So the third talk of this session is on mixing additive and multiplicative masking for probing secure polynomial evaluation methods. It's from Axel Mathieu-Mahias and Michaël Quisquater, and Axel will give the talk.

So hi, thank you for the introduction. So in this paper we were interested in polynomial evaluation methods, which are very relevant methods for masking when S-boxes can be represented as polynomials. And therefore providing fast and secure methods, in this case, results in efficient and secure masking schemes. So we do that using a mix of additive and multiplicative masking.

Now in the context of side-channel analysis, information leaks through the physical leakages of a running device because the data and the physical leakages are dependent. Now masking is a popular method that prevents this correlation by randomizing the physical leakages. The countermeasure splits every sensitive variable into several shares and secures the processing of the shares through every internal operation. Now when the countermeasure is applied with more than two shares, then the masking is said to be of higher order, which has been proved to be a sound countermeasure in several security models.

Now in our paper we proved the security of all of our constructions in the probing model, which was introduced by Ishai, Sahai and Wagner in 2003. In this model, an adversary has access to t intermediate variables and tries to recover any sensitive information from that set. And therefore what we call t-probing security is achieved if any set of t observations is independent of every sensitive variable. Now there are two important security notions concerning probing security: the t-NI and t-SNI properties introduced by Barthe et al. in 2015. The t-SNI property is very convenient since it allows transformations that satisfy this property to be composed safely, which is very convenient to prove probing security.

Now usually masking schemes use additive masking.
And what it means in practice is that every sensitive variable has to be split into t+1 shares such that the sum of the shares is equal to the original value. Now in this case the processing of linear transformations is very efficient, while the processing of multiplications is much more expensive. Now the first probing secure masking scheme that uses additive masking was proposed by Rivain and Prouff in 2010. The idea was to express the AES S-box as a power function, which relies on linear transformations and multiplications, namely squarings and multiplications. Now their approach was extended to the generic case by Carlet et al. in 2012. They proved that any n-bit S-box can be represented as a polynomial function over a binary finite field, whose evaluation also relies on linear transformations and multiplications. And therefore, since multiplications are very costly to process in additive masking, several works have then tried to optimize the number of nonlinear multiplications that are involved in the polynomial evaluation method.

Now some other masking schemes use other encodings. And some others can even use several encodings simultaneously. This is the case of GPQ, which is a masking scheme for power functions that was introduced by Genelle et al. in 2011. This scheme mixes additive and multiplicative masking. Now the idea is that linear transformations are very efficiently processed in additive masking, while multiplications are very efficiently processed in multiplicative masking. However, using a mix of additive and multiplicative masking comes at a cost. It requires securing the processing of a Dirac function, because multiplicative masking is only defined for nonzero values. Then it also requires providing secure transformations to switch from an additive into a multiplicative masking and conversely. Those transformations are respectively called AM-to-MM and MM-to-AM.
Now if we take a closer look at how GPQ works to evaluate a power function, it first requires computing the secure Dirac function in order to get a nonzero element before converting it into a multiplicative masking with the AM-to-MM transformation. Then it processes the power function very efficiently since a multiplicative masking is used. And finally it converts the power back into an additive masking and removes the Dirac to obtain the desired power.

Now the first contribution in the article is that we have proved this scheme for power functions to actually satisfy the t-SNI requirements. Now since this scheme is one of the most efficient schemes for the AES, which is a power function, the natural question is how to extend GPQ to evaluate polynomials very efficiently. Of course there are issues, because adding monomials is not efficient in multiplicative masking, and converting every monomial back into additive masking before adding them is also not efficient because the conversions AM-to-MM and MM-to-AM are very costly. Now we provide two t-SNI proposals that achieve this goal and use additive and multiplicative masking. The first method is based on the cyclotomic method by Carlet et al. in 2012. And the second one is based on our first proposal and on the CRV method proposed by Coron et al. in 2014.

Now let's start with our first proposal, the alternative cyclotomic method, with a quick reminder of the cyclotomic method. It relies on the notion of cyclotomic class, which is very convenient since every power whose exponent lies in the same cyclotomic class can be derived very efficiently with squarings only; in additive masking, this is also very efficient. Now therefore the monomials of some polynomial can be split into several distinct sets, and by doing so it is possible to express any n-bit S-box as the sum of some linearized polynomials whose monomials belong to the same cyclotomic class.
However the method still requires deriving at least one power for each distinct linearized polynomial first, and this step is very expensive in additive masking. So our first proposal deals with this step using a multiplicative masking, and this is our alternative cyclotomic method. So it still requires the secure processing of a Dirac function in order to get a nonzero element, and then it computes the AM-to-MM transformation in order to get a multiplicative masking. Then it evaluates one monomial per distinct linearized polynomial in multiplicative masking, which is very, very efficient. Finally it converts those powers, and those powers only, back into an additive masking with several uses of the MM-to-AM transformation, and finally it can evaluate the linearized polynomials whose monomials belong to the same cyclotomic class very efficiently since an additive masking is used, and the evaluation of S(x) is completed only with linear processing using an additive masking. So the red arrows on the figure show that we only use a multiplicative masking to derive a set of few powers, and since the conversions are very costly we only have a few transformations to compute, which is also very efficient.

Now we have proved that the alternative cyclotomic method is t-SNI. We also have implemented our approach and the original method directly in assembly language for an 8-bit architecture, for S-boxes of size 4 to 8 at practical orders 1, 2 and 3. And what the table shows here is that our proposal is more efficient, nearly three times faster than the original method, for n-bit S-boxes of size 5 to 8.

Now let's move to our second proposal, the alternate CRV method, with a quick reminder of the original method proposed by Coron et al. in 2014.
The idea of this method is to express any n-bit S-box as a sum of products between polynomials, where the monomials of the p_i and the q_i belong to a precomputed set of powers whose exponents lie in a union of L cyclotomic classes. Now the evaluation is done in two steps. First it requires evaluating the q_i and the p_i, which requires L-2 multiplications, and in order to have at most L-2 multiplications to process this step the union of cyclotomic classes has to be chosen very carefully. Then it completes the evaluation of S(x) with k-1 additional multiplications. So in this method there is a trade-off between L, which is the number of cyclotomic classes from which the polynomials p_i and q_i are generated, and k, which is the number of products between polynomials we need to do.

Now since our first proposal, the alternate cyclotomic method, evaluates polynomials very efficiently, we can evaluate the p_i and the q_i with it. Moreover, our method has been proved to be t-SNI, and therefore it can be used inside the CRV construction very safely. And since our cyclotomic method outputs the evaluation of a polynomial in an additive masking, the evaluation of S(x) is completed in additive masking, which is unchanged compared to the original method. Now since we use our alternate cyclotomic method for the first step, we have more choice of cyclotomic classes and we can also consider larger sets for the evaluation of the p_i and the q_i. And by doing so we were able to derive new parameters which improve even more the performance of our solution. We also have proved that the alternate CRV method is t-SNI.

Now regarding the performance, we also did some implementations directly in assembly language for an 8-bit architecture. And the performance figures are for n-bit S-boxes of size 4 to 8, like for the alternate cyclotomic method, at orders 1, 2 and 3.
And what the table shows now is that our proposal is more efficient than the original one by nearly 30% for S-boxes of size 5 to 8.

Now to summarize our contribution: we have proved that the GPQ scheme actually satisfies the stronger property in the probing model, which is the t-SNI requirement. We have also extended the GPQ power function masking scheme to evaluate polynomial functions, which results in an alternate cyclotomic method which is three times faster than the original one. And this method satisfies the t-SNI property and therefore can be safely plugged into another, larger construction, which is the CRV method. And it results in an alternate CRV method which outperforms the original for most of the scenarios we addressed. We also proved that our second proposal satisfies the t-SNI property. Thanks for your attention.

We have time for questions.

Thank you for the talk. Can you comment on how you perform the secure evaluation of the Dirac function at high orders with efficiency?

Yeah, we did implement that using bitslicing, which is a bit tricky, because you cannot perform a secure Dirac function very efficiently without bitslicing, so we had to do bitslicing.

Okay, thank you. Any other questions? Let's thank the speaker again.
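Editor's added example, not part of the talk and not the authors' code. It walks through the GPQ-style masked power function the speaker describes (secure Dirac, AM-to-MM, power on multiplicative shares, MM-to-AM, removal of the Dirac) over GF(2^8) at orders 1 to 3, so the share algebra behind "multiplicative masking is only defined for nonzero values" can be run and checked. Assumptions: the AES field polynomial is used; the Dirac function is computed bit by bit with ISW secure ANDs rather than the bitsliced implementation mentioned in the Q&A; Python integers are not constant time, so this shows the correctness of the share manipulations, not a leakage-free implementation.

```python
# Added example (not the speaker's or the paper's code): GPQ-style masked power
# function over GF(2^8). Steps as described in the talk:
#   secure Dirac -> AM-to-MM -> power on multiplicative shares -> MM-to-AM -> remove Dirac
# Assumptions: AES field polynomial; Dirac via bitwise ISW ANDs (not bitsliced).
# Python ints are not constant time: this demonstrates the share algebra only.
import secrets

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (AES field; assumed)


def gf_mul(a, b):
    """Multiply in GF(2^8) by shift-and-add with reduction modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_pow(a, e):
    """Square-and-multiply in GF(2^8); gf_pow(0, e) == 0 for e >= 1."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    return gf_pow(a, 254)  # a^(2^8 - 2) inverts any nonzero a


def xor_all(shares):
    r = 0
    for s in shares:
        r ^= s
    return r


def am_share(x, d):
    """Additive (XOR) masking of x at order d: d+1 shares that XOR to x."""
    shares = [secrets.randbelow(256) for _ in range(d)]
    return shares + [x ^ xor_all(shares)]


def isw_and(a, b):
    """ISW secure AND of two bits given as equal-length share lists."""
    n = len(a)
    c = [a[i] & b[i] for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r = secrets.randbelow(2)
            c[i] ^= r
            c[j] ^= (r ^ (a[i] & b[j])) ^ (a[j] & b[i])
    return c


def secure_dirac(shares):
    """Shares of delta(x) (1 if x == 0 else 0) as the AND of the complemented bits of x.
    Bits 0/1 are field elements, so the result is an additive sharing of delta(x)."""
    acc = None
    for k in range(8):
        bit = [(s >> k) & 1 for s in shares]
        bit[0] ^= 1  # complement a shared bit by flipping a single share
        acc = bit if acc is None else isw_and(acc, bit)
    return acc


def am_to_mm(shares):
    """AM-to-MM conversion; the shared value must be nonzero.
    Output [x*z_1*...*z_d, z_1, ..., z_d]: x is out[0] divided by the masks."""
    x = list(shares)
    z = []
    for _ in range(len(shares) - 1):
        zi = 1 + secrets.randbelow(255)      # random nonzero multiplicative mask
        x = [gf_mul(s, zi) for s in x]       # scale every additive share by z_i
        last = x.pop()
        x[0] ^= last                         # fold the last additive share into share 0
        z.append(zi)
    return x + z


def mm_pow(mm, e):
    """Power function in multiplicative masking: raise every share to e."""
    return [gf_pow(s, e) for s in mm]


def mm_to_am(mm):
    """MM-to-AM conversion, undoing am_to_mm one multiplicative mask at a time."""
    x = [mm[0]]
    for zi in reversed(mm[1:]):
        r = secrets.randbelow(256)           # fresh additive mask
        x[0] ^= r
        x.append(r)
        inv = gf_inv(zi)
        x = [gf_mul(s, inv) for s in x]      # remove z_i from every additive share
    return x


def gpq_power(shares, e):
    """Additive shares of x^e (e >= 1) from additive shares of x, including x == 0."""
    delta = secure_dirac(shares)
    nonzero = [s ^ t for s, t in zip(shares, delta)]  # shares of x + delta(x), never 0
    mm = am_to_mm(nonzero)
    power = mm_to_am(mm_pow(mm, e))                   # shares of (x + delta(x))^e
    return [s ^ t for s, t in zip(power, delta)]      # (x + delta)^e + delta == x^e


if __name__ == "__main__":
    for d in (1, 2, 3):
        for x in (0, 0x01, 0x53, 0xFF):
            assert xor_all(gpq_power(am_share(x, d), 254)) == gf_pow(x, 254)
    print("masked AES inversion x^254 matches at orders 1 to 3")
```

The Dirac trick is visible in `gpq_power`: x + delta(x) is never zero, so `am_to_mm` is always defined, and because (x + delta(x))^e equals x^e when x is nonzero and 1 when x is zero, XORing delta(x) back in after `mm_to_am` recovers x^e for every input. The conversions are the expensive part the talk refers to: `am_to_mm` costs d field multiplications per remaining share, and `mm_to_am` adds d inversions, which is why the speaker's methods convert only a few powers.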