Thanks for the introduction. Here is the outline of the talk. I will start with a few words of introduction, trying to motivate the subject and explain why I think it is important. Then I will describe what I mean by leakage certification. The rest of the talk will be mainly experimental: simulations, unprotected software, masked hardware, and a final conclusion.

So, here is a picture that you more or less know: a standard DPA. This is what we do when we try to recover information from, for example, the execution of a block cipher; here we have an S-box in the first round. Well, if you look at these attacks, what is important is that there are quite a few steps. Typically, you need some measurement and preprocessing, so that the data you acquire is as informative as possible. Then you have some prediction and modeling step, which is essentially where you try to guess something about the internal values of your implementation and to connect that with the physical leakages. Then there is usually an exploitation phase, which essentially compares all your predictions with the actual leakages that you measured, and that gives you information about the subkey. And if that is not enough (and this will be the next talk), you can do post-processing and start doing key enumeration or rank estimation. In this talk, I will just focus on this small part, which is the modeling of the physical leakage function, and I will first try to argue why I think this is important.

For this purpose, I think we can start from this notation, which is the model. What is important here is that when you look at this model, there are a couple of hypotheses that we make. One is explicit: we make a hypothesis on the key, and that is what we want to recover. But there is also an implicit assumption in the model, about how the device leaks physically. And of course, if we want to extract all the information, or if you are an evaluation lab and you want to do a good evaluation, you need this leakage model to be perfect, so that you really capture the worst-case attack. So how do we deal with that? For the keys, it is easy: when you do an attack, you try them all, because it is usually a subkey, something you can test exhaustively. But I would say that if you think about the model, it is much more difficult: how could you try all the physical models for your implementation? And that, I think, more or less relates to a point that Mathias Wagner made a few hours ago at COSADE, where he said that we have all these attacks published in the literature, and there is no way for an evaluation lab to test all the models; it just takes too long. So we have to find a way to restrict that. And here, essentially, we try to contribute a little bit to this problem: we try to find a way not to try all the physical models, but only a couple of the most relevant ones.
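To make the prediction and exploitation steps above a bit more concrete, here is a minimal CPA-style sketch in Python. Everything in it is illustrative: the `traces`, `plaintexts` and `sbox` inputs are hypothetical, and the Hamming-weight model is just one common assumption, not necessarily the right one for a given chip (which is exactly the point of this talk).

```python
import numpy as np

def hamming_weight(x):
    """Leakage model assumption: devices often leak the Hamming weight."""
    return bin(x).count("1")

def cpa_attack(traces, plaintexts, sbox):
    """Minimal CPA sketch: `traces` is an (n_traces, n_samples) array of
    measured leakages, `plaintexts` the corresponding input bytes, and
    `sbox` a 256-entry substitution table (e.g., the AES S-box)."""
    best_corr = np.zeros(256)
    t_centered = traces - traces.mean(axis=0)
    for k in range(256):
        # Prediction/modeling: guess the subkey, predict the internal
        # S-box output, and map it to a leakage prediction.
        preds = np.array([hamming_weight(sbox[p ^ k]) for p in plaintexts])
        p_centered = preds - preds.mean()
        # Exploitation: correlate predictions with every measured sample
        # and keep the strongest absolute correlation for this key guess.
        num = p_centered @ t_centered
        den = np.sqrt((p_centered**2).sum() * (t_centered**2).sum(axis=0))
        best_corr[k] = np.max(np.abs(num / den))
    return int(np.argmax(best_corr))  # most likely subkey
```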
And of course, if you do that, you could say: ok, this is nice in theory, it is a good question, but maybe it is not actually the case that we have bad models. I would argue that it happens all the time, and I think it is easy to see: every time you have one model that performs better than another, that is exactly the situation we are in. So here was an example where I plotted the success rate of an attack against a single S-box output with different leakage models, and some of them clearly performed better than others. [unintelligible] And if you take something masked, even just a proof of concept, then probably the leakage distribution is not just a Gaussian: it is a mixture of Gaussians, it is something else. So, once again, we have to make sure that the model is good.

And to decide whether a model is good enough, we can first ask what the optimal model would be, and that is exactly what we will not find in reality. The optimal model corresponds to the situation where I have the blue distribution, the thing that I do not know. I have no analytical formula for it, but it is something I can measure; I will use the word sample: you can sample the distribution and obtain new measurements, but you do not know exactly how it works. And your estimated model is in red. The model is perfect if your estimated model matches the true leakage distribution. So, as I said, this is not going to happen, because we do not have this blue distribution. Theory would then say that the model is epsilon-close to optimal if some statistical distance between the estimated model and the true distribution is bounded by epsilon. And in fact, that would be very nice. If we had that, it would be extremely convenient, because this epsilon would tell us exactly how much we lose, in terms of information or eventually in terms of success rate, if we do not use the optimal model. The problem is that we have not changed much, because I still do not know this blue chip distribution, so how can I compute the distance between an estimate and something I do not know? It does not look easy.

So that was the problem, or essentially what we tried to solve, with this certification paper. And I think the key idea that we tried to exploit is that, if we want to say something about this issue, we need to distinguish two types of errors that we can have in the model. One is estimation errors: you just do not have enough measurements. The other is assumption errors: you assume your distribution is Gaussian and it is not. Estimation errors are the relatively kind type of errors, because they always decrease if you measure more. Now I will just try to give you some intuition about why this distinction between estimation errors and assumption errors tells you something about whether your model is good or not. So imagine this is the true leakage distribution, in blue: this is the thing we do not know. But what I can do is build a model for it, then sample both the model and the true chip distribution, and I find something like this after N0 samples.
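Written down, the epsilon-closeness notion and the error split just described look roughly like this; the distance d and the notation are my paraphrase of the idea, not the paper's exact formalization.

```latex
% \hat{m} is the estimated model, p_{\mathrm{chip}} the true (unknown)
% leakage distribution. The model is epsilon-close to optimal if, for
% some statistical distance d,
\[
  d\big(\hat{m},\, p_{\mathrm{chip}}\big) \le \varepsilon .
\]
% The total error then splits into the two parts discussed above, with
% m^{*} the best model within the assumed family (e.g., Gaussian):
\[
  \underbrace{d(\hat{m},\, m^{*})}_{\text{estimation error:}\;\to\,0 \text{ as } N \to \infty}
  \qquad \text{vs.} \qquad
  \underbrace{d(m^{*},\, p_{\mathrm{chip}})}_{\text{assumption error: fixed}}
\]
```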
So in red we have the model samples, in blue the true chip samples, and I am asking you whether this model is good at predicting the chip. Well, I do not know, and neither do you, essentially because at this point the number of samples is not sufficient. What happens here is that estimation errors dominate, and what this tells you is usually that you just need to measure more. But if you do, and you take N1 samples, with N1 much larger, you will eventually end up with this kind of picture: the red curve is my Gaussian assumption for the model, the blue curve is the true leakage distribution, and I think it is easy to see that the model is not exactly predicting what we have. So we lose information, and it really means that if you are in this situation, you need another model, because it is likely that you lose a significant amount of information. What is nice is that this reasoning tells us more or less what we can define as a good enough model: essentially, it is a model for which the assumption errors are small in front of the estimation errors, given the number of measurements that you made.

Ok, so concretely, how does it work? Essentially, we will try to do more or less the same as previously, but the very important parameter is this N here. Telling whether the model is good in absolute terms is something I am not able to do; telling whether the model is good given the number of measurements that I make is now possible. So I do the same, taking advantage of cross-validation, which just means that I try to make efficient use of my measurements: each time, I take most of the samples to build the model and one part of the samples to test the model, and I use cross-validation to exploit all the samples for testing. Eventually, the important thing is that we output a p-value that depends on N, and as usual, a small p indicates that, most likely, the model we are looking at is not correct. I think that is pretty much what we want. And the very cool thing is that this N is the evaluation lab's limit: if you are an evaluation lab and you tell yourself "I have money for one week of measurements", then this is your N. Given this week of measurements, you want to be sure that you exploited the information properly, and that is what we do here: you build a model and you test whether the model is good enough. It will never tell you that the model is perfect; most likely the model is still incorrect. What it tells you is that, with only one week of measurements, you could try to improve the model, but it would be useless, because all the improvements you could make would be hidden by estimation errors anyway.

And there is of course a drawback. The big drawback of this approach is that it is extremely expensive, because we need to characterize all the sampling distributions of the model, so running this approach took quite long; at least, that was the main criticism that we got. So we tried to find a way to simplify this, and doing it in a completely sound manner is not very easy. So, easy certification, very simply stated: the idea that we wanted to use is, rather than comparing distributions, which is long and difficult, why not compare moments? And then it is very simple: I have my estimated model, I pick n samples from it and estimate a moment of order d; I pick n samples from the chip, which means I measure n times, and estimate the same moment; and I test the equality between these moments. The big plus is that this can be done with very simple univariate tests that probably everybody in this audience has been using: typically a t-test if you make a Gaussian assumption, or you can go for higher-order testing of the moments, but given the number of samples that we usually have, this is probably good enough.
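As a rough illustration of this moment-by-moment comparison, here is a small Python sketch. It is only a sketch of the idea under simplifying assumptions: Welch's t-tests on centered powers stand in for proper higher-order moment tests, and `model_samples` and `chip_samples` are hypothetical inputs.

```python
import numpy as np
from scipy import stats

def easy_certification(model_samples, chip_samples):
    """Moment-based certification sketch: compare moments estimated from
    n samples of the model against n actual measurements; a small p-value
    flags a likely assumption error in that moment."""
    results = {}
    # Order 1: equality of means via Welch's t-test.
    results["mean"] = stats.ttest_ind(
        model_samples, chip_samples, equal_var=False).pvalue
    # Higher orders: t-tests on centered powers, a simple stand-in for
    # dedicated tests on variance, skewness and kurtosis.
    for order, name in [(2, "variance"), (3, "skewness"), (4, "kurtosis")]:
        m = (model_samples - model_samples.mean()) ** order
        c = (chip_samples - chip_samples.mean()) ** order
        results[name] = stats.ttest_ind(m, c, equal_var=False).pvalue
    return results
```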
The big minus, obviously, is: is this theoretically sound? No, because counterexamples exist: you can find two distributions that are different but whose moments are exactly the same. So is it a problem? I would say maybe: the counterexamples that we are aware of look quite involved, and I am not sure they exist in the literature or that they would correspond to what we have in practice. Also, if you look at what we do concretely, most of the time that is exactly what we do: leakage detection, higher-order attacks, all of that is just based on the estimation of moments. Which is not a good reason per se (maybe the approaches that we use at the moment for our evaluations are not completely sound, and we should question ourselves), but at least it gives some incentive to look at this.

Ok. So, as usual, when you have something that is not completely sound, the best thing you can do is to look at what you can learn from it. That is what we did, first with simulations. So how does it look? This is a simulated example. At the top of the figure you have, in blue, the sampled chip distribution (this is a chip that we simulate), and in red a biased model; here it is very easy to see that there is an error in the means. What do we see on the second line? The estimation of all the moments, and we see that indeed the means are different. On the next line, the p-values: they tell us very rapidly that it is impossible that this model actually predicts the true chip distribution, because there is a big difference in the means. And we can do the same for the variances, for the skewness, for the kurtosis. What is interesting is that this easily generalizes to masked implementations, because the type of Gaussian mixtures that we have here is what we would observe with masking.

Ok, that is simulation, still not reality, so the next step was to look at what happens for real, first on software, because that is exactly what we did two years ago at Eurocrypt. We wanted to repeat these experiments, so we looked again at an unprotected AES implementation in a very kind Atmel microcontroller, and this is what we get. These figures are pretty much like the p-value figures, so I will just explain the upper-left one, which is for Gaussian templates. On the y-axis you have 256 values: these are the 256 templates that we built to attack the output of the S-box, so these are our 256 models. On the x-axis is the number of measurements that we used in the evaluation; in this case, we made an evaluation with 56,000 measurements. What do we see? Not much for the mean, not much for the variance, and that is pretty good news, because it is essentially what we concluded two years ago: Gaussian templates were good enough to explain this particular implementation. And we had a problem with linear regression: with a linear basis, the model was not good enough, and here again we clearly see big errors; this model is not good, we need to change it. So far so good. But it is maybe less good, or surprising at least, if we look at skewness and kurtosis: there we see a little bit of something, and at some point it seems that for some of the templates we do not predict the full distribution nicely. That is annoying, because it could typically be an inconsistency between the previous approach and the simplified one, which is totally plausible: in one case we compare full distributions and we are sound; in the other we just estimate moments, which is a much simpler problem.
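For contrast, here is what a cross-validated, distribution-level check in the spirit of the earlier approach could look like. This is purely my stand-in: the paper characterizes the sampling distributions of the model itself, whereas this sketch uses an off-the-shelf Kolmogorov-Smirnov test (only approximate when the parameters are fitted from data) and Fisher's method to combine the folds.

```python
import numpy as np
from scipy import stats

def certify_gaussian_model(leakages, k_folds=10):
    """Cross-validated sketch: given N measurements, fit a Gaussian
    template on k-1 folds, test the held-out fold against it, and
    combine the per-fold p-values. A small combined p-value suggests
    the model is inadequate *at this number of measurements*."""
    folds = np.array_split(np.random.permutation(leakages), k_folds)
    pvals = []
    for i in range(k_folds):
        test = folds[i]
        train = np.concatenate([f for j, f in enumerate(folds) if j != i])
        mu, sigma = train.mean(), train.std(ddof=1)  # build the model
        # Compare held-out samples against the estimated Gaussian model.
        res = stats.kstest(test, "norm", args=(mu, sigma))
        pvals.append(res.pvalue)
    # Combine the per-fold p-values (Fisher's method).
    stat, p_combined = stats.combine_pvalues(pvals, method="fisher")
    return p_combined
```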
So we were wondering what happens here, and what we wanted to do at this point is, of course, to ask: ok, maybe we have an error in the skewness or the kurtosis, but maybe there is just nothing useful in these statistical moments. So the question becomes: do these errors lead to something? To answer that, we ran an additional test based on something very simple again, which is moments-correlating DPA. I guess you all know CPA, where you correlate the mean values with your actual leakages; in moments-correlating DPA you do the same at higher orders, so you correlate higher-order statistical moments with leakage samples raised to a certain power. And the cool thing with correlation in general is that we have this nice metric intuition: the number of samples that you need to attack your implementation is inversely proportional to the square of the correlation coefficient.

So what do we have? First look at the top figure: this is the value of the moments-correlating DPA for the mean, the variance, the skewness and the kurtosis. Good news: there is very little information in the skewness and the kurtosis, which seems very reasonable for an unprotected implementation, and it confirms the results of the Eurocrypt 2014 paper. So that is nice. On the next figure we have exactly the same moments-correlating DPA with Gaussian templates and linear regression; the only difference is that the moments are now the ones produced by these models. And here it is nice as well: we saw that there was a problem with linear regression, and indeed the amount of information in the mean values produced by linear regression is less than the one of the template attack. Obviously, I also see that there is a little bit of information in the variance, and this is lost when I do linear regression, because of this pooled variance or covariance matrix.

So that is nice, but maybe still not very surprising or very useful, so we wanted to move to something more challenging, and that was the masked hardware implementation. We took one nice way to implement masking in hardware, and this is what we got. I will go through this line again: for Gaussian templates, no problems in the mean, no problems in the variance, but clear errors detected in the skewness and also in the kurtosis. And this time it is interesting, because it is a masked implementation, so there should be information there. So what did we do? Again, moments-correlating DPA. And what do we see? Good news: no information at all in the mean, so the implementation is first-order secure. Then we see that we have information in the variance, the skewness and the kurtosis, and I do not think we can say that this information is negligible. So here we really face a situation where the tool is telling us: well, you used Gaussian templates, but in fact this is not enough; you should find something else if you want to extract all the information. Again, this is maybe slightly expected, because Gaussian templates only capture the mean and the variance, and as we know, we have higher-order moments if we mask; but I think it is still nice to have this incentive. Now it clearly tells us that for protected, and especially highly protected, implementations, we need more complex models to explain what we see, and there was just a paper by Tobias Schneider about exactly that.
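Before the conclusion, here is a rough univariate sketch of the moments-correlating DPA idea used in these experiments, with several simplifications of mine: a single sample point, raw central moments rather than standardized ones, and profiling on the same set that is attacked (the real method separates, or cross-validates, those sets).

```python
import numpy as np

def mc_dpa_correlation(leakages, classes, order=2):
    """Correlate per-class moments of order `order` with the (centered)
    leakages raised to that order; `leakages` is a 1-D array with one
    sample per trace, `classes` the known intermediate values."""
    x = leakages.astype(float)
    if order >= 2:
        x = x - x.mean()  # center the samples for orders >= 2
    x_pow = x ** order
    # Profiling: estimate the order-d moment for each intermediate value.
    moments = {v: x_pow[classes == v].mean() for v in np.unique(classes)}
    preds = np.array([moments[v] for v in classes])
    rho = np.corrcoef(preds, x_pow)[0, 1]
    return rho
```

The returned correlation feeds directly into the sample-complexity intuition mentioned above: since the number of traces needed scales like 1/rho^2, halving the correlation roughly quadruples the attack cost.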
Cool. So, conclusion. I think the main conclusion is simple: this is a less formal tool, clearly, but probably a more efficient and more intuitive one. It is more efficient because essentially it amounts to what you need to do for profiled CPA, run many times. It is still costly, so I do not claim I would do that for all the points of your implementation; I would still combine it with points-of-interest detection. But if you have a couple of points of interest and you want to test a model there, I think it is perfectly feasible with current means. And the nice thing is that it provides hints about the information loss: moments-correlating DPA tells us whether we lose a lot or a little, which is an intuition we did not have at all when we were using full distributions. We have prototype open-source code, so if you want to try exactly these experiments, univariate and so on, it is on this web page.

And of course there are open problems. I think the big one is how to deal efficiently, at the same time, with highly multivariate attacks, just as in the previous talk, and with higher-order distributions; I do not think we have good tools for this at the moment, and in general it is a hard problem. The other thing worth questioning is exactly this: we have moment-based estimation and we have distribution-based estimation; is it enough to just look at statistical moments? And maybe just a postscript about all these assumptions: of course, none of this happens if you do non-parametric PDF estimation. If you go for kernels, for example, then you only have estimation errors; maybe that is easier, but in the cases that we face it is probably extremely expensive.

And I just wanted to conclude with this slide, which shows that in the end we have a kind of nice separation between the engineering challenges, like measurements and preprocessing, where we need to make sure that what we do is good, because this part of the attacks is highly heuristic, so there we need continuous progress; and all the rest, like prediction, modeling and key enumeration, where we have reached the point of having nice tools that tell us: am I good enough, is what I am doing sound in a certain way. And that is it, thank you.