... of the sharing. Thank you, Emmanuel. Thank you. We continue. We are going to finish with the sharing techniques, and after that we will see how we can develop techniques to secure the processing of the whole computation on the shared data. I am going to present a few sharing techniques, and we will conclude with an introduction to the threshold implementation problem, which is a new problem addressed by our community since 2012. Just to conclude on the sharing techniques: I previously said that the sharing can be seen as encoding with error-correcting codes, and the parameters of the sharing, meaning the security order d and the number of shares n, are related to the parameters of the code which is used. But there are also other techniques for sharing sensitive data; I list some of them here. For instance, we can try to use multiplicative sharing. Why use multiplicative sharing? It can make sense if you want to process a multiplicative operation on Z.
Assume that you want to compute Z cubed. If you use linear sharing, you will have to develop the processing of Z cubed over all the shares, but because the addition cannot be developed with respect to the multiplication law there is an issue, a complexity in doing that. Instead of sharing the value additively you can choose to share it multiplicatively, and then if you want to compute Z cubed from the multiplicative sharing you just have to compute Z1 cubed, Z2 cubed, and so on. So this is a way out: process with the multiplicative sharing. The problem with multiplicative sharing is that you cannot use 0 shares, of course, because if you use 0 shares then the result is 0 whatever Z, and you cannot mask Z. So there is a difficulty in applying this for Z if Z can take the value 0. There are also other techniques which can be used; I list them here, but not all of them are interesting. Maybe I can just say a few words on this countermeasure, which is useful when it comes to protecting asymmetric processing, for instance the processing of RSA or elliptic curves. There we don't split the secret with the bitwise addition law, of course, but with the arithmetic addition law, and so everything I previously said must be adapted to this kind of operation. Last slide on the sharing: there is also an interesting alternative to the sharing as presented in the previous slides. The idea is quite simple: you split Z into two shares, always into two shares, and so you could think that the security achieved here is only 2, since an adversary able to observe the manipulation of Z0 and the manipulation of Z1 can rebuild Z. This is not true if you use a particular code with dual distance d: if you choose Z0 in some code C of dual distance d, and Z1 in the same code C, you can prove that all the moments,
all the statistical moments of this addition are independent of Z, so they are constant whatever Z. So if it leaks according to the Hamming weight, in some model, you have to raise the leakage to some power, and this forces you to increase the amount of noise, to decrease the signal-to-noise ratio. It's another way of doing that: to ensure that all the statistical moments up to some threshold d are constant with respect to the shared data, and become dependent on the shared data only from the statistical moment of order d. So this is another idea. Another technique which has been proposed recently is the inner product sharing, which can be applied in a different context; just a note, if one of the vectors in the inner product sharing is constant, we have a sharing which is equivalent to the classical linear sharing. So now that I have many different techniques to share sensitive data, the question is how to operate on this sharing while ensuring that I always have my security at order d. Once again, I recall that having security at order d means that I can defeat any adversary which is only allowed to observe d intermediate values. The original idea I am going to present has been proposed by Ishai, Sahai and Wagner in their CRYPTO 2004 paper; it was limited in this paper to GF(2), but it can be straightforwardly extended to any finite field, and I am going to present you the idea. It starts from a Boolean sharing: the sensitive variable Z has been split into d+1 shares Zi, and now I am going to split my processing, for instance a block cipher processing, into operations which are only affine or multiplications. I can always do that, because any polynomial can be split like that. So I have a finite field in which my processing is described, and I am splitting this processing into affine operations and multiplications. For the affine operations it is easy to get a secure processing:
imagine, let us assume that I have the shares; in order to securely process L(Z) from the shares I just have to process L on Z0, then L on Z1, and so on, and I know by linearity that the sum of the shares gives me L(Z). Good: it means that I can easily build a sharing of L(Z) from a sharing of Z, and the complexity of this is only linear in d, the security order. It is unfortunately much more difficult if I want to process a multiplication, which is however a quite simple operation. Ishai, Sahai and Wagner have shown a way to do that with complexity d², meaning that it is d times slower than the processing of an affine function. So we start with a sharing: I want to securely process A times B, I have a sharing of A into d+1 shares and a sharing of B into d+1 shares, and I want to compute a sharing Ci of A times B. I start by noticing that the sum of the shares Ci I want to build, because they must be equal to A times B, can be developed like that, and so the sum of the shares Ci equals the sum of all the cross-products Ai·Bj. The first thing I can do if I want to securely process A times B is to process Ai times Bj; with that I am able to build this matrix. I do the processing separately, and of course if I am just manipulating each product separately I still have my security, because the manipulation here only leaks on one share of A and one share of B, and this is true for all the elements of the matrix. So manipulating the elements of this matrix does not introduce a flaw with respect to my d-order security. The problem is that here I have a sharing of A times B into d² elements, and recall that I want a sharing into d elements. How to do that? I could simply add the elements of each column and define C0 as the sum of these elements, C1 as the sum of these elements, and so on. The problem is
that if I do that straightforwardly, directly, I have an issue, because here B0 will factor A0 + A1 + A2, and A0 + A1 + A2 in this example equals A, so I recover something which is dependent on A. So I cannot add those elements directly. The second idea is: since I cannot add directly, what I am doing is generating a matrix of random values Rij; they are a sharing of 0, but instead of that they are totally random. I am building the sum separately, it gives me this matrix, and now I can sum the elements of each column. Why? Because I am protected by those random values, and because those random values are random except that all of them sum to 0, I have the independence I need. I am ensuring that if the adversary only observes C1 or C2 or C3, only observes at most 2 of the shares Ci, then he is not able to recover C; he needs to have all the Ci to recover C, because this is the condition to have all the random values summing to 0. So this is the idea of the construction by Ishai, Sahai and Wagner. We see that in order to secure one multiplication we need to process d² multiplications and we need to use d² random values. Actually, Ishai, Sahai and Wagner show that it is possible to reduce by 2 the cost in terms of random values, just by using an argument of symmetry: in fact they use the same random values here and here, essentially without decreasing the security. And actually it will be shown in a paper tomorrow that we can still divide by 4 the randomness complexity, and it is an open question to reduce the randomness complexity of this scheme as much as possible. We know that there exists a scheme with linear randomness complexity, but the proof is not constructive. Perfect: I have a technique to secure the processing of linear functions and a technique to secure the processing of a multiplication at any order d, so I have a technique to secure the processing of any polynomial
function, because any polynomial function can be seen as a sequence of linear operations and multiplications. Great: if I need to securely process something like that, the processing of S on x described like that, then I can split this processing into additions, scalar multiplications (multiplications by constants), squarings, which in characteristic 2 are also linear, so they are also linear in d, and regular multiplications. The first three kinds of operations are linear, so these are the operations I want to favour in my decomposition of the processing; only the regular multiplications, what I call regular multiplications, that is a multiplication which is not a squaring, a multiplication a times b which cannot be described as a squaring, have complexity d². So my goal will be to find a decomposition of the polynomial function into a sequence of operations with the minimal number of multiplications, because these are the operations which are costly. It leads us to define what we call the masking complexity of S, which is simply defined as the minimum number of regular multiplications which are needed to evaluate S. This definition brings two problems: the first one is how to compute the masking complexity of a function S, or at least how to have bounds; the second one is how to find evaluation methods which are efficient for the masking complexity criterion. For monomials it is once again related to something which is well known in the finite field world: in fact for monomials it amounts to looking for what we call a 2-addition chain. An exponentiation is a splitting of the exponent as a sequence of additions, and each new term in the sequence must be the result of two previous terms; this is an addition chain, and we add the term 2-addition chain because we also assume that we can multiply by two. So we want to find an addition chain leading to the
power we want to compute and which is as short as possible; to build this chain we start from one and we add a new element just by adding previous ones. For polynomials it demands finding efficient decompositions, and several proposals have been made to efficiently split polynomials while reducing the number of needed multiplications. One proposal is just an application of the quite famous algorithm by Knuth and Eve, the second one is a proposal we made in a paper in 2012 which is called the cyclotomic method, and another one is due to Coron, Roy and Vivek and has been published in 2014. I will present those techniques. First, the cyclotomic method. I just introduce some notation: I call cyclotomic class of alpha the set of all the elements I can get from alpha by multiplying alpha by a power of 2, 2^j, modulo the cardinality of the finite field minus one. Why do I introduce this notation? Just because you can check that if I have processed an element of the cyclotomic class of alpha, then I can get for nothing all the elements of the same class. Why?
Because, as beta is in the same class as alpha, I know that I can compute x to the power beta just by squaring x to the power alpha several times, simply because alpha and beta are in the same class. And why do I say that this is for free? Because squaring in a field of characteristic 2 has complexity linear in the security order, while my goal is to minimise the number of multiplications, which have complexity d². Great: I know that all the elements of a cyclotomic class can be obtained once I have one representative, one leader of the class. So what can I do? I have the decomposition of S(x) as a polynomial with monomials, powers of x, and first I start by grouping all the powers which are in the same class. So I get this class, and for this class I can compute all the elements without multiplications, because once I have x I can have x^2, x^4, x^8 just by squaring, and squaring is for free. Then I have x^3, so I take all the elements of the class of x^3: once I have x^3 I can process for free x^6, x^12, etc., and so on. In fact I am decomposing the processing of S(x) as the processing of linearized polynomials in the cyclotomic class leaders, and so the number of multiplications is only the number of multiplications needed to compute all the cyclotomic leaders. For instance, if I assume that I have in my representation of the S-box only the elements in the classes of x, x^3, x^5 and x^7, then I just have to find a way to process all those powers with the minimum number of multiplications. For instance, here I will have to go from x to x^3, because I have to compute x times x^2; x^2 is for free, so I have one multiplication here. Getting x^5 is only at the cost of one multiplication, this is x^3 times x^2, and so on. So essentially the number of non-linear multiplications with this method is the number of cyclotomic classes
involved in the representation of S, and I remove from this count the cyclotomic classes of the 0 element and the 1 element, which can be obtained without multiplications. So this is one possible way to split the processing into linear functions and multiplications while decreasing the number of multiplications. Another method is just an application of the Knuth-Eve algorithm. It's very simple: you start by splitting the powers into two sets, the even powers and the odd powers. Now you factor by x, it costs you one multiplication, and then you just have to reduce the degree by replacing x^2 by x; now at the cost of one multiplication you have divided the total degree by a factor 2. And so you can repeat this process several times: now you have two sequences, each sequence can be split into two sub-sequences, one for even powers and one for odd powers, so the next step will require two multiplications, and so on until some order r, and it gives you 2^r multiplications to get the full decomposition. After that, to finish, you just have to process this power; if this power is too expensive to process you can continue to split the method with higher degree, and so on. Great, it gives you a method with 2^(n-r-1) + 2^r - 2 non-linear multiplications. So this is another way out. The last method I wanted to present to you is due to Coron, Roy and Vivek. It starts from cyclotomic classes: it starts by building a union C of s cyclotomic classes so that all the powers in the polynomial representation we want to split belong to C + C, where C is a union of cyclotomic classes. Then it gives me a set of polynomials P with powers only in the union of cyclotomic classes; this is not all the possible polynomials, this is only the sub-family with monomials only in C. And now I will look at a splitting of the processing of S as a linear combination of products
like that, plus a polynomial. So the question we have to solve is to find t polynomials p_i, t polynomials q_i and one polynomial p_{t+1} so that this equation holds. This is a quadratic system, so it's a difficult system to solve, but we can linearize it quite easily: we just fix some polynomials here, we choose to fix the polynomials q_i at random, and we have a linear system like that with 2^n equations, and we want to find the polynomials p_i. As the polynomials p_i belong to P, they have at most n·s terms, at most n·s non-zero coefficients in each p_i, and I have t+1 such polynomials to find, so I have (t+1)·n·s unknowns to recover and 2^n equations. Great: if the necessary condition here is satisfied, then I can hope to find a solution, and actually what has been shown in the paper by Coron, Roy and Vivek is that this condition was sufficient in practice if the polynomials q_i were generated at random. This is a very efficient method; it can be seen that with this method, which is heuristic, we have a complexity in terms of multiplications which is about the square root of 2^n / n non-linear multiplications, which is a very important result. This is very efficient because we know, I didn't explain that, but we know that there is always a polynomial whose evaluation requires at least the square root of 2^n / n multiplications, so we know that this is an upper bound, and so the complexity of the method by CRV is almost optimal in the worst case. I give you a table here for some dimensions, just to illustrate: we know how to evaluate in a quite easy way the AES S-box with four multiplications today, and for the DES S-boxes, for all of the DES S-boxes, we know how to process them in three multiplications. So this is quite surprising: a function like DES, which has no structure, can be
evaluated with only three non-linear multiplications by using this technique. I finish this part with a last result which is quite interesting too. This theorem says that if you want to evaluate a function H on the sum of d shares, you can split this evaluation into evaluations of H on sums of subsets of the shares, and the size of these subsets is just limited by the degree of H. It's a quite complex formulation, but it simply says that if you want to evaluate H on d shares, whatever d, you just have to know how to evaluate H on the sum of s shares where s is the degree of H; so the degree of H is bounded, it does not change. Sorry, I forgot to give the definition of the algebraic degree: the algebraic degree is defined as the weight of the powers of the non-zero monomials in its decomposition; for instance the AES S-box, which is defined over GF(256), has algebraic degree 7: it has degree 254 but algebraic degree 7. So here it's good, it says that if the degree of H, for instance the algebraic degree, is 3, then you just have to know how to process H on the sum of 3 shares and not on the sum of d shares; if you know how to do that you can deduce an evaluation for d shares. It's very interesting if there is a huge difference between the number of shares, so the security order, and the degree of H. Oh, there is a little problem: the problem is that the complexity of this method is d^s, so it can be expected to be better than the Ishai, Sahai and Wagner approach, where I am splitting the entire processing into linear functions and multiplications. Here the idea is to split the processing into linear functions and polynomials of degree at most s, so this approach, which is more general, can lead to efficient constructions if s is small, because the complexity of applying this technique is d^s. So at least for s
equal to 2, so for functions with algebraic degree 2, this theorem gives you an argument to split the processing of an S-box into linear computations and quadratic computations, not only multiplications but any quadratic function, and it will cost exactly the same as the Ishai, Sahai and Wagner method with only linear functions and multiplications. To conclude this tutorial I would like to relax a little bit my model to make it a little more practical. We have seen that if I am assuming that the adversary is limited to d observations and that only computation leaks, meaning that if I focus on one operation I will observe something which is only related to this operation, to the input and the output of this operation, then in this model I have quite interesting methods to secure the processing. The problem is that this model can be seen as too idealistic, and this is an observation which has been made in a paper in 2006 by Stefan Mangard at CHES: in fact it can appear that what we call glitch effects occur. What is the glitch effect? In the ideal model you assume that a gate is active only if the two inputs of the gate are there simultaneously; if you split the processing into a sequence, we assume that each gate associated to an operation is active only when the operation is needed. But it's not true in practice: in practice all the gates of a circuit are active all the time, so they can evaluate the output even when the two inputs of the gate are not there yet. For instance, this is the ideal model: sorry, in the ideal model I assume that when this gate is active, this gate is inactive, and when this gate is active all the other gates are inactive. But in the real model, in real
life, all those gates are active at the same time, so when the processing here is done this processing is also done, but not with the right input, because the input is not there yet; so it is evaluated on something which has no sense in terms of the final output, but which can be measured to get information about the wrong processing. It's a little bit like in multi-party computation: going from the multi-party computation model with honest players, meaning that the circuit you are analysing is working ideally and is exactly processing the things that are described in your paper, to the multi-party computation model with dishonest players, where the players can deviate from the original protocol; in the world of circuits this means that the circuit you are analysing is sometimes acting in some way you cannot predict. So it's very complex to define security with this kind of model; I will not enter into these details. This is however the purpose of the techniques called threshold implementations. Let us formalise the threshold implementation problem: you have Z which is shared into d+1 shares Zi, we can assume that the sharing is additive for the bitwise addition, and I also need to consider each Zi as a vector itself, a vector of coordinates: all the Zi belong to some field, for instance GF(256), so they can be viewed as vectors of 8 bits. This is essentially what I am writing here: if here I have a byte, I just want the decomposition of Zi in terms of bits. So I write this matrix: I have the shares here, I am writing the column vectors, so this is the vector corresponding to Z0, the vector corresponding to Z1, and so on. What I want with a threshold implementation is to implement F(Z), and because Z is shared I know that processing F(Z) amounts to processing F on Z0 + Z1 + Z2 + Z3 + Z4, here sorry, Z4,
remove it. Essentially, not only against classical side-channel attacks but also against classical side-channel attacks in the presence of glitch effects. This can be stated in the TI problem as the problem of finding t functions Fi and t sets Ei, where Fi only operates on the subset Ei of the bit coordinates, and the sum of all the outputs of these functions Fi gives F(Z). But in order to deal with my glitch effects I have a condition on the Ei for security at order 1, meaning if I want to have an implementation which is secure against adversaries which are only allowed to observe one intermediate result: the condition on the sets Ei is that each Ei must be such that, for any row here, there is at least one cell which is missing in Ei, meaning that there is at least one element in each row which is not in Ei. If I have that, we can see that the elements in Ei are totally independent of Z, for sure, because the sum of the Zi gives Z: if I remove a single element in each row it means that I remove one share of each coordinate of Z, here and here, and so I don't have a sufficient number of shares to rebuild Z. So if this condition is satisfied, I am ensuring that all the elements in Ei are independent of Z; it means that Fi is operating on an input which is statistically independent of Z, so Fi can do anything, it cannot reveal information on Z because it is operating on an input which is independent of Z. Especially if there are glitches during the processing, they will not lead to a security flaw, because the glitch will only reveal something which is independent of Z. So this is the core idea of threshold implementations. This condition is quite easy to satisfy; the second condition is much more difficult to satisfy. The second condition is uniformity: the uniformity condition just says that the tuple of the Fi after the evaluation gives you a new sharing of
F(Z). So you start with a sharing of Z and afterwards you have a new sharing of F(Z). For that, in order to have a sharing, remember that you have to have uniformity, independence: for instance if you want a sharing secure at order d you have to ensure that every tuple of at most d-1 shares is independent of Z; that means you have a sharing, and this is in fact uniformity. So for this uniformity condition, not only do you have to find something like that, but you have to satisfy that the outputs are essentially independent, and the only condition on the inputs is that when they are summed they equal F(Z). Just an illustration of how we can see the threshold implementation problem: you start with a matrix like that, and one way to define the sets E1, E2, E3, E4 is, for instance, for E1 you remove the first column, for E2 you remove the second column, for E3 the third one, and so on, for E4 the fourth column. Then you just have to define the functions Fi, but you can do that in many different ways; the papers focused on this representation, on this splitting, but all those definitions of the sets Ei work. Now, how to define the functions Fi? You also have a quite straightforward method: you start with the splitting of this polynomial function, which is seen as a multivariate polynomial in these bits Zij, and to define F0 you take this multivariate polynomial and you fix all the bits of share 0 equal to 0; essentially it means that from the description of the multivariate polynomial you remove all the monomials which contain bit coordinates of share 0. You remove all those monomials, it gives you a subset of the monomials, and with this subset of the monomials you define F0. Now with the monomials which remain after this processing you do the
same, but now you remove all the monomials which depend on coordinates of share 1, and so you ensure that F1 does not depend on share 1. It gives you a new polynomial, and with the remaining polynomial after this operation you continue: you remove all the terms depending on share 2, and so on, until nothing remains in the multivariate polynomial. Like that you have a splitting of the evaluation of the function F into t evaluations of functions Fi which apply only on a subset, and these subsets are defined so that there is total independence between the inputs of the functions and the shared value Z. So this is the construction. Unfortunately it does not necessarily satisfy the uniformity property, and actually it will almost never satisfy the uniformity property; this construction just says that I can satisfy the first condition, but it does not say how to satisfy the uniformity condition. The uniformity issue is in fact not fully addressed at the moment; this is the most difficult part to deal with in the threshold implementation problem. There is no generic explicit construction working for any F; the approaches are by exhaustive testing, and they are based on classifications of functions with respect to affine input/output invariance. Just for information, a threshold implementation of the non-linear part of the Keccak hash function is given in the specification; that's why many researchers are working on this subject, because it has been proposed in the specification of the Keccak hash function. It was possible for the Keccak hash function because the non-linear part has a very, very simple algebraic description, and for this very simple algebraic description it is possible to exhaustively test all the decompositions; it's even possible to do that with paper and pen, it's quite easy. Just for your information, the
principles of threshold implementations have been extended to any order in a paper by Bilgin and co-authors at ASIACRYPT 2014, and they have been linked to the classical problem of security in the probing model in a paper at CRYPTO 2015. Last year it has been successfully applied to the Noekeon S-box, once again because the Noekeon S-box is very simple and works in a very small dimension, so it was possible to output a threshold implementation like that. Here you have our functions F1, F2, F3, and you can see that indeed F1 is only parameterised by X1 and X2 but not by X3, so the input of F1 is totally independent of X; this is also the case for F2 and F3. Then after that you have a first set of registers, and this set of registers is still a sharing of F(x), so this is a good sharing, and then you process a second step of the processing with a new threshold implementation G1, G2, G3. So here the Noekeon S-box has been split into the composition of two very simple functions F and G, and the threshold implementation has been found for F and for G separately. To conclude this tutorial, what I wanted to point out is that we need algorithmic countermeasures with formal proofs of resistance, and this is not only a need for researchers, it's also a need for the industry: we need to be able to guarantee a certain level of security even if the model is not perfect. But of course we also need models, formal models fitting the physical reality of devices and enabling relatively simple proofs. This is sometimes difficult: as I showed you, we have models which are good because they enable simple proofs, but they are not as realistic as we would like, and we also have models which are very realistic, but with these models it's much more complex. What I wanted to show is also that countermeasures must be efficient and resistant against powerful adversaries, so this is always a trade-off: sometimes we can accept some
low level of security because we want something very efficient, sometimes we are able to pay a lot in terms of efficiency because we want something very secure. It also depends on the amount of noise in the device: for instance it's much simpler to attack an old smart card, a 20-year-old smart card, than to attack an AES processing running on a smartphone, with a lot of electronic noise, where extracting the information is very complex. In the case of a mobile smartphone you have a very high level of noise, a high value of sigma, and because you have a high value of sigma maybe you can tolerate a small masking order d, because I showed you that the security is sigma to the power d. On the other hand, if you are working with an old smart card, maybe the amount of noise is very low, so in order to achieve the same level of security you will have to pay a lot in terms of sharing order. What I wanted to point out is that there are a lot of links between our problems, which can be seen as quite practical, and other theories which are considered more theoretical, like for instance, no, not error-correcting codes, but multi-party computation and things like that, techniques which can be used in this area, so there are a lot of connections; there are also connections with the area of efficient processing in small characteristic, and so there are certainly many ideas to take from these areas. So once again we have many open issues: improve the proof techniques and automate them, and there are some studies which are done with respect to this problem, especially in Spain in the team of Gilles Barthe, but other researchers are today interested in this; improve the existing techniques and adapt them to such a context, which is once again related to formal proofs; reduce the randomness consumption of existing techniques, which is a problem I didn't speak a lot about during the
tutorial, but generating random numbers with good quality is quite costly, so limiting the amount of randomness which has to be used is important in terms of timing complexity; find efficient evaluation methods, which is more related to the attacks part; and for threshold implementations one of the open problems is to find generic constructions to secure at least some families of polynomial functions at any order. Thank you for your attention, and if you have any question to ask, I am there, or here during the pause, or tomorrow. Thank you.

So thank you, Emmanuel, for this very interesting and very broad tutorial. We have time for a few questions, or maybe the questions can be taken offline. No questions? So let's thank the speaker again. Thank you.
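The constructions described in the tutorial, as one added worked example (editorial code, not the speaker's or any paper's implementation): the Ishai-Sahai-Wagner multiplication gadget with the halved, symmetric randomness the talk mentions, the "free" share-wise squaring, the column-sum flaw the talk warns about, the cyclotomic-class multiplication count, and the four-multiplication masked AES inverse x^254 that the talk cites. It assumes GF(2^8) with the AES polynomial, d+1 Boolean shares, and the exponent chain 1, 2, 3, 12, 15, 240, 252, 254; the mask refresh inserted before each multiplication is a conservative precaution taken from the later masking literature, not a step of the talk, and does not alter the multiplication count. All inputs are constructed test values.

```python
# Added worked example (editorial code, not from the tutorial or any paper):
# d-th order Boolean masking over GF(2^8) with the Ishai-Sahai-Wagner (ISW)
# gadget, share-wise squaring, the cyclotomic-class count and masked x^254.
import secrets
from functools import reduce

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field (this example's choice)
N = 8             # field dimension, GF(2^N)

def unshare(s):
    """Field addition is XOR: the secret is the XOR of all shares."""
    return reduce(lambda u, v: u ^ v, s, 0)

def gf_mul(a, b):
    """Schoolbook multiplication in GF(2^8) modulo AES_POLY."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
    return r

def gf_pow(a, e):  # unmasked square-and-multiply, reference value only
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def share(z, d):
    """Boolean sharing of z into d+1 shares: z = z_0 ^ ... ^ z_d."""
    s = [secrets.randbelow(256) for _ in range(d)]
    return s + [z ^ unshare(s)]

def masked_square(s):
    """(a+b)^2 = a^2 + b^2 in characteristic 2: squaring is share-wise, linear in d."""
    return [gf_mul(x, x) for x in s]

def refresh(s):
    """Re-randomise a sharing with d(d+1)/2 fresh values. Used below before each
    multiplication whose operands derive from the same secret (x and x^2, ...):
    a precaution from the later literature, not a step of the talk."""
    s = list(s)
    for i in range(len(s)):
        for j in range(i + 1, len(s)):
            r = secrets.randbelow(256)
            s[i] ^= r
            s[j] ^= r
    return s

def isw_mul(a, b):
    """ISW gadget: (d+1)^2 field multiplications and d(d+1)/2 random values
    (the symmetric variant: r_ji = r_ij ^ a_i*b_j ^ a_j*b_i)."""
    n = len(a)
    c = [gf_mul(a[i], b[i]) for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r = secrets.randbelow(256)
            c[i] ^= r
            c[j] ^= r ^ gf_mul(a[i], b[j]) ^ gf_mul(a[j], b[i])
    return c

def naive_column_sum(a, b, j):
    """The flaw the talk warns about: summing column j of the a_i*b_j matrix
    with no random values yields b_j * (a_0 ^ ... ^ a_d) = b_j * a."""
    return unshare(gf_mul(a[i], b[j]) for i in range(len(a)))

def cyclotomic_class(alpha, n=N):
    """{alpha * 2^k mod (2^n - 1)}: powers reachable from x^alpha by squaring
    alone, for 0 <= alpha < 2^n - 1."""
    m = (1 << n) - 1
    return frozenset((alpha << k) % m for k in range(n))

def cyclotomic_mul_count(exponents, n=N):
    """Cyclotomic method: one regular multiplication per class present,
    excluding the classes of x^0 and x^1, which cost none."""
    classes = {cyclotomic_class(e, n) for e in exponents}
    return len(classes - {cyclotomic_class(0, n), cyclotomic_class(1, n)})

def masked_inverse(s):
    """Masked x^254 (AES inverse) via the chain 1,2,3,12,15,240,252,254: four
    ISW multiplications, the rest share-wise squaring. Returns (shares, #ISW)."""
    count = [0]
    def mul(u, v):
        count[0] += 1
        return isw_mul(u, v)
    x2 = masked_square(s)                    # x^2    free
    x3 = mul(refresh(s), x2)                 # x^3    mult 1
    x12 = masked_square(masked_square(x3))   # x^12   free
    x15 = mul(refresh(x12), x3)              # x^15   mult 2
    x240 = x15
    for _ in range(4):
        x240 = masked_square(x240)           # x^240  free
    x252 = mul(refresh(x240), x12)           # x^252  mult 3
    x254 = mul(refresh(x252), x2)            # x^254  mult 4
    return x254, count[0]
```

`naive_column_sum` reproduces the talk's objection exactly: with no random matrix, column j collapses to b_j times the unmasked a, so a single share of the result already depends on the secret; `isw_mul` is the repaired construction, and `masked_inverse` shows the cyclotomic-style decomposition of a power function in which only the four regular multiplications cost d² while the squarings cost d.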