 Hi everyone, my name is Mathieu Rivain and in this video I will talk about proving security through input-output separation and revisited casilinear masking. So this scary title is the result of a joint work with Damoon Goudardzic, Thomas Prest and Damien Verneau and this is a pre-recorded video for chess 2021. So this work is about security against side channel attacks and in particular power attacks, electromagnetic attacks and we use the widely used term of masking and our goal is to provide formal proofs for masking implementation and with that through the Proving Security paradigm. So our contribution in this work is to introduce a new masking composition approach. So we show that with a new property that we call input-output separation. So if we have this property for refresh gadget plus some Proving Secure Operation gadgets, then we can obtain what is called Rejun Proving Security for the composition. So this iOS is a simple and new notion that we introduce. Proving Security is weaker than standard composition properties and Rejun Proving Security is stronger than Proving Security. So our main contribution is to provide this new composition approach and then we instantiate it by showing that an existing refresh gadget is actually iOS. So we actually provide a variant of this gadget and we also reconsider an existing Casilinear masking scheme and present some extension of this scheme and apply our composition approach to this scheme. Okay so let me briefly introduce masking. So the principle of masking is to encode a secret variable X as a vector with n coordinates such that so those coordinates are randomly distributed in such a way that they satisfy this decoding relation. So summing up all those coordinates we recover the secret variable and this sum is interpreted on a finite field k. So this vector is called a sharing. The coordinates are called the shares and in this presentation we denote the number of shares by n. So actually in this work we consider a special form of sharing where the shares are also multiplied by constant coefficient so that the decoding relation actually consists in computing the inner product between a vector V of constant coefficient and the sharing and we recall such sharing V sharing in this presentation. Okay so in order to model cryptographic computation we use an arithmetic circuit model. So we consider a computation as an arithmetic circuit over a field of finite field k. So such a circuit is composed of input gates and output gates and then we have operation gates so addition gates, multiplication gates, copy gates and additionally we also consider random gates. So random gate just outputs a fresh random value over the field. So then we have this concept of gadget. So a gadget is basically a small circuit which computes the same operation as a gate. So for instance an addition on the field but it computes that on sharing. So a gadget taking input sharing of x and input sharing of y will compute an output sharing of z where z is the result of the original operation. We also consider a special kind of gadgets which are known as refresh gadgets. So a refresh gadget take an input sharing x so this is a sharing of a variable x and output a sharing of the same variable. So it just preserve the decoding relation but with fresh randomness. So formally what it means is that we should have statistical independence between the two sharings knowing the uncoded variable x. So in this work we consider what we call standard circuit compilers. So such a compiler take an input circuit so the circuit that we want to protect with masking and compile it into a new circuit where each original wires is split into n wires carrying a sharing of the original variable and each gate is replaced as a gadget by a gadget of the corresponding gates. And then we just add some encoding of the input so each input is encoded as an input sharing and then each output sharing is decoded as an output and then we get functional equivalence between the original circuit and the gadget circuit. So let me now recall what probing security means. So we consider a circuit with initial input encoding and final output decoding and so it can be a circuit based on sharing and gadget but it could be some other type of circuit. So in this work we consider sharing and gadget but more generally probing security means that we consider an adversary that can place a number of probes on the circuit. So it means that the adversary gets the values of each wires on which a probe has been placed. So the adversary gets this tuple of wire values and here I just want to stress that this tuple can be seen as a function of the inputs and the internal randomness of the circuit. And we'll say that circuit is T probing secure if this tuple can be perfectly simulated without any knowledge about the inputs. So this in particular implies that the distribution of this tuple of wires is independent of the input of the circuit and this should hold for any T tuple of wires chosen by the adversary. So in this work we consider the region probing security notion so this is stronger than T probing security and this notion consider an adversary that can place up to T probes in each gadget or in each region of the circuit. So formally it should be possible to divide the circuit in region and each region should be should be able to tolerate up to T probes. And we don't talk about T region probing security we talk about R region probing security where R is a rate parameter. So actually what we require is that each gadget should tolerate the leakage of R time the number of wires in the gadget. So it means that we have a rate of R leaking wires among the gadget. So why do we care for region probing security? That's actually because we have this reduction, this security reduction from region probing security to what we call random probing security and then from random probing security to noisy leakage security. So P random probing security consider an adversary that gets the value of each wire in the circuit with probability P. So each wire has a probability P of leaking its value to the adversary. Then the noisy leakage model consider that each wire will leak but some noisy information not the plain value but some noisy information about the value carrying by the wire. And so we have a reduction from region probing security to random probing security using the channel bound. And then this P probability which is a kind of leakage rate parameter is approximately the leakage rate of the region probing security. So here this approximation means that we have a small constant scaling. And then we have these results of Duke-Jembovsky and Faust which show that from P random probing security we also obtain delta noisy leakage security where the delta parameter is also a kind of leakage rate and it also approximately equal to the leakage probability P of the random probing model. So we also have a scaling by some constant. And what is nice with this reduction is that this noisy leakage model is actually more realistic to capture power and electromagnetic leakages. So that's why we are interested with this notion of region probing security because from the standard T probing security we don't have such a reduction. We can have such a reduction that is really, really, really non tight. Okay, so let me now introduce the issue of composition. So the idea is to use different gadgets achieving some composition properties. So there's composition properties are basically stronger than probing security. And the requirement is that when we compose the different gadgets into a full circuit we want that the probing security or region probing security is inherited from the composition properties of the gadgets. So there's composition properties are stronger than probing security. So an example of such composition property is the strong non-interference SNI. So this notion specified that from T1 internal probes on a gadget and T2 output probes, so probes on the output shares of the gadget. It should be possible to perfectly simulate those probes from T1 input shares. So we have those internal probes transferring to probes on the input. And those probes on the output are somehow blocked by this composition property. And from this notion we can get probing security for the full circuit. So assuming that we just composed SNI gadgets together, then we get n minus 1 probing security. And this notion can also be used to get region probing security. It's just a trade-off between the number of internal probes, but we can have some probes on older gadgets. Okay, so let me now introduce our composition approach. So our approach is to only require a composition property for the refreshed gadgets. And then all the other gadgets only need to be probing secure, which is weaker than standard composition property. And we use full refreshing. So we introduce a refreshed gadget on each connection between any two gadgets. And if this refreshed gadget satisfies the iOS property together with uniformity, which specifies that the output sharing of a refreshed gadget should be a fresh new sharing of the variable. Then from those two properties for the gadgets, for the refreshed gadgets, we simply need the other operation gadget to be probing secure. And we obtain the region probing security. So let me now explain what is this input-output separation notion. So we consider T internal probe on a gadget. And we want to be able to perfectly simulate those T probes from T input shares of the gadget and T output shares of the gadget. So we can show that iOS is actually weaker than previous composition notions. So it is weaker than the SNI notion that we just introduced. So we have to assume that the gadget is SNI, but also uniform. But uniformity is a really basic and standard notion for a refreshed gadget. So a gadget which is SNI and uniform is also iOS and uniform. But we have also weaker notion of composition, like NI, so not strong NI, just NI, non-interference, which also implies iOS. And also probe-isolating NI implies iOS. So it means that we can, we might be able to design refreshed gadgets, which are iOS but which are not SNI and NI are probe-isolating NI. And that might allow us to design more efficient refreshed gadgets. And actually, I would present just after an example of iOS refreshed gadgets, which is not SNI, for instance. So we have a composition theorem. So it states that so we prove the region-perving security. So let us assume that we have TR probes on each refreshed gadget and TOP probes on each operation gadget. Then by the iOS properties of the refresh, all those probes can be perfectly simulated from TOP plus three TR probes on each operation gadget. So we can just remove the probes on the refresh and keep probes on operation gadgets. And by the iOS property, this transfer to this number of probes. And then since the refresh gadgets are uniform, the input of one operation gadget, which is the refresh output of the previous operation gadget, these input sharing and output sharing are independent. Their randomness is independent. So thanks to this property, we can basically consider the simulation for each operation gadget separately. So what we have to do is just to perfectly simulate this number of probes for each operation gadget. And assuming that the operation gadget achieves prepping security for this number of probes, then we can complete this perfect simulation from nothing basically. So this way, we obtain our composition theorem. Okay, so let me now introduce this iOS refresh gadget. So we consider a refresh taking any input shares and producing enough shares. And so we will first apply one refresh block to the full sharing. Then the sharing is divided by two. And each half of the sharing comes into separate refresh block and so on until we reach the last layer where each block takes two input shares and produce two approaches. And now let's see the principle for those refresh blocks. So for the last layer, we simply, so each block will simply pick one random value, add it to one of the shares and subtract it to the other share. So this way we keep the consistency of the sharing. And for the previous layer, we simply double, we apply the same principle, but with two random values. So the two shares that will come into the same block will be, we will add to the shares each of the random values. And the two shares that comes into the other block, we subtract them the two random values. And so on. We do this for each layer. So for each layer on the left, we basically double the number of random values and add the random values for what comes into one block and subtract the random values for what comes into the other block. So this is a refresh gadget that was proposed by Battistello, in the long version of the chess 2016 paper. We just generalize, I mean, we introduce a small variant of this gadget. So one difference is that the refresh gadget of Battistello et al relies on twice more number of layers. And our other extension is just to generalize this gadget to handle B sharing. So for any vector, and this simply adds some scaling multiplication by constant before subtracting or adding the random values. Okay, so let me now turn to Casilinear masking. So in this work, we also extend a previous scheme that we proposed with Damoun Goudarzi and Antoine Jou at Asia Crypt 2018. So this scheme enjoys a Casilinear complexity. So its complexity is n log n, where n is the number of shells, against n square for most of the previous probing secure schemes. We proved the random probing security with leakage rate, which is quasi constant. It is in one over log n. And this scheme is originally defined over a prime field with the prime of this form. So that's basically filled where we have the n roots of unity, which enables to use the number theoretic transform. So our extension of this scheme enjoys any base field. So it can work on a prime field of any form. And we provide a proof in the region pairing model, which is more general, because the region pairing security implies the random pairing security, as we saw before. We still have the same leakage rate. And we also patch a flow in the security proof of the scheme by applying the iOS approach. So here I won't go into detail of this flow, but we did a shortcut in the original proof. And so it's not clear that it actually translates to an attack, but we did an implicit assumption, which we cannot do actually. And this is fixed by using the iOS approach. So let me recall the principle of this scheme. So this scheme is based on v-sharing, where the vector v is of this form. So for the value omega, the vector v is composed of the powers of omega. So omega to the 0, omega to the 1, omega to the 2, and until n minus 1. And such a v-sharing of x satisfies this relation. So to decode the sharing, we compute its inner product with the vector v. So we have this relation. The sum of the shares xi times the power omega i give x. And this sum can be seen as a polynomial where the shares are the coefficient of the polynomial and the polynomial is evaluated on omega. So in order to design a multiplication gadget for this scheme, we rely on this polynomial representation. And what we do basically, so from two sharings, so a sharing x and a sharing y, we compute the product between the two associated polynomials to get a vector of coefficient t. So then by definition, if we evaluate this polynomial into omega, we have the product between the polynomial of x evaluated in omega and the polynomial of y evaluated in omega. And this, by definition, is the product between the two plane values. So here, we have, so this vector t is actually a sharing of the output product. But it is composed of twice more shares than the original sharing because the degree of this product polynomial is double. Okay, so in order to recover v-sharing of the product, we do this compression stage. And it simply consists in splitting the t-sharing into two halves. And the second half is scaled by omega to the n. And then we just sum the two vectors. And we can check that this way we obtain a v-sharing of the product. And to see this, we can rewrite this sum of two n elements as a sum of n elements where we merge the tn plus i coefficient with the ti coefficient and just put this scaling by omega to the n. Okay, then to compute this multiplication gadget, we have first this polynomial multiplication. But this can be performed efficiently by evaluation, interpolation approach using a fast Fourier transform. And then we obtain this t-vector and we apply this compression procedure. And that's it. So the full scheme is based on sharewise addition, subtraction, and copy gadgets. So those gadgets are inherently proving secure. And the multiplication gadget that we just saw. So this gadget is composed of sharewise blocks, FFT blocks, and refresh blocks. So it means that we only have refreshes and blocks which are composed of sharewise operation and FFT blocks. So we can apply the iOS approach using an iOS refresh. And in order to get the full region proving security, we need to assume that the FFT blocks are proving secure. So at this stage, we have a security reduction. The proving security of FFT block implies the region proving security of the full composition. Okay, so from that point, a possibility is to use the statistical security approach that we introduced in our original paper. So just in a nutshell, the principle is to pick a random omega over the field k. And we'll have proving security ensured by the randomness of omega. So assuming that the FFT algorithm is linear, which is the case for the entity, for contour or gal matter FFT algorithms, then we can show that n minus 1 probes in the FFT can be perfectly simulated with this probability. So we have to make this term legible to obtain some good security level. And more precisely, we need to take a field with approximately this number of elements. So it should be n times 2 to d lambda, where lambda is the security level. So ultimately, that means we need to have a few elements of lambda plus log n bits. So that's what we can do to get security. We have to solve the open problem of finding some FFT algorithm, for which we can prove the proving security for any arbitrary field. Okay, so just quickly, so we also apply our scheme to AES and IMC and provide some estimation of the performances. So we basically count the number of gates that we obtained for the mass circuit. And we also compare with a more traditional approach using the HSI Wagner construction. So all the details are in the paper. I'm a bit out of time here. So I would just quickly show the result that we obtained. So for AES, we see that we are always more efficient in terms of number addition and randoms, and get more efficient in terms of number of multiplication after about between 32 and 64 shares. But we have to keep in mind that the AES feed is too small to ensure security for our scheme. So we should take an extension of this field, which might imply some slowdown factor. And for MIMC, we have comparable results where we also see that after between 32 and 64 shares, we are always more efficient on the different number of operations. And this time, we are already on a large field, which allowed to use the statistical approach for the proving security of the FFT. Okay, so with this comparison, I end my presentation. So I hope you enjoyed this video. And if you have any questions, do not hesitate to contact me by email.