Hello, and welcome to the presentation of our paper "Towards Tight Random Probing Security". It is joint work with Gaëtan Cassiers, Sebastian Faust, François-Xavier Standaert and me, Maximilian Orlt. Before Gaëtan Cassiers and I present our results, we first want to give an introduction.

In classical cryptography, we often use the black-box model. Here, the adversary only learns the input-output behavior of a cryptographic primitive, for example a plaintext-ciphertext pair of an encryption scheme. But this is not the case in the real world. In the real world, the adversary can learn even more: the power consumption of a device might leak secret-dependent data, for example the key of an encryption scheme. The same holds for electromagnetic radiation caused by current flows. So we have to think about how to model those leakages in order to provide security proofs even in the presence of such leakage.

To define our security model, we first have to decide on our computational model. Here, we use arithmetic circuits, where each operation is described as a gate and all values are carried by wires. The advantage of this model is that also the internal values are carried by wires, so all values are well defined.

With the arithmetic circuit, we can define our adversarial model. We use the p-random probing model, originally introduced by Ishai, Sahai and Wagner at CRYPTO 2003. They assume that each wire leaks with probability p. The advantage of this model is that it is close to the real world, since it captures the continuous nature of leakage: if a value is used multiple times, it is carried by multiple wires, and the leakage increases.

Now we can use this model and try to protect circuits against leakage. We take the example circuit of the previous slide and assume that it gets as input the secrets a and b. First it copies a and multiplies it with itself, which is a simple square operation, and then it adds b. The result is c.
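The p-random probing model just described can be sketched in a few lines of Python; the wire names and values are purely illustrative. Note how a value that is copied travels on two wires and therefore has two chances to leak:

```python
import random

def random_probing_leakage(wire_values, p, rng=random):
    """p-random probing model: every wire leaks its value independently
    with probability p; the adversary sees only the leaked wires."""
    return {w: v for w, v in wire_values.items() if rng.random() < p}

# Example: after the copy gate, the secret a is carried by two wires,
# so using a value multiple times increases the leakage.
wires = {"a_wire1": 5, "a_wire2": 5, "b": 7, "a_sq": 25, "c": 32}
leak = random_probing_leakage(wires, p=0.1)
```

Each call returns a random subset of the wires; with p = 0 nothing leaks, and with p = 1 everything leaks.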
So, to protect the secrets against leakage, we first have to secret-share the values a and b. We can do this, for example, for n = 2: a is shared into a0 and a1, and b is shared into b0 and b1. All shares look uniformly random, but a0 + a1 = a and b0 + b1 = b. Now we only want to compute on the masked values. This means we first have to transform the simple square operation into a gadget which gets as input the shares of a and outputs a sharing of a². Then we transform the addition into a gadget which gets as input two shared values and outputs a sharing of their sum. Now we have a circuit which only computes on masked values, but we can make it even more secure by randomizing it. We do this by adding randomness to the wires in such a way that the correctness of the resulting circuit still holds.

The resulting circuit Ĉ is a masked circuit where the input values are masked into two shares. We can do this for any circuit and an arbitrary number of shares; for example, we could mask the AES S-box into three shares.

Let's consider the AES S-box masked with two and three shares. Here you can see the security level of the resulting circuit. The security level depends on the leakage probability p and tells us the probability with which we can no longer guarantee security. The results you see here are by Belaïd, Rivain and Taleb, published at Eurocrypt 2021. For the security level, we can also give a lower bound. With our results, we want to provide tighter proofs for the security level. This means we want to improve the security level for larger p. Here you can see our results for n = 3; we will discuss them after we have presented our techniques.

For our new techniques, we use a new definition, the probe distribution table (PDT). In the following, we will first explain the PDT. Then we will give some composition results and explain how to compute them.
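As a sketch, the additive sharing and the share-wise addition gadget from this slide could look as follows in Python, working over GF(2^8) where addition is XOR. The squaring gadget is omitted, and all names are illustrative:

```python
import random
from functools import reduce

def share(secret, n, rng=random):
    """Split `secret` into n additive shares over GF(2^8): the shares XOR
    back to the secret, and any n-1 of them are uniformly random."""
    shares = [rng.randrange(256) for _ in range(n - 1)]
    shares.append(reduce(lambda x, y: x ^ y, shares, secret))
    return shares

def unshare(shares):
    """Recombine: XOR of all shares gives back the secret."""
    return reduce(lambda x, y: x ^ y, shares, 0)

def add_gadget(a_shares, b_shares):
    """Masked addition gadget: operates share-wise, so the two secrets
    are never recombined anywhere in the computation."""
    return [ai ^ bi for ai, bi in zip(a_shares, b_shares)]

a = share(0xA7, 2)          # [a0, a1] with a0 ^ a1 == 0xA7
b = share(0x3C, 2)
c = add_gadget(a, b)
assert unshare(c) == 0xA7 ^ 0x3C
```

The same `share` function works for an arbitrary number of shares n, matching the remark that any circuit can be masked with any n.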
And in the end, we will analyze the AES S-box with our PDTs.

So let's define the probe distribution table. For this, consider our circuit again. Here you can see our example circuit with leakage l. For the definition of the probe distribution table, we have to distinguish between internal leakage and output leakage. Therefore, we split l into l_int and o. We carry out our security proofs with a simulator, so we also need a simulator to simulate the leakage.

Let's consider an example: say the internal leakage is a0, a0² and r, and the output leakage is c0. The simulator has to simulate all four values a0, a0², r and c0. For a0, the simulator needs a0 as input. With a0, it can also simulate a0². The random value r it can simulate because it is chosen uniformly at random. Since a0² and r are already simulated, the simulator additionally needs b0 for the simulation of c0. So finally, the simulator would say: I need a0 and b0 for the simulation. As you can see, a0 and b0 are only one share each of the secrets a and b. The simulator does not need a and b, and this means that the input the simulator needs is independent of the secrets a and b. Therefore, we can say that the leakage is independent of the secret.

Remember that this internal leakage is only one special case: a0, a0² and r leak together only with a certain probability. Since the internal leakage is randomized by the leakage probability p, we know that the simulator needs the input wires a0 and b0 only with a given probability p'. We can compute this for all combinations of input and output values. So we can compute the probability that the simulator needs a given input set in the case of output leakage o', taken over the random internal leakage l_int. When we compute all these probabilities, we obtain a table. The resulting table is our probe distribution table.
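The simulator argument just walked through can be made concrete. The snippet below reconstructs the decision rule for the share-0 path of the example, assuming the masked circuit computes c0 = a0² + b0 + r with a fresh random r; this exact wiring is our assumption, inferred from the walkthrough rather than stated verbatim in the talk:

```python
def simulator_inputs(internal, output):
    """Which input shares the simulator needs, given the set of leaking
    internal wires and the set of leaking output wires."""
    need = set()
    # If a0 or a0^2 leaks, the simulator must know a0.
    if "a0" in internal or "a0sq" in internal:
        need.add("a0")
    # c0 = a0^2 + b0 + r: as long as r stays hidden, c0 is uniformly
    # random and can be simulated for free; once r leaks, c0 pins down
    # a0^2 + b0, so the simulator needs a0 and b0 as well.
    if "c0" in output and "r" in internal:
        need.update({"a0", "b0"})
    return need

# The talk's example: internal leakage {a0, a0^2, r}, output leakage {c0}.
print(sorted(simulator_inputs({"a0", "a0sq", "r"}, {"c0"})))  # -> ['a0', 'b0']
```

The result is one share of each secret, never a full sharing, which is exactly why the leakage is independent of the secrets here.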
In detail, our probe distribution table PDT is a matrix where each column represents a possible output leakage and each row represents a possible set of input values which the simulator might need. For example, the entry of the PDT of Ĉ at row (a0, b0) and column c0 is p51. This means that the leakage l_int and c0 can be simulated with a0 and b0 with probability p51. How to compute p51, we will explain after we have presented some PDT properties.

Let's first consider the composition results for our PDTs. The complexity of computing a PDT is exponential in the number of wires. This means it is infeasible to compute the PDTs of large circuits. But we can split a circuit into smaller circuits and compute the PDTs of the small circuits. For this, we need composition results. We distinguish between two compositions: the parallel composition, where the two circuits are computed in parallel and independently, and the sequential composition, where the second circuit gets as input the output of the first circuit. Both compositions yield a larger circuit C, and now we can ask how to compute the PDT of C. Theorem 1 tells us that we can compute the PDT of a parallel composition with the Kronecker product, and Theorem 2 tells us that we can upper-bound the PDT of a sequential composition with the standard matrix multiplication.

Using these two composition results, we can analyze our example circuit again. As you can see here, our Ĉ can be described with the gadgets g0, g1 and g2, and we can compute the PDT of each gi. Now we can compose them to compute PDT′, and by Theorems 1 and 2 we know that the PDT of Ĉ can be upper-bounded by PDT′. So we know that we have to split a circuit into smaller circuits to compute the PDT of a large circuit, but we should also avoid too many approximation steps, due to the approximation in Theorem 2. That is why Gaëtan Cassiers will now explain how to compute the PDTs of circuits efficiently.
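Under the convention above (rows: input sets the simulator may need; columns: output leakage sets, so each column is a probability distribution over rows), the two composition theorems can be sketched with toy 2×2 PDTs. The concrete numbers and the multiplication order for the sequential case are illustrative assumptions:

```python
import numpy as np

# Toy PDTs: entry [i, o] = Pr[simulator needs input set i | output leakage o].
# Columns sum to 1, since each column is a distribution over input sets.
pdt_g0 = np.array([[0.90, 0.20],
                   [0.10, 0.80]])
pdt_g1 = np.array([[0.95, 0.30],
                   [0.05, 0.70]])

# Theorem 1 (parallel composition): Kronecker product.
# Rows/columns of the result index pairs of input/output sets.
pdt_par = np.kron(pdt_g0, pdt_g1)

# Theorem 2 (sequential composition, g1 fed by g0): the ordinary matrix
# product upper-bounds the composed PDT, summing over the sets of
# intermediate wires that g1 asks g0's simulator to provide.
pdt_seq = pdt_g0 @ pdt_g1

assert pdt_par.shape == (4, 4)
assert np.allclose(pdt_seq.sum(axis=0), 1.0)
```

Both operations preserve the column-stochastic structure, which is what lets the composed table be interpreted as a PDT (or an upper bound on one) again.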
Let us now discuss how to compute those PDTs. As an example, we have here on the left the simple refresh gadget with two shares. We will first compute one entry of the PDT, which is just one element of the matrix. This corresponds to one set of probes on the output and one set of inputs that we use to simulate. Here we take the case where the output set is just a probe on y0, and the input set is just the input x0.

So let's compute this PDT entry. In order to do that, we iterate over all possible sets of probes, sorted by size. If we take i = 0, so the empty set of internal probes, the only probe is y0, and we do not need any input to simulate it, simply because y0 = x0 + r and r is a fresh random value, so y0 appears as a fresh random value to the adversary. So c_i, the number of sets for which we need exactly our input set {x0} to simulate, is still 0 for now.

Let's now move to sets of size one. The first set is just an internal probe on x0. There, of course, we need x0 to simulate it, and we do not need x1. So we have a first set for which we need exactly our input set to simulate, and we increment c_1 to 1. Now look at another leakage set: the internal leakage is just a wire carrying the value r, the fresh random. You can see that if the adversary observes y0 and r, then, since y0 = x0 + r, we can no longer rely on the fact that r is fresh randomness to simulate y0 correctly, since r is already observed by the adversary. So we need x0 to simulate, and we do not need x1: we need exactly our input set. We increment c_1 again, and we can do the same for the other wire whose leakage value is r. Finally, if x1 leaks, then we need input sets that contain x1 and not x0 to simulate, so we do not increment c_1.

We can now move to sets of size two. A first set here requires x0 to be simulated, but not x1.
A second one requires both x0 and x1 to be simulated, so we do not increment c_2, and so on and so on: we iterate over all possible sets of probes and obtain this column of c_i's. Once we have the c_i's, we can associate to each set size i its probability of leaking, which is p^i · (1 − p)^(w − i), where w is the number of wires excluding the output wires; summing up gives the PDT entry.

This works well, but there is one main limitation: we have to iterate over very many sets. There are 2^w possible sets of internal probes, and if the gadget is not so small, say w is 20, 30 or 40, this becomes infeasible. Our solution is to not consider all possible sets, but for each size i to sample a limited number of sets, fixed in advance, for instance 10 million. For each of those sets, we proceed as before: we count the number of sets for which the inputs used for the simulation correspond exactly to the input set under consideration. Since we have taken the sets at random, we can do a bit of statistics and obtain an upper bound u_i such that u_i ≥ c_i with very high probability. From this we can compute an upper bound on the PDT entry. Doing this for all entries gives an upper bound on the whole PDT.

Once we have our PDTs, we can compose them as Maximilian explained before, and we can look at a case study. We took the AES S-box as a case study, or more precisely just its non-linear part, which is the inversion in GF(256). It is implemented in a quite common way for masking, namely as a multiplication and exponentiation chain: we have multiplication gadgets, exponentiations to even powers, and also a few copy gadgets where needed, and then we add a few refresh gadgets in well-chosen positions to improve the security.
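The whole walkthrough above (enumerate probe sets by size, count the c_i, weight by p^i(1−p)^(w−i)), together with the Monte Carlo variant, can be sketched for the two-share refresh gadget y0 = x0 + r, y1 = x1 + r. The simulation rule `inputs_needed` is reconstructed from the talk's reasoning, and the Hoeffding-style confidence margin is our own simplification of the statistics, not the paper's exact method:

```python
import math
import random
from itertools import combinations

# Internal (probeable) wires of the refresh gadget; r is carried by two wires.
WIRES = ("x0", "x1", "ra", "rb")

def inputs_needed(probes, out_leak):
    """Input shares the simulator needs (rule reconstructed from the talk)."""
    need = set()
    r_known = "ra" in probes or "rb" in probes  # r observed: y = x + r not fresh
    if "x0" in probes or ("y0" in out_leak and r_known):
        need.add("x0")
    if "x1" in probes or ("y1" in out_leak and r_known):
        need.add("x1")
    return need

def pdt_entry(in_set, out_leak, p):
    """Exact PDT entry: sum_i c_i * p^i * (1-p)^(w-i)."""
    w = len(WIRES)
    entry = 0.0
    for i in range(w + 1):
        c_i = sum(1 for s in combinations(WIRES, i)
                  if inputs_needed(set(s), out_leak) == in_set)
        entry += c_i * p**i * (1 - p)**(w - i)
    return entry

def pdt_entry_upper(in_set, out_leak, p, samples=10_000, delta=1e-6, rng=random):
    """Monte Carlo upper bound: estimate each c_i from random size-i sets,
    then add a Hoeffding-style margin so that u_i >= c_i w.h.p."""
    w = len(WIRES)
    margin = math.sqrt(math.log(1 / delta) / (2 * samples))
    entry = 0.0
    for i in range(w + 1):
        hits = sum(1 for _ in range(samples)
                   if inputs_needed(set(rng.sample(WIRES, i)), out_leak) == in_set)
        u_i = min(1.0, hits / samples + margin) * math.comb(w, i)
        entry += u_i * p**i * (1 - p)**(w - i)
    return entry

# The entry walked through in the talk: output probe {y0}, input set {x0}.
# Enumeration gives c = [0, 3, 3, 1, 0], i.e. 3p(1-p)^3 + 3p^2(1-p)^2 + p^3(1-p).
print(pdt_entry({"x0"}, {"y0"}, 0.5))   # -> 0.4375
```

The exact version is only feasible for small w; the sampled version trades the 2^w enumeration for a fixed number of samples per size, at the cost of a small, quantified over-approximation.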
This is really based on state-of-the-art papers, so we just take this implementation, and based on it we compute the PDTs of all these smaller gadgets. Finally, using our composition theorems, a big product of these PDTs gives us a PDT for the S-box, and from the PDT we can compute the security level, which brings us to the results.

Concretely, this is the state of the art, the RPE paper as we call it, with the security levels for 3, 9 and 27 shares. Now we can see what we achieve as a security level, for slightly different gadgets, because their implementation is slightly different, but roughly it is quite similar. We have our results for 3 shares, as you already saw, so we improve those results, and we can also go to 6 shares, where we likewise obtain a better security level.

If we compare the curves, there are two main improvements. The first is the minimum noise level that we tolerate, that is, the largest p for which we still have some security, meaning the curve is below 1. Here you can see that, compared to the state of the art, we move a bit to the right, so we improve this tolerated leakage probability. Second, look at the slope of the curve: it is related to the number of shares, but also to the quality, or tightness, of the proof. On the left you can see that we improve the slope a bit, and for 6 shares you can see that asymptotically we have roughly the same security order, so the same slope, as the 27-share result. That is a significant improvement in terms of reducing the number of shares needed to achieve the same security level, and a lower number of shares means, in practice, better performance: lower cost for any kind of cost metric, be it circuit size, computation time, or whatever.

To conclude, we have introduced the PDT, the probe distribution table, which is a new approach to proving security in the random probing model for side channels.
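As a sketch of that final step, a security level can be read off a PDT column under the assumption that simulation fails exactly when the simulator needs every share of some secret; ε is then the probability mass on those rows. The row ordering and the toy column below are illustrative, not taken from the paper:

```python
from itertools import combinations

SHARES = ("a0", "a1", "b0", "b1")           # two-share sharings of a and b
SECRETS = ({"a0", "a1"}, {"b0", "b1"})      # a full sharing reveals a secret

def powerset(items):
    """All subsets of `items`, ordered by size: this fixes the row order."""
    return [set(c) for i in range(len(items) + 1)
                   for c in combinations(items, i)]

def security_level(pdt_column):
    """epsilon: total probability of input sets containing a full sharing,
    i.e. sets the simulator cannot be given without learning a secret."""
    rows = powerset(SHARES)
    return sum(pr for subset, pr in zip(rows, pdt_column)
               if any(secret <= subset for secret in SECRETS))

# Toy column (for one fixed output leakage): almost all mass on harmless sets.
column = [0.0] * 16
column[0] = 0.96    # simulator needs nothing
column[1] = 0.03    # simulator needs {a0} only: still independent of a
column[-1] = 0.01   # simulator needs all shares: simulation fails
print(security_level(column))   # -> 0.01
```

Plotting this ε as a function of the leakage probability p gives exactly the kind of security curves compared on the results slide.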
Then, in this random probing model, using the PDTs, we have a composition approach that allows us to compute the security of very large gadgets based on smaller sub-gadgets, and finally we have a method to compute the PDTs efficiently. A particularity of this method, which is quite new in the field, is that it uses a Monte Carlo method, that is, a statistical approach. So, concretely, this method improves the state of the art with tighter bounds, and another interesting characteristic is that it is not tied to any masking scheme: we do not introduce a new masking scheme, we just introduce a new evaluation approach that can be applied to many different masking schemes.

However, there are limitations to this approach. The first is still the computational complexity of the evaluation: when you go to too-large gadgets, even our Monte Carlo approach is limited and is not able to get tight enough, or good enough, results to improve the state of the art. Also, it is not fully tight: there is some looseness in the evaluation of the PDTs and in the compositions, so a first natural direction is to try to improve this tightness further. And the composition theorems are quite nice when you compute at, for instance, the scale of an S-box, but we are still not able to perform this matrix product and so on for very large circuits such as a full AES, so there is also room for improvement there.

Thank you for listening to this video. We will be very happy to take and answer your questions, either live at the conference or by email.