Hi everyone, I'm Abdel and today I'll be presenting our work accepted at Eurocrypt 2021, "On the Power of Expansion: More Efficient Constructions in the Random Probing Model", which is joint work with Sonia Belaïd and Matthieu Rivain. In this work, we reason about the security of implementations against side-channel attacks, which are attacks that derive information about the secret from physical measurements such as power consumption or electromagnetic radiation. The most deployed countermeasure is the masking scheme. The idea is to split each sensitive variable into n values that we call shares, such that their recombination gives the original secret. This breaks the dependence of the secret on any set of n minus one shares, making it more difficult to recover the secret as n grows. Now, when working with masked variables, the regular operations of addition, multiplication and copy over the field are not enough anymore; we need building blocks which perform these operations over n-share variables. A masking compiler thus replaces each gate by a functionally equivalent n-share circuit that we call a gadget, and adds a new kind of gadget, which we call a refresh gadget, that produces a fresh n-share copy of a variable. Below you can see an example of such an addition gadget with two shares. The idea is simply to perform a share-wise addition and make sure that the sum of the output shares is equal to the sum of the input shares. To reason about the security of masking schemes in theory, the community introduced leakage models: we prove that a circuit is secure in a certain model if the leaking variables do not reveal any information about the secret. These models differ with respect to their closeness to reality and their convenience for security proofs. The most widely used one until now is the probing model, where we consider that during an execution there is a fixed number t of leaking variables.
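To make the masking idea concrete, here is a minimal sketch over GF(2), i.e. bits with XOR as field addition: a secret is split into n shares whose XOR recombines to the secret, and the two-share addition gadget is simply share-wise XOR. The helper names (`share`, `add_gadget`, `xor_all`) are illustrative choices of mine, not identifiers from the paper.

```python
import secrets

def xor_all(vals):
    """Recombine a sharing: the GF(2) sum (XOR) of all shares."""
    acc = 0
    for v in vals:
        acc ^= v
    return acc

def share(x, n):
    """Split bit x into n shares: n-1 uniform randoms, last share fixes the sum."""
    s = [secrets.randbelow(2) for _ in range(n - 1)]
    s.append(x ^ xor_all(s))
    return s

def add_gadget(a, b):
    """Share-wise addition: the XOR of the outputs equals the sum of the secrets."""
    return [ai ^ bi for ai, bi in zip(a, b)]
```

Note that any n minus one of the shares produced by `share` are uniformly distributed and independent of the secret, which is exactly the property masking relies on.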
This model has been challenged since it does not capture the reality of physical leakage, for instance in the presence of horizontal attacks. Another model is the random probing model, where each variable leaks its value with a fixed probability p. And the last one is the noisy leakage model, where every variable leaks a noisy function of its value; this is the closest to reality. A reduction property proves that a circuit secure in the probing model is also secure in the other two models. The problem with the reduction to the random probing model is that it uses the Chernoff bound, so the security parameter degrades as the size of the circuit grows, which is not very practical. In this work we therefore focus on the random probing model, from which a tighter reduction to the noisy leakage model exists, and in which security proofs are still manageable. This work is a follow-up to a previous CRYPTO 2020 work, where the authors introduce an explicit definition of random probing security. They also define a notion of random probing composition to generate large circuits with overall security, but their essential contribution resides in the study of the expansion strategy. This strategy aims to arbitrarily amplify the security level of any random probing secure circuit. While it had already been introduced in an earlier work based on MPC protocols, the authors exhibit a more practical formulation. Finally, they implement a verification tool called VRAPS, which aims to verify these properties for small gadgets within reasonable time. In this work we dive deeper into the random probing expansion strategy and provide a detailed analysis with tighter complexity bounds and relations to other well-known security notions. We also introduce generic constructions with improved complexities which can be used for the expansion strategy for any number of shares.
Based on these generic constructions, we exhibit concrete instantiations. To secure any circuit C and achieve a security level kappa, this table provides a comparison of the complexity between the original MPC-based work, the previous CRYPTO 2020 work, and our new three-share and five-share constructions. We are able to considerably reduce the exponent in the complexity expression, while tolerating slightly better leakage probabilities. The tolerated leakage probability is the maximum probability for which a gadget remains secure in the random probing model. I will start with an illustration of random probing security. On the left you can see a toy circuit with the four types of gates that we usually use. In the random probing model, each wire leaks with probability p, so we consider the set of leaking wires as a random variable where each wire is added to the set with independent probability p. For each such set of wires, we need to be able to simulate the joint distribution of these wires without the knowledge of the secret inputs. If the simulated wires are indeed independent of the secrets, we say that we have a simulation success; if not, we say that we have a simulation failure, and this should occur with probability at most epsilon in the random probing model. A circuit is then said to be (p, epsilon) random probing secure if any set of leaking wires on this circuit satisfies this condition. In the random probing model, the expansion strategy allows gadgets to be composed and expanded to achieve arbitrary security levels. The strategy consists in using n-share gadgets for the basic operations that are random probing expandable, and using them to replace a base circuit, where each wire leaks with probability p, by an expanded circuit where each gate is replaced by the corresponding gadget and each wire by n wires carrying a sharing of the original wire.
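As a toy illustration of the random probing leakage described above, the set of leaking wires can be sampled by including each wire independently with probability p. This is a hypothetical helper of mine, not part of the VRAPS tooling:

```python
import random

def leaking_wires(wires, p, rng=random):
    """Each wire joins the leaking set independently with probability p."""
    return {w for w in wires if rng.random() < p}
```

A (p, epsilon) random probing security proof then has to show that, for every possible outcome of this sampling, the leaked values can be simulated without the secrets, except with probability at most epsilon.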
In doing so, we hope to replace the leakage probability p of a wire in the original circuit by the failure event probability epsilon in the expanded gadget simulation. If the simulation fails, then one needs the full input sharing for the gadget simulation, which corresponds to leaking the corresponding wire in the base case. The interesting thing is that this expansion can be applied recursively until we attain a desired security level, and it works as long as epsilon is strictly smaller than p. This is actually what motivates the definition of the maximum tolerated leakage probability that I mentioned earlier. To make this work, the gadgets should be random probing expandable (RPE). The RPE notion for a gadget ensures, first of all, its random probing security, but it also guarantees that we can compose this gadget with other RPE gadgets. The idea is to be able to simulate any set of wires on the gadget, along with t output shares, using at most t input shares. So if you have a circuit composed of several gadgets, as you can see here, and we fix the parameter t equal to two, for example, then we can go from the bottom level to the top level by simulating t outputs along with internal probes using t inputs, until we arrive at the topmost inputs of the circuit. In addition, the RPE property imposes that we get an independent failure event on each input sharing of the gadget, which is an essential condition for the expansion to an arbitrary level k. The previous work also shows that if a gadget is random probing expandable according to these conditions with failure probability epsilon, then the k-times expanded gadget is also expandable with failure probability epsilon to the power k.
So expanding a circuit C with base gadgets which are all random probing expandable outputs a compiled circuit that is random probing secure, with a failure probability reduced with respect to the expansion level k. Expanding a circuit to achieve an arbitrarily large security level comes, of course, with a certain cost. In fact, if you want to achieve a certain security level kappa using some fixed base n-share gadgets, the complexity of the expansion can be expressed in terms of the size of the original circuit times kappa to the power e, where e is a function of two main parameters, Nmax and d. Nmax is essentially a parameter which depends on the complexity of the base gadgets: specifically, on the number of multiplication gates in the multiplication gadget, and on the number of addition and copy gates in the addition and copy gadgets. For example, if you use a standard multiplication gadget, Nmax would be at least quadratic in the number of shares. The other critical parameter is the amplification order d, which is defined as the size of the smallest set of probes for which we get a simulation failure. Take for example the two-share addition gadget that I showed before, and fix the parameter t equal to one for the RPE property. If we consider the output share c1 and the single internal probe b2, it is clear that in order to simulate both probes we would need both input shares of b as well as the share a1. But since, as defined earlier, we need to be able to simulate all of the probes from at most t input shares, this set W actually represents a simulation failure on input b. This means that the amplification order in this case is equal to one. So why is this amplification order so important? It is because the failure probability epsilon can be expressed as a function of p, where the amplification order is the smallest exponent on the p terms.
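To see numerically why the smallest exponent d matters so much, assume, purely for illustration, that the failure probability keeps only its leading term, eps(p) ≈ c·p^d. The recursive expansion then iterates this map k times; the constant c and this leading-term model are my simplification, not the paper's exact failure function:

```python
def expanded_failure(p, c, d, k):
    """Iterate eps -> c * eps**d for k expansion levels (leading-term model)."""
    eps = p
    for _ in range(k):
        eps = c * eps ** d
    return eps
```

With p = 0.1 and c = 1, three expansion levels at amplification order d = 2 drive the failure probability down to about 10^-8, while d = 1 leaves it stuck at 0.1, showing why an amplification order of one gives no amplification at all.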
Considering the expansion, where we compose this function a certain number of times, we hope to get the highest amplification order possible, to reduce the failure probability as fast as possible and thus reduce the overall complexity exponent e. But for a given number of shares, the amplification order can only be as large as certain fixed bounds. There are two values which bound the amplification order. I will first illustrate a rather trivial bound. If we consider an n-share gadget with input a, then we can simply take as the set of probes t plus one shares of the input, which would require all of those t plus one shares for a perfect simulation, which is greater than t. This represents a failure with respect to the value of t, which bounds the amplification order by t plus one. The amplification order is also bounded by a second value, obtained from observations on the output sharing. We can see a gadget as a black box with its output sharing and the input wires of the corresponding output gates. Let us consider the set of output shares formed by the first t output shares of the gadget, and the set of internal probes formed by the two input wires of each of the remaining output gates. We can clearly see that both sets together determine the full output sharing, and it is impossible to simulate the full output without knowing the full input of the gadget. So this is a clear simulation failure case. For one-input gadgets, the amplification order would be bounded by the size of such a set. For two-input gadgets, the order would be bounded by half this value since, in this case, we need both full input sharings, which is a failure event on both inputs, and the independent failure events of the RPE notion halve the amplification order. So an RPE compiler with its three base gadgets would have its amplification order bounded by the minimum of t plus one and n minus t.
So for a number of shares n, the maximum amplification order achievable is equal to n plus one over two, obtained by maximizing the minimum of both values. We then want to construct generic gadgets which achieve this order for any number of shares; recall that achieving this maximal order reduces the complexity to its lowest value. To do this, we base our constructions on two ideas. For addition and copy gadgets, we provide generic constructions on top of a refresh gadget, which leads to an easier design: it is easier to find refresh gadgets with good properties than to find whole addition and copy gadgets. As for multiplication gadgets, we hope to find ones in the state of the art that satisfy the desired properties. The constructions of the addition and copy gadgets on top of refresh gadgets are actually simple to describe. Let's first start with the copy gadget. The idea is simply to execute a refresh gadget two independent times on the same input, to produce two independent fresh copies of the input sharing. We can prove that if the refresh gadget is RPE with an amplification order equal to dmax, then the corresponding copy gadget also achieves the maximal amplification order dmax. The proof is based on splitting the probes on the whole copy gadget into two independent sets of probes on the left and right refresh gadgets; the simulation success case then amounts to successfully simulating both sets using the properties of the underlying refresh gadgets. This is why achieving dmax on the refresh gadget allows achieving dmax on the copy gadget. As for the addition gadget, the idea is pretty similar: we perform two independent refreshings, one on each of the input sharings, and then perform the standard share-wise addition between them. In this case, if the refresh gadget achieves the maximal amplification order dmax, then the corresponding addition gadget achieves at least this order divided by two.
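Here is a minimal GF(2) sketch of these two generic constructions. I use a simple "XOR a fresh sharing of zero" refresh as a stand-in for a refresh gadget with the required RPE properties; the concrete instantiations in the talk use the specific refresh gadgets discussed later:

```python
import secrets

def xor_all(vals):
    acc = 0
    for v in vals:
        acc ^= v
    return acc

def refresh(a):
    """Toy refresh: XOR a fresh sharing of zero onto the input sharing."""
    r = [secrets.randbelow(2) for _ in range(len(a) - 1)]
    r.append(xor_all(r))  # the n random values XOR to zero
    return [ai ^ ri for ai, ri in zip(a, r)]

def copy_gadget(a):
    """Two independent refreshes of the same input give two fresh copies."""
    return refresh(a), refresh(a)

def add_gadget(a, b):
    """Refresh each input independently, then do the share-wise addition."""
    return [x ^ y for x, y in zip(refresh(a), refresh(b))]
```

Both constructions preserve correctness for any randomness, since each refresh only XORs in a sharing of zero.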
The idea is like the one for copy: we would want to split the probes into two independent left and right sets of probes. The only complication in this case is that we might have internal probes on wires which were considered output shares in the original refresh gadget. But since the internal probes must not contain output shares, we need to handle this case. To do so, we can simply replace each probe on the output sharing by the two input wires of the corresponding output gate of the refresh gadget. In this way, we can simulate the original set of probes using the newly formed set of only internal probes on the internal refresh gadgets. Since in the worst case this might double the number of probes, it leads to at most halving the amplification order. The generic result thus guarantees achieving at least half of the maximal amplification order, but particular constructions might be tighter and achieve the full desired maximal order. Having these two generic constructions for addition and copy gadgets, we can start looking for multiplication gadgets in the state of the art and construct our RPE compilers. The typical example is the widely known ISW multiplication and refresh gadgets. In our work, we prove that the ISW refresh gadget achieves the dmax value of n plus one over two, which leads to a construction of the ISW-based copy gadget that also has the maximal amplification order. In addition, we prove that the particular construction of the ISW-based addition gadget achieves the maximal amplification order, which is better than the bound of the generic result presented earlier. However, the ISW multiplication gadget is only able to achieve half of the desired maximal amplification order, and the reason behind this is common to other multiplication gadgets in the state of the art.
It is because of the direct product between the input shares that is performed in the beginning. If you consider the set of probes formed of the products of t plus one shares of each input, a perfect simulation of this set W requires the knowledge of t plus one shares of both inputs. This represents a failure case of size t plus one on both inputs, and since we need independent failure events in the RPE definition, this halves the amplification order attainable by such gadgets. In order to truly achieve the maximal order for the RPE compiler, we can use the ISW-based addition and copy gadgets, but we would need another multiplication gadget. We actually had some trouble finding a multiplication gadget in the state of the art which achieves what we need, so in our work we also introduce a new construction for a multiplication gadget, inspired by other previous constructions. I will show you here how our new gadget works on an example with three shares, but it generalizes to any number of shares. The idea is to first perform the cross products of the input shares and add to each product a freshly generated random value; this amounts to generating n squared random values for a number of shares n. Then we construct two vectors. The first one is the vector V, which is the result of performing a row-wise reduction on the matrix of terms P. The second vector X is the result of performing a column-wise reduction on the matrix of random values. The output is then simply the element-wise sum of the vectors V and X. This allows each output share to have enough random values in its expression to avoid trivial sets of simulation failures. Now, you can see that in this gadget we also perform a direct product of input shares like the other gadgets in the state of the art, which is an issue if we want to achieve the truly maximal amplification order, for the reason I showed earlier.
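The steps just described can be sketched over GF(2) for any n, under my reading of the slide: the matrix P holds the masked cross products, V is the row-wise sum of P, X is the column-wise sum of the random matrix, and the output is the element-wise sum of V and X. Correctness, meaning the output shares recombine to the product of the secrets, holds because every random value appears exactly twice and cancels. This sketch covers only correctness, not the randomness layout that gives the security properties:

```python
import secrets

def xor_all(vals):
    acc = 0
    for v in vals:
        acc ^= v
    return acc

def mult_gadget(a, b):
    n = len(a)
    # n^2 fresh random values, one per cross product
    r = [[secrets.randbelow(2) for _ in range(n)] for _ in range(n)]
    # masked cross products: p[i][j] = a_i * b_j + r[i][j]
    p = [[(a[i] & b[j]) ^ r[i][j] for j in range(n)] for i in range(n)]
    v = [xor_all(p[i]) for i in range(n)]                        # row-wise reduction of P
    x = [xor_all(r[i][j] for i in range(n)) for j in range(n)]   # column-wise reduction of randoms
    return [vi ^ xi for vi, xi in zip(v, x)]                     # element-wise sum V + X
```

Each r[i][j] is XORed into exactly one row sum and exactly one column sum, so the recombined output equals the XOR of all cross products, which is the product of the two secrets.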
To avoid this case, we provide a variant of our gadget: before performing the cross products, it refreshes the input b a number of times equal to the number of shares, and so equal to the number of rows of the matrix of cross products, using a refresh gadget satisfying similar properties as in the earlier constructions. Interestingly, this strategy of first refreshing the input shares does not work in the case of other multiplication gadgets like ISW, which is why we needed to find a new multiplication gadget construction. We are able to prove that if the refresh gadget used achieves the maximal amplification order, then the new multiplication gadget also achieves the maximal amplification order. This amounts to achieving the desired order of n plus one over two, unlike the ISW multiplication gadget, and to the best of our knowledge, this is the only multiplication gadget which achieves this maximal order. Now, in this figure you can see a comparison of the evolution of the complexity exponent for three different RPE compilers. The first one is the purely ISW-based compiler, achieving half the maximal amplification order. The second one uses the ISW addition and copy gadgets and our new multiplication gadget, achieving the maximal order. The last one is a hypothetical compiler where we suppose that we find addition and copy gadgets with better complexities than the quadratic complexity of ISW, so lower Nmax values, while also using our new multiplication gadget to keep achieving the maximal order. We can clearly see that using our new multiplication gadget to improve the amplification order decreases the complexity exponent starting from a small number of shares, compared to the ISW compiler. We can already achieve an exponent less than five, for example, with the five-share construction, while this is only possible with the ISW compiler starting from more than ten shares.
It is useful to be able to use efficient small gadgets for the expansion, since we can verify the RPE property using an automatic verification tool like VRAPS, introduced in the prior work. While all of these curves slowly converge to an exponent equal to two, the convergence is faster with the two improved compilers than with the ISW compiler, and if we consider new improved addition and copy gadgets with better values of Nmax, then the convergence is even faster, as shown by the pink curve. This illustrates the motivation behind finding constructions with maximal amplification orders and reasonable gadget complexities, in order to achieve high security levels with the lowest possible expansion complexity. For our concrete small RPE instantiations, we construct small refresh gadgets which have better complexities than the ISW refresh gadget. For the three-share refresh gadget, we use the gadget shown here with only two random values and output sharing c. As for the five-share construction, we use the so-called circular refresh gadget. Its name comes from the fact that to each output share we add the random value r i and then the random value r i plus one. So to each output share we first add the random values, and then add the corresponding input share of a at the end, to avoid having many failure sets in the gadget. Based on these two refresh gadgets, for which we verify the necessary properties using VRAPS, we construct our addition and copy gadgets, and we also use these refresh gadgets to instantiate our new multiplication gadget. This brings us to the comparison table that I showed at the beginning of this presentation, where we can achieve considerably better complexity values with slightly better or comparable tolerated leakage rates. You can observe that the CRYPTO 2020 construction does not achieve the maximal order for the three-share construction.
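The circular refresh just described can be sketched over GF(2), assuming the index i plus one wraps around modulo n, which is what the "circular" name suggests: each output share accumulates r i and r i plus one first, and the input share is added last. The outputs recombine to the input secret because every random value appears in exactly two output shares:

```python
import secrets

def xor_all(vals):
    acc = 0
    for v in vals:
        acc ^= v
    return acc

def circular_refresh(a):
    """Circular refresh: c_i = (r_i ^ r_{(i+1) mod n}) ^ a_i,
    randoms accumulated first, input share added last."""
    n = len(a)
    r = [secrets.randbelow(2) for _ in range(n)]
    return [(r[i] ^ r[(i + 1) % n]) ^ a[i] for i in range(n)]
```

This sketch only shows correctness; the order of operations (randoms before the input share) matters for the probe analysis, as mentioned above, because it avoids many failure sets.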
Our three-share construction does achieve it, which is one of the reasons why in our case we can achieve better complexities, almost divided by two, with three and five shares. The upper and lower bounds on the tolerated leakage rate for the five-share construction come from the inefficiency of the VRAPS verification tool on complex five-share gadgets: it outputs an approximation of the tolerated rate, which is why we have upper and lower bounds on the value of p in this case. You can see that for an almost equal, and sometimes better, tolerated leakage rate, we can achieve much better complexities than the previous expansion constructions in the state of the art. In conclusion, in this work we provide an in-depth analysis of the expansion strategy and exhibit tighter security and complexity bounds for such RPE compilers. We are also able to exhibit generic constructions of addition, copy and multiplication gadgets with near-optimal complexities in terms of the two main parameters, Nmax and the amplification order. Finally, we provide concrete instantiations improving on the previous complexities and tolerated leakage rates in the state of the art. Before this work, only two works had explicit complexity bounds and tolerated leakage rates; we are able to notably improve these complexity bounds while still tolerating comparable leakage rates. This is the conclusion of our work for Eurocrypt 2021. I would like to thank you all for your attention, and I hope to see you at future events.