 Okay, so thanks for the introduction. So I'm gonna talk about private multiplication. And before I go into more details, I will start with the basic crypto to introduce leakage. So I will first start by discussing a bit security models in crypto. And usually in crypto, what happens is that we have these ideal security models in which we have these adversaries that is modelled as the grave all here. And that makes some queries to a crypto system C for which only the code of the system is actually a public. And so you can make query X and get C of X. But in particular, what we assume is that everything that is inside the box is perfectly hidden. So for instance, if there is some key, the key is perfectly hidden in the box. So the problem with these models is that at some point we want cryptography to be implemented and when we implement crypto, we implement it on physical devices. So for instance, computers or laptop or stuff like that or more generally the cloud. And the thing is that these devices being physical, we have also physical leakage. So for instance, what's quite easy to get is the running time of the crypto system but also some other physical measures. For instance, the power consumption or similar measures. So the thing is that actually in the real life, the adversary could make use of this leakage. And so you want to actually for the real application you want to think about the adversary as someone being quite powerful and being comfortable with leaking information. So in for this talk, what I will assume is that the crypto system is some circuit here. So an arithmetic circuit. And so I will assume that the adversary has some good here somehow and is able to listen to the computation of the circuit. And so if the circuit is run on this inputs XYZ for instance and some intermediate computation like CU and some output S, then the adversary is able to learn some noisy information about all the values on the wires. So for instance, some function of F plus some noise and the same for all the other intermediate computations. So this model is called the noisy leakage model. It was introduced by proof and rega in 2013. And so this is a model that makes a lot of sense in practice, but as you can see already with this very small circuit, it's a model that has a lot of variables. It's quite messy already. And there are some parameters as well. So this function for instance, but also the noise. So this is not a model that we really want to use for proving a theorems because it's quite messy. And so the good news is that actually we don't need to use this model to prove things in this model because this model is actually equivalent to another model, which is a deep problem model. And this is a result due to the inverse key and force in 2014. And so we are going to use in this paper this problem model that was introduced by Ishaes and Wagner in 2003. So okay, so what can do an adversary in this deep problem model? Simply it can ask for exact value on the wires in the circuits. So for instance, it can ask for the value of y. It can ask for the value of u and the value of s, but no more than three values for instance. And so in the deep problem model, the adversary can ask up to the exact wire values. So now everything is quite clean because you have only exact values and you have also a bond number of values. So this would be a lot cleaner to make proofs. Okay, so how do you do something in this model? So the idea of this paper and in general, when we want to design a private circuit is that we have an arithmetic circuits and so we want to be able to secure any of the gates of the circuits. So let's start with an addition. So securing an addition against such an adversary is actually quite easy. So I will call you have an adversary that is able to learn up to the wires in the circuit. So what you are going to do to secure an addition of a plus b, you will just first start by completing an additive sharing of a and b, otherwise you can just ask for the value of a or b. And then what you want to do is also output an additive sharing of a plus b. So actually what we can do as a circuit is just use as a circuit. You can just use a circuit that will have some pairs of shares. So this is how you do an addition and now the question that remains is that how you do a multiplication and if you can compose everything to make the circuit private. So this is the purpose of this work and so let me define a bit more formally what I want to do. So we have this multiplication over gfq and so the input of the circuit that we are going to design is the additive sharing of a and b. And so we have some circuits that will perform some multiplication and addition. So an arithmetic circuit and this circuit will take some additional randomness here. And of course the output of the circuit for correctness what you want is that the output is also some additive sharing of a and b. Of a times b, sorry. So okay, so I've defined what I want to do but I still haven't defined anything about the security that we want. So as I said, the purpose of having this input, this share of the input, the share of the output is that you can compose everything quite nicely. So for instance, if you have this circuit that is composed of addition and multiplications, the fact that if you want to make it secure at order one, for instance, so again some adversaries are able to ask for one wire. Then what you'd like to do is just switch every gate to a secure version. So each gate now takes an additive sharing a two additive sharing of the inputs and outputs a two additive sharing of the output. And so in theory, the composition works fine because each gate outputs what is supposed to be fed to the next gate which is a two additive sharing of the value. The question is what kind of security you need to do that. And so the thing is that if you assume the security is some notion that just guarantees security on fresh shares then if you compose this is no longer fresh shares because the only fresh shares in this composed circuit is these first shares. These shares are actually shares of the output of this gate but they are computed from the shares here and they are not really fresh shares. So what you want somehow is to be able to say that if you have some problem on this gate, for instance, then you are able to come up by to simulate this probably here from the fresh shares here. And you are guaranteed that this fresh shares doesn't give you any information about the inputs. So somehow you want some form of simulation of any problem here from the inputs here. So this is actually exactly the notion that we want and that we use. So the notion is called non-interference and it say that any set of t less or equal to d, so any set of at most d from the in the circuit can be simulated from at most t of each of the inputs. So for instance, to each trade that if you have shares here on this gate, then this gate being, if this gate is a Ni, so this is actually the security notion here, then you can simulate this problem here by using one of these two inputs, one of these two shares and one of these two shares. So for instance, you can simulate it using E0 and F1. And now this E0 is also an output share of this gate that is also Ni and then you can simulate E0 from one of these two shares and the same for F1. For instance, like that. And now what you know is that the first probe that you had here can actually be simulated using these shares of each of the inputs. But since these are fresh shares of the inputs, these shares do not give you anything about the actual values of the inputs. So this is what we want. So actually for general composition, if the circuits have not found out one everywhere, you need something slightly stronger but I will not go into the details about that. I don't really need that for the talk. Okay, so let's go back to what we want now that we have the definition. So we have this private circuit for multiplication that we want to define. And so there are two things that we want to restrict in this circuit. So the first thing that is interesting, so there are two measures of complexity that we want to limit. So the first measure of complexity that we want to limit is the randomness complexity. So we want to capital hard to be as big as, to be as small, sorry, as possible so that the circuit remains simple and we don't have to generate a lot of randomness. And the second thing we want to restrict, of course, is the size of this circuit. So for instance, in particular, we want to avoid to have too many multiplications because usually multiplications are more expensive to perform. So for this talk, I will only focus on the randomness complexity. But actually in the paper, we also addressed the arithmetic complexity of the circuit. And so I will briefly mention it at the end of the talk with the main part of the talk will be only on randomness complexity. So once again, we want to know how big capital hard is as to be. So this is not the first paper that addresses this question. So there are already mainly two papers. Maybe there are some more. I'm sorry if I don't say them. But so the main papers, I will talk about a state of the art is the first and same paper by H.I.C.I. and Wagner that define actually the probing model. And so in this paper, there is already a construction for a private circuit for multiplication that has a quadratic randomness complexity. So to be secure at order D, you need to add in the circuit, you need to add roughly D square over two random elements. And so last year with the same set of orders, actually the same orders than this one. We propose the construction that has the randomness complexity. So we have D square over four elements for having a secure multiplication. And we also proved in the previous paper that if you work with bits, so if you work over GF2, then actually there is no way to do better than a linear randomness complexity. And actually we will prove precisely that there is no way to have a randomness complexity that is strictly less than D plus one. So in particular there is no way to have a randomness complexity that is D for instance. And so the thing is that this lower bound that we had in the previous paper is crucially realized on the fact that we are working on GF2. And so in this paper, the question we answer is whether you can do better working on larger fields. And the answer is actually that you can. And so we propose a construction in this paper that actually has a randomness complexity that is linear and that is actually below the previous lower bound that we had. And the good news now is that we are somehow optimal because we also proved that even if you use an extremely large field, then there is still a lower bound that is linear. So you can do better than D over two random elements and we have a construction that achieves the random elements. So once again there is no contradiction with the previous results, with the previous lower bounds. The reason is that this new construction relies crucially on the fact that we are using larger fields. But the side of the field, I will discuss them. I will discuss it briefly actually. It's not, for practical cases, it's not too bad. It's actually even pretty good. So let me explain what I will talk now in the rest of the talk. So the first thing I would like to address is how we prove security for our construction. So I will explain an algebraic characterization for the security, for the non-interference security that I defined earlier. And after I will explain how using this algebraic characterization, we can break the GF2 lower bound. So the linear lower bound we had before. And at the end of the talk, I will briefly mention some other results. So I will briefly mention about the linear lower bound that I just explained on the previous slide. And I will also talk about a construction that has a better arithmetic complexity. Actually, it's not perfectly correct. It has just a lot less by linear multiplication. The arithmetic complexity over hold is not better. Okay, so let me start with the algebraic characterization. So once again, we want to build such a circuit that takes the shares as input and outputs the share of the product. And that takes some additional randomness. So the share of the outputs, so we want to compute A times B, so the sum of the CI should just be the sum of the AIBJ. So what we assume we make some restriction on the circuit, we assume that at any point in the circuit, there is no fancy stuff going on. So all the computation that are going to happen in the circuit will be either linear in the input, so the AIBJ and RK, or will be a linear in this cross products AIBJ that we need at the end of the computation. But there is no term of the form, I don't know, like AI to the 20 and BJ to the three times some RK to the four, for instance. There is no weird term appearing because this is the kind of term you will need to remove at the end anyway. This is still a restriction, but this is a restriction we make. So given this restriction, actually what happens and what's quite easy to see is that any computation that appears in the circuit will have these forms, so there will be a part that is linear in cross products, so something built by linear in A and B. And also, of course, there will be some part that is linear in A, linear in B and linear in R. So all these matrix here and these three vectors here are just constant vectors. There might be also some additional constant, but you can just avoid it. So given this property, this is also the case that any sum of probes has the same form. The reason is that everything is linear in this expression, so if you sum such a two expression, you will still have the same form. So now let me explain you how we can prove security thanks to this nice algebraic structure. So the thing is that actually we can prove that and we prove that a circuit will be a secure, will be a non-interference if there is no set of probes that satisfy a certain condition and this condition is described here. So we say a set of probes satisfy our condition, so which is a very accurately named condition one. The set of probes satisfy this condition if and only if the sum of the probes that are inside the set of probes can be written as before, so this by linear part, this linear part in A and linear part in B, but without a linear part in R. So the sum of the probes should not depend on any randomness. Plus there should be some other condition that is satisfied by either the matrix M with mu as an additional column or either with these matrix M with mu as this additional row. And we should ask for either all the rows of this matrix or all the column of the second matrix should be non-zero. So actually it's quite easy to see the reason for this condition, at least to see why these are necessary conditions. So let's say that you have a sum of probes that satisfy the condition previously defined, so the sum of probes doesn't define any randomness and such that all the rows of this matrix of this matrix are non-zero. So if you write the sum of this expression here precisely what happens is that you have the shares of A here and the matrix M here times the vector B and once again the share of A here times the vector mu plus this term in B that we don't really care about. So the thing is that A0 is going to be multiplied by this line of the first line of M and the first time of mu. And as this matrix as non-zero rows, it means that either one of these or this one will be non-zero. And this means that this expression of S here will depend on the value of A0. So this function here, if you fixed all the other value for when you fix A1 to AD and all the B then this function is actually not a constant function of A0. So in particular if you want to simulate perfectly this sum S, then you need to probe the value of A0. And this is actually the case for any other A of the AI, you just need to take a different row of M and the different component of mu. So in the end what happens is that if you want to simulate this sum here, you will need to query all of the AIs. And then since NI security asks that you should be able to simulate a set of probes using at most D of the D plus one shares, this sum cannot be simulated. This circuit cannot achieve NI security. So this is the reason of this algebraic characterization. And now using this algebraic characterization we can actually use it quite easily to prove security of construction. So now let me explain you how you can build a construction that actually achieves linear randomness complexity. So the idea is going to be to use a probabilistic method. So what we are going to do is we are going to pick the random elements. So R1 and Rd. So these are going to be the random elements that we are going to use for making the computation secure. And we are going to define a huge family of algorithms that computes correctly the multiplication of A times B. So we define for each construction is defined as via a matrix here gamma that is a matrix of our GFQ of size D plus one times D. And the construction works, each construction work as follows. So each of the shares that will going to be output are a sum of on the rows of this matrix. So the first share is a sum of all the A0BJ and the same for every of the other shares. And so to make the computation secure what we do is we just add some randomness between each of the column of this matrix. And so between the first two columns we just add some randomness that only depends on the first R1. And we just use some constant factors in front of these R1 random elements. And the constant factor comes from the definition of the construction that is the matrix gamma. And so we do this between first, the first column and the second column we just use the randomness R1. So everything here is constant. And after we use only randomness R2 and for the last one we just use randomness RD. And so for correctness, we just ask that the randomness comes out when you sum all the shares. So you want the sum of the gamma I1 to be zero and the same for every of the columns here. And actually what we can do now using the algebraic characterization is show that the condition one that we need to be, we need not to be satisfied by the construction, by any set of problem in the construction can be described as some algebraic condition on the matrix gamma. And now what we do, this is where the probabilistic means.com we show that if the field is big enough so we have an exponential bond in the side of the field. So if the field is of size D to the D plus two, then there must exist a matrix gamma such that there is no, such that one of this construction is actually secure. So as you can see the bond is actually very bad in this case because for already for small cases this might be huge for the side of the field. But actually what we show in the paper is that we implemented the practical cases so for small order of D. And actually for small order of D, for for instance for D equal two or D equal three, you actually just need a field that has only eight elements. So actually this is very good for practical implementation because working with GF-8 is actually quite nice. Okay, so let me just give you a brief insight about the other results before I conclude. So as I said, so we have the previous construction that achieves a linear upper bond, but actually this upper bond for the construction is actually also almost a lower bond for the randomness complexities because we prove that there is no way to achieve security of any field with a randomness complexity that is smaller than the other two. So we are actually already asymptotically optimal. And so as I said earlier in the talk, we also achieve a construction that has a better complexity in some sense that only requires a linear number of binary multiplication. So what we do is we use a Karatsuba algorithm or less and we just replace a lot of binary multiplications by multiplication by constants. And so once again, as I said, even though the bonds on the side of the field are quite large in the paper, the theoretical bonds, we have implementation for practical cases and all the implementation actually works on small fields such as GF8. So let me sum up. So previously we're known these two constructions, the ISW construction that had the complexity of D squared over two and our previous construction that had complexity of D squared over four. And there was this lower bond over GF2 of the lower bond of D plus one. And now if you allows us to the use of larger field, then what happens is that you can actually break this lower bond and you can get a construction that has only these random elements and this construction is actually optimal asymptotically. And second thing is that depending on the cost of, we now have three different algorithms for performing the private multiplication. So depending on the cost of either the randomness generation or the cost of a binary multiplication, you can either use the previous algorithm that had the complexity D squared over four, randomness complexity D squared over four, or if the cost of randomness generation is actually very expensive, you might prefer to use the linear randomness complexity algorithm. And the last thing of course is if it's the multiplication that is extremely expensive and the randomness generation is actually not too expensive, you can use the last algorithm, which has only linear multiplications. So with this, I'd like to conclude my talk and thank you for your attention. Thank you.