and it declares whether it is robust probing secure or not. We try to give an improvement in this context, building conceptual tools and rules to derive a general solution to common problem patterns. Secondly, from the development standpoint, existing tools are based on syntactic models that generally are efficient but need some validation. What we propose is a new approach modelled on the exact theory of Boolean functions, giving further verification tools to check the gadgets' composability. We are aware that our method has some limits on the computational complexity due to the exponential size of the studied matrices, and it will be a future direction of improvement.

Our theoretical contribution is based on the theory of Boolean functions, and in particular we exploited the Walsh matrices and their properties. From them, we define the vulnerability profile of a function, but mostly we are able to compute the vulnerability profile of a composition of functions, giving some rules to verify the security of this composition. For this purpose, we also introduce a classification of extended probes to deal with the hardware gadgets' composability.

Then, as just told, our contribution is based on the theory of the Walsh matrices. It's possible to define a Walsh matrix for any Boolean function, and any Walsh matrix describes the spectral profile of that Boolean function. Each element in this matrix is computed through the equation presented in this slide. From the Walsh matrix, it's also possible to derive another matrix, called the correlation matrix, by substituting any non-zero element with one.

In this slide, there is an example of a function and its Walsh matrix; with gamma, we denote the spectral coordinates of a variable. In this matrix, it's easy to note that, for example, the XOR between the two shares of the output, o0 and o1, gives information about the XOR of a0 and a1. This correlation is highlighted by the pink circle in the matrix. We define the compact representation of the correlation matrix as its reshaping, computed by compacting the spectral coefficients and taking into account only the number of shares of their original variable. So from the matrix in the example in the slide before, we compute the compact representation in this slide. Alpha, rho, omega, and phi are called the compact spectral indexes of the inputs, randoms, outputs, and probes respectively. The pink element highlighted in the slide before is now represented by the blue element in this matrix, and it shows that two shares of the output give information about two shares of the input. This new matrix gives us the information that we need to define the probing security of the original function, but it is more handy than a Walsh matrix thanks to its smaller dimension, and its easy handling is clear above all when we deal with the composition of functions.

In this slide, we introduce a definition that is useful in the following slides. The vulnerability profile of a function is the tensor product of the regular Walsh transform of the function and its probes, multiplied by the Walsh matrix of the duplication function, called delta. Here in this slide, there is the representation of the vulnerability profile of a single function on the left, and the vulnerability profile of a composition of two functions on the right. In addition to the new method created to reason about the probing security of gadgets, in our work we give a clear classification of extended probes.
At first, we define a pure probe as a probe that is placed on a wire and that gives information about all the inputs of the function computing that value. In this slide, there is the vulnerability profile of a composition, and the red arrows point to the pure probes. A composite probe is a probe placed on a wire in which flows the value computed by the composition of more functions. As an example, we consider the same gadget as before, and the red arrow points to the only composite probe in this gadget. An output probe is a probe placed on an actual output of a function, and it's important to note that during the composition of functions these probes can produce some new probes. Red arrows point to the output probes of the same function. Finally, an internal probe is a probe placed on an internal wire, and it cannot produce new probes when composing functions. Note that a probe can be pure or composite, but not both, and it can be internal or output, but not both.

In the following slides, I'm going to present some applications of the theoretical tools just exposed, and in particular we analyze the robust probing security of two well-known multiplication gadgets, also proposing for one of them some improvements that allow it to become robust d-strong non-interfering.

At first, we analyze the consolidated masking scheme (CMS), a multiplication gadget that has been developed to provide probing security and protection against glitches. The number of shares is d + 1, and we call a_i and b_i the shares of the secrets a and b, and c_i the shares of the output. Every c_i is computed in a logic cone, and adjacent cones share only one random bit. Moreover, every internal bit in a cone preserves uniformity. The whole computation is decomposed in three layers called non-linear, refresh and compression; the latter two are separated by registers. In this slide, there is an example of this scheme when d is equal to three.

It has been proved in previous works that this scheme is not robust d-probing secure for d greater than or equal to three. To improve this scheme and make it robust d-probing secure, we analyze this problem through the previously defined classification of extended probes. We can note that in this scheme there are two types of probes: pure internal probes placed on the outputs of a refresh layer, each one giving information about one share of a, one share of b, and two randoms; and composite output probes placed on the outputs of a compression layer, each one giving information about the d inputs of the last layer. Labelling as c_i the output composite probes, we summarize in the table in this slide which pairs (a_i, b_j) are covered by every output probe. It's then clear that, given one of the output probes, an attacker needs to recover only the two random bits from the adjacent cones through pure internal probes to find the secret b. In this slide is reported an example when d is equal to three. Here, if an attacker places the three red probes on c0, r0, and r4, she can recover the secret b.

In our paper, we give a first solution that allows reaching robust d-probing security for this multiplication scheme. We exploited the non-completeness property to reorder the inputs for each cone, in such a way that not all the shares of an input end up in a single cone. In this slide, there is an example of a solution when d is equal to three. Here, no output c_i handles all the shares of a secret, and the scheme is robust 3-probing secure. To verify it, we compute the compact correlation matrix for this scheme, and this matrix shows that our solution is robust 3-probing secure, but still not robust 3-strong non-interfering. Indeed, the red circles suggest that with two internal probes and one output probe it's possible to recover three shares of one secret.
To reach robust d-strong non-interference, we increase the number of randoms between adjacent cones. This time, the compact correlation matrix for this solution shows that now the scheme is robust 3-strong non-interfering. In our paper, it's proved that this solution can be generalized for any d, adding an amount of randoms in every refresh layer.

The second scheme that we analyze is domain-oriented masking (DOM), another multiplication gadget proposed to reach probing security using relatively few randoms. Again, the number of shares is d + 1, and a_i, b_i and c_i are the shares. This scheme with independent shares is called DOM-indep, and in it the so-called cross terms are masked by random bits. Before the compression phase, partial results are saved in registers. In this slide is reported this scheme with d equal to one. As proved in some previous works, this scheme is not robust d-strong non-interfering for any d. From the compact correlation matrix it is clear that with one output probe an attacker is able to recover information about one input share, showing that the scheme is not robust d-strong non-interfering. The solution is to add an output register, and we verify through the compact correlation matrix that this solution reaches the robust d-strong non-interference property.

To conclude this section about the applications, we note that to ensure the robust d-strong non-interference property we proceed as follows. First, in our last solution for the consolidated masking scheme, we add random bits to the previous solution scheme, the one with the non-completeness property. Then, to the DOM-indep scheme, we add some output registers. So, for example, if d is equal to three, to CMS we add four randoms and no register, while for DOM-indep we save the output bits in four registers, one register per bit, and we don't add any random. This suggests that there is a trade-off between registers and randomness when we are working with robust strong non-interference. The randomness ratio between DOM-indep and the last construction of CMS is the one reported in this slide.

In the last part of this presentation, I show an analysis of the complexity and the scalability of our method. About complexity, we know that when the number of variables increases, the large number of elements in the Walsh matrix makes the complete computation of the compact correlation matrix impractical. We propose some solutions to face this problem: store only the rows that refer to single outputs and probes, compute on demand the remaining rows by using convolution, and exploit the sparsity of the correlation matrices.

Now I present our analysis about the scalability of our new method. The figure in this slide shows the comparison between the estimated time to compute the correlation matrix with our method and the time needed to apply the maskVerif tool to chi, the non-linear function of Keccak, protected by the DOM-indep scheme. It's clear that when d increases, the complexity of our method also becomes higher, but it's also possible to note that the gap with a state-of-the-art efficient tool is not so large. The figure in this slide shows a further analysis of the estimated time to compute the compact correlation matrices for other well-known multiplication gadgets.

In conclusion, we propose an alternative view of robust probing security, introducing a new mathematical framework and approach based on the Walsh matrices. We also study a classification of extended probes to deal with gadget composability, and we apply our method to two multiplication gadgets with the aim of analyzing both and improving one of them.

Some future works could be, for example, finding more efficient computations with the use of sparse matrix properties, investigating the minimum number of randoms to achieve robust d-strong non-interference, and investigating the ring structure of multiplication gadgets, maybe studying a more efficient refresh layer. Thank you for your attention, and if you have any question, you can also write to me at my email address.
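The following Python sketch is an added example and is not code from the paper or the talk. It implements, on toy gadgets constructed for the purpose, the spectral view of probing security the talk describes: the observation made by a probe set is a vectorial Boolean function of the shares and randoms, its Walsh matrix W[u][v] = sum_x (-1)^(u.x xor v.F(x)) is computed, non-zero coefficients are compacted to the number of shares of each variable they select (the talk's alpha, rho and phi indexes), and a probe set leaks a secret exactly when a non-zero probe mask correlates with the mask selecting all the shares of that secret and no random (shares are uniform given their sum, so that mask is the only one that can carry the secret). Glitch-extended (pure) probes are modelled by a simplification of my own: a probe on a wire reveals every stable signal, input or register output, in the combinational cone computing it. The gadgets (the two slide circuits and a DOM-indep AND for d = 1, with and without the register in front of the compression) and all names such as `Gadget`, `leaked_secrets` and `first_leaking_probe_set` are mine, not the authors' tooling; the example checks d-probing security only, not (strong) non-interference.

```python
from itertools import combinations

def parity(x):
    return bin(x).count("1") & 1   # u.x over GF(2) once u & x has been formed

class Gadget:
    """Constructed toy gadget: wires computed from one-bit inputs (shares, randoms)."""

    def __init__(self, inputs, secrets, randoms):
        self.inputs = list(inputs)    # every share and random, one bit each
        self.secrets = dict(secrets)  # secret name -> names of its shares
        self.randoms = list(randoms)
        self.wires = []               # (name, fn(values) -> bit, cone)

    def wire(self, name, fn, cone):
        # cone: stable signals a glitch-extended probe on this wire reveals;
        # a register output is stable, so its cone is just [name]
        self.wires.append((name, fn, cone))
        return self

    def evaluate(self, x):
        vals = {n: (x >> i) & 1 for i, n in enumerate(self.inputs)}
        for name, fn, _ in self.wires:
            vals[name] = fn(vals)
        return vals

    def observed(self, probes, extended):
        """Signals the attacker learns: the probed wires, or their cones."""
        cones = {n: c for n, _, c in self.wires}
        seen = []
        for p in probes:
            for s in (cones[p] if extended else [p]):
                if s not in seen:
                    seen.append(s)
        return seen

def walsh_matrix(g, probes, extended=False):
    """W[u][v] = sum_x (-1)^(u.x xor v.F(x)) for the observation F of the probe set."""
    sig = g.observed(probes, extended)
    n_in, n_out = len(g.inputs), len(sig)
    fx = [sum(g.evaluate(x)[s] << j for j, s in enumerate(sig)) for x in range(1 << n_in)]
    return [[sum(1 - 2 * (parity(u & x) ^ parity(v & fx[x])) for x in range(1 << n_in))
             for v in range(1 << n_out)] for u in range(1 << n_in)]

def compact_profile(g, probes, extended=False):
    """Compact correlation matrix: each non-zero coefficient (u, v) is kept only as
    (shares of each secret selected by u..., randoms selected by u, bits set in v)."""
    W = walsh_matrix(g, probes, extended)
    pos = {n: i for i, n in enumerate(g.inputs)}
    groups = [g.secrets[s] for s in g.secrets] + [g.randoms]
    profile = set()
    for u, row in enumerate(W):
        weights = tuple(sum((u >> pos[n]) & 1 for n in grp) for grp in groups)
        for v, coeff in enumerate(row):
            if coeff:
                profile.add(weights + (bin(v).count("1"),))
    return profile

def leaked_secrets(g, probes, extended=False):
    """Secrets (singly or jointly, e.g. a xor b) the observation depends on: some
    v != 0 correlates with a u selecting ALL shares of >= 1 secret and nothing else."""
    names = list(g.secrets)
    sizes = [len(g.secrets[s]) for s in names]
    found = set()
    for entry in compact_profile(g, probes, extended):
        *alphas, rho, phi = entry
        full = [a == n for a, n in zip(alphas, sizes)]
        if phi and rho == 0 and any(full) and all(a in (0, n) for a, n in zip(alphas, sizes)):
            found.add(tuple(s for s, f in zip(names, full) if f))
    return sorted(found)

def first_leaking_probe_set(g, d, extended=False):
    """None if g is d-probing secure (robust, i.e. glitch-extended, when
    extended=True); otherwise a witness (probes, leaked secrets)."""
    names = [n for n, _, _ in g.wires]
    for k in range(1, d + 1):
        for probes in combinations(names, k):
            leak = leaked_secrets(g, probes, extended)
            if leak:
                return probes, leak
    return None

# --- constructed gadgets: the two slide circuits and a DOM-indep AND, d = 1 ---

def xor_of_shares():
    """Recombining the shares on one wire: the slide's 'not 1-probing secure' circuit."""
    return Gadget(["a0", "a1"], {"a": ["a0", "a1"]}, []) \
        .wire("o", lambda v: v["a0"] ^ v["a1"], ["a0", "a1"])

def refresh():
    """o0 = a0 ^ r, o1 = a1 ^ r: 1-probing secure, while two probes recover a."""
    return Gadget(["a0", "a1", "r"], {"a": ["a0", "a1"]}, ["r"]) \
        .wire("o0", lambda v: v["a0"] ^ v["r"], ["a0", "r"]) \
        .wire("o1", lambda v: v["a1"] ^ v["r"], ["a1", "r"])

def dom_and(register=True):
    """Cross terms masked by r and, optionally, stored in registers before compression."""
    g = Gadget(["a0", "a1", "b0", "b1", "r"], {"a": ["a0", "a1"], "b": ["b0", "b1"]}, ["r"])
    g.wire("t01", lambda v: (v["a0"] & v["b1"]) ^ v["r"], ["a0", "b1", "r"])
    g.wire("t10", lambda v: (v["a1"] & v["b0"]) ^ v["r"], ["a1", "b0", "r"])
    if register:
        g.wire("t01_reg", lambda v: v["t01"], ["t01_reg"])
        g.wire("t10_reg", lambda v: v["t10"], ["t10_reg"])
    s01, s10 = ("t01_reg", "t10_reg") if register else ("t01", "t10")
    cone01 = [s01] if register else ["a0", "b1", "r"]   # how far a glitch on c0 reaches back
    cone10 = [s10] if register else ["a1", "b0", "r"]
    g.wire("c0", lambda v: (v["a0"] & v["b0"]) ^ v[s01], ["a0", "b0"] + cone01)
    g.wire("c1", lambda v: (v["a1"] & v["b1"]) ^ v[s10], ["a1", "b1"] + cone10)
    return g

if __name__ == "__main__":
    print(leaked_secrets(xor_of_shares(), ["o"]))                     # [('a',)]
    print(first_leaking_probe_set(refresh(), 2))                      # (('o0', 'o1'), [('a',)])
    print(first_leaking_probe_set(dom_and(True), 1, extended=True))   # None
    print(first_leaking_probe_set(dom_and(False), 1, extended=True))  # (('c0',), [('b',)])
```

The last two calls show the point of the register that the talk's DOM description mentions: without glitches both variants are 1-probing secure, but a glitch-extended probe on c0 of the register-less variant sees a0, b0, b1 and r together and so recovers b, which is what the pure-probe classification captures. The brute-force Walsh matrix is exponential in the number of inputs, the same limit the talk notes for the full method.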