So I'm Guillaume Barbier. I will present a joint work by Alberto Battistello, Jean-Sébastien Coron, Emmanuel Prouff and Rina Zeitoun, which tackles the issue of horizontal side-channel attacks on the Ishai-Sahai-Wagner masking scheme. So the agenda of the presentation is this. First I will start by setting the context of the application of their attack. I will describe briefly the first attempt they made and then an improvement of this attack, which renders it quite a bit more efficient. Then I will describe some practical experiments they have led. And finally, I will introduce the countermeasure they propose to thwart this kind of attack.

So first, the application. Well, I believe everybody here knows that an implementation of a crypto algorithm on an embedded system is prone to side-channel attacks, and that against such attacks you will need to add some countermeasures. One quite obvious countermeasure in this case is masking with random values. So we are dealing here with the case of higher-order masking. We will consider that the secret, the sensitive value X, is split among n+1 shares, which are drawn randomly, and the remainder of the algorithm will manipulate those random shares. In recent papers, it has been shown that a sufficient condition to thwart a side-channel attack on such a value is to split the sensitive value among a sufficient number of shares, which should follow this bound, with sigma here being the standard deviation of the measurements that are taken when observing the algorithm execution. So the question the authors want to tackle is: what happens when the number of shares grows? And can this be a security issue in the end, when it grows too much?

More precisely, they tackle the problem of secure multiplication. This is the case where you want to multiply two values that are each represented by n+1 random shares.
And you want a process that will output n+1 shares that, recombined, will lead to the product X times Y. One nice way to achieve this is to use the Ishai-Sahai-Wagner scheme from CRYPTO 2003, which has been extended by Rivain and Prouff at CHES 2010 to multiplication over GF(2^k) for any k. So this algorithm goes as follows. In the end, you will draw random values that you will use to manipulate each small product x_i times y_j. This is used to build the matrix that is represented here. Then you can recombine all the lines of the matrix to output the n+1 shares that form the result of the multiplication X times Y.

So let's go for the attack. What the authors remarked is that in this algorithm, each value x_i times y_j is manipulated once, but each value x_i and each value y_j is manipulated n times, n+1 times actually if I continue with the same notation. You can see here that y_1 is manipulated in this product, in this product, and in this product; this is the case where n+1 equals 3. So the idea is to take advantage of this. What we observe when we take the side-channel leakage while the algorithm is executed is a different leakage depending on each value. We will consider a standard Hamming weight model with Gaussian noise, and you will see that we have a leakage depending on the value of x_i, a leakage depending on the value of y_j, and a leakage depending on the value of x_i times y_j. You can remark here that the standard deviation of the Gaussian noise, noted here, is different in both cases. This directly comes from the fact that we can observe n manipulations of x_i and n manipulations of y_j, so by averaging these observations we can reduce the effect of the noise. So in the end, the intuition for the attack is that when the share you want to retrieve is 0, you will see, as I put here, always 0 when you observe the result of the multiplication.
And if the share is equal to 1, you will observe the same value for the multiplication as the one you observe for y_j, and this can be retrieved in the leakage you analyze. So the authors thought that this should be a nice trick to manage to distinguish whether x_i is equal to 1 or to 0. The attack principle is really a template attack indeed. So you have two phases. In the first phase, you take the measurements and build the templates relative to the manipulation of each sensitive variable, each share actually. In a second step, you try to use the templates you built in the first step and the leakage you observe in the attack step to find the value of the share you're trying to find.

So the question raised now is: how do you find x_i? From the templates you built in the first phase and the leakage L_i you observe when the value is manipulated, you can build the probability density function of the leakage L_i for the different values of x_i. Then for each y_j you can do the same for the share y_j, and you can also do the same for the product x_i times y_j. So in the end, you get three different probability density functions, for x_i, for all the y_j, and for all the products x_i times y_j, relative to the leakage you have observed in the three cases. Yes, and from the probability density functions of L_j and L_ij, relative to the manipulation of y_j and x_i times y_j, you can retrieve the joint probability density function of observing L_j and L_ij knowing that x_i is equal to a certain value. So in the end, you can retrieve the density function relative to observing all the leakages, one L_i and all the L_j and L_ij relative to this L_i, which we can compute like this. This is more formally the algorithm for the attack, but it says pretty much the same as the previous slides. So finally, you will consider as the good hypothesis for the secret share the value that maximizes the probability function we have just seen.
So in numerical simulations, this gives the following figures. You can see that, depending on sigma, we express here the number of shares that is required to find the share with a probability over one half. We can see that even when there is no noise, we need to have 12 shares to be able to find back each sensitive share with a good probability. And when the noise is one, which is maybe not that much, we already need 284 shares to be able to find back the sensitive shares. So this gives the trend of the evolution of the number of shares required, depending on the noise. You can see that we are at several hundreds of shares to get some good probability of retrieving all the shares of the secret.

So these figures seem quite high, and the authors tried to improve this attack. Actually, what they did is they thought: well, we find the probability density function for each x_i in the first step. Why not reuse these results to repeat the attack, but on the y side? So, using the probability density functions of the x to find the probability density functions for the y, then repeating this again, and again, and again, until either the probability has converged or a given number of iterations is achieved. And actually, that gave quite good results. As we can see here (I forgot to say, the previous slide was for the case k = 4, and the results here are shown for both cases k = 4 and k = 8), from the 284 of the previous case we are now down to 21 or 25, depending on the case. And the number of shares required to achieve some good success rate is now down to maybe 100, or 50 even in some cases.

So back to the initial question. The question was: what happens when n becomes greater than this bound here? Well, the answer to this is related to the value of n that is required for the attack to work. Essentially, the attack is a second-order attack because we use the values y_j and x_i times y_j.
It has been shown that the value n needed to be able to mount this attack should be of the order of the product of the variances of the two leakages that are used. In our case, this goes to sigma squared, the sigma we used in the first place, just because of the square root of n divisor factor we have seen in the beginning. So that tells us that if n is greater than sigma squared times a constant, then our attack should be working. So we get to this condition, and we notice that we still have a gap in between those two figures.

Anyway, I will go to the practical experiments. They took the measurements on an ATmega328P processor, and this is relative to a move operation of a given value into a specific register. We can see on the figures the different leakages that have been observed, and the SNR here. We can spot some quite interesting points of interest. These are the curves representing the variance for each value of x, and this is a zoom of the figures, of all the signals around the point of interest that we can see. This has been achieved by using 200,000 observations. One thing that has been quite interesting to learn about the leakage of the component they were using is that they averaged the signals that we have seen here for the different values of the Hamming weight of the value x that was used. We can see that the leakage we observe here is really, really correlated to the Hamming weight of the value: we can really see nine different points, with Hamming weight 8 on the top and Hamming weight 0 on the bottom.

So then only the first version of the attack is presented here, the one with the 284 shares required. And actually, it works pretty much better in reality. As we can see, even with around 10 shares, the average position of the correct share is really good compared to the other possibilities.
And if you consider, in addition to this, the possibility of using an adaptation of a key enumeration algorithm, this should really do the job. In comparison with the numerical experiments, we can see that we were up to 21 when sigma equals 1 for the numerical experiments, and that the experimental value we obtain is closer to 10, for a standard deviation value that is way greater than the simulated one. So one idea of the authors to explain this difference is that the numerical experiments only use one point, whereas the practical experiments use 11 points of interest, so maybe this information improves the results.

So to face this attack, they propose a countermeasure. Going back to the first algorithm for the secure multiplication, we can split the algorithm in two. In the first phase, we compute the matrix with all the products x_i times y_j. In the second step, we introduce some randomness, and we compute the final matrix with the products and the XORs with the random values. The problem comes from the fact that there is no randomness at the first step. So they just add some source of randomness in this algorithm, by splitting the input into two blocks and recursively executing the matrix multiplication, adding some mask refreshing all along the way. So in the end, we can see that every single value manipulated during the algorithm is only manipulated twice under the same mask. We can see here that y_1 here and y_1 here are manipulated with the same mask, whereas the other times the mask is different, so there should not be any relation between them.

So to conclude, this paper presents a horizontal side-channel attack on the Ishai-Sahai-Wagner scheme as adapted by Rivain and Prouff for secure multiplication. The first attempt was not really efficient, but the improved attack gives quite good results. The experiment has been led with success.
And we learned from this that when the order n of the sharing becomes too large, then this might not be really good for the security, actually. In the paper, they provide a proof of security of the new countermeasure, but only against n probes. And they want to do that for the case of n squared probes, since the case with n probes was the case for the countermeasure of the attack, actually; to study what happens when n lies between the two bounds we've seen; and to improve the efficiency of the countermeasure. Actually, that has been done already to some extent, and you can see the results on the ePrint version of the article. That's it. Thank you for your attention.
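As an added example, not taken from the talk or from the paper it presents, the following Python code implements the Rivain-Prouff secure multiplication over GF(2^k) that the attack targets, instrumented to count how many times each share x_i and each partial product x_i*y_j is read, and then simulates the horizontal averaging an attacker gets from those n+1 repeated reads under a Hamming-weight-plus-Gaussian-noise model. Assumptions (mine, not the paper's): k = 8 with the AES polynomial x^8 + x^4 + x^3 + x + 1, and a pure Hamming-weight leakage; the function and label names are illustrative.

```python
# Added example (not from the talk or the paper): Rivain-Prouff SecMult over
# GF(2^8), with a trace Counter exposing the horizontal structure exploited by
# the attack (each x_i, y_j read n+1 times; each x_i*y_j read once), plus a
# simulation of the sqrt(n+1) noise reduction obtained by averaging.
# Assumed field: GF(2^8) with the AES polynomial; the paper handles any k.
import math
import random
import secrets
from collections import Counter

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (assumption, AES field)


def gf_mul(a, b, k=8, poly=AES_POLY):
    """Carry-less multiplication of two k-bit field elements modulo poly."""
    res = 0
    for _ in range(k):
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> k:          # degree reached k: reduce by the field polynomial
            a ^= poly
    return res


def unshare(shares):
    """Recombine additive (XOR) shares into the sensitive value."""
    out = 0
    for s in shares:
        out ^= s
    return out


def share(x, n, k=8, rng=secrets.randbelow):
    """Split x into n+1 shares whose XOR is x (n of them uniformly random)."""
    shares = [rng(1 << k) for _ in range(n)]
    shares.append(x ^ unshare(shares))
    return shares


def sec_mult(xs, ys, k=8, rng=secrets.randbelow, trace=None):
    """Rivain-Prouff SecMult: (n+1)-shared xs, ys -> (n+1) shares of X*Y.

    If `trace` (a Counter) is given, every operand read by a partial product
    is recorded under labels x{i}, y{j}, x{i}y{j}. This is the horizontal
    observation of the talk: x_i and y_j are read n+1 times each, x_i*y_j once.
    """
    n1 = len(xs)
    assert len(ys) == n1, "both operands need the same number of shares"

    def prod(i, j):
        if trace is not None:
            trace[f"x{i}"] += 1
            trace[f"y{j}"] += 1
            trace[f"x{i}y{j}"] += 1
        return gf_mul(xs[i], ys[j], k)

    cs = [prod(i, i) for i in range(n1)]          # diagonal terms x_i*y_i
    for i in range(n1):
        for j in range(i + 1, n1):
            r = rng(1 << k)                          # fresh mask for the pair (i, j)
            r2 = (r ^ prod(i, j)) ^ prod(j, i)       # keep this bracketing (ISW order)
            cs[i] ^= r
            cs[j] ^= r2
    return cs


def manipulation_counts(n, k=8):
    """Return ({reads per x_i}, {reads per x_i*y_j}) for one random run."""
    trace = Counter()
    sec_mult(share(1, n, k), share(1, n, k), k, trace=trace)
    share_reads = {trace[f"x{i}"] for i in range(n + 1)}
    prod_reads = {trace[f"x{i}y{j}"] for i in range(n + 1) for j in range(n + 1)}
    return share_reads, prod_reads


def hw(v):
    """Hamming weight, the leakage model assumed here."""
    return bin(v).count("1")


def horizontal_average_std(n, sigma, trials=4000, seed=1):
    """Average the n+1 noisy Hamming-weight leakages of one share x_i and
    return the empirical std of the residual noise (about sigma/sqrt(n+1))."""
    rng = random.Random(seed)
    errs = []
    for _ in range(trials):
        x = rng.randrange(256)
        obs = [hw(x) + rng.gauss(0.0, sigma) for _ in range(n + 1)]
        errs.append(sum(obs) / (n + 1) - hw(x))
    mean = sum(errs) / trials
    return math.sqrt(sum((e - mean) ** 2 for e in errs) / (trials - 1))


if __name__ == "__main__":
    n = 3
    xs, ys = share(0x57, n), share(0x83, n)
    assert unshare(sec_mult(xs, ys)) == gf_mul(0x57, 0x83)
    print("reads per share / per product:", manipulation_counts(n))
    print("averaged noise std (n=15, sigma=1):", horizontal_average_std(15, 1.0))
```

Running the block with a few values of n shows the two facts the attack rests on: `manipulation_counts(n)` always returns `({n+1}, {1})`, and `horizontal_average_std(n, sigma)` drops like sigma divided by the square root of n+1, which is the reason the speaker gives for the n greater than sigma squared condition.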