 All right. Hello So welcome to chess. I have the pleasure of chairing the first session and in this session will have three talks on masking and I'll read all the author names because I was told I have to do that The first presentation is by Sebastian Faust, Vincent Grosso, Santos, Mirino del Pozo, Clara Paglia-Longa and Fronsa Xavier Standard and if X will give the talk about composable masking schemes in the presence of physical defaults and the robust probing model Okay so Thanks for the introduction and good afternoon everybody I would say in brief this is a paper about masking physical defaults and composability So I will first take some time to introduce these notions and then try to explain What is the main contribution of the paper and why I believe it's interesting? So starting with masking Probably most of you know that but masking is a counter-major against such an analysis and the idea is that If you have a leaking device you are going to split any sensitive variable in the leaking device into D shares and Do all the computations in the device on those shares only And ultimately what we want with masking is something called noisy leakage Security represented at the bottom of the slide and in this model we give the adversary a leakage trace or a measurement trace that could be for example the power consumption of your implementation and In this trace we are going to find some leakage samples about the manipulation of each and every share In this model it's well known that the number of traces that you need to recover the key or to recover sensitive information is inversely proportional to the mutual information between the sensitive value X and the leakage vector L and Ideally the goal of masking is to bound this mutual information Such that it's lower than the mutual information between one single share and the corresponding leakage samples Waste to a power D and this power D of course gives Exponential security increase So this is what we want to ultimately sometimes. It's not very convenient to do proofs or analysis in so concrete models So we also have more abstract models and I will mention two of them One is what we call bounded moment security Which is easily explained with an example here on the left So the idea is that rather than looking at the full distribution of the leakages We are going just to look at the statistical moments of the distribution So this for example is the distribution of a single bit that we encoded with two shares So we have the green and the purple distribution And it's quite easy to see that the mean vector of these two distribution is exactly the same and In general what we want with bounded moment security is that any statistical moment of the leakage distribution up to the order D minus one is independent of the secrets. That's the best thing that we can have and And Eventually even more abstract is of course what we call probing security and in this case We directly allow the adversary to probe wires within the implementation And in this case what what we can hope at best is to have any set of D minus probe independent of the secret and This means we have a quite large variety of model Ranging from the noise leakage model where we have a kind of physical and quantitative view of the security and probing security which is abstract and qualitative and What's nice and very interesting is that we have connections between these models and in particular. There's a very important result by Duke Jambovsky and first at your crypt four years ago Which showed that if you have probing security and that on the top of it You can guarantee that your leakage samples have some kind of independence condition and are sufficiently noisy Then this implies noisy leakage security And this is nice because it means when you want to reason about masking implementation You can start reasoning in this abstract model and you will actually have consequences in the real world So that that's all for masking and and then the next step or what we are really interested in in this paper is What can go wrong when we mask? And in particular when we do computation, so I will take the example of multiplication between two values a and b And then a first issue that can that can happen is that we have a lack of randomness which can break this independence condition This is easy to explain with an example again So if we want to multiply two shared secrets and let's say we play with three chairs We need to compute all these partial products. So a 1b1 a 1b2 and so on and Then we do a compression stage because we don't want to blow up the number of shares So for example c1 is the sum over the first line and then it's easy to see that if you probe just c1 This equals a1 times b1 plus b2 plus b3. Let's say we work in gf2 Then we have directly information on b because if c1 equals to 1 we know that both a1 and b have to be equal to 1 Which is a problem. So this breaks probing security The way we mitigate this in practice most of the time is by adding randomness or what we are going to call refreshing gadgets and This of course is a quite abstract problem. So this we can analyze in the probing model and Then the next problem we want or the next issue we want to look at is something called physical default So it's a quite general problem. I will be specific to one example here And again the problem is that we can break the independence condition due to that So let's take the example here on the right We have a function a combinatorial function f that is manipulating three shares x1 x2 and x3 And in this case in certain technologies or in fact in most technologies It happens that we don't compute instantaneously this combinatorial function So for example transient values or what we call glitches many times it can recombine the shares and as a result a Single leakage sample this li here is going to leak about all the shares at once or for example About the product of the shares So this is a physical problem that will be easily detected in this bounded moment model And the way we avoid it or we can avoid it in the literature is to add one more property and for example In a threshold implementation what was proposed is to use an uncompletedness property The idea is that we will share the function as well in such a way that no function is manipulating all the three shares So we can never leak completely the secrets And that's interesting because despite the problem is physical the property that we need to prevent it is quite abstract And that means we can also reason about this in this probing model Okay, so next I have to say a few words about security definitions and composability or scalability So what we want to do is to guarantee some security level for masking the first thing that we can do in the probing model is to have Q probing security and In this case as I said already We need that any Q tuple of shares in the implementation or in the protected circuit is independent of any sensitive variable So that's a minimum requirement The problem is if you know increase the size of your circuit Or if you increase the number of shares that that you would like to have in the implementation because you want to increase security Then testing probing security increases very fast Because essentially you have many many tuples that you have to try and and at some point it becomes impossible to test a full implementation So in order to mitigate that Different peoples and I will use the notations of Bart and co-authors at CCS two years two years ago introduced stronger security definitions or so stronger security notions for masking Which allows some kind of composability and the idea essentially is that we can now just look at the top part of the figure so the f1 function we will split the number of shares or the number of probes that the Adversary is using in two parts first you one which are on internal probes then q2 that are on output probes and We can say that a circuit is for example non-interference If any set of q1 plus q2 probes can be simulated with at most q1 plus q2 shares of each input and By simulated or by being simulatable what I mean is that if you take the distribution of the input shares and the probes This is supposed to be hard to distinguish from the distribution of the input shares and the simulation So that that's interesting even more relevant for what I'm going to discuss There's the notion of strong non-interference and in this case It's essentially the same except that we need to simulate Any set of q1 plus q2 probes with only q1 shares of each input And that gives you the flavor or the intuition that we have some kind of composability because what this definition Definition requires is that the simulation that you have to to build to the simulator that you have to build is Independent of the number of output wires that the adversary is observing So that creates a level of independence between the inputs and the outputs and that means if we satisfy this Definition for the top gadget we can combine it with the bottom gadget and there should be no problems with randomness Okay, so that's that's all for the background and now I can Define the problem that we wanted to tackle if I Simplify a little bit or quite a bit I would say on the one hand at this stage we had in the literature composable masking schemes That's most of the time in your physical defaults such as glitches and on the other hand We had threshold implementations or in general hardware oriented masking schemes They mitigate glitches But they were only proven uniform and uniformity is a property that's in nature is quite similar to probing security So the problem here is like with probing security that testing scales badly And What we wanted to do is essentially to design and prove masked implementations that are jointly robust again glitches and composable so In order to do that we had to refine the model and the security definitions a little bit So what we did and it's quite natural extensions I would say is to consider glitch extended probes and Here with the example the idea is that if you probe any value or in any output of a combinatorial circuit You will give the adversary all the input probes So for example here the probe P1 would give the adversary the values a b and c and There's an important technical remark which is despite we have these glitch extended probes We also need non extended probes on the the registers values right because we also have in the circuits memory elements, so registers And if if the adversary probes this one there will be no extension and since these two things are In the in the circuit they will be needed for the simulation too Based on that we can define a gadget as being glitch robust QS&I Quite naturally as well if it's QS&I in this glitch extended probing model And what's what's nice is that directly from this definition We can find some some intuitions that are well known in the hardware masking literature. So the first one is If you want to have robust gadgets against glitches We need essentially to minimize the shares fan in and for example if we take this example and the tree inputs were actually three shares That would be a very bad idea because a single probe would give you the three shares so this is typically something to avoid and Maybe something a bit less known is because more related to SNI This strongly suggests that if we want to guarantee this SNI security notion We will need that every output is stored in a register And if you remember the definition of SNI, this is because in SNI security You need the simulation to be independent of the number of wires that the adversary observes as outputs But if these outputs are extended it's going to be very difficult to satisfy and I will give an example of that Okay, so Yeah, there's many things that we can do with with this type of modeling What we did in the paper is a first step which was trying to prove an algorithm that would be Glitch robust and QSNI and Since we focus on hardware implementation. We were interested in circuits with a limited latency. So we looked at this Circuit which is the ISW multiplication in two cycles So it's very natural way to implement it. We have all the partial products on the right We have random values we saw that together and this is the partial products or the multiply and refresh stage What's very important is these registers in the middle. So that's an example with three shares We really need to store all these nine refreshed partial products into nine different registers And then in a second cycle we can do the compression step Yeah, that's it. So in this case what the adversary can do is Observe 12 glitch extended probes so he can observe any of the nine Uijs here just before they are stored in the register. So probing the the combinatorial logic He can do exactly the same with the the CI values So probing the wires here and finally he can probe the three stable output wires Which are called C0, C1 and sorry C1, C2, C3 in this case And in order to prove that this is to SNI what we need to do is to describe Simulator that's using only Q1 shares per input So the proof is a bit tedious I will just give two examples of simulation to Try convincing you that this is feasible and of course the interesting examples are the examples with these extended probes So what we can do is an example with two extended probes one is on this U12 value So just before the register and then did give these give the three inputs to the adversary So A1, B2 and R12 and For example, you can put another probe here That's also extended on the the outputs here one before it's in the register and this gives the three Values U11, U21 and U31 that are in blue And so these are two internal probes, right? So if we want to prove that this is to SNI we need to simulate with two shares per input This can be done as follows. So for example A1 and B2 for this We can use the first share of A and B because we have two shares a load For R12 it's random and untouched so we can assign a random value For U11 it essentially depends on A1, B1 it's written here So we can use a second share of B because we have it available U21 we use a second share of A and finally U31 It's protected by R13 which is a random value and it's untouched so we can also assign to random value So that's that's feasible for this example one thing that's maybe nice to look at is what happens if The C1 probes becomes an output probe and not an extended one So in this case the beginning doesn't change so we have a 1, B2, R12 and C1 is now non-extended So there's no extension of the probe and since this becomes an output probe We need to simulate with one share per input This is also feasible the beginning of the simulation is exactly the same C1 we can assign it to a random value because there's this bit R13 and Most interestingly what it shows is that simulation with one share per input would not be possible With an extended probe on C1 because if it was extended we would need a second share of A or B to do the simulation And in this case with only one extended probe or only one internal probe we need to simulate with one share per input So that's that's pretty much it based on that I will shortly explain what does it mean to be composable the idea is that once we have these similar these composable Multiplications we can take any implementation that we want we represent it as a combination of multiplications and additions or linear operations that would say every multiplication is going to be implemented as a qsnI multiplication with one input refreshed In an SNI manner or robust SNI manner of course and for all the linear operations We are going to perform their share by share and That was proposed in a paper by good as in Rivaan this year at your crypto It's a very simple way to compose and and then nothing can happen. We proved that recently And it allows you to build arbitrary circuits You can multiply dependent values and and you should not have any problem with glitches nor composition issues And of course what's very important is that this is a sufficient condition. It's not a necessary necessary one Right, so in order to have these very simple composition rules We ask a lot of randomness. We don't have the most optimized implementation But we can have something that scales at any order that we want Okay, so that leaves me time to conclude I would say the main contribution of Contributions of the paper are first this robust probing model Which allows analyzing formally and confirming the relevance of many design IDs in in this hardware masking literature I would like to insist that it's it's not only a theoretical concern despite it's using a bit of theory And for example, we show in a recent heat-print report that there are many higher order flows in Published designs so they are not very critical But they really show that despite the design IDs of these hardware masking schemes were quite good and most of the time correct at low Orders when you move to higher orders at some point Abstraction and then theories probably he needed to gain confidence and in answer to that We proposed first multiplication algorithm and implementation that we can prove robust against glitches and composable and this holds at any order And there's actually quite some other paper results in the paper I had no time to discuss so we'll just list them and we can discuss them as questions So there's something called glitch locality principle which shows that glitches do not do not go further than than the registers We describe actually a much more general model that doesn't only capture glitches But also transition-based linkages and couplings We also discuss what happens when when these different defaults can be combined together. How about does it get? We have an empirical validation for two-share and three-share designs and we have quite some results on threshold implementations Probably the most interesting ones is this discussion of pseudo composability Which shows or key which tries to explain why threshold implementations can succeed to Compose or nearly compose with very minimum randomness requirements That's it. Thank you Thank you All right So we have roughly a minute for questions and I'm really really curious who's gonna be the first one Who dares to raise the arm and get one of these microphones thrown at I? Have questions, but I have a microphone already you will be that's that's not funny. Ah, that's too close I Just throw it you can't talk with you. You are me. Okay. Yep. Yeah, that's what you see So in the robust in your robust Model probing model you assume that the adversary gets When you probe a variable it gets all the inputs Which are involved in this variable, right? Could that be a bit relaxed maybe depending on the expression of the variable? Or is it like tight in the sense that you could design a depending on the glitches Could occur each time that the adversary can get everything I Think it could be a bit relaxed, but probably it is risky. So we we find the paper to Two other papers one by Martin Lely one old paper by Fisher and Gamal who tried Sorry, strange noise who tried that to to have glitch invariant circuits And it seems that it's more or less. I mean this worst case that we consider here happens more or less all the time If you just do plain CMOS and then you can try to design other implementations Would be different Can we show that's for CMOS the the worst case happens most most of the time or all the time I think that's done in in this paper at space last year by Martin alien co-authors. Yeah Thank you More questions Okay, I have a quick question On your slide seven you showed the circuit with extended probes and normal probes. Yeah, and but my question is Why would anyone put a normal probe on C1 if I can just put an extended probe on the wire that enters C1 And that gives me more information. Yeah as an adversary I guess it doesn't make too much sense here, but in order to what it shows mostly is that When you want to prove SNI these output wires You can they are not counted as as the number of input shares that you can use to simulate So here we need to to simulate with only one share per input here We can simulate with two shares per input So we still need to show that there's a way to satisfy that and Essentially the only solution we found for that and I think this is tight is to put the output in a register So mostly this shows that the output should be stored in the registers if you want to compose and you have glitches Okay, thanks again. Thank you