Good afternoon. So I would like to start with the fifth session of CHES, which is the first post-quantum crypto session. It consists of four talks. The first talk is "Practical CCA2-Secure and Masked Ring-LWE Implementation" by Tobias Oder, Tobias Schneider, Thomas Pöppelmann and Tim Güneysu, and Tobias will give the talk.

Thank you very much for the introduction. Let's first start with the motivation of this work. There's currently the NIST post-quantum standardization project going on, and quite a lot of submissions to NIST base their security on the ring-LWE problem. That is a lattice-based problem, and LWE is short for learning with errors. So that means if you research side-channel countermeasures for ring-LWE, you can apply these countermeasures to a larger number of schemes, not only to a single scheme. In this field there's also some previous work by Oscar Reparaz et al. from CHES 2015 and PQCrypto 2016. But in these two works they only cover the plain ring-LWE encryption scheme, and the plain ring-LWE encryption scheme is only secure against chosen-plaintext attackers, but for many use cases you also want to have security against chosen-ciphertext attackers. So the difference is that in a CCA setting the attacker has access to a decryption oracle and can use such a decryption oracle to break the cryptosystem. And if you want to convert a CPA-secure scheme into a CCA-secure scheme, you can apply the Fujisaki-Okamoto transform, and that is a generic transform, which means that you can apply it to any scheme; it only assumes that the failure probability of the scheme is negligible. And for ring-LWE you can ensure that by choosing the parameters appropriately.
There's also a tweak by Targhi and Unruh to achieve post-quantum security for the Fujisaki-Okamoto transform, and one challenge with the transform is that it requires an expensive re-encryption during the decryption. What that means I can show you in this figure, so let me walk you through the components first. In the CCA decryption we have the CPA decryption, but, as I just mentioned, also the CPA re-encryption, and that is especially crucial for ring-LWE because in ring-LWE-based schemes the encryption is always much, much more expensive than the decryption. That means a CCA2-secure scheme has quite some overhead compared to a CPA-secure scheme. And there are also some hash functions, and then we are basically done with the conversion.

To summarize the contribution of our work, we could say that we present a microcontroller implementation of a CCA2-secure, first-order masked ring-LWE scheme. We chose the ARM Cortex-M4 microcontroller as target platform; it has constrained computing capabilities and memory resources, and of course for microcontroller implementations you have to take care of side-channel attacks. In this work we applied countermeasures against timing attacks by making sure that our implementation has an execution time independent of any secret value, and we also applied masking countermeasures. You already heard a few things about masking countermeasures earlier today. For this work Boolean and arithmetic masking are relevant. Masking means that you split a secret value into multiple shares, and then you have to recombine these shares to get back the secret value. If you don't have access to all the shares, then you cannot recombine them. The difference between Boolean and arithmetic masking is basically the way in which you combine these shares: for Boolean masking you apply the XOR operation, and for arithmetic masking you do modular addition. Okay, so let's have a look at which components we need to apply masking to, to secure ring-LWE.
At first there's a PRNG, or the hash functions required by the CCA2 conversion, and masking for that is already known from the literature, so we could rely on that. But then we also have the polynomial multiplication, which is usually realized with a number-theoretic transform (NTT), because the NTT allows reducing the complexity from n squared to n log n. So that is nice, but it is also very simple to apply masking to, because this is a linear operation and you can apply the NTT to each share separately. So these two things are basically straightforward to cover. What is interesting is rather the binomial sampler and the encoding and the decoding. The binomial sampler is used to generate the noise or error polynomials that are required by the ring-LWE encryption scheme, and because of this noise that is introduced in the scheme, you also have to have an encoding and a decoding scheme.

Let's first have a look at how to apply masking to the encoding. The idea of encoding is that the input is a bit string, basically the message as a bit string, and then you want to transform this bit string into a polynomial, and you can do this by multiplying each bit of the bit string with a constant. The constant is chosen in such a way that the difference between encoded zeros and encoded ones is the maximum distance, so you usually pick it as half of the modulus, and in case the modulus is odd you also have to round the result. If you want to apply masking to that, the straightforward approach would be to do this with each share separately, but there's one problem: because, as I just mentioned, the modulus can be odd, and if you want to apply the number-theoretic transform it also has to be odd, you cannot just add the shares, because in the case that both shares are equal to one, your result will be off by one because of the rounding.
So what we do is we compute the AND of both shares and add this result to correct this error. And of course we cannot just directly compute the AND of two shares, but we split them into sub-shares to securely compute the AND, and we also use fresh randomness to sum the cross products. So that's the encoding, and we also have a look at the decoding. For the decoding the input is a coefficient from a polynomial, and there are some coefficients that are distributed around zero and some coefficients distributed around q half, where q is the modulus, and this is because of the encoding, as we have seen just before. The output is just one single bit, so we want to extract a single bit of information. Our approach is to use the sign bit to extract this bit of information, and to do so we have to shift the distribution of the coefficients from something like this to something like this, where every coefficient that should be decoded to a one has a negative sign and every coefficient that should be decoded to a zero has a positive sign. You can easily extract the sign bit if the values have a Boolean sharing, but the input in our case has an arithmetic sharing, and therefore we also need to apply an arithmetic-to-Boolean conversion. We chose an arithmetic-to-Boolean conversion that works with a power-of-two modulus, and therefore we also had to shift the modulus to a power of two, and then we could easily extract the sign bit and mask the decoding. And that's about it.

So what is missing is the binomial sampler, and the binomial sampler works as follows: you have two bit strings, you calculate the Hamming weight of both bit strings and subtract the Hamming weights, and then the result is a binomial sample. If you want to compute the Hamming weights, the insecure way, if you have two shares, would be to compute the XOR of both shares and then sum the bits, but of course you cannot do this without leakage.
So what we did is we expressed the XOR operation in terms of arithmetic operations, as you can see on the slide, and then you can put the first bit to the first share and the second bit to the second share, and then what is left is again the AND of two shares, and we have already seen in the encoding that you can compute this by splitting it into sub-shares.

So we have masked all the components; let's come to the evaluation. We did some practical experiments. In this figure you can see the t-test evaluation of the masked decoding, plotted over the number of measurements. The blue line is the first-order t-test evaluation, which always stays below the threshold of 4.5, and the dashed red line is the second-order t-test evaluation, which, because of the noise, goes a bit up and down, but at some point it shows a rising trend in the plot. So this is what we expected, because we applied a first-order countermeasure, and so leakage at the second order is what we expect. We also evaluated the performance on the Cortex-M4. We chose the parameters in a way that they fit the NewHope NIST submission, and the interesting part is the CCA2-secure decryption, because that is where you have to apply the masking, that is where you use the secret key. You can see that the overhead factor is almost six when you want to apply the masking, and why is that? Because, if you remember, in the beginning I told you that you have to perform a re-encryption in the decryption, and that re-encryption alone is 19 million cycles out of 25 million cycles, and in the re-encryption you have to sample three noise polynomials, and sampling each time costs six million cycles, so the sampling alone adds up to 18 million cycles out of 19 million cycles. That means that is the most costly operation and the best target if you want to apply further optimization. Okay, let's conclude the talk.
We present the first masking of a ring-LWE-based scheme that also covers CCA2 security, and we also have theoretical proofs for our proposals, and we did some practical experiments to have even higher confidence. In particular, we have a new masked decoder and encoder and a new masked sampler, and for future work it would be interesting to also look at higher orders. And that's it, thank you very much.

Any questions? So maybe a question from me: these techniques, how well would they carry over to schemes which do not have an NTT, so for instance plain LWE?

Well, because the NTT is not really hard to mask, as I mentioned you can just apply the NTT to each share separately, and this is quite easy, so the difficult parts are rather the sampling and the encoding and the decoding. So it depends: if you, for example, have a different distribution, then you might need a different approach for masking the sampler, and it's similar with the encoding and the decoding. So I don't think that the NTT is the thing that determines whether it is hard to apply this masking to another scheme or not.

Any other question? If not, thanks to Tobias again.
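The masked encoding and the masked binomial sampler described in the talk, as an added Python example that is not part of the transcript and not the authors' implementation. It uses the NewHope modulus q = 12289 because the talk says the parameters fit NewHope. The way the two Boolean shares are split into arithmetic sub-shares, the ISW-style summation of the four cross products with fresh randomness, and all function names are this example's own assumptions, not the paper's exact gadget; the masked decoding (arithmetic-to-Boolean conversion with a power-of-two modulus) is not covered here.

```python
import secrets

Q = 12289            # NewHope modulus: odd, as the NTT requires (per the talk)
K = (Q - 1) // 2     # integer q/2 used as the encoding constant for odd q


def share_bool(bit):
    """Fresh first-order Boolean sharing of a bit: bit == b0 ^ b1."""
    b0 = secrets.randbelow(2)
    return b0, bit ^ b0


def unmask(shares, q=Q):
    """Recombine arithmetic shares (only for checking; never done on the device)."""
    return sum(shares) % q


def masked_share_product(x, y, q=Q):
    """Arithmetic sharing (z0, z1) of x*y mod q, where x and y are the two
    Boolean shares of one secret bit and must never be multiplied directly
    (x*y == 1 only happens when the secret bit is 0).  Assumed construction,
    not the paper's exact gadget: split each input into fresh arithmetic
    sub-shares (x = a + b, y = c + d) and sum the four cross products
    ISW-style with fresh randomness r, so no single intermediate equals x*y."""
    a = secrets.randbelow(q)
    b = (x - a) % q
    c = secrets.randbelow(q)
    d = (y - c) % q
    r = secrets.randbelow(q)
    z0 = (a * c + r) % q
    z1 = (b * d + (((a * d - r) % q) + b * c)) % q
    return z0, z1


def encode(bit, q=Q):
    """Unmasked reference encoding: 0 -> 0, 1 -> floor(q/2)."""
    return (bit * K) % q


def naive_masked_encode(b0, b1, q=Q):
    """Encode each Boolean share separately.  Wrong for odd q: when
    b0 == b1 == 1 the shares sum to 2*K == q - 1 == -1 (mod q), so the
    encoding of message bit 0 is off by one."""
    return (b0 * K) % q, (b1 * K) % q


def masked_encode(b0, b1, q=Q):
    """First-order masked encoding: add an arithmetic sharing of (b0 AND b1)
    to the per-share encodings so the -1 rounding error is cancelled."""
    z0, z1 = masked_share_product(b0, b1, q)
    return (b0 * K + z0) % q, (b1 * K + z1) % q


def sample_binomial(bits_a, bits_b):
    """Unmasked reference sampler: HW(a) - HW(b)."""
    return sum(bits_a) - sum(bits_b)


def masked_hamming_weight(shared_bits, q=Q):
    """Arithmetic sharing mod q of the Hamming weight of a Boolean-shared bit
    string.  Each bit is a0 ^ a1 == a0 + a1 - 2*a0*a1: a0 goes to share 0,
    a1 to share 1, and the AND term is the same shared product as in
    masked_encode."""
    h0, h1 = 0, 0
    for a0, a1 in shared_bits:
        z0, z1 = masked_share_product(a0, a1, q)
        h0 = (h0 + a0 - 2 * z0) % q
        h1 = (h1 + a1 - 2 * z1) % q
    return h0, h1


def masked_sample_binomial(shared_a, shared_b, q=Q):
    """Arithmetic sharing mod q of HW(a) - HW(b) from Boolean-shared inputs."""
    ha0, ha1 = masked_hamming_weight(shared_a, q)
    hb0, hb1 = masked_hamming_weight(shared_b, q)
    return (ha0 - hb0) % q, (ha1 - hb1) % q


def check_encode(trials=200, q=Q):
    """Count how often naive and masked encoding recombine to the reference
    value over random message bits and random sharings."""
    naive_ok = masked_ok = 0
    for _ in range(trials):
        m = secrets.randbelow(2)
        b0, b1 = share_bool(m)
        naive_ok += unmask(naive_masked_encode(b0, b1, q), q) == encode(m, q)
        masked_ok += unmask(masked_encode(b0, b1, q), q) == encode(m, q)
    return naive_ok, masked_ok


if __name__ == "__main__":
    naive_ok, masked_ok = check_encode()
    print(f"naive encoding correct in {naive_ok}/200 trials, masked in {masked_ok}/200")
    # constructed sample inputs: two 8-bit strings (bit length is an assumption)
    a = [1, 0, 1, 1, 0, 0, 1, 0]
    b = [0, 0, 1, 0, 0, 0, 0, 0]
    s = masked_sample_binomial([share_bool(x) for x in a], [share_bool(x) for x in b])
    print("masked sample:", unmask(s), "reference:", sample_binomial(a, b) % Q)
```

The naive encoder fails exactly in the case the talk names (both Boolean shares equal to one), while the corrected one recombines to the reference value for every sharing; the sampler reuses the same shared product for the AND term that the arithmetic form of XOR leaves over. This is a functional demonstration of the share-splitting idea only; no leakage assessment of the intermediates was done here.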