## Sunday, March 6, 2016

### Paris Crypto Day (Part II)

The afternoon session of the Paris Crypto Day was just as interesting as the morning one. Here is a summary of the talks by Romain Gay, Sonia Belaïd and Alain Passelègue.

Romain Gay (PhD student at ENS) presented his EuroCrypt 2016 paper (joint work with D. Hofheinz, E. Kiltz and H. Wee), which introduces a public-key encryption scheme whose security rests on the DDH assumption. The work also analyses the security loss of the reduction and answers positively the open question of building a tightly secure, pairing-free, CCA-secure scheme from DDH alone. Aside from not using pairings, the construction is also compact: the ciphertext carries only a few group elements on top of the message.

The following table compares the new PKE scheme with previous CCA-secure works (see note 1):

| Reference | \|ct\| - \|m\| | Loss L | Assumption | Pairing |
|-----------|----------------|--------|------------|---------|
| CS98 | 3 | O(Q) | DDH | no |
| KD04 | 2 | O(Q) | DDH | no |
| HJ12 | O($\lambda$) | O(1) | DLIN | yes |
| LPJY15 | 47 | O($\lambda$) | DLIN | yes |
| AHY15 | 12 | O($\lambda$) | DLIN | yes |
| GCDCT15 | 10 | O($\lambda$) | SXDH | yes |
| presented work | 3 | O($\lambda$) | DDH | no |

Sonia Belaïd (PhD from ENS Paris) gave a presentation on the use of masking to defeat power-analysis attacks. The theoreticians in the audience welcomed the talk, since it brought into view side-channel attacks, which are used against real-world implementations. A power-analysis attack measures the electrical consumption of a hardware implementation while it runs a cipher; because that consumption depends on the intermediate values being processed, the recorded traces can be used to recover sensitive variables. Common algorithmic countermeasures include fresh re-keying and masking; the presentation focused on the latter.

Masking splits a sensitive variable (one depending on both the key and the public data) into t+1 components, known as the masks (or shares). Precisely t of them are generated uniformly at random, while the last one is computed from the others so that recombining all t+1 shares gives back the original variable. Commonly, boolean (XOR), additive or multiplicative field operations are used for the recombination. The protection gained from masking comes at a cost in efficiency: every operation has to be carried out on the shares, so the running time of algorithms with large states, such as Keccak, can increase significantly.
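To make the two previous paragraphs concrete, here is an added example (not code from the talk) that simulates a correlation power analysis on a toy 4-bit S-box and then repeats it against an implementation whose S-box output is boolean-masked with a fresh random value. The leakage model (Hamming weight of the leaking wire plus Gaussian noise), the choice of the PRESENT S-box as the toy component, and the simulated device are all assumptions made for the illustration; a real masked table lookup would also have to protect the input of the S-box, which is abstracted away here.

```python
"""Added example (not from the talk): a simulated correlation power analysis
(CPA) on a toy 4-bit S-box, first against an unmasked implementation and then
against one whose S-box output is boolean-masked with a fresh random value.
The leakage model (Hamming weight plus Gaussian noise) is an assumption."""
import random

# PRESENT 4-bit S-box, used here as a toy cipher component (public constant)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hw(x):
    """Hamming weight: the number of set bits."""
    return bin(x).count("1")


def simulate_traces(key, n, rng, sigma=0.5, masked=False):
    """Constructed 'device': for n random 4-bit plaintexts p, compute the
    S-box output S(p ^ key) and leak HW(wire) + N(0, sigma^2), one sample
    per encryption.  With masked=True the device computes S(p ^ key) ^ m
    for a fresh uniform mask m, so the leaking wire carries a masked value
    (the masked table S'(x) = S(x ^ m_in) ^ m used in practice is abstracted
    away; only the output wire's leakage is modelled)."""
    pts, traces = [], []
    for _ in range(n):
        p = rng.getrandbits(4)
        wire = SBOX[p ^ key]
        if masked:
            wire ^= rng.getrandbits(4)      # fresh boolean mask per encryption
        pts.append(p)
        traces.append(hw(wire) + rng.gauss(0.0, sigma))
    return pts, traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def cpa(pts, traces):
    """Correlation power analysis: for every key guess, predict the leakage
    HW(S(p ^ guess)) of each trace and correlate it with the measurements.
    Returns (guess, |correlation|) pairs, best guess first."""
    scores = []
    for guess in range(16):
        hyp = [hw(SBOX[p ^ guess]) for p in pts]
        scores.append((guess, abs(pearson(hyp, traces))))
    scores.sort(key=lambda s: s[1], reverse=True)
    return scores


def recover_key(key, n, masked, seed=2016):
    """Run the simulated attack with a seeded RNG and return the best
    (guess, |correlation|) pair.  Unmasked: the right key stands out with a
    correlation near 0.9; masked: every guess correlates near 0."""
    rng = random.Random(seed)
    pts, traces = simulate_traces(key, n, rng, masked=masked)
    return cpa(pts, traces)[0]


if __name__ == "__main__":
    print("unmasked:", recover_key(0xA, 2000, masked=False))
    print("masked:  ", recover_key(0xA, 2000, masked=True))
```

The unmasked attack succeeds because the leakage of the S-box output wire is a deterministic function of the plaintext and the key guess, so the right guess maximises the correlation. Once the wire carries `S(p ^ key) ^ m` for a uniform mask `m`, its Hamming weight is distributed identically for every key, which is exactly why a first-order attack no longer distinguishes the guesses; a second-order attack that combines the leakage of `m` and of the masked wire would be needed, which is the reason higher-order masking with more shares matters.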

Following Sonia's talk, Alain Passelègue (also a PhD student at ENS Paris) presented his EuroCrypt 2016 paper (joint work with S. Belaïd, F. Benhamouda, E. Prouff, A. Thillard and D. Vergnaud). Alain's talk built on the ideas introduced in the previous one and focused on the d-probing model, a model for analysing the power of masking in which a sensitive variable is split into shares but an attacker can learn up to d intermediate variables of the computation. The goal is to construct generic masking schemes that are provably secure in the d-probing model.

Specifically, the question concerns the computation of c = ab (a, b and c are bits): a and b are given as sharings, and one asks for the minimal number of random bits needed to securely compute a sharing of the bit c. The scheme considered obtains the shares of c from the sum of the products of the input shares, with fresh random bits added in. Another significant practical contribution is an automated tool for finding attacks against masking schemes, which is also described in detail in their work.
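As an added example for the two paragraphs above (not code from the paper), the following block implements boolean sharing into t+1 shares, the classic ISW-style masked AND that builds the shares of c = ab from sums of products of the input shares refreshed with d(d+1)/2 random bits (for d+1 shares), and an exhaustive check of d-probing security: it enumerates every random tape, records every intermediate wire, and reports the first set of d wires whose joint distribution depends on the secret inputs. The `TapeRNG` helper and the wire labels are constructed for this check; the paper's refined constructions, which use fewer random bits than ISW, are not reproduced.

```python
"""Added example (not from the paper): boolean masking into t+1 shares,
the classic ISW-style masked AND (shares of c = ab as sums of products of
the input shares, refreshed with d(d+1)/2 random bits for d+1 shares), and
an exhaustive check of d-probing security.  The paper's constructions with
fewer random bits are not reproduced here."""
import itertools
import random
from collections import Counter


class TapeRNG:
    """Replays a fixed tape of bits so the probing check can enumerate every
    possible random choice instead of sampling (constructed for the check)."""
    def __init__(self, bits):
        self.bits = list(bits)

    def getrandbits(self, k):
        return self.bits.pop(0)          # only k == 1 is ever requested


def share(x, t, rng=random):
    """Split bit x into t+1 boolean shares: t uniform random bits plus one
    share chosen so that the XOR of all t+1 shares equals x."""
    shares = [rng.getrandbits(1) for _ in range(t)]
    last = x
    for s in shares:
        last ^= s
    return shares + [last]


def unshare(shares):
    """Recombine boolean shares by XOR."""
    out = 0
    for s in shares:
        out ^= s
    return out


def isw_and(a_sh, b_sh, rng=random, trace=None):
    """Masked AND (+ is XOR): c_i = a_i b_i + sum_{j != i} r_ij, with r_ij a
    fresh bit for i < j and r_ji = (r_ij + a_i b_j) + a_j b_i.  The bracketing
    matters: summing the two cross products before adding r_ij leaks
    information about a and b to a single probe.  Every intermediate value is
    appended to `trace` as (label, value), i.e. a wire a prober may read."""
    n = len(a_sh)

    def wire(label, value):
        if trace is not None:
            trace.append((label, value))
        return value

    r = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = wire(f"r{i}{j}", rng.getrandbits(1))
            aibj = wire(f"a{i}b{j}", a_sh[i] & b_sh[j])
            tmp = wire(f"r{i}{j}^a{i}b{j}", r[i][j] ^ aibj)
            ajbi = wire(f"a{j}b{i}", a_sh[j] & b_sh[i])
            r[j][i] = wire(f"r{j}{i}", tmp ^ ajbi)
    c_sh = []
    for i in range(n):
        ci = wire(f"a{i}b{i}", a_sh[i] & b_sh[i])
        for j in range(n):
            if j != i:
                ci = wire(f"c{i}^r{i}{j}", ci ^ r[i][j])
        c_sh.append(ci)
    return c_sh


def leaking_probes(t, d):
    """Simulate sharing of a and b followed by isw_and over *all* random tapes,
    for each of the four secret inputs (a, b).  Return the labels of the first
    set of d wires whose joint distribution depends on (a, b), or None if no
    such set exists (the gadget is then secure in the d-probing model)."""
    n_rand = 2 * t + t * (t + 1) // 2          # t bits per sharing, then ISW
    runs, labels = {}, None
    for a, b in itertools.product((0, 1), repeat=2):
        runs[(a, b)] = []
        for bits in itertools.product((0, 1), repeat=n_rand):
            rng = TapeRNG(bits)
            a_sh, b_sh = share(a, t, rng), share(b, t, rng)
            trace = [(f"a{i}", s) for i, s in enumerate(a_sh)]
            trace += [(f"b{i}", s) for i, s in enumerate(b_sh)]
            c_sh = isw_and(a_sh, b_sh, rng, trace)
            assert unshare(c_sh) == (a & b)      # functional correctness
            labels = [lab for lab, _ in trace]
            runs[(a, b)].append([v for _, v in trace])
    for probes in itertools.combinations(range(len(labels)), d):
        dists = [Counter(tuple(run[p] for p in probes) for run in rs)
                 for rs in runs.values()]
        if any(dist != dists[0] for dist in dists[1:]):
            return [labels[p] for p in probes]
    return None


if __name__ == "__main__":
    print("2 shares, 1 probe :", leaking_probes(1, 1))   # None: secure
    print("2 shares, 2 probes:", leaking_probes(1, 2))   # e.g. ['a0', 'a1']
    print("3 shares, 2 probes:", leaking_probes(2, 2))   # None: secure
```

The exhaustive check is only feasible for tiny gadgets (the number of random tapes and of probe sets both grow quickly), which is exactly why automated tools of the kind the talk described are needed for realistic circuits; the check here is the brute-force reference that such tools must agree with.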

Overall, the Paris Crypto Day was a good chance for the members of the crypto community around Paris to present their work and exchange technical ideas. For a summary of the morning session talks, see Paris Crypto Day I. Please check the official webpage for future editions.

Notes

1. |ct| and |m| denote the number of group elements representing the ciphertext and the message, respectively; L is the security loss of the reduction, Q the number of queries available to the adversary, and $\lambda$ the security parameter. A loss of O($\lambda$) rather than O(Q) is what makes a scheme tightly secure.