Hi everyone, I'm Wei Cheng from Télécom Paris. In this video, I'm going to present our work on how to quantify information leakage in code-based masking. This is a joint work with Sylvain Guilley, Claude Carlet, Sihem Mesnager and Jean-Luc Danger. In this talk, we first give an introduction to code-based masking. Then we present our coding-theoretical leakage quantification. We apply it to polynomial masking, which is based on Shamir's secret sharing, and show how the redundancy in masking can only increase the side-channel leakages.

In side-channel analysis, a sensitive variable X is leaking in certain forms. In this case, leakage can be viewed as a combination of some function on X and a noise N. A commonly used assumption is that the noise is additive white Gaussian noise. So to protect the cryptographic implementation, one of the most well-established countermeasures is masking. In particular, masking provides provable security, and it is at the algorithmic level, but its cost increases critically with the security order.

Typically, in polynomial masking, let X be the sensitive variable, Y be the mask, and Z be the masked variable. In Cézanne Mélajev's ancient, its encoding is as follows. The first share is constructed by XOR of the sensitive variable and all other masks, and the other shares are random masks only. As we know, Boolean masking can be generalized into code-based masking from a coding-theoretical perspective. Let Z be k pieces of information, and let Z equal XG plus YH, where X has k pieces of information, Y has t masks, and Z is encoded with n shares. G and H are the generator matrices of linear codes C and D respectively. We note that the only condition in generalized code-based masking is that C and D have only the zero codeword in their intersection. In addition, if n equals k plus t, there is no redundancy, like in IPM and direct sum masking.
Otherwise, if n is greater than k plus t, the masking is redundant.

Here we give two examples, Boolean masking and inner product masking. On the left, Boolean masking is simply encoding with only XOR. G and H are binary matrices with only 1 and 0. On the right, in IPM, the first share is constructed by the inner product operation involving alpha_i. As we show, with alpha_i in the first column of H, compared with Boolean masking, only one column is changed. And we can recover the Boolean one by setting all alpha_i equal to 1. So Boolean masking is a special case of IPM.

Next we'll present a brief history of code-based masking. Notice that the references marked in blue are the first proposals. The first observation is that leakage squeezing and polynomial masking were proposed in 2011, and the original IPM was in 2012. At last, the most general case was proposed at CHES in 2020. In this paper, I will focus on this general case and show how to quantify the information leakage.

The connections between the above masking schemes are shown in figure three. We highlight two groups. First, on the left, we have a red shadow, including Boolean masking, inner product masking, leakage squeezing and also direct sum masking. They all have no redundancy. On the right, we have polynomial masking, which is based on Shamir's secret sharing. It can be configured with redundancy in a glitch-free context. For example, two natural questions arise: how to measure information leakage in different schemes, and secondly, how to choose the optimal parameters or optimal code for each scheme.

Before we move into details, we recall some definitions and the transformation. The first one is the dual distance. Given a linear code D, the dual code, denoted as D-perp, is such that each of its codewords is orthogonal to all codewords in D.
We also have subfield representation and code expansion, by which we can expand a linear code from a bigger finite field to the subfield F2.

Next, a well-known notion is the weight enumerator, which maps a linear code to a weight polynomial. We recall D with parameters [n, k, d]. Its weight enumerator is as follows. The coefficient B_i is the number of codewords of weight i. In particular, B_d is called the kissing number of D. For instance, for the linear code [8,4,4], we have B_0 equal to 1, B_4 equal to 14, and B_8 equal to 1. In addition, we can define the adjusted kissing number of two linear codes C and D. So B'_d is the number of codewords such that the codewords are in code D, but not in code C.

Next, we show how to measure the leakage in code-based masking. In this work, we consider two probing models. In the bit probing model, each probe only gets one bit of information, while in the word probing model, each probe gets l bits of information. The corresponding security orders are t_b and t_w respectively.

In side-channel analysis, the leakage function sends a bit vector into a real value, and is denoted as a pseudo-Boolean function P. Then the numerical degree is defined as the maximum number of coordinates of beta, which is the coefficient of Z power I in leakage function P. Some examples are as follows. For MSB and LSB in differential power analysis, which is deleted, commonly denoted as DoM, Z power I always has only one coordinate of one. In the Hamming weight leakage model, each bit appears only once and it returns the sum. In both cases, the degree equals one. The last example has second-order leakage, which is the product of the first two bits. It has a numerical degree equal to two.

Then by using leakage function P, we can define the side-channel leakage as L equal to P of Z plus N, with Gaussian noise. Then the problem is how to exploit the leakage.
In side-channel analysis, the distinguisher is to check whether the leakages for different values of X are different, and whether the variance is zero or not. Therefore, we can define the SNR as the ratio between the variance of information and the variance of noise, as in convention. Taking Hamming weight leakage into consideration, we have P of Z equal to the Hamming weight of Z to the power d for high-order moments. Then it can be decomposed as follows, as in equation six. The first part has terms with a numerical degree smaller than d, while in the second part the degree is always exactly equal to d. So we have the following theorem for SNR in code-based masking. It involves the dual distance d and the adjusted number B'_d, which depends on both the codes C and D. So it is consistent with the security order in the probing model.

Next, from an information perspective, the mutual information between the leakage and the sensitive variable X is computed from two entropies: the total entropy H of L and the conditional entropy H of L given X, given as follows. Then we have the following theorem for mutual information in code-based masking. In equation 8, we have mutual information between L and X equal to zero when the degree of P is smaller than zero, which is consistent with the probing security order. And if the degree of P equals the dual distance, the mutual information is linked to the dual distance and the adjusted number, as in SNR.

Visually, we illustrate the impact of the dual distance and adjusted kissing number as in figure four. In particular, the slope of the curves in log-log representation is equal to the slope and the vertical offset is linked to B'_d. An example of four-bit cases of two-share IPM is shown in figure five, with the slope and the vertical offset as expected. We also propose a unified evaluation framework for GCM in which the side-channel security can be characterized by the dual distance and the adjusted kissing number.
In addition, the optimal code can be given by maximizing the dual distance d and minimizing the adjusted kissing number B'_d.

Next, we apply our approach to SSS-based polynomial masking. As pointed out at CHES 2018, polynomial masking is connected to the Reed-Solomon code. The RS code is defined by choosing a polynomial with order equal to or smaller than t and evaluating it on public points. Then we can show the connection explicitly. The generator matrices G and H are as follows. In particular, each share corresponds to an evaluation in the Reed-Solomon code.

Next, consider an instance with three shares and t equal to one, which is a first-order secure masking. G and H are as follows. For the sake of simplicity, and also because of the equivalence of linear codes, we can set F1 equal to one. The other two parameters, F2 and F3, are equal to F power G and F power K respectively. The sharing is as in equation 10, where we only have one random mask U1. So by applying F2 for mutual information, we can evaluate different codes in SSS-based masking. Clearly, the black curves give the best code, and the approximation is similar and more accurate as the noise increases.

We give an exhaustive study listed in table one: different codes can have various dual distances and adjusted kissing numbers, as shown in the last column. We give the best cases of codes for (3,1) SSS-based masking. Comparing with the state of the art, we show a systematic approach to find the best code. In addition, we show that some parameters are the worst cases and are not recommended for practical use. In particular, for the first time we illustrate the impact of both codes C and D on the side-channel resistance of GCM.

At last, we evaluate the impact of redundancy in code-based masking. Again, we recall the sharing in (3,1) SSS-based masking. We have one share for redundancy.
We want to compare the information carried in the three shares and in two out of three shares by using mutual information. The results are shown in figure seven. On the left, we show that three combinations of two shares have the same dual distance, and on the right, we give one instance of a combination that has a smaller dual distance. Two observations can be made. Firstly, three shares always carry more information than two shares, and secondly, the secret is determined by the weakest combination of two shares, and in general cases it is determined by t out of n shares in SSS-based polynomial masking. A similar result is shown in figure eight for different codes and different combinations.

Finally, we conclude our talk. In this paper we propose a coding-theoretic approach to quantify the side-channel resistance of code-based masking. We use both SNR and MI as leakage metrics and propose a unified framework for evaluation and for choosing optimal codes in GCM. Our open source is available on GitHub by using the following links. We also highlight that we want to show how to find the best code by presenting a detailed investigation on the trace of single no basis for code expansion from a big finite field to the base field F2 improve on September 17. So welcome to our talk, and please check our paper for details. Thanks for your attention. Please contact me if you have any questions.
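The weight enumerator, dual distance and kissing number defined in the talk, as an added example that is not part of the talk or of the authors' released code: they are computed by brute force for the [8,4,4] code mentioned in the talk and for two-share inner product masking, Z = (X + alpha*Y, Y), over GF(2^4) expanded to bits. The field polynomial x^4 + x + 1, the function names and the alpha values are assumptions, and the plain kissing number of the dual of D is computed, not the adjusted one.

```python
from collections import Counter

def span(gens):
    """All F2-linear combinations of the generator words (ints used as bit vectors)."""
    words = {0}
    for g in gens:
        words |= {w ^ g for w in words}
    return words

def dual(code, n):
    """Every n-bit word whose overlap with each codeword has even parity."""
    return {v for v in range(1 << n)
            if all(bin(v & c).count("1") % 2 == 0 for c in code)}

def weight_enumerator(code):
    """Map weight i -> B_i, the number of codewords of Hamming weight i."""
    return dict(Counter(bin(w).count("1") for w in code))

def dual_distance_and_kissing(code, n):
    """(d, B_d): minimum nonzero weight in the dual code and how many words reach it."""
    we = weight_enumerator(dual(code, n))
    d = min(w for w in we if w > 0)
    return d, we[d]

def gf16_mul(a, b, poly=0b10011):
    """Multiply in GF(2^4) modulo x^4 + x + 1 (assumed field polynomial)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= poly
    return r

def ipm_mask_code(alpha):
    """Code D of two-share IPM, codewords (alpha*y, y), expanded to 8 bits over F2."""
    return {(gf16_mul(alpha, y) << 4) | y for y in range(16)}

# The [8,4,4] code in its first-order Reed-Muller form (constructed generator rows).
RM13 = span([0b11111111, 0b00001111, 0b00110011, 0b01010101])

if __name__ == "__main__":
    print("[8,4,4] weight enumerator:", weight_enumerator(RM13))
    for alpha in (1, 2, 3):  # alpha = 1 is Boolean masking
        print("alpha =", alpha, "(d, B_d) =",
              dual_distance_and_kissing(ipm_mask_code(alpha), 8))
```

With alpha equal to 1 (Boolean masking) or 2 the bit-level dual distance is 2, while alpha equal to 3 raises it to 3, which is the kind of difference between codes that the selection criterion in the talk ranks.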