Hello everyone, my name is Lorenzo Spignoli and I'm going to present Secure Wire Shuffling in the Probing Model, a joint work with Professor Jean-Sébastien Coron of the University of Luxembourg. So, we are in the side-channel area, where essentially implementations are not always true black boxes. In fact, an adversary may gain some information, or recover some sensitive data, by monitoring the physical properties of the device. The very first approach to that was "discover and fix": that is, whenever a new attack was discovered, a specific countermeasure for that specific attack would be found and implemented. This was until 2003, when Ishai, Sahai and Wagner (ISW) came out with a new model formalizing and grouping all such side-channel attacks. In their model they provided security notions considering an adversary who can probe a bounded number of wires in the circuit. They provided these security notions in terms of a transformer taking a circuit C and producing a new, different one, C', which has to respect two properties: soundness and privacy. Soundness guarantees that C and C' have the same input-output functionality, while privacy states that the view of every adversary probing at most t wires in the circuit can be simulated from scratch. In their paper they proposed constructions for both perfect privacy and statistical privacy. They achieved the first case, perfect security against t probes, through the now well-known masking countermeasure, where along the circuit the gates no longer deal directly with the sensitive data but rather with an n-out-of-n secret sharing of it. So, whenever a gate computes some operation, that gate deals with the shares independently. In the box you can see an example of it; I chose the multiplication.
In fact, the output is a set of n shares c_i, and the c_i are computed from some products of the input shares together with some other random variables, with the property that XORing all the output shares gives the product of the original signals a and b. They achieved perfect security against t probes with a number of shares equal to 2t + 1. The only disadvantage is the cost, which is quadratic in the number of shares and in turn in the number of probes. In order to improve this complexity, they relaxed the privacy notion a bit, now allowing the adversary to recover the information, some secret leakage, with some non-zero but very small, negligible probability. As we will see, the transformer works in two steps, but at the end of the second they still achieve worst-case security, with almost linear complexity; still, such a construction is considered impractical. In fact, our contribution is a proposed variant of the wire shuffling countermeasure from ISW, which achieves linear complexity in the RAM model. We also provide an implementation of it, and as you can see from the figure, our shuffling countermeasure in the long range works much better than classical masking, with a crossing point around 6,000 probes. So, let's present the construction for statistical privacy. As I mentioned, the transformer works in two steps. The first one considers a new security definition, the average-case model, or formally random probing security, where now the adversary cannot choose which wire he wants to probe; rather, each wire of the circuit leaks independently with some probability p.
They showed that applying classical masking against not t but k probes, where k is the security parameter, and choosing p = Ω(1/k), such a circuit C' is indeed p-random-probing secure, and the proof of that relies on the Chernoff bound. In the second step, the transformer expands the intermediate circuit C' into a larger and, in a sense, sparser one. So, in this way, only a small part of the total wires in the circuit actually take care of the computation. In particular, each wire i in the circuit C' carrying a signal y is replaced in C'' with a set of L new wires, all of which carry some dummy value, let's say a dollar sign, except for one, which is actually the useful part of the computation and carries the signal y. Which wire carries the signal is chosen uniformly at random. So, in this way, with t probes the probability that the adversary recovers the original signal is of course p = t/L, and the proof of security is based on the fact that if C' is secure in the p-random probing model, then C'' is secure against t probes. Going a bit deeper into the final circuit C'', essentially each one-input gate is pretty straightforward. Instead, the operations which require two inputs need a bit more attention. In fact, to compute the operation between v_i and v_j, one must put the signals in the same consecutive position. In ISW, they use a sorting network to achieve this property, which has a cost of L log L, and on this cost depends the overall complexity of O(t log t) for security in the worst-case model against t probes. And it is exactly in this part of their construction that we propose a variant: essentially we modify how to achieve this adjacency property, and we improve the overall cost by a logarithmic factor.
How we did that: essentially the main difference from the ISW construction is that we now explicitly compute the position g_i of each signal v_i. In fact, thanks to that we can generate at random a new index j'', which we have called the shuffling index, and we can cyclically shift both inputs. In this way, shifting the inputs by the delta j'' - g_i, we automatically have both signals v_i and v_j in the same consecutive position. Of course we had to slightly change the proof, since now the adversary can probe the signal position directly. The trick in our proof relies on the non-adaptivity of the probes in the stateless model, in which the adversary must commit, must declare in advance, which are the t probes he wants to read and learn. So now the adversary, yes, can learn that index, but when he learns it, it's too late: he cannot change the chosen corrupted wires any more. So the probability of learning the signal still stays t/L, as in the ISW construction. And here is a figure representing the new gates and summarizing essentially my explanation. So, as I told you before, we have a running time of O(L) in the RAM model instead of the O(L log L) introduced and presented in ISW. You can see from the table the comparison between the time complexity and the circuit complexity. And also our countermeasure has the small advantage of being much easier to implement in practice. So now, as a last contribution, we also provided a construction for the stateful model. A stateful circuit is essentially a circuit with memory cells, and such a memory cell can be seen as a gate which outputs the previous input and stores the current input for the next execution. You can see it, for example, as external input and output wires; in a block cipher like AES, such a state will represent the key of the protocol.
So now we are dealing with multiple executions, and so the adversary can move his probes between executions, and also he can adjust the movement of such probes according to what he has seen from the output of the previous one. So it requires some more countermeasures. In ISW each memory cell is simply perfectly t-private transformed, that is, with the classical perfectly secure countermeasure with a number of shares of 2t + 1, which makes the overall cost of the circuit t^3 log t times the number of memory cells. Our contribution for the stateful model takes into consideration a randomizing network. It's one of the cases where the picture is a better explanation than any words, but I will still try my best. Essentially it's a network composed of log_2 L layers, and in each layer, let's call it the h-th layer, the information in the i-th and (i + 2^h)-th wires is swapped with independent probability 1/2. That's not enough. We needed to implicitly compute the index position for our proof, since, if you remember, in the stateless model each gate generates and processes explicitly the index position in the set of L wires. To avoid that, we simply add a cyclic shift, which does not change the overall cost and makes such index position implicit. Essentially that's how we dealt with every cell, and we can save a quadratic cost. In fact our complexity is quasi-linear times, of course, the number of memory cells, and the proof that this is t-statistically private is essentially based on the fact that the swap is performed for all the layers, and in this way at the end of the last layer the output index is randomly distributed, so the adversary cannot take advantage of any computation.
And I think we are in the conclusion part. So, essentially, to summarize, we proposed a first improvement of the wire shuffling countermeasure, an improvement which is somewhat practical, even if with a crossover point at around six thousand. And I will conclude with a sort of food for thought: such an implementation is still completely impractical for embedded systems, for example smart cards. And the open question is: can we still save it and make it practical even for those devices, reducing the randomness in the circuit, so using pseudorandom generation and the concept of L-locality? And with that, I think, yes, that's all. Thank you very much and see you online at the conference.
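The wire-shuffling gadget described in the talk, as an added toy simulation in Python; this is not code from the talk or from the Coron and Spignoli paper. It models each wire as L slots with the real signal at a random position g, implements a one-input gate slot by slot, implements a two-input gate by drawing a shuffling index j'' and cyclically shifting both operands by j'' - g so the signals meet, and sketches the stateful-model randomizing network (log_2 L butterfly layers of coin-flip swaps followed by a cyclic shift). Assumptions that are mine, not the page's: the dummy value "$" is modelled as None, gate functions act on small integers, L is a power of two for the network, and the probing adversary is scored only on whether one of its t non-adaptively committed positions coincides with the signal position (the t/L argument of the talk), not on what the probed wire value looks like.

```python
"""Toy simulation of wire shuffling with explicit signal positions (added example)."""
import random
from typing import Callable, List, Optional, Tuple

Slots = List[Optional[int]]
Wire = Tuple[Slots, int]      # (the L slots, position g of the real signal)
DUMMY = None                  # assumption: stands in for the "$" dummy value of the talk


def expand(y: int, L: int, rng: random.Random) -> Wire:
    """Replace a signal y by L slots with y at a uniformly random position g."""
    g = rng.randrange(L)
    slots: Slots = [DUMMY] * L
    slots[g] = y
    return slots, g


def unary_gate(f: Callable[[int], int], w: Wire) -> Wire:
    """One-input gate: apply f slot by slot; dummies stay dummies, g is unchanged."""
    slots, g = w
    return [DUMMY if v is DUMMY else f(v) for v in slots], g


def shift(slots: Slots, delta: int) -> Slots:
    """Cyclic shift: the value at index i moves to index (i + delta) mod L."""
    L = len(slots)
    return [slots[(i - delta) % L] for i in range(L)]


def binary_gate(f: Callable[[int, int], int], a: Wire, b: Wire, rng: random.Random) -> Wire:
    """Two-input gate: bring both signals to the same random index j'' (the
    shuffling index) by shifting each operand by j'' - g, then apply f slot-wise."""
    (sa, ga), (sb, gb) = a, b
    L = len(sa)
    j2 = rng.randrange(L)
    sa, sb = shift(sa, j2 - ga), shift(sb, j2 - gb)
    out = [DUMMY if (x is DUMMY or y is DUMMY) else f(x, y) for x, y in zip(sa, sb)]
    return out, j2


def collapse(w: Wire) -> int:
    """Soundness check: exactly one slot carries a real value, and it sits at g."""
    slots, g = w
    assert sum(v is not DUMMY for v in slots) == 1 and slots[g] is not DUMMY
    return slots[g]


def randomizing_network(slots: Slots, rng: random.Random) -> Slots:
    """Stateful-model refresh: in layer h, slots i and i + 2^h (bit h of i clear)
    are swapped with independent probability 1/2; a final cyclic shift makes the
    signal position implicit. The position is deliberately not tracked here."""
    L = len(slots)
    assert L & (L - 1) == 0, "L must be a power of two (assumption of this toy)"
    s = list(slots)
    d = 1
    while d < L:                          # log2(L) layers
        for i in range(L):
            if (i & d) == 0 and rng.random() < 0.5:
                s[i], s[i + d] = s[i + d], s[i]
        d <<= 1
    return shift(s, rng.randrange(L))


def network_preserves_signal(seed: int = 2, L: int = 32) -> bool:
    """The network only moves the signal; it never duplicates or loses it."""
    rng = random.Random(seed)
    slots, _ = expand(42, L, rng)
    out = randomizing_network(slots, rng)
    return sum(v is not DUMMY for v in out) == 1 and 42 in out


def probe_success_rate(L: int, t: int, trials: int, seed: int = 0) -> float:
    """Non-adaptive adversary: commits to t distinct slots before the signal
    position is drawn. The empirical hit rate approaches t/L, as in the talk."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        probes = set(rng.sample(range(L), t))   # committed first
        _, g = expand(1, L, rng)                # position drawn afterwards
        hits += g in probes
    return hits / trials


def demo(seed: int = 1) -> int:
    """Shuffled evaluation of (3 XOR 5) + 1 over L = 16 slots."""
    rng = random.Random(seed)
    L = 16
    a, b = expand(3, L, rng), expand(5, L, rng)
    c = binary_gate(lambda x, y: x ^ y, a, b, rng)
    d = unary_gate(lambda x: x + 1, c)
    return collapse(d)


if __name__ == "__main__":
    print("shuffled (3 ^ 5) + 1 =", demo())
    print("hit rate with t=8, L=64:", probe_success_rate(64, 8, 4000))
```

The point to take from `binary_gate` is that the gadget never searches for the two signals: because g is known explicitly, one shift per operand places both at j'' in O(L) work, which is where the sorting network of the original construction is avoided. The non-adaptivity in `probe_success_rate` is the hypothesis the talk's proof relies on; if the probes were chosen after seeing g, the toy would trivially leak.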