Hi, I'm Chen. I'm presenting the paper entitled "Modeling Soft Analytical Side-Channel Attacks from a Coding Theory Viewpoint." This is joint work with Vincent and Olivier; Vincent and I will jointly present the work. This is the outline of the talk. I will start with the motivation, then I will introduce the model. In the third part, I will present an application of this model to an unprotected AES case. Then Vincent will present its applications to protected implementations, including masking and shuffling. The last part is the conclusion of the paper. Let's start with the concept of side-channel analysis. There is a classic scenario in cryptography: Alice wants to send a message to Bob, and she chooses to encrypt her message using a well-designed cipher such as AES. There is an eavesdropper, called Eve, who can listen on this channel to harm the secure communication. The narrow-sense cryptographic problem is to design good mathematical algorithms that achieve this secure-communication goal in the presence of the eavesdropper. However, in the real world, the implementation of the cipher leaks side-channel information, such as timing, power consumption, or electromagnetic emanations, which helps Eve break the claimed security of the algorithm in use. So it is much more difficult to achieve secure communication in the physical world. Now we introduce a very important class of side-channel attacks called differential power analysis (DPA). We observe leakage traces, and we know that a given leakage point corresponds to a computation in which a known plaintext X is XORed with a secret key K to get Z, and Z passes through an S-box to get Y. If we guess K = 0, then from this guess we can build a model M0, and by comparing the leakage L with M0 we obtain the probability that K is 0. We then exhaustively guess the different key values and pick the most probable guess. This approach is also called the divide-and-conquer strategy.
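To make the divide-and-conquer strategy concrete, here is a minimal simulated sketch in Python. It is my own toy setup, not the paper's: a hypothetical 4-bit S-box, Hamming-weight leakage with Gaussian noise, and a correlation-based distinguisher standing in for the probabilistic comparison of L with each model Mk.

```python
import random

# Toy 4-bit S-box (hypothetical, for illustration; AES uses an 8-bit one).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(v):
    # Hamming weight of the value, a common leakage model.
    return bin(v).count("1")

def simulate_traces(key, n_traces, sigma=0.5, seed=1):
    # One leakage sample per trace: HW of the S-box output plus Gaussian noise.
    rng = random.Random(seed)
    xs = [rng.randrange(16) for _ in range(n_traces)]
    ls = [hw(SBOX[x ^ key]) + rng.gauss(0, sigma) for x in xs]
    return xs, ls

def corr(a, b):
    # Plain Pearson correlation, no external dependencies.
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a) ** 0.5
    vb = sum((y - mb) ** 2 for y in b) ** 0.5
    return cov / (va * vb)

def dpa_attack(xs, ls):
    # Divide and conquer: score every key guess independently, keep the best.
    scores = [abs(corr([hw(SBOX[x ^ k]) for x in xs], ls)) for k in range(16)]
    return max(range(16), key=lambda k: scores[k])

xs, ls = simulate_traces(key=7, n_traces=200)
print(dpa_attack(xs, ls))  # recovers the key 7
```

The point of the divide-and-conquer structure is visible in the loop: each key chunk is scored independently, so the attacker enumerates 16 guesses here (or 256 per byte for AES) rather than the full key space.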
Recently a very powerful side-channel attack called the soft analytical side-channel attack (SASCA) was discovered. The basic idea is to iteratively update messages. Let's again take this computational graph as an example. At the starting stage we may have a large amount of information on some values: for instance we know the plaintext X, and on the value Y we may have a very large leakage, but on the desired secret key we only have a small amount of information. After the information propagation we know more about the intermediate values, and finally we can recover the key. We can extend the previous computation graph to form a new toy example for our purpose. We have three layers of computation. The first layer includes four S-boxes whose leakages can be exploited by the divide-and-conquer approach. If we only consider the leakage of the S-box output we have a univariate model; otherwise it is bivariate. We can also build one-round SASCA targets that cannot be exploited by the divide-and-conquer approach, by XORing the outputs of two S-boxes of the previous layer and letting the result be the input of another S-box. We can do the same to obtain two-round SASCA targets as well. So a natural question is: can any leakage be exploited? As suggested by the masking security proofs, all the leakage samples in the implementation can be exploited. Is it true? For the divide-and-conquer approach it is definitely not true: actually, only the leakage from the first and last rounds of a block cipher can be exploited. But the divide-and-conquer approach has the advantage that its security evaluation is very easy. For instance, for 8-bit devices, if we assume a bivariate leakage and assume that the mutual information per leakage sample is epsilon bits, or lambda = epsilon/8 bytes after normalization, then we can easily bound the required number of traces by 8/(2 epsilon) = 1/(2 lambda). For SASCA the situation is much better from the attacker's point of view: it is a very powerful attack.
We call it a nearly worst-case attack, as its performance is close to the optimal one in the information-theoretic sense. However, SASCA also has some aspects that need to be further investigated. One main problem is that it is hard to evaluate its security: if you want to know its performance, then you have to run the attack. The difficulty is two-fold. On the one hand, the attack result can be very heuristic and depends on the circuit representation: if the circuit has a lot of cycles, then the result may not converge, or may even converge to a wrong value. On the other hand, computing the information propagation can be slow: for an n-bit XOR it may take time n times 2^n, and this complexity is already very high for a 32-bit device. So the scope of this paper is to investigate the evaluation of SASCA. We propose a new model, called the local random probing model (LRPM), to bound the efficiency of SASCA. This model allows faster security evaluations of SASCA; it allows revisiting masking security proofs and evaluating actual implementations in a flexible manner; and it allows speeding up the evaluation of shuffling. Now we come back to the toy unprotected implementation shown on the previous slides. We can represent it as a factor graph; we show an instance with three traces here. The key variables are the divide-and-conquer targets, and the w variables and the b variables are the SASCA targets. The divide-and-conquer targets are connected by continuous channels, meaning that their values are the same across the different traces; the SASCA targets, by contrast, have one-shot leakage. Another difference is that the divide-and-conquer targets have bivariate leakage, while the SASCA targets have univariate leakage. The dark gray boxes represent the continuous leakage. In our example we assume epsilon = 0.1 bits, or lambda = 0.1/8 bytes per leakage sample; so the 2-lambda box represents 0.1/4 bytes per trace.
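To illustrate why the information propagation can be slow, here is a small sketch of the message update through an XOR function node, using my own 16-value toy alphabet. The naive XOR-convolution below costs on the order of 2^n times 2^n operations per update; fast Walsh-Hadamard techniques bring this down to roughly the n times 2^n mentioned above, which is still prohibitive for 32-bit variables.

```python
# Message passing through an XOR factor node: given belief distributions on
# A and B, the outgoing message on C = A xor B is their XOR-convolution.

def xor_convolve(pa, pb):
    n = len(pa)
    pc = [0.0] * n
    for a in range(n):          # naive double loop: O(2^n * 2^n)
        for b in range(n):
            pc[a ^ b] += pa[a] * pb[b]
    return pc

# A uniform belief on B leaves C uniform, however peaked A is:
pa = [0.0] * 16; pa[5] = 1.0         # A known to be 5
pb = [1.0 / 16] * 16                 # B unknown
print(xor_convolve(pa, pb))          # uniform over the 16 values

# A peaked B turns knowledge of A into knowledge of C:
pb2 = [0.0] * 16; pb2[3] = 1.0
pc = xor_convolve(pa, pb2)
print(pc.index(1.0))                 # 5 xor 3 = 6
```

The LRPM avoids this cost entirely by propagating a single scalar (a leakage rate) per edge instead of a full distribution.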
As SASCA iteratively updates messages, we need to design local information-propagation rules to bound the normalized information leakage on each edge. There are two types of nodes: the variable nodes and the function nodes. For the variable nodes it is relatively simple: we just sum the input values. This is similar to accumulating information from independent traces in the divide-and-conquer approach. For the function nodes it can be more complicated. We approximate the probability distribution on each edge by a distribution from an erasure channel, i.e., a random probing model, with erasure probability at least 1 minus lambda. Then the output edge is again an erasure channel whose erasure probability we can lower-bound, and from coding theory we know that the capacity of an erasure channel is at most one minus its erasure probability. So we can use this value to bound the information collected on that edge. If we assume that the mutual information per leakage sample is 0.1 bits, then with the model we find that for one-round SASCA the required number of samples is at least 27, and for two-round SASCA it is 21. We see that 27 is about 8/0.3, and the 0.3 consists of two parts: 0.2 from the bivariate leakage of the divide-and-conquer targets, and 0.1 from the univariate leakage of the SASCA targets. We see that the security of an implementation in the LRPM may decrease linearly with its circuit size for small examples. This is a confirmation of the masking security proofs, and it is independent of whether these leakages are exploitable by divide-and-conquer. However, these are just very small examples; in the AES known-plaintext case we will see that this is sometimes not true, and that digging beyond a few rounds is useless. Now we start the AES case study. This is the factor graph of the first round, first column of AES, and it is very complicated. We can do some merging to simplify the graph: we merge variables connected by a bijection.
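A minimal numeric sketch of how such a bound comes together, under my own simplified reading of the rules above: normalized per-trace leakages are summed over independent traces (the variable-node rule), and key recovery needs one full key byte. The full model instead tracks lambda per edge and applies the function-node product rule; this sketch only reproduces the quoted one-round figure of 27.

```python
import math

EPS = 0.1        # mutual information per leakage sample, in bits (assumption)
LAM = EPS / 8    # normalized leakage in key-bytes for an 8-bit variable

# Per-trace budget for the toy one-round example: bivariate leakage on the
# divide-and-conquer targets plus univariate leakage on the SASCA targets.
per_trace = 2 * LAM + 1 * LAM          # = 0.3/8 bytes per trace

# Variable-node rule: independent traces sum; we need 1 full byte in total.
print(math.ceil(1 / per_trace))        # 8 / 0.3 -> 27 traces
```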
We see that Y1 is the XOR of K1 and X1; but as we know the plaintext X1, Y1 and K1 are connected by a bijection, and Y1 is also connected to Z1 by a bijection, so we can merge K1, Y1, Z1 into a new variable W1 and connect their leakages to this new variable. With this merging trick we hide all the nonlinear operations, and what remains is only the XOR operations. We thus obtain a Tanner graph in the coding-theory sense, and the graph is much simpler. From this Tanner graph we can define an adjacency matrix, and we can also define an LDPC code by treating this adjacency matrix as a parity-check matrix. Thinking in the reverse direction, we could define a cipher from an LDPC code, thereby connecting the cipher-design problem to a code-design problem. We hope the tools from LDPC code design could help design SASCA-resistant ciphers; this could be a good topic for future research. We now present the evaluation results of the AES case study. Our setting is as follows: we consider different numbers of rounds of exploited leakage; different deterministic parts of the leakage function, including the random leakage model and the Hamming-weight leakage model; different noise levels, covering a low-noise regime and a high-noise regime; and both the known-plaintext and unknown-plaintext scenarios. Our general result is that the model predictions match the experiments and are conservative, and that the evaluation time of our LRPM is significantly shorter. This figure shows the leakage bounds and the success rates of experimental SASCA, exploiting up to two rounds, against an unprotected AES implementation in a known-plaintext scenario. Here the noise parameter is only 0.05, so we are in a low-noise scenario. We simulate the TA (template, i.e., divide-and-conquer) attacks, the one-round SASCA, and the two-round SASCA. For each of the three cases we run the experiments in the Hamming-weight leakage model and in the random leakage model, respectively.
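As a small illustration of the Tanner-graph step, here is a sketch (a hypothetical toy set of XOR relations, not the actual AES graph) of how the XOR constraints between merged variables become the rows of a binary parity-check matrix, exactly as for an LDPC code.

```python
# Each XOR relation w_a xor w_b xor w_c = 0 between merged variables
# becomes one row of a binary parity-check matrix H.

xor_relations = [      # indices of the merged variables in each XOR factor
    (0, 1, 4),
    (1, 2, 5),
    (2, 3, 6),
]
n_vars = 7

H = [[0] * n_vars for _ in xor_relations]
for row, rel in enumerate(xor_relations):
    for v in rel:
        H[row][v] = 1

for r in H:
    print(r)
# Treating H as the parity-check matrix of an LDPC code is what connects
# the cipher-design problem to a code-design problem.
```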
And our conclusion is that the attack complexity is independent of the shape of the leakage function. We also ran the experiments in the high-noise scenario; there, our conclusion is that the improvement of SASCA over the TA is independent of the noise. This is particularly relevant in practice, because we can then compute the constant factor between the conservative model and the real attacks, and this factor holds independently of the noise. We also ran the model and the experiments in an unknown-plaintext scenario with up to 10 rounds. Our results show that in the known-plaintext scenario, digging beyond the second round does not help much, but in the unknown-plaintext scenario, leakages from all the rounds are very helpful. Hello, I will continue the presentation with the protected-implementation cases, and we start with masking. The idea of masking is to split the secret x into d shares, x0 up to xd-1, and then to perform the operations on the shares. So when an attacker wants to extract some information, he has to accumulate information on each share and then combine this information to recover information on the secret. This can be represented with the factor graph described in the left part of this slide, where we have our secret x, then our shares, the leakage information on each share, and then a combination function that sends information to the secret. This can be captured in our local random probing model with the set of equations in the right part. We assume that we have the same amount of information on each share, lambda per bit; that is the normalized information per bit, so it is less than one. Then we can bound the information the combination function sends to the secret value by raising this value to the power d. And that is what we expect from the masking proofs: the information decreases exponentially with the number of shares.
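A tiny sketch of the encoding bound just described, under the stated assumptions (lambda of normalized information per share, d shares, n independent observations; the cap at 1.0 and the function name are my own additions):

```python
def masking_bound(lam, d, n_obs):
    # lam: normalized information per share (< 1), d: number of shares,
    # n_obs: independent observations of the encoding.
    # One observation leaks at most lam**d on the secret; n_obs observations
    # leak at most n_obs * lam**d, capped at full information.
    return min(1.0, n_obs * lam ** d)

for d in (1, 2, 3):
    print(d, masking_bound(0.01, d, n_obs=100))
# Information decreases exponentially in d (about 1.0, 1e-2, 1e-4 here).
```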
Of course, there is some constant-factor loss in the proof, and we discuss some technicalities to reflect that in the paper. Now we can bound the information obtained from the encoding over several observations simply by multiplying by n, the number of observations. That is it for the masked encoding. We can also make one remark: in the masking case, as opposed to the unprotected case, we do not have many continuous leakages; we have just one continuous leakage. Once we have the bound for observations of the encoding, we can look at what happens for a full multiplication. Usually, horizontal attacks against masking target the multiplication algorithm, such as the Ishai-Sahai-Wagner (ISW) multiplication. This kind of algorithm takes two shared values as input and computes the corresponding cross products. These cross products carry some information about the sensitive values, and the goal of a horizontal attack is to exploit this. So we looked at how to bound the leakage from these internal products, and we describe this with an equation in our paper. Once again, go to the paper for the details; here I just present the bound we get. It is represented on the graph: on the x-axis we have the number of measurements, and on the y-axis the leakage bound we estimate; both axes are in log scale. We look at different cases, i.e., different orders: in blue we have order 3, in red order 6, and in green order 9. On the left part we have the high-noise scenario. In that case we can see that the distance between the lines is similar from 3 to 6 and from 6 to 9, and that is what we expect: adding 3 to the order has the same multiplicative impact on the leakage bound. Now if we look at low noise, on the right part, we can see that the distance between the lines is smaller from 6 to 9 than from 3 to 6.
And that is where horizontal attacks can take advantage; it is what was shown in the literature on horizontal attacks against masking: they are more efficient, i.e., they obtain more information, in a low-noise setting than in a high-noise setting. Expressing this information analytically is much more complicated, but what we can do with our set of equations is derive this graph quite easily and efficiently; whereas if you have to implement the horizontal attack and repeat it to estimate the success rate, it can be quite computationally intensive. That is our main advantage: we bound the information instead, and we are far more efficient. We now consider another countermeasure, namely shuffling. The main idea of shuffling, when we have a set of identical operations applied to different parts of the state, is to perform them in a random order. Typically, in a block cipher like the AES, the S-box layer consists of 16 executions of the same operation. Without shuffling, we first execute the first S-box, which corresponds to a known point in the trace; then the second operation, again at a known point in the trace; and so on. With shuffling, we perform these operations in a random order: we might start with S-box 3, then do S-box 5, then S-box 1, and so on. So when an adversary attacks such traces, he does not know at which point he will obtain the leakage for, say, S-box 1. The effect is to spread the information of one leakage point over all the points where the shuffled operations can occur, i.e., over the number of shuffled operations, and this tends to amplify the noise. We can consider different scenarios to attack shuffling. The first one is the one with no information about the permutation: we basically have to consider all the points and perform an integrated attack, by summing over all the points and attacking them together.
We call this the integrated template attack, and it gives us the epsilon of information of one operation spread over all the points of the traces. The second case is when we have some information on the permutation: since the permutation needs to be generated, we can also observe its generation, and then link the information from the permutation with the information from the operations to mount a more successful attack; for this case we have another estimate of the information obtained on the permutation. Finally, we also look at a third case: for efficiency reasons, sometimes one does not shuffle over a full random permutation but starts from a random index. Typically, we draw a random value and then execute the S-boxes in order, starting not from 1 but from that random value; this is called a random start index. This can also be attacked, and since there is more structure in the shuffling, the attack can be more efficient; it gives rise to a variant of the integrated template attack. Using the local random probing model we can evaluate the cost of these different scenarios. Simulating the attacks directly can be computationally intensive, because the permutation-based attacks require heavy computations; with the model we simply draw a bound. We draw the bounds on the graph: on the x-axis we have the number of measurements, and on the y-axis our leakage bound. There are several curves: the blue line corresponds to the unprotected case, given as a reference; in green we have the random-start-index attack; then the template attack using the information on the permutation generation; and in black we have the attack that does not use the permutation.
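As a rough numeric sketch of the noise-amplification intuition described above, with hypothetical numbers of my own (epsilon = 0.1 bits per S-box leakage sample, a 16-operation shuffle, and the simplistic rule that full recovery of a key byte needs its 8 bits of information):

```python
import math

EPS = 0.1     # bits of information per S-box leakage sample (assumption)
N_BITS = 8    # size of the targeted key byte

def traces_needed(eps_per_trace):
    # Simplistic rule: accumulate N_BITS bits of information in total.
    return math.ceil(N_BITS / eps_per_trace)

unprotected = traces_needed(EPS)        # leakage point known: full epsilon
shuffled16  = traces_needed(EPS / 16)   # information spread over 16 points
print(unprotected, shuffled16)          # factor-16 amplification
```

This reproduces the shape of the conclusion drawn from the figure, where shuffling multiplies the required number of traces by roughly the number of shuffled operations.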
On the left part we have the low-noise scenario and on the right part the high-noise scenario; in the paper we also give some intermediate noise levels. We can make some observations from this graph, similar to the ones for masking. For low noise, shuffling is ineffective and does not improve the security of the device. For intermediate noise, shuffling starts to have an impact on the information leakage, but with a random start index the enumeration is quite easy, so we get weaker security. Finally, for large noise, all the shuffling variants have a similar impact: we essentially amplify the required effort by the number of shuffled operations. That is what we can see here: in the unprotected case we need about 100 traces for full information, while with shuffling we need 1600. To conclude our work: we have proposed a new model, called the local random probing model (LRPM), to bound the efficiency of SASCA. This model allows fast security evaluations of SASCA; its predictions match the experiments and are conservative for an unprotected AES implementation; and it can be applied to evaluate protected implementations such as masking and shuffling. This model has actually already been applied in some recent papers. We hope that this research can shed light on the systematic study of combined countermeasures against nearly worst-case SASCA. Thank you.