 Okay. Next talk is a paper by Okan Sekar, Abraham Fernandez Rubio, Reiner Steinwand and Thomas Eisenbard. And Okan will give the talk. He will speak about extending glitch-free multi-party protocols to resist fault injection attacks. Hello. And thanks for the introduction. Today I'll give you a small talk on our paper. And as you can see, this is a joint work with Abraham, Thomas and Reiner. So as we all know, the physical attacks on empathic systems are a real threat. So if these devices are just run some crypto algorithm, these devices are vulnerable as we all know. So let me introduce our adversary in this presentation. Eve will be our adversary. And what she can do, she can do side channel attacks, fault injection, probing and glitches. And as you all know, even in the simplest case, what she can do is she can just do some simple DPA and get the secret information very easily. So what we need to do is we need to just protect these implementations. So we can do this in two different categories. One of them is side channel contamination and the other one is fault injection, of course. As I'm likely in the previous presentation, we saw that side channel countermeasures can be listed as masking. Some examples are private circuits building and polynomial masking threshold implementations. And the fault injection countermeasures are redundancy, irritation and infective computation. So of course we need to combine these countermeasures. And in the literature, there's several countermeasures, combined countermeasures which can combine those different operations. So what we're going to do in this presentation is we will introduce polynomial masking based countermeasures. And I will just introduce to our scheme. And I will introduce you why do we need an error-preserving multiplication. And of course I will give you some security and performance analysis. And if you have time, we will do some application on AS. So our combined countermeasure based on the Shamir-Sikhot sharing. So what the Shamir-Sikhot sharing scheme is, is that just a polynomial-based secret sharing which requires evaluating a secret polynomial into n different points. And yeah, you can see some example in here, which is a degree two polynomial. And this two polynomial can be represented by three points. And here you can see that our F0 is shared by three points. So we have a secret reconstruction, of course. We have two different representations. One of them is the coefficients. The other one is of course the points. And we are going to use, of course, the secret shares are the points itself. So what do we do, what happens if we increase the number of shares? Now we have four points. And if we try to interpolate these polynomials and do some calculations on it, we will see that the highest degree term is zero in this case. So what happens if the if, if successfully inject the fault to the system? Now in this example, she can just inject the fault to the third share. And when we try to interpolate these four points, what we're going to see is that this highest degree term is none zero. So we will use this fact in our computations and we will try to detect errors using those coefficients. So in the MD scheme, we can see that the coefficients between d plus one and n minus one are the error detection terms. So as I thought, we would just stick with the, stick with the points. So we need to just define some of the operations using the points. In the simplest case, if you would like to do some addition, when we try to add two secrets, we just need to add the addition or add the secret, add the shares of each player. So we can just define the affine transformation and the sequering easily. But the most interesting case is the multiplication. So in this example, we will see a three-one scheme. And when we try to do a computation and when we try to, when we try to multiply two secrets, what we see is in the first step, we will just multiply the first corresponding shares. Now as you can see, this is a three-one scheme and the F and G are actually a line in this case. And when we multiply two lines, what we get is a degree two polynomial, and that means we cannot use the H as the output shares. So in the second step, we do a randomization step. And in this step, each player just to generate a random degree D polynomial whose coefficient is the, is the calculated value. And then they reshare this polynomial and each player gets three different values and they actually add this together. So what happens if the EVE successfully injects a fault? And as you can see, the fault actually propagates until the second step. And since the QIs are just a random polynomial, random degree D polynomial, what happens is when we try to interpolate this polynomial, the output is always the greater, greater less than D. So that's why we need to, so that's why the error propagates until the second, until the first step. And then second step is always a valid degree D polynomial. So we need to try, find a way to protect the implementations. So first of all, what is our ideas? What are our aims? And we only, we only detect the faults. That means we don't want to correct the, correct the faults. That means that the only, we only look at the output, if the output degree is greater than D. So, and also as I told you, we have the point space and we have the coefficient space. We can just do an interpolation and do the fault detection, but that this is going to leak information, so we don't want to do that. And we would like to have an error-proseving multiplication. That means if EVE successfully injects a fault in any step of the algorithm, the degree of the, degree of this shares should be always greater than degree D in any step, so that we can do, if you would like to do a fault detection in every step, we should be able to detect the faults. And lastly, we would like to have infective computation. That means if the fault is injected, when the output is generated, the EVE should not be able to get any information from it, and it should be randomized. So what is our solution? And we introduced our error-proseving multiplication scheme in this case. It starts as the same as the previous one. Just a reminder, in here we have the error detection terms from F and G are degree between D and N, and from the H we have between 2D and N. So as I told you, this starts as the same. And we actually update this QI using some error information from the F, G, and H. And in this last step is the same. So what is our main idea? The main idea is if the fault is injected again, it propagates until the second step, and in the third step, in the final step, the fault should be propagated into the other states. So how are we going to update this QI and utilize the error detection terms? We actually defined our new variable called EIJ. EIJ is just a share of error detection term of H or F and G. So how it is calculated? When each player just calculates its last share, their output, inherently, when they get all the shares and calculate its corresponding output, they actually get one coefficient from H or one coefficient from G and F. So if you look at the previous example, what we see is the first share gets an error detection term from H, and the second share gets an error detection term from F and G. And again, luckily, I have this very theoretical background for the TSNI security notion. Thanks for the previous presentation. And we all know that TSNI security notion is a standard way of proving security, again, proving attacks. So what we did is we defined, we just extend this notion to a TSNI ND notion, and we actually show that T-PROPS and some of the output shares is simulatable by the input shares. And that means in using our error preserving multiplication, we show that T-PROPS bring no information to adversity, because these shares are all the uniform and distributed, and that brings nothing. So what about our fault detection? And we saw that we defined a new notion called error propagation. As I told you, we just, our aim is to only detect the fault. So this notion states that if the input is faulty, the output is, the probability of the output is also faulty. Now, if you look into the propagation, probability of a finite and squaring operation, this is one. However, it's in the addition and the multiplication is close to one. But since we used an error propagated, and we assume that we show that error is propagated, we can just insert some fault detection operations so that this probability becomes one again. So what is the cost of our operations? And as you can see, this is the previous version, and this is our error preserving multiplication scheme. And the most cost of operation is the second part, in which we generate some degree D polynomial and evaluate this polynomial into other shares. So what is the cost of our operation is just the calculation of the EIJ. And so, for the example, I would like to look into the first part of the AS box. This is one of the AS box. This is one, a fine transformation and some sequence of multiplication and squaring. So what we did is we just get the previous algorithm and we just changed the multiplication with the error preserving multiplication and add two refreshing mask operations. So what Eve can do right now? Eve can just using t-probs. She can just get the intermediate variables. But since we proved that our scheme is secure in TSNI notion, we can say that these probes will bring no information to Eve. And secondly, she can just inject some faults to the input or within the algorithm itself. And we actually showed that in the 4.1 scheme, we showed that the error propagation of this algorithm is this number. So in conclusion, what we did until here, we defined a new multiplication engine, in which the information about the fault remains as a part of the shares and the error propagates through the algebraic operations. And so that we can delay in our error detection as late as the final recombination step. And we can use the, yeah. And also we defined a new fault detection and recombination gate. And for which we can do a fault detection and also recombination. And as I told you, we can just inject or we can just put the fault detection algorithm in clever way off so that the fault propagation becomes one and we can detect the fault in any step of the algorithm. And also we, using recombination gate, if the fault is detectable until the end of the algorithm, we said that the effective computation is ensured. So, and also we proved our scheme is secure in ISW programming model. And using the refreshing mask operation, we're actually able to increase or extend the security notion of the proofing scheme to the TSNI notion. And we examined or analyzed our fault detection properties of our scheme using a new notion called propagation. And also we implement these algorithms in the proof of concept C implementation AS1128 on ultra-low power architecture ARM Cortex M0. And we actually include full leakage analysis, including higher order moments. And we show that this is a flow for the constant execution flow with constant memory accesses. And the code is available. You can just download and play with it and we will be very happy. And thank you for listening. Thanks for the talk. Questions? It's very soft. I tried it. Over there, Emmanuel. Yeah. Thank you. Yeah. Thank you for the talk. Seeing a fault as a glitch, is there a chance that you could use the approach presented in previous talk to prove the security of your scheme? Even in presence of faults and also using the composability notions? Yes. So we actually just... So the previous scheme is actually just proven to be glitch-free. So what we did is we just implement some fault preserving operation to that so that we can say that this scheme can be used as a glitch-free and also fault-preserving. Am I understanding the question correct or...? You prove the security of your scheme with the notion of verbousness of propagation. Is it a formal... Do you succeed to prove formally that there is no leakage? Yes. So we show that our new multiplication scheme is TSNI. So it's to be proven against T-props. And since we... And we know that the combination of those operations can be... Of course, using some conditions can be used, for example, in the X254 case. We show that actually this combination of operation can be seen as a T-secure and T-probable model using refreshing mask operations. So it is not only enough to show that the individual operations are TSNI. We need to add some refreshing mask operations. So that's why we introduce refreshing mask operations. And we will be able to theoretically prove that our scheme is actually secure in T-probable model. Thank you. Another question. I have one. Can you go back to slides? I think 17. Earlier, 13 maybe. That graph here. One down. So why does this error only distribute into two parts? Why don't you distribute it everywhere? In here, so we look into the highest degree terms of the H and the F-exor G. So in this case, this is, for example, for one scheme. And from H, we only get the highest degree term, which is the H3. And for the Q1, it actually gets the error detection term from G-exor F. So that's why it's... So we only have two error detection or two zero coefficients, if there is no fault. So we can only utilize those coefficients. So that's why only two of them gets... It's a fault information. Okay. Other questions? No. Let's thank the speaker again. Thank you.