 Hello everyone, my name is Okan Sekar and today I will talk about our joint work with Thomas Eisenbart and Maasai Liskevich, a white box masking scheme resistant computation and algebraic attacks. So before going into the details, I would like to give a small history of Pallantry, the seeing stones by J. R. R. Tolkien. These magical stones are created for many purposes, but the simplest intention is to communication in Middle-Earth. However, these stones are dangerous as they are possessed by Sauron the Dark Lord. So one of the most important victims is Saruman the White. He was corrupted while using or trying to use a device by the whispers of the real owner of Pallantry the Dark Lord. So now Sauron owns the device and can read the user's minds and can see memories even if the deepest secrets are not secure anymore. So what we can see from here is Sauron as the adversary in this scenario owns the device. You can inspect your memories and can manipulate your minds with his whispers. So now let us consider this example in our setting. As an adversary, we have the same purpose as Sauron, revealing the sensitive information. When we compare the capabilities of both two cases, we see a similar structure. So while Sauron can inject thoughts by whispering and see your mind, our adversary can inject thoughts and can inspect memory. What can we do then? The only thing that we can do actually are strengthening our implementation. And now we would like to quote this beautiful line from earlier works. When the attacker has internal information about a cryptographic implementation, the choice of implementation is the sole remaining line of defense. And this is why we need white box cryptography. So this model is used to protect secrets purely in software where we can actually think about the environment as hostile. And one of the examples is one of the rising services today, the streaming services. This can be music, gaming, or video. So also mobile payment systems can be seen as an example. However, today all the academic proposal has been practically broken. So in this work, we tackle this problem and propose the first combined masking scheme that can resist state-of-art white box attacks, computation, and algebraic attacks, which we give the details in the following slides. So we analyze two security notions in cryptography, which we show that they're actually incomparable. The first one is probing security against computation attacks and prediction security against algebraic attacks. We give concrete constructions for arbitrary orders of computation security and first and second order prediction security. Moreover, we prove this security of these constructions. To give this proofs, we need to provide a novel security definition and a novel composable to prove for prediction security, which we extend actually from the previous work. Moreover, we supported our results with the verification tool by Biryukov et al, which is for prediction security and mask variant for probing security. And finally, we provide a proof-of-concept AS implementation to analyze the overhead and security features of our design. So let's deep dive into the state-of-art attacks on white box systems. The first attack is based on a well-known physical attacks on embedded devices. As you know, the embedded devices that run a cryptographic algorithm are vulnerable to physical attacks. An adversary can use such an information, such as power, timing, or use an active attack to implement a fault injection. In a very basic scenario, the secret value can be revealed using a differential power analysis. And this idea is later applied to the white box system in 2016. So the idea is actually the same as the such analysis. And the only difference is actually the source of traces. In this version, an adversary can simulate the power traces by softer execution traces. So these can be memory accesses, intermediate values, or written or read values. So these attacks can be found on the GitHub page, such as Marvels. And you can reproduce these attacks on nearly all white box systems in the literature. And this actually shows us how impactful these attacks are. And of course, as a net-natural approach, we're actually trying to find the contract or how to contract these attacks. And what we can do is to take a look at the good old masking. So let's recap the Boolean masking here. So here, you can see we have x2 until x1 are randomly selected. And the final share is actually represented as in this equation you can see in here. And finally, we denote this secret sharing with n plus 1 variables. And the main idea is actually simple. As you know, every n tuple is indeed independent of the secret. So this is the main idea of the counter measures against such analysis. However, we cannot just rely on masking because the strength of the masking is actually related with the noise within the implementation. And a differential and DC adversary can produce noise-free traces. And of course, that's why we need some more additional noise acceleration sources such as shuffling or control flow obfuscation. These methods are introduced to increase the noise in a masked white box implementation. So now let us take a look to the algebraic attacks, which is another hit for the masking on white box systems. So this is introduced by two different teams against famous other ink pointers, the strongest design in white box context in 2017. So the idea is to first finding a window that contains the secret sharing corresponding to a value that can be predicted. And the question is to finding a linear combination of the nodes that gives you this predictable value. And this linear combination actually reveals the sensitive value. Of course, if we increase the order of these combinations, for example, if we look for quadratic combinations of your nodes, this will result in a higher order algebraic attacks. OK. While we are thinking about how can we implement masking on white box systems, the algebraic attacks should break our every hope. As you can see from a previous slide, we don't need to consider the masking order. The attack works on every order as long as the masking is linear. Therefore, the Boolean masking, no matter what the order is, is indeed vulnerable to first-order algebraic attacks. So we have seen two main attacks, and now let's take a look how can we define security against these attacks, which actually gives us the foundations of our design. So let's start with the probing security, the easy one. This is a well-known model introduced by Isha et al. Very briefly, it implies that the adversary obtains t-intermediate variables per execution, where t is a fixed integer. And our goal is to prove that every set of t-intermediate variable is independent of the secret. And the second notion is against algebraic attacks. It's a quite new notion. And in this case, adversary can obtain all intermediate variables, but can only use a deed-order combination to combine them. So if you think about our previous example in the against other pointers, what we actually do looking into the linear combination. So that means our order is first-order combination, which is linear combination. And therefore, that's why the Boolean masking is actually vulnerable to first-order algebraic attacks. And here, again, for our security notion, our goal is to show that the probability of distinguishing two sets of plaintexts by looking at deed-order combinations of the circuit nodes should be negligible. So this is an important notion for us. First of all, it is seen in the previous slide. It's quite new, like two years old. And it provides security against a very powerful trait on whitebook design. And maybe this might be a keystone for the next generation of masking. Therefore, we would like to have a closer look at this model. So as we described earlier, this model analyzed the behavior of a function, fc. That means all the deed-order combinations of the circuit nodes from this highlighted area. And this area is actually gives us a target. And fd to the c means that we're looking to do every deed-order combinations of the nodes, as you can see in this slide. So if d equals 1, that means we are only looking at the linear combinations of these nodes. If d equals 2, we're looking at the quadratic combinations. We can just multiply two nodes and add the rest of the shares. So it's the main idea. Now let's consider two inputs, x and x prime. And the main idea is to finding a function from fd to the c such that this function is constant or high-bias when the input x and y servers are for the x prime. So let us recap it again. We would like to find a function such that, in a very basic scenario, for an input x, this function should be constant. So this is our encoding function. And this is our circuit function. And when we think about this, this circuit node is a combination of our encoding, which you can think about as secret sharing function. This should be a constant function. So if an adversary cannot find such a function, that means that the prediction security, I mean, the main idea is this. So the prediction security requires every function from your set should have low bias. Although one of the notions indeed covers the other, they are actually incomparable. Let's take a look at the first example. We have the Boolean Masking example here. As we discussed in the previous slides, we know that an end-order Boolean function is actually vulnerable to algebraic attacks. And we know that it's actually secure against probing attacks if it's applied correctly. Now let's take a look at the minimalistic quadratic masking by Birik Faital. So here you can see the decoding function of the scheme is as in the slide here. And it is proven as it's secure against first-order algebraic attacks. However, when we think about the sharing, we can see that the sharing of x0 is 3 out of 4, which implies that the probability of the final share is equal to the x, which is secret, is 3 out of 4. So thus it is actually not secure against probing attacks. So as a result, what we can see is there is no comparability between probing security and prediction security. And we need both notions in our proof. And this is the main reason why two countermeasures were proposed on top of each other to prevent both attacks in the earlier rocks. So what we learned from these two attacks is the following. First of all, we need a regular secret sharing to eliminate computation attacks. And secondly, we need to increase the decoding order at the same time to gain resistance against algebraic attacks. So now let's remark the Boolean masking as in this left-hand side. Now the question is, how can we increase the decoding order? So the idea is simple. We need to share a single share. So let's say Xura in this example. We would like to represent Xura with a multiplicative masking such that Xura is a product of d plus 1 random variables. And the rest of the shares actually stays the same. And we denote this masking by an ND masking scheme. So before going into an example, we would like to take a look at the encoding and decoding function here. So here, instead of having an n plus 1 random variable, now we have d plus 1 random variable for multiplicative representation and n minus 1 variable for just selected randomly. And the last player's share is actually calculated by a product of your multiplicative represented share and the rest of the Boolean, rest of the linear shares. And now the interesting thing is here our decoding function. As you can see, what we did is actually trying to increase the decoding order. Here you can see the degree of our decoding function is d plus 1. And now let's take a look to an example where n equals 3 and d equals 1. And here you can see the Boolean masking on the left hand side. And you can see that we increased the decoding order by representing X0 tilde plus X1 tilde. So this was our data transformation. Now, as a regular masking scheme, the data transformation is followed by gate transformation. So we provide the secure XOR and a refresh mask gadget. And the foundation of these gadgets are actually the same as a Boolean masking. So, however, now we have to be careful of the intermediate variables that actually represent X0 because, yeah. And let's take a look at the basic example of secure XOR operation. Here you can see every share besides ZM is share-wise. And in order to secure the correctness of the gadget, we need a variable u. And here you can see the concrete constructions for first and second order XOR gadget. And using a similar ideas, we can transform and refresh mask operation for our purposes. And for the details of this gadget, we would like to refer to the paper. So what about the cost of this transformation? And what is the overhead? So here we can see three main parameters that we would like to take a look. These are number of XOR and and required randomness. As you can see from the XOR example, we have a special subscript ui and ux representing the number of and and XOR operations within this special variable that we defined in the previous slide. And observe that for d equals 0, the gadgets are actually become the regular secure mask operations. For the XOR gadget, of course, we are actually increasing the total number of shares, which gives us a linear increase and the cost of the operations of u. And as you can see from the highlighted values, for ux and ui, this can be 1 and 2 as in this example, as you can see here. These are actually small values for XOR operation. For the end gadget, again, the complexity is n square. But now the main overhead comes from this specific variable, v. And for refresh mask, we actually see a similar pattern. Of course, now we need more randomness for in order to define this operation. And we interpret these results more at the end of our presentation when we take a look to the AS implementation. OK, until now, we reconstruct our scheme. Now we would like to focus on how to prove the security of our design. Let's take a quick look at how the proof techniques are working in our settings, starting from the probing security. So as a caveat of our scheme, only a subset of shares is actually uniformly distributed. As you can see, XOR is actually biased. Thus, an adversary can predict XOR with high probability. So therefore, we are actually losing one probing security order in order to gain algebraic security. So in our proofs, we see these nonlinear shares as public values accessible by the adversary. And therefore, the simulation for our simulation base proof can also access these values. And we show that an end is, and this scheme provides security against n minus 1 order attacks. And moreover, we supported our results with the verification by mass graph. And these verification codes can be found publicly available. Now let's take a look at the prediction security proof. And the main idea is simple, as we describe in the prediction security definition. We need to show that every linear combinations of our circuit should have low bias when input is fixed. That is, the nodes are a function of your nodes, or your combinations of your nodes should be a function of PRNG or your randomness source. So it is all of this shown that due to linearity, composition is actually easy to prove. And therefore, the adversary cannot distinguish any sets of inputs. And for our first order gadget, we use a tool provided by Birikov Auto to verify the security of our design. And the interesting thing is, you can see the bias bound of gadget. As you can see, these are actually independent of your linear masking order n. And now let's take a look at the second order security. The idea is quite intuitively extended. Now the combinations that we need to take care are become quadratic. And moreover, the first order bounds should be much lower than the previous bounds. And again, the idea is what we said before, the adversary cannot distinguish any sets of inputs. However, one thing that we need to take care of, of course, the combinations, composition. However, the quadratic composition cannot be extended in a trivial way, as we need to consider combinations from two different circuits. So if we think about the second order combinations from two different circuits, that's by linearity, as in the previous result, this can be done easily. However, when we think about the combinations of two first order combination from two different circuits, when they add them together, or when you combine them together, now that needs to be special attention. So we proven our pruning two-fold. First one is parallel composability, and where the gadgets are operated in parallel. And the second is sequential, as in this figure. So therefore, we have proven the composition in parallel order and gauges the circuits that operate in parallel and circuits that operate in sequential order. So what we've proven at the end is the composition of an arbitrary circuit. So how can we interpret these results? So this will be the main results here. So the probability of an adversary to distinguish two sets of plain text is less than 2 to the minus 128 if the window contains at least 1.5,000 random notes. So these random notes can be supplied to the circuit in a very basic manner. You can think about this, the random dummy notes. These notes don't need to be act in your circuit, but there has to be some random notes so that the adversary will not be able to have a window that contains the secret shares and less than 1.5,000 random notes. And that's why we need an additional obfuscation there on top of every white box design. In the final part of our presentation, we would like to take a look at the proof of concept AS with a performance comparison. So here we can see that this light blue line corresponds to the previous approach where two different masking schemes are needed to combine to get the desired security level. And now the bottom blue line corresponds to the regular masking scheme without a nonlinear component. Now we can combine from our intuition from the overhead and see that due to the structure of our scheme, it is efficiently increasing the security order in the dimension of N. You can see. However, still the nonlinear order is actually the bottleneck of our scheme. For the randomness course, you can see that again, we have the light blue line corresponding to the previous approach where two masks are needed. And the bottom blue line corresponds to the where there is no nonlinear component. For the randomness course, we see a similar structure also and better results with respect to using two different masking at the same time. Now in conclusion, we have proposed the first masking scheme that combines linear and nonlinear components to achieve resistance against both computation and algebraic attacks and prove the security in both probing and prediction security notions that are incomparable. We provide a first and second order prediction security for concrete constructions of N1 and N2 masking schemes. We have provided a proof of concept bitwise AS1 to any implementation of the leakage and performance analysis. Thank you for your attention. If you have any questions, please feel free to feel free to contact us. Or if you're interested, you can find more details on our e-print. And if you would like to take a look to the verification code or analysis code, please feel free to go to visit our GitHub page. And here, you can download our mask verifier code and analysis and also the AS1 to any implementation. Thank you.