 Okay, the last paper of the session is efficient and provable white box primitives by Pierre Alan Fouk, Pierre Carpemann, Paul Kirchner and Brice Minot. And the talk is given by Pierre Carpemann. For the introduction, you can notice that some of the words in the title are similar to the previous talk. I assume that Andre would do a very good job of introducing the context so I can go a bit faster. But basically, we have the same objective, as was said before. We want to have a block cipher or something that will be incompressible. So this will somehow we can define it in a rather intuitive way. Let's say we have a block cipher, matcal e, taking a key, plaintext sending a ciphertext. And we want to define an incompressible implementation of these ciphers. It's going to be this mat VBE, like just a program. And what we want is that if we've just given the implementation, it's hard to define another implementation, e-prime, that give the same answer for all input outputs and that this program is much shorter. So the size, basically, of e-prime is much smaller than the size of e. Of course, we can relax a bit, like saying we don't need that e and e-prime need to be exactly the same. They can differ on some negligible size of the input space. And also we can say that this compression needs to be at least by effector c. So to say I really compress, I need to compress by axis. So this is basically the kind of thing we want to do. And for a moment, for now, we will just for a while define it as a rather encryption schemes because it is more convenient for what follows. But it's just the same. We just add some operating mode and some randomness and now we will define a white box encryption scheme as being a pair of encryption schemes. The first one takes a key split into key key prime, randomness, place text, and sends it to the stifle text. Then we have this other implementation of the scheme. And these two schemes are related by a white box compiler, which takes a value from the first domain k, sends it to the second domain t, which takes place of k for bb. And then what we want is that the relation with this compiler is that e and e, bb, are the same when the first parameter is k and the compiled version of k. And for these to be useful in our context, we want these two domains k and t to be of very different size and typically we want to take a small k, like 128 bits, and a much bigger t, like for instance 2 to the 16 bytes, or even b. And in our context and in everything that also Andrea presented, these domain t for the white box implementation of the cipher can be thought of as a set of tables. So that's what we will assume for now. And this is what's been used for instance as a space spn box and also in the schemes I will present. So now we have this white box encryption scheme definition and we should know how to attack it. So what does it mean to attack this kind of scheme? So we have black box attacks, which are really typical. We just fix somehow like the instance by picking a certain k. Then we have something that purely classical, like a symmetric encryption scheme, we just attack it as we usually do. So we're not really interested into that for this talk. And then we have white box attacks and we can somehow divide this in two kind of attackers, which define us somehow two strategies to compress. So our goal is given e and c of k to try to find a smaller e prime. So we can do this in two ways. The first one is given c of k trying to get k. So this is what we will call the compiler adversary. And then we have a implementation adversary that doesn't really try to compress this c of k, but simply this c of k is a big table or a set of big tables. And what this adversary tries to do is to use fewer table inputs than what we would want. So basically saying I have this big table, but I don't need this entire table to encrypt, I can just use a smaller part. So then we have two kind of strategies to decrease the size of the implementation. So, well, now we actually don't really want to attack in this. Well, this work was not about attacks, but rather building secure systems. So how can we protect against all of these adversaries? So against compiler adversaries, there are two ways that Andre presented the first one that have been used so far. The first one is to build dedicated block ciphers and then to tabulate them. So that's what's been done for SPN box, but typically and also ASASA two years ago. And then an attack is just to attack these small block ciphers. So basically you use tools from Symmetric Crypt Analysis to assert that this is a secure or not block cipher. So ASASA got broken, SPN box hopefully will not be. And then there is another strategy which is the one used in space that Andre also mentioned and that we use in this work. Is that we start from a secure block cipher like AES and we just somehow take an output and crank it or not. So then we rely on the security of this big block cipher to to say that we cannot easily find the input from the output. Okay, and then implementation adversaries are a bit trickier in the sense that what we would want is to show that we have enough unpredictable accesses to the tables so that an adversary cannot easily say I only need this part of the table to reach a full functionality or a significant functionality. So this is a bit harder to show. There is no easy way or at least easy methodology as before. Okay, so now the goal is to define a provably secure schemes in the sense that we have some kind of provable arguments against these attacks I mentioned. So and also we wanted to have rather a family of schemes for which we can pick an implementation set because probably we want to be able to do that for concrete applications and then now we go back to focusing more on the primitives that can be used to achieve this So the global strategy for this design is first to get rid of the easy adversaries from all of the black box adversary and the compiler adversaries and then we focus for the rest of these implementation adversaries and in this case we define a security model well actually true And we can use these models to prove that the contractions are given reasonable assumptions So well the first two adversaries I won't mention again in this talk Because black box adversaries basically if we get our entire scheme We can always sort of make it a secure against black box adversaries by sandwiching a yes But this may seem a bit like over killer But actually it's quite natural given our constructions and then well The resulting scheme is never going to be less secure For compiler adversaries we do what I just mentioned briefly. We just take a yes with the secret key counter We put that into a table and then if we cannot recover the a yes few plaintext ciphertext pairs then this should be Okay, so consider this to be done for now and Now we really want to tackle a implementation adversaries and for this we first define a security model One of the you have a variant Paper and now for this we assume that the encryption right back encryption team uses table Okay, it's basically defined by this security game. We have some parameters and we have a challenger b which takes uniformly some tables from these table space Then the adversary a can adaptively query the table on some input, but not the entire table picking s inputs But you can get the answers now then be picks all of the remaining parameters of the scheme and Send this to a and a wins if you can and so Now we're going to do this Well, you can use it to define a security Are interesting that the adversary shouldn't Okay, well, it was written. I didn't mention it on the slide before it Was called a weak model and the source of weakness in this model is because we are assuming that the adversary behaves in a certain way namely that the adversary strategy is Take the table outputs input outputs and to keep only some of them but it's still it's way of compressing the implementation is by For getting some elements of the table So this looks like a reasonable strategy, but in all generality, we can assume that the adversary best strategy Can be done like this. So we also have a strong model that I almost mentioned for the rest of the talk But you can generalize somehow this strategy by saying that the adversary will Define an arbitrary function from this table space and will then later ask The challenger to give to apply this function to the table you picked Then the restriction is that these functions should preserve some of the entropy of The challenger stable so you can ask anything but not Then we can have some the rest of the game something. Okay, so Now I will first define the couraure-de-bois family, which is mapping from some randomness to a key the idea of this kind of what this kind of Primitives can be useful in a white box context that The actual session key you use has to be defined through this function So if you forget about this function that you don't know exactly what the key At some point of the entire protocol you force people to use a function that needs a lot of space and So we have this construction our requirements, and we can probably take your in this So the what does it look like we have first a compilation phase where we just tabulate a yes with the secret key on This defines a table with the two to the right where you can choose Now how it works is that we use our input Just a randomness and we use that For the seed of a yes counter with some well for the key of a yes counter And then we use some counter and we produce basically a sequence of random values That will be indices on which we access this So we get these table values outputs we arrange them in the metrics We generate some more randomness and we compute these Which is the result of them so that's how it looks back on a picture We get ER so a yes typically parametrized or You get the outputs of some counter values into this we get them into tables of Get it out put together everything in some sort of hash function that also uses some additional To the random input and this The RC Okay, so the idea of this your scheme and how to prove that it's a good one Is that if we don't know one of the input to the tables? Then we shouldn't be able to say anything about the output So now how to prove that this indeed works that the scheme There is that we can show If the adversary is restricted to access to store only s values of the table then show that Bond one extra value that it doesn't have with high So that's the number of table total table that needs to be accessed is basically what we need to compute for a given security And the security level will be set to be the output size of 128 bit minus The log of the total number of tables that are kept by the adversary because this would correspond to the adversary just Computing the scheme for some input Storing the values what the results then for getting everything and then with s bits of memory basically you can always just Compute on some random inputs. You will have some Probability greater than 2 to the minus So well That it's too Right away, but basically that also tells you that there is a strictly minimal number of rounds that are necessary That will be the ratio of compression or Be less than 2 to the minus delta of the security Otherwise you have some sort of generic Okay, so then what we actually show is that for this construction if you add just one more round that this Strict minimum number of rounds then you can reach the security level that we So I will not detail the proof, but Depending by events counting how many how often those bad events kind of kind of combinatorial magic So that's what it looks like Concretely if you use 16 bit input tables, then you need 57 or a security level With this compression ratio Okay so actually For this construction, it's also possible to show that it's secure in this more in this stronger model where you don't assume so much about the strategy of The way to do that is to explore the similarities between this entire kind of incompressible model bonded storage model Where somehow the goal or quite similar so unsurprisingly similar agreements can be used and for this proof Okay, so Now we briefly mentioned a puppy cipher family, which is now a typical block cipher Which has similar properties as one which can be in some parts a sequence being a sequential version of this Okay, so I will skip this because there is a picture Basically, that's what's being done Message and the message is split in two halves one half is split further into some smaller chunks of the size of So input size of some tables These go to the tables the output of the table is 64 bit all of these are exorc to the left So basically that's a one round five spell and between each of the rounds. We have a full call to be a guess That is supposed to mix everything. So for instance for puppy cipher 24 we do this 34 times and At the end we get the uncorrected message So now we also need to fix the how many rounds of this construction are necessary to be to reach a given security level And the proof is similar to what but it's a bit more complex because now the inputs are not Independent as before as generated by a through the random function because they're changed through these sequences of permutations, so Yeah, it's a bit more work There are different details in the paper. So this is how many rounds table accesses we need for variance variant instances Okay, so I will go quickly over in So If you look at the construction all of the individual components or We have table accesses that somehow we need in those settings and that are going to be well not necessarily efficient, but well we have to pay for that at some point and The given number the number of cable accesses we need is a near-minimal So it starts back And also we have some kind of parallelism that we can get especially for color they want And also we purpose a more aggressive version of puppy cipher where we don't do full a yes So those are some quick results Basically so for the puppy cipher we get from 175 to 1460 cycle provides for these Depending on the table size so well if it fits in cash It's going to be reasonably efficient if it's in RAM, of course you have to pay a lot more You have a lot of variance also between these table calls if you reduce the number of areas cause it's going to be a bit faster Core otherwise a bit faster too because we get this parallelism between the table accesses Yeah so Okay, and I will skip this okay, and this was just this one slide saying that Well, the and I also gave figures for his construction and in the last talk and the thing is that we were using slightly different settings for our Implemented performance measurement, so nothing It's quite not ready to compare exactly How it can be I mean which one is the most efficient? So probably we need to look at this a bit more. That's something that should be done now Okay, so that the end of my talk and So I'll put an engraving of some quality one the right and the seventh cutest puppy according to Google image Any questions? I don't know. I mean I first look at the other audience to give the chance all the people to ask a question So a small thing which I'm not sure I understood correctly when you are putting this extra AES In order to defeat for example black box attackers You use a key do try to hide that key in any white box way or you just give away the The key in the AES Which you put in the middle So this key would be in the white box sense this key Well, it's not protected. It's really like actually we can no but then you cannot claim that you have That you are secure in the black box model if you think about it as being known No, no, but in the well, it's not known in the black box In the black box model this key secret that would correspond also to this okay So these keys are completely secret in a black box sense. So that's why that's why I said also This happens naturally for the construction in a black box way Those are secrets. So what you get in the white box? It's a Completely open you don't make any attempt to hide it From the another okay, any other questions Okay, let's thank all the speakers of the session We will have the coffee break till five past six part five past four which is in 25 minutes