 to the session on Masking Security and Efficiency. It's hard to read. Thank you. So there's three talks. The first talk is Reducing a Masked Implementation's Effective Security Order with Setup Manipulations and an Explanation Based on Externally-Amplified Couplings. So the work is by Itamar Levi, Davide Bellizia, and Itamar will be giving a talk.

Thank you for the introduction. Do you hear me? At the back? Okay. So yeah, I will talk about, maybe it's too loud. So I will present our work, and it is important to know that it was supported by the ERC SWORD project and the REASSURE project.

So the motivation is clear. Masking is a well understood side-channel analysis countermeasure, and basically we split a sensitive variable into d shares, where d minus one of those are random, and we do the computation on the shared values only. And we have the independence assumption, which we need to fulfill, which basically means that we need that the share-induced leakage will be independent, and then they will merge linearly to form the total leakage from the device.

And basically, if we take a simple example with one bit shared across two shares and we draw the conditional leakage distribution, then we will get two scenarios according to the secret, and we see that the mean is independent of the secret, whereas the second statistical moment depends on the secret. And actually this scales up quite nicely in masking: so if we have d shares then we will need to estimate the d-th statistical moment, and basically that means that the data complexity of an adversary grows exponentially with d. And we denote by the lowest key-dependent statistical moment the security order.

Concretely, though, it is quite hard to achieve those designs, as we saw in the session yesterday. So we have glitches, which means that different shares might have different propagation delays within the system, and we have memory transitions, where a share might be loaded into a register and then in the
consecutive cycle we might have a value which depends on a different share loaded to the register, and then we might have some leakage induced from this register which merges the shares. And basically these types of non-idealities can be kept under control at synthesis or design time. So for example, threshold implementations can use non-completeness to prevent glitch propagation, and transition-based leakages can be mitigated by doubling registers or adding refreshes, etc. So we denote those by logical recombinations, since they can be prevented and formulated as logical conditions.

And, sorry, so recalling yesterday's session 6, in this talk I will talk about something else, which is called couplings. It was recently reported by Thomas De Cnudde. Okay, so basically it implies that we have some electrical dependencies between the shares in our design. They can be resistive or capacitive; I will talk about it in a second.

So with this motivation we understand that we have some defaults such as glitches and transitions, where we know how to handle them; we even have tools to do so, such as maskVerif or ELMO for simulation. However, at the physical level we have those couplings, and basically we don't know their extent, how we can handle those.

So I will start my talk. So what are couplings?
Basically it's electrical dependencies between shares within the design. They can be capacitive, so mainly it will be affected by the distance between the shares; they can be resistive, so mainly dominated by the power grid of the device and the distance, again, between the shares. The problem is that those couplings induce glitches which are not so linear and not so nice, and they are all ultra technology-dependent, so it is quite hard to formulate and model, etc. So what we can control really depends on the platform, if it's software or hardware, but basically mainly the distance between the shares, the shares and the power grid of the device.

So in the context of side-channel analysis, Thomas De Cnudde put forward that even when these designs are implemented correctly with respect to glitches and transitions, masking can really suffer from those couplings. And how they showed that, it was by placing shares in different locations in the FPGA, so basically tweaking the distance between the shares, by that to get more or less coupling. And in some cases it was hard to get significant couplings, so they needed to iterate a share in order to increase its leakage and then to get more coupling. So typically those kinds of tweaks are something which is quite hard for an adversary to do, right, once a design is made, and designers will typically aim to prevent.

So this led us to quite a natural question: even though we understand these couplings are practical, is there a real threat without internal amplification? So can we do something externally?

So we saw this basic example, and let's talk about physics. So basically an on-resistance in a standard technology, so the current which is flowing to a share, the resistance, the effective resistance which it implies, is something like 0.1 to 1 kilo. A standard power grid on a device is maybe two orders of magnitude smaller. So basically our ideal model of an ideal power network, which fits this distribution, works quite nicely in a standard case. So we ask ourselves: can we
as an adversary add something externally to break this symmetry? So basically we wrote down, like, basic and simplified equations, and we see that the leakage with such an external, let's say, resistor will induce some linear factors and the recombination factor, what we denote by beta, and it will be multiplied by some non-linear element. Okay, so in this case we will get non-symmetric distributions, which means that we have some information in lower statistical moments.

Okay, so we had some approximations here, but basically if we write down the equations and try to understand what we are doing, then if we want to get more amplification we can either reduce the external voltage; however, this has some negative effects: for example, reducing the voltage will imply reducing the signal-to-noise ratio, and then at some point even the device will simply not work. So we can alternatively increase the external resistance in order to get more couplings. So if we do that, at some point the device will not work again; we might need to simultaneously increase the voltage to put the device in a functional mode. So the message here is, even with this simplified model, there is no trivial answer to understand what is the worst-case scenario. It highly depends on the physics, and for a certification lab basically this implies that the exploration space is quite huge for those couplings.

And then we tried to generalize the model to d shares and to see what we get. So we wrote down the equations and, as expected, we got that the leakage will depend on all statistical moments. Now this is not something unexpected, because we actually solved Maxwell equations, and even with this simplified model we can expect that all statistical moments will leak, and the only question is what is their extent, or how can we get these amplitudes to be significant.

So our goal was to examine whether setup manipulation can reduce the effective security order, and our explanation to that is based on these externally amplified couplings,
and the approach we used was to try and falsify this phenomenon and to see what we get, and to understand whether the amplitudes of these lower statistical moments can be made significant to reveal information. And we wanted to move on from a detection-based approach, which was taken in previous work, to an exploitation-based approach, and for that we used moment-correlating profiling DPA, and the sole reason is that with moment-correlating profiling DPA we can actually see the contribution of each statistical moment and see if we can get effective information out of it.

We had two test cases, of software and hardware. In the hardware case we examined the AES-128 domain-oriented masking design on a Spartan-6 SAKURA-G board, and on the software side we used a two-share bit-slice implementation of the Barthe et al. design on an Atmel Cortex-M4 device. So these are commercial off-the-shelf devices, and we didn't yet explore these effects for ASICs or specialized devices.

And so you have all the information here and in the paper. Things which are important to note: we used quite aggressive external resistance and external voltage levels; basically it means the device was on the verge of not functioning correctly in some of the scenarios. So these are not like standard resistors and voltage levels that you would work with for these devices. And moreover we needed to keep the measurement environment quite clean and noiseless and monitored, and we needed to remove many of the onboard capacitors to get our hypothesis to work well.

So one last point before some results is that the hardware implementation was an S-box-parallel design, so we couldn't really get to see the distributions because they are very complicated. However, on the software side we had, like, this nice and serial implementation, which means that we can actually pinpoint a point in time and see the distribution, for example for one bit leaking. So as I showed earlier, these are the modeled conditional leakage distributions where the
situation is ideal, the power grid is perfect. And then we took our software implementation and we had, like, a no-amplification scenario, so one-ohm standard resistor, standard supply voltages, and we collected data and drew the distributions and tried to see what we get. So we see that our distributions on the right side, in the measurement world, were quite symmetric and very similar to the modeled world, whereas when we started to amplify, so we used quite aggressive values like 20-ohm resistors with 1.55 volts as a supply, we see that we get the asymmetry required in the distribution, on the right lower side of the screen. So basically this gave us a bit of assurance in the model that we have and the effect that we see with externally amplified couplings.

And from that we moved on to some sanity checks. So this is just one voltage scenario, 1.2 volts. We see on the left a t-test of the first order and on the right a t-test of the second order, and we have many curves here. So the set of curves with the baseline notation, there it is just different measurement equipment that we see. And when we tweak the internals of the hardware design, so the spacing between the shares, we see this blue curve, which then shows us that with an internal amplification we can get something from the device. And then when we aggressively play with the external setup we can get significant leakage from the device.

And then going to moment-correlating profiling DPA, we see here the first moment in different scenarios according to, as a function of the number of traces. So first of all we see that there were cases where we weren't able to retrieve the secret key, and after amplification we were able to retrieve the secret key, and not only that, we increased the correlation values by a factor of 10, which then explains that it was done with far fewer traces. And there were cases where we already saw some leakage in the first moment, maybe there is some internal amplification already in the device, but when we do aggressive
amplification we get it far faster and far stronger, with stronger amplitudes. And to conclude this set of experiments, we performed the success rate across 100 experiments in different external voltage and resistor sizes. So you see here the success rate across the number of samples, and so from the right-hand side, which means we do not touch the device, we work in nominal conditions, to the left side, you see that external amplification is significant; the success rate goes to 1 quite fast.

Okay, so on the software side we see quite similar results. Actually on software we do expect that we will get significant internal amplification, because if you think about it, in a software design there is a shared resistor that goes all the way to the ALU, so basically it means that you already have some internal amplification to work with.

So an open challenge, and I will conclude with that, is that we only checked, of course, the second order, and we don't know really how it would scale for more shares. So we know how the distributions look for three and four shares, and then we plugged that into our model with some reasonable values for external amplification and we looked at how it's supposed to behave, and clearly we will see that there is some asymmetry in the distributions and we can expect that there will be some information to extract. The only question is how significant can we make the amplitudes of these couplings.

So with that I will draw some conclusions. So setup manipulation, or externally amplified coupling, can give a significant impact, can lead to a significant impact on the security order, not only on the noise level as we traditionally assumed. And we demonstrated that off-the-shelf devices are sensitive, so it leaves open directions to understand whether it also goes for ASICs or specialized devices, and how the security order reduction would actually scale with d for this kind of effect. And relating to the talks from the masking session yesterday, I think it is an interesting
open problem to see how we can actually model external or extended probes that really reflect such an adversary and the things we can do. I mean, this is already something quite hard to model, so it is an open challenge. And relating to the earlier talk that we saw in the previous section on leakage attacks, so basically I think that this is a very relevant thing, because if we have such amplification it will be far easier to verify, and its effect will be more relevant on leakage currents of devices. And I will conclude my talk with that, so please, if you have questions.

So are there any questions? Yes?

Thanks for your presentation. You made all your measurements through power consumption measurements?

Again, I didn't hear you. Sorry? If you can repeat, I didn't hear you.

You made all your experiments with power consumption measurements?

Yes.

Do you have any idea how you could do that, for, like, your amplification and your analog processing, for electromagnetic measurements?

For which kind of measurements?

EM measurements.

So basically you need to be active in some sort, so if you need to put something on the power lines to generate this amplification and you want to do it with EM, then you need to somehow bypass, you need to generate amplification with EM. If it's on the power grid, so on the power grid you can do that also with capacitance: if you have a capacitance on board then you can affect the capacitor to generate those kinds of behaviors. But if you strictly speak about EM in the conventional way, I don't think it's possible to do that.

Time for another quick question. I have one. Are your data sets available freely?

Again, please?

Are your data sets freely available?

So there is no data set, right? It's just designs.

But measurements.

Yeah, but measurements, it's easy to get, right? I mean, yes, of course it's easy to upload.

With that, let's thank the speaker again.