probing security. It's co-authored by Claude Carlet, Emmanuel Prouff, Mathieu Rivain and Thomas Roche. Thank you for the introduction. So I'm going to present a joint work with Claude Carlet, Mathieu Rivain and Thomas Roche entitled Algebraic Decomposition for Probing Security. First, let us make things concrete and assume that we have implemented the AES S-box processing on an 8-bit architecture, for instance an 8051. During the processing of this S-box on a plaintext byte x with a key byte k equal to 1, we measure the power consumption. On the x-axis here you have the time of the processing, on the y-axis the value of the electromagnetic emanation during this processing, and on the z-axis the density. So this is what we measured: the distribution of the electromagnetic emanation during the processing when x ranges over the byte values, for k equal to 1. If we do the same for k equal to 2, we see that the distribution of the electromagnetic emanations is different, and it is the same for k equal to 3 and for k equal to 4. We can do that for all the values of the byte, and we will see that the distribution of the electromagnetic emanation during the processing is different each time. It is exactly this kind of difference that we are going to use in order to discriminate the key bytes and recover the value of the key byte manipulated by the device. The main observation here is that the efficiency of such an attack, which tries to exploit this information leakage, depends on the amount of noise in the measurement.
Concretely, if we model the leakage as the sum of a function applied to the manipulated data z plus a Gaussian noise, then what makes the attack efficient or inefficient is the amount of noise or, if the noise is Gaussian, the standard deviation of the noise in the measurement. Based on this remark, we have a quite natural strategy to defeat such an attack, which is to increase the noise, or in other words to decrease the signal-to-noise ratio. For that we have two straightforward solutions. The first solution is to increase the standard deviation of the noise in the measurement, for instance by adding white noise during the processing: when you process the AES S-box, you make some electronic noise in order to hide the sensitive signal. Another solution is to force the adversary to decrease the signal-to-noise ratio himself. For that purpose, the nice idea is to split the data into different shares, for instance here d shares Z1, Z2, ..., Zd. Instead of applying the processing directly to Z, you apply the processing to all the shares of Z and then recombine those processings in a clever way in order to get a sharing of your processing on Z. So if you share the data Z into d shares and you manipulate the shares at different times, then we can model the leakage as d different leakages L1, L2, ..., Ld. Because all those pieces of information are needed to rebuild Z, the adversary will need to combine all those leakages together in order to recover information on Z. The intuition is that he is then going to multiply the different noises together, which decreases the signal-to-noise ratio.
So now that we know that we have a good strategy to decrease the signal-to-noise ratio, we want to define a secure implementation based on secret sharing techniques. The first ideas related to this were proposed by Goubin and Patarin in 99 and, at the same time, by Chari et al. in 99 in a CRYPTO paper. The principle of this approach, stated more formally, is that if you split a bit into d+1 shares and you manipulate those bits at d+1 different times, then the number of leakage samples you need to distinguish the (d+1)-tuple of leakages related to the sharing of zero from the (d+1)-tuple of leakages related to the sharing of one is lower bounded by sigma to the power d, where d+1 is the number of shares and sigma is the noise standard deviation. This formal result has been generalized to define models in which you can prove the security of a scheme. To prove the security of a scheme based on sharing techniques, we usually use what we call the probing adversary model, which was introduced by Ishai, Sahai and Wagner in 2003. This model assumes, which is quite classical, that only computation leaks, an assumption introduced in the paper of Micali and Reyzin in 2004 at TCC. The idea is that if you can show that no d-tuple of intermediate results depends on a secret parameter, then you get this lower bound: you will be able to prove that the number of leakage samples needed to mount an attack by discrimination is lower bounded by this.
You can also show that if you have this lower bound, then the amount of sensitive information leaking on the data which has been previously shared is lower bounded by sigma to the power 2d, that is 2 times d. The issue with that model is that the proofs are difficult, and actually they only exist for very simple schemes. So we know, as I'm going to show you, how to apply a linear processing to something which has been linearly shared. We also know how to process a multiplication on two data which have been additively shared, and we know how to prove that the scheme is secure in the probing model. But for more complex schemes we don't have proofs, or we have very complex proofs. What I can also say is that recently automatic tools have been introduced which can be used to help or to get proofs for schemes in the probing model. So the problem, when you want to apply a function on something which has been shared and you want to get security in the d-th order probing model, is the following: for any function f and any security order d, you want to define evaluation methods that will build a d-sharing of the output f(x) from a d-sharing of the input x, and you want to define the scheme such that no d-tuple of intermediate results during the processing depends on x or f(x). This problem is related to secure multi-party computation, to circuit processing in the presence of leakage, and also to efficient polynomial evaluation. The data sharing itself, and the issue of processing something on data which has been shared, is related to polynomial sharing, or to processing when error-correcting codes are used to share the data.
But here we're just going to use the additive sharing I already showed you. As I told you, we know how to process a linear function on something which has been shared additively. It's very simple: you have the d+1 shares of x and you want to securely process a linear function l on x, that is, deduce a sharing of l(x) from a sharing of x. You just apply l to all the shares of x, and you get the d+1 shares of l(x). For the multiplication it's quite simple also. You have d+1 shares of x and d+1 shares of y. You first process all the products x_i times y_j, and then you have to define a way to securely process the sum, which is simply the sum of all the products of x_i by the shares of y. Then you have one share for each x_i, so d+1 shares in total, and you have a sharing of the product. This is a very simple way to present the sharing of the multiplication, but there is a smarter scheme proposed by Ishai, Sahai and Wagner which does that while reducing the amount of randomness needed to get the security. So we know how to securely apply a linear function on something which has been shared and deduce from it a sharing of the output, and we know how to securely process a multiplication. Basically, we know how to process any polynomial which can be split into linear processings and multiplications. So if you have to securely process an S-box S from F_{2^n} to F_{2^m}, you just have to represent it by the algebraic normal decomposition of the polynomial.
Then, to evaluate this in a secure way, you will just have to secure the processing of additions, of squarings (squaring over F_{2^n} is linear with respect to bitwise addition, so it is a linear processing) and of scalar products, which are also linear. For all those processings you will apply a secure processing which has linear complexity in the security order d. Only for what we call the non-linear multiplications, meaning the multiplications which are not squarings, will you need a scheme with complexity quadratic in the order d. So this gives you a game to play: you have a function f to process, and you try to find a decomposition of the function f into a sequence of operations which minimizes the number of non-linear multiplications. This is the game we're going to play, which has been played in several papers: I give you a polynomial, and you try to find a decomposition of the processing which minimizes the number of non-linear multiplications. For monomials, it amounts to looking for a short addition chain for the exponentiation. For polynomials, you can apply some previous works which have been done by Knuth and Eve. But we also proposed, in a paper in 2012, a method based on the processing of cyclotomic classes, and recently Coron, Roy and Vivek proposed the method I'm going to present in the coming slides, which is the most efficient method we know today. The idea is that you start from the algebraic expression of the S-box viewed as a polynomial.
You take all the non-zero coefficients of the monomials in this expression and you build s cyclotomic classes C_i, so that the set of all the exponents is included in the union of the cyclotomic classes plus itself. What is the idea of using cyclotomic classes? The idea is that if you process an exponentiation for one element of a cyclotomic class, then only by processing linear operations you will recover all the exponentiations in this cyclotomic class. So you just pay for one exponentiation per cyclotomic class, and all the other powers are for free if you assume that linear processing is for free, which is the implicit assumption. Now that you have the union C of the cyclotomic classes, you define the set P of all the polynomials you can build by only taking monomials with powers in C. This is the first step. Then you fix, or randomly select, t polynomials in P, and you search for t+1 polynomials P_i so that the function S you want to evaluate can be split into this sum of products. This is a heuristic approach. What we know is that the number of non-linear multiplications is exactly s, one multiplication for each cyclotomic class, plus t, the t multiplications there. So the number of non-linear multiplications for each S is lower bounded by this, and what is shown in the paper of Coron, Roy and Vivek is that the lower bound is always achieved. From a linear algebra point of view, the Coron-Roy-Vivek method amounts to solving this linear system,
where the unknowns are simply the coefficients of the t+1 polynomials P_i. You then have (t+1) times n times the number of elements in the union of cyclotomic classes unknowns, and 2^n equations, which gives you a necessary condition. In practice, once again, the condition was sufficient. So with the Coron-Roy-Vivek method you have a complexity of (2^(n/2) / n) times d^2 operations in terms of the number of non-linear multiplications. In practice, you see that in the worst case, to evaluate a polynomial from F_{2^8} to F_{2^8}, you need only 10 non-linear multiplications. For n equal to 6 you need in the worst case 5 non-linear multiplications, and what is shown in the paper of Coron, Roy and Vivek is that for the DES S-boxes you have a decomposition with only 4 non-linear multiplications, which is quite a nice result. So in our paper we started by generalizing the Coron-Roy-Vivek method. In fact, state-of-the-art methods split the processing into linear functions and multiplications, and then they try to minimize the number of multiplications. Here we propose to split the processing into functions of low algebraic degree: we extend the non-linear multiplication to low algebraic degree functions. This approach links with threshold implementation issues. Before presenting the methods, I just recall that the algebraic degree of a polynomial is the greatest weight of the exponents of its monomials. To illustrate, the degree of a polynomial over GF(2^n) is bounded above by 2^n, whereas the algebraic degree is bounded above by n.
The new problem which is targeted in the paper is to split the evaluation of a function F defined over GF(2^n) into the smallest number of functions of algebraic degree s strictly lower than n, and actually much smaller than n. The implicit assumption is that we have efficient methods for degree-s functions. So how do we extend the Coron-Roy-Vivek approach? Instead of building a union of cyclotomic classes, we first randomly generate r degree-s polynomials F_i. Then we derive new polynomials G_i just by composing the functions F_i one after another. Once we have done that, we randomly generate t polynomials Q_i, so that they can be seen as sums of linearized polynomials applied on the G_i polynomials. Now the counterpart of the Coron-Roy-Vivek approach is to find t polynomials P_i of algebraic degree s, and also linearized polynomials L_i, so that the splitting of the polynomial S can be this one. If you have a look at this formula, you see that we only process degree-s polynomials. So if we assume that we have efficient methods to evaluate such polynomials, then we have an efficient decomposition of the processing of S. We can also rewrite our problem as solving a linear system like that, and we also have a necessary condition. Unfortunately, in practice we didn't achieve the lower bound, but we succeeded in having some good decompositions of polynomials in the worst case. For instance, for n equal to 8, if we split the processing into quadratic functions, then we can process any polynomial over F_{2^8} with only 11 evaluations of quadratic functions.
And if we use cubic functions, then we only have to process four cubic functions in the worst case. I told you that we need efficient methods to evaluate degree-s functions in order to apply this approach. I will not have time to present the two approaches, but I can present one of the approaches we give in the paper. The basic idea, illustrated for the case of a quadratic function F, a function of algebraic degree two, is that if you evaluate a quadratic function over a vector space of dimension three, then the sum of the values taken by F on this vector space equals zero. So you have this equality: F(x) equals this one, and all the elements in this sum give you a sharing of the output F(x). Here you have seven elements, so you have a sharing of F(x) into seven shares, and it can be shown that you need two elements in this sum to get information on x or F(x). If you want to increase the security order, you just have to split e_i here into three shares. Then you will have exactly the same equality, except that you replace e_i by the sum of its three shares, and you will have a sharing of F(x) into seven shares but with security order three. We can extend the idea at will for any polynomial and for any security order. We also present in the paper a second strategy to evaluate degree-s functions, which is efficient if s is small. I will not have time to present it, but it can be seen in the paper. What we do is better than the state of the art if you want to evaluate a quadratic function, and it is better than the state of the art if you want to evaluate a cubic function for security orders equal to two or three.
It is also better than the state of the art for small dimensions, n equal to 4 and n equal to 8, if the ratio between the cost of an addition and the cost of a multiplication, for n equal to 8, is lower bounded by five. To sum up and conclude, we extended in the paper the approach presented by Coron, Roy and Vivek to split polynomial evaluation into processings of polynomials of algebraic degree bounded above by s. Further research could be, for instance, to improve the method and to find other ones, maybe to get lower bounds or to show that the lower bounds we have
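As an added, illustrative example (not code from the talk, the paper, or its authors), the script below makes two parts of the talk concrete: the share-wise evaluation of a linear function and the multiplication of additively shared values (the ISW multiplication gadget), and the quadratic-function trick, where the sum of a degree-2 function over a 3-dimensional subspace vanishes and the seven non-zero terms form a sharing of F(x). It assumes arithmetic in GF(2^8) with the AES reduction polynomial, uses x^3 (exponent 3 has weight 2, so algebraic degree 2) as the quadratic function, and takes randomness from the standard `secrets` module; the inputs 0x53 and 0xCA are constructed test values.

```python
import secrets

# Multiplication in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1.
def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def xor_all(values) -> int:
    r = 0
    for v in values:
        r ^= v
    return r

def share(x: int, d: int, rand=secrets.randbelow) -> list:
    """Additive (XOR) sharing of a byte x into d+1 shares: d random bytes plus
    one share chosen so that the XOR of all shares equals x."""
    shares = [rand(256) for _ in range(d)]
    shares.append(x ^ xor_all(shares))
    return shares

def unshare(shares) -> int:
    return xor_all(shares)

def secure_linear(l, shares) -> list:
    """A function linear w.r.t. XOR (e.g. squaring in GF(2^8)) is applied share
    by share; the result is a sharing of l(x) at cost linear in d."""
    return [l(s) for s in shares]

def isw_mul(xs, ys, rand=secrets.randbelow) -> list:
    """ISW multiplication gadget (Ishai-Sahai-Wagner 2003) over GF(2^8): from
    sharings of x and y, build a sharing of x*y from all (d+1)^2 partial
    products, using d(d+1)/2 fresh random bytes to mask the cross terms."""
    n = len(xs)
    r = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = rand(256)
            # r_ji = (r_ij + x_i*y_j) + x_j*y_i, evaluated in this order
            r[j][i] = (r[i][j] ^ gf_mul(xs[i], ys[j])) ^ gf_mul(xs[j], ys[i])
    out = []
    for i in range(n):
        c = gf_mul(xs[i], ys[i])
        for j in range(n):
            if j != i:
                c ^= r[i][j]
        out.append(c)
    return out  # XOR of out == x*y, since r_ij + r_ji == x_i*y_j + x_j*y_i

def cube(x: int) -> int:
    """x^3 in GF(2^8): exponent 3 = 0b11 has weight 2, so algebraic degree 2."""
    return gf_mul(x, gf_mul(x, x))

def quadratic_seven_shares(f, x: int, rand=secrets.randbelow) -> list:
    """Sharing of f(x) for f of algebraic degree <= 2 (the talk's first method):
    for a 3-dimensional linear subspace V of GF(2)^8, sum_{v in V} f(x+v) = 0,
    hence f(x) = XOR over the 7 non-zero v in V of f(x+v). Each share is f
    evaluated at x masked by a non-zero combination of three random bytes."""
    while True:
        r1, r2, r3 = rand(256), rand(256), rand(256)
        V = [a ^ b ^ c for a in (0, r1) for b in (0, r2) for c in (0, r3)]
        if len(set(V)) == 8:  # r1, r2, r3 linearly independent over GF(2)
            break
    return [f(x ^ v) for v in V if v != 0]

def demo(d: int = 2, x: int = 0x53, y: int = 0xCA) -> dict:
    """Run every gadget on constructed inputs and report whether each sharing
    recombines to the expected unshared value."""
    xs, ys = share(x, d), share(y, d)
    squared = secure_linear(lambda s: gf_mul(s, s), xs)   # linear: share-wise
    product = isw_mul(xs, ys)                             # non-linear: ISW
    return {
        "share": unshare(xs) == x,
        "square": unshare(squared) == gf_mul(x, x),
        "product": unshare(product) == gf_mul(x, y),
        "cube_7_shares": xor_all(quadratic_seven_shares(cube, x)) == cube(x),
    }

if __name__ == "__main__":
    for d in (1, 2, 3):
        print(d, demo(d))
```

The ISW part reproduces the structure the talk describes (all products x_i·y_j, then a masked re-summation into d+1 output shares); the quadratic part reproduces only the correctness of the seven-share identity, not its security argument. Replacing `cube` with a function of algebraic degree 3 (for instance x^7) makes the subspace sum non-zero in general, which is why the talk needs a different evaluation method for cubic functions.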