Okay, the third and last speaker of this session is, and I tried it, I trained it a little bit: Kostas Papagiannopoulos. An amazing attempt. Thank you, it's very polite of you. He will speak about low-randomness masking and shuffling and evaluation using mutual information.

Thank you. So, like the rest of the talks during this session, we will be discussing masking, the famous countermeasure that at least tries to hide intermediate values from the prying eyes of an adversary. We will also be discussing shuffling, the countermeasure that reorders cipher operations and confuses the adversary. But unlike the previous talk, we will not be extending those properties; we will not delve deeper into glitches or glitch resistance. We will be looking at randomness.

As a quick overview of the talk: we will first discuss how masking and shuffling are very demanding when it comes to random number generation; they spend a lot of time on it. We will then propose some new countermeasure variants that recycle randomness and are better at it. Of course, the computational performance does not come for free, so we will also discuss the pitfalls for formal security, and how recycling damages the noise amplification stage of masking and shuffling.

So let me get right to it. We will start with a quick introduction to masking and shuffling, most of which has already been mentioned. Masking is probably one of the most popular countermeasures in the community. It forces the adversary to recombine shares: if you split a value into, say, eight pieces, then it becomes very hard to perform that recombination. It has the property of noise amplification, and we really, really like this property because it has an exponential effect on the number of traces you need to attack the implementation. More importantly, masking is very computationally demanding: if you implement it as Ishai-Sahai-Wagner (ISW), then you are looking at
quadratic randomness complexity. There have been more recent works improving on this bound, from Belaïd et al., but even in this improved situation you still face quite a big overhead. This conclusion persists throughout most masking variants, and it carries over into higher-order threshold implementations: no matter what you do, you will face the RNG cost.

Similarly, shuffling is also quite widely deployed. It permutes blocks: if you are processing the S-boxes of a cipher in a serial fashion, instead of going one, two, three, four, you permute their order, perhaps to three, one, four, two. The countermeasure performs noise amplification in a different way than masking, and of course it comes with an RNG overhead, which is approximately K log K random bits if you want to shuffle K things around.

From our experience so far implementing protected ciphers on several devices, we have agreed that the RNG is quite a considerable performance overhead. Just to give you a taste of the figures: some people have tried to implement a second-order AES on AVR using a pseudo-random number generator, and the result was that roughly 38% of the total computation time was spent on RNG. When we tried to implement a second-order PRESENT on an ARM Cortex-M4 and decided to use the true RNG that comes packaged with the device, roughly one out of four cycles was spent on RNG. And if we go to an even more extreme case, how about a fourth-order AES implementation that is actually quite fast because of NEON assembly, but makes the terrible mistake of drawing its randomness from /dev/urandom? Then the situation gets really ugly. Of course this is a very naive case, people won't really do that, but at least it shows that if you do not put the required attention into the RNG, you may face this situation: a very fast cipher
and a very slow RNG.

All right, we decided to do something about that. In this spirit, we looked into other works that were exploring this concept of reusing, or recycling, randomness while masking, and I feel the best way to explain it is through an example. Like in previous presentations, let's take a look again at ISW. Assume two multiplications, both of them second-order secure and completely independent from each other; if you like, you can think of them as two different executions of a cipher, or two computations that are not linked to each other. The first one has to produce z = x × y, the second one c = a × b. You can see the formula with the partial products, and highlighted in green are the random numbers that must be injected if you are to maintain security.

The first step was to think very simply: let's try to reuse some numbers from the first multiplication, store them perhaps in memory, and then reuse them in the later multiplication. It would look a bit like this: instead of using t0 and t1, we replace them with w0 and w1, which we have already generated before, in order to reduce the randomness cost by two numbers. That doesn't seem like a lot, but if you look at the big picture, the AES S-box has lots of those multiplications, so it will be beneficial in the long run.

The natural question that follows is: all right, now you have a very strange gadget that consists of two multiplication gadgets, and you want to prove that it is secure in some sense. Using the formal verification tool by Coron, you can actually prove that this two-multiplication gadget is t-NI (t-non-interferent). So far so good; you're resting well.
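To make the idea concrete, here is a minimal bit-level Python sketch of a plain three-share (second-order) ISW multiplication, with the randomness passed in explicitly so that stored values can be recycled. The helper names, the concrete values, and the bit-level setting are illustrative assumptions, not the exact formulas from the slides.

```python
import secrets

def share(x, n=3):
    # Boolean (XOR) sharing of a bit into n shares
    shares = [secrets.randbits(1) for _ in range(n - 1)]
    last = x
    for s in shares:
        last ^= s
    return shares + [last]

def unshare(shares):
    v = 0
    for s in shares:
        v ^= s
    return v

def isw_mult(xs, ys, rnd):
    # ISW multiplication of two 3-share bits; rnd supplies the 3
    # random bits (r01, r02, r12) the gadget consumes, so passing
    # stored values here models recycling.
    n = len(xs)
    r = [[0] * n for _ in range(n)]
    k = 0
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = rnd[k]; k += 1
            r[j][i] = (r[i][j] ^ (xs[i] & ys[j])) ^ (xs[j] & ys[i])
    zs = []
    for i in range(n):
        zi = xs[i] & ys[i]
        for j in range(n):
            if j != i:
                zi ^= r[i][j]
        zs.append(zi)
    return zs

# First multiplication z = x*y: draws 3 fresh bits w0, w1, w2
w = [secrets.randbits(1) for _ in range(3)]
x, y, a, b = 1, 1, 1, 0
z_shares = isw_mult(share(x), share(y), w)

# Second, independent multiplication c = a*b: recycles w0 and w1
# and draws only one fresh bit, so 4 random bits total instead of 6
c_shares = isw_mult(share(a), share(b), [w[0], w[1], secrets.randbits(1)])
```

Passing `[w[0], w[1], fresh]` to the second gadget is exactly the partial recycling described above: two stored bits plus one fresh draw instead of three fresh draws.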
The next step is to become a little bit greedy and try to recycle more. So I thought: why not grab all of them and use them in the second one? They are independent, it should be okay, and this would reduce the randomness cost even more. However, once you throw the thing into the tool again, the tool will complain. It will tell you this isn't secure; it has found a probing attack, a 2-tuple of intermediate values that can actually break the scheme, because the w1 and w2 here and here will cancel out with the w1 and w2 over there. So in the end we observe that if you recycle excessively, you will hurt probing security, even between independent gadgets.

The last step of this search was to look around for efficient multiplication gadgets. We looked at ISW gadgets of security order one, two and three. If you do not recycle, then with this gadget and two multiplications you are looking at two, six or twelve random elements needed in your computation, while if you do recycle, you can drop that down to one, four or eight. So there is roughly a 20 to 30 percent improvement in this situation, which can be quite helpful, given that the RNG is often slow. Even for the more randomness-aware BBP gadget published by Belaïd et al., which was designed with randomness in mind and already tried to reduce it, if you recycle on top of it you can still gain some nice margins and improve your situation.

All right, so far everything looks okay: we can find non-interferent gadgets that recycle randomness and improve the situation. But the problem starts when we move away from formal security and towards the noise amplification stage of masking. As a reminder of the central limit theorem, in our context at least: assume a random number is being recycled, and since it is being recycled, it will emit leakages multiple times, let's say L1, L2, up to LM, all of
them follow a normal distribution with some mean and standard deviation. Now, if someone grabs those leakages and averages them, the new distribution will again be normal, but the standard deviation will be divided by √M. So essentially I am restating that someone who is able to observe those recyclings will be able to denoise the signal. Even if everything else is fine, even if the scheme is probing secure, it won't matter: repetition will hurt you, and this has been shown several times in the context of horizontal attacks.

In order to showcase this scenario and perform a more concrete noise analysis, we define two adversaries. There is adversary C1, who is quite naive and does not see the recycling, and there is adversary C2, who can actually see the recycling and can average. Let's see how this works out.

So here's the pitfall. If you start from the solid red line over here, that is a third-order attack by the naive adversary on something that is recycling, but recycling a modest amount of randomness. If you compare it to the actual situation, you will see that the naive adversary cannot take advantage of it; this is as good as attacking a third-order scheme, without any difference. Now you will observe that the dashed red line shifts to the right: an adversary who is able to see those repetitions will be able to shift the curve to the right and reduce the security. So the second observation is that we can actually exploit recycling to our advantage. Finally, if you move to the blue lines, the first one is not recycling and the second one is recycling a little bit, so the dashed blue line moves to the right. And if you really recycle a lot, if you really want to cut down on the cost of the RNG, then you move towards the dotted line, which may have a huge impact on security.
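The averaging adversary's gain is just the central limit theorem at work, and it is easy to reproduce numerically. A small NumPy sketch; the concrete numbers (σ = 2, M = 16 repetitions) are illustrative assumptions, not figures from the talk:

```python
import numpy as np

rng = np.random.default_rng(0)
mu, sigma, m, n_traces = 1.0, 2.0, 16, 100_000

# m leaky occurrences of the same recycled random value per trace,
# each sample drawn from N(mu, sigma)
leakages = rng.normal(loc=mu, scale=sigma, size=(n_traces, m))

# Adversary C2 averages the m repetitions within each trace;
# the noise shrinks from sigma to sigma / sqrt(m) = 0.5
averaged = leakages.mean(axis=1)
print(float(averaged.std()))  # close to 0.5
```

A fourfold noise reduction for M = 16 repetitions, exactly the √M factor that formal probing security does not capture.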
Finally, perhaps the most important point of this graph is that this RRM, this recycled randomness masking, is actually a trade-off between security and randomness cost. It is nothing more than that, and it is very useful for the countermeasure designer to have such a trade-off at hand, one that he can twist and turn a little bit, turning the randomness up and down, in order to hit the security level he aims for.

All right, we talked about recycled randomness in masking; we will now do the same for shuffling, but it is quite a bit easier. Let's take an abstract case of shuffling: here I have to shuffle three layers of a cipher, and each layer has four blocks in it. Blocks could be anything: whole cipher sections, single assembly instructions, or blocks of assembly instructions. The randomness cost of shuffling three layers independently, each of width four, comes to around 24 bits of randomness, if the formula is correct.

A nice option, if you want to cut down on the randomness cost, and this is what we propose, is to partition the layers: instead of shuffling all four in columns, you cut it down a little. We call this partitioned shuffling with partition factor Fp = 2, and if you do that, you can recompute the randomness cost and it reduces to 12 bits, which is less than 24. So we got a small advantage out of it.

That's not the only option; there are actually quite a few. One more is that instead of the original shuffling we can do merged shuffling: layer one and layer two used to be different, but now we put them together and shuffle them all together. We call this merged shuffling with merge factor Fm = 2. Again, if you sit down and compute the randomness cost for this, you now have to shuffle two merged layers, and this ends up at approximately 16 bits, which is less than 24. So again we feel that we got an advantage.
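Using the K·log2(K) approximation mentioned earlier, the accounting for these variants can be sketched in a few lines. Counting the merged pair of layers as one permutation of eight blocks, measured by its exact entropy, is my assumption to match the quoted ~16 bits; it is not stated in the talk.

```python
from math import factorial, log2

def klogk_bits(width):
    # approximate cost of shuffling `width` blocks: K * log2(K) bits
    return width * log2(width)

layers, width = 3, 4

# original case: three independent shuffles of width 4
full = layers * klogk_bits(width)                    # 3 * 8 = 24 bits

# partitioned shuffling, Fp = 2: six shuffles of width 2
fp = 2
partitioned = layers * fp * klogk_bits(width // fp)  # 6 * 2 = 12 bits

# merged shuffling, Fm = 2: layers 1 and 2 become one shuffle of
# 8 blocks, counted here as the entropy of one permutation of 8
merged_pair = log2(factorial(2 * width))             # ~15.3, i.e. ~16 bits

print(full, partitioned, round(merged_pair, 1))
```

Both variants land below the 24-bit baseline, which is the whole point of the trade-off.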
As you might have already expected, when we move from the original case, where you neither partition nor merge any layers while shuffling, to a case where you partition, or a case where you merge, we will see damage in the noise amplification stage. Starting from the solid blue line, the curve shifts to the right the more you merge and the more you partition, or in general the more you cut down on randomness. Once again I will restate the same thing: RRS, recycled randomness shuffling, is a trade-off that the countermeasure designer has at his disposal, and he can use it to make an implementation cheaper and less secure, or the other way around.

So finally, some future directions for this type of work; here I say "towards parametric design for side-channel countermeasures", and I will explain what I mean. First and foremost, we have demonstrated how to reduce the randomness cost in masking and shuffling, and now I think it is time to start talking more about the random number generator itself. I haven't seen that many open-source implementations of it, and I think it would be nice for the whole community to agree on what is actually required from an RNG used for masking or shuffling. It would encourage more discussion and more research in this direction.

Second, and perhaps more interestingly, I would personally like to see more of a parametric approach when we design countermeasures. For example, in modern countermeasures we just decide the order of masking, we implement it in a device, and that's it. Up until a few years ago we didn't have that many options; there were several countermeasures and people were implementing them. But I feel that we are starting to scratch more and more beneath the surface of those options, so now, instead of just the order of masking, I have so many
variants to choose from: I can choose Xth-order masking that recycles random numbers, merges a few layers, and many more things. So I have far more options available compared to what I used to have.

To close this presentation, I will attempt an analogy between shuffling and masking as countermeasure architecture and actual architecture. In the 70s and 80s, the age of modernity, we used to have buildings built in the international style, and the mantra was more like: just pick the number of floors, and form follows function. That was the mantra of the modernist designers, and likewise with masking: you just put in so many orders of masking and that's it. I feel that now we have the ability to move towards a more parametric model, a bit like the Turning Torso in Sweden. It is essentially the same building, but now we have a better understanding of the structure, so we can twist and mold it into a better form: a form that still serves function, but that also optimizes the function itself. And that pretty much concludes the talk.

Are there any questions? Questions for Kostas? Who wants the microphone? It's really soft, don't be afraid. All right, I'll start. For the recycled masking, you require at some point, as basically everybody does, that the inputs, or these two operations that recycle, must be independent. But if I implement an S-box, for example, I will have many multiplications that are not independent, so then I need to add extra randomness to make them independent.

That would be one option, I think: refreshing gadgets in between. But then I would feel that this defeats the whole purpose of it, unless you have an extremely high order and the quadratic randomness hits you harder than the linear randomness of the other gadgets. Still, what I have in mind is different executions, while storing the random numbers in between.
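The refreshing option mentioned in the answer can be sketched as a simple linear mask refresh. This is a generic textbook gadget, assumed here purely for illustration; stronger (SNI) refresh gadgets are needed at higher orders.

```python
import secrets

def refresh(shares):
    # XOR a fresh random bit into each share and fold the sum of
    # those bits into the last share, so the masked value itself
    # is unchanged while the sharing is re-randomized
    out = list(shares)
    for i in range(len(out) - 1):
        r = secrets.randbits(1)
        out[i] ^= r
        out[-1] ^= r
    return out

# Example: re-randomize a 3-share sharing of the bit 1
fresh = refresh([1, 0, 0])
assert fresh[0] ^ fresh[1] ^ fresh[2] == 1  # value preserved
```

Inserting such a refresh between two dependent multiplications restores the independence that recycling assumes, at the cost of the extra randomness the questioner points out.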
You do one execution, you store those numbers, and then you reuse them in the second execution; then you have some sort of guarantee, but of course this implies storage.

More questions, comments? No? All right, then we'll have a short break and we'll begin again at quarter past five. Thanks again to all the speakers of the session.