 So, the next talk is by Takeshi Sugabara on three-shear threshold implementation of AES S-Box without the fresh randomness. Okay, thank you for the introduction and the first slide is overview background and also timeline of this study and that is about threshold implementation that there was an explanation in the previous presentation and this is a great fast order masking scheme and but there was a difficulty in realizing this three-shear and uniform threshold implementation for the standardized algorithms I mean AES and Kechak for more than 10 years. At chess 2017, Demon tackled the problem and proposed a very great technique called the changing of the guard and applying it to Kechak to realize three-shear and uniform realization of it and later the Vegana and Moradi use this technique to AES and realize four-shear and uniform realization of AES S-Box. This is also a big achievement because it is the first uniform realization of it but the number of shear was four and we want to go further and in this talk what I did is generalized this changing of the guard and using this generalized technique to make three-shear and uniform threshold implementation of AES S-Box. Okay, so let us begin with the threshold implementation and this is the idea is to implement cryptography while keeping shared representation of intermediate variables. So the share is a in this case I show a three-shear representation so the share is about triplet and some of them represent the original value and we get a set of mappings that maps share to another share that we call sharing and this sharing has some important properties to satisfy to be threshold implementation. So correctness means the output the output share represents the output of the target function and the non-completeness means each of these sub-functions get only a subset of the input share which is about security and another important property is just uniformity and if we say the share is uniform that means for each raw value or the possible shares should appear equally so this table shows a toy example of three-shear of 1-bit value so this raw value 0 has four shared representations and they have the same probabilities then we can say it is this share is uniform and this uniformity is necessary for security against statistical attack. We can also say that the sharing is uniform and that means the sharing preserves the uniformity about shares that means if the input share is uniform then we can get guarantee that the output from the sharing is also uniform but this uniformity is not so easy to satisfy and there have been no uniform sharing for this standardized algorithm as I mentioned earlier and if there is no uniformity we need to do some compensation and that is to make operation called re-masking in between two shares and this re-masking needs fresh randomness and that is costly in implementation otherwise if we have uniformity we can just skip this thing and that's why we want uniformity and this is the changing of the guard proposed by demon a chest two years ago and the idea is to use a neighboring input share for a kind of pseudo re-masking so this is the diagram of three share I'm sorry I'm changing of the guard sharing for three parallel mapping S boxes and the idea is get two portions of the input share I'm sorry input share and explore it with the neighboring output and this technique is applicable to bijective mapping and yes ketchup S box is bijective and so demon successfully making three share and uniform sharing of ketchup S box but it is not so easy to apply it to a yes S box that is because to reduce the number of shares we need to decompose a yes S box into let's say a series of operations like this one I show this is can write S box realized by field operations and in this kind of decomposition we almost always have multiplications as shown in the colored boxes and the multiplication of course has two inputs and one output so it cannot be bijective and that is the problem so I try to solve the problem and the basic idea toward a generalization is since it is difficult to convert the original mapping into uniform sharing so we firstly transform it to another form that has uniform sharing so that is the idea and the first trick I used is what I call expansion and what I did is to transform the target function psi into a bijective mapping using the facial network so this psi is the original function and this entire structure is the extended mapping and what I did is just add this extra input y and come extra it with the original function output and also add one extra output here and this facial network is a common structure for block cipher researchers and guarantees bijection bijective property of the resulting mapping and another good property about this expansion is that this expanded mapping always has uniform sharing this one is on shared representation and this one is shared representation and important thing is this facial structure is preserved in a shared representation meaning that this shared representation is also bijective and this bijective property is sufficient for the uniformity of the mapping because since this is the bijection the output is just a permutation of input shares so it doesn't change the distribution of shares but yes with expansion we can get bijective mapping but we cannot just directly feeding this to the conventional changing of the guard because the resulting function is a little bit different from the original one we have y added and what we really want is something I mean the one without y so we need y to be zero and we should get zero somewhere else then I use this second trick I call restriction and the idea is this unnecessary output the x that we will not use anymore to zero by using this now mapping and this is a kind of symbolic thing that maps anything to zero so it's essentially just an unconnected wire but anyway we convert this unnecessary output to zero and this zero is fed to the neighboring sharing and this restriction I mean the now mapping also has a uniform sharing I think this is a common technique in multi-party computation and what we do is just drop the first element from the sharing from the share and replace it with XP plus XC and we can easily verify that this share represent zero right so we can convert the share into zero inefficiently using this so this is essentially the proposed method so what we need is given a target function target mapping psi and extended into bijective mapping using face turn network and then put them now function to combat unnecessary run into zero and let us talk about how we can chain these functions with each other and let us talk with an easy case when we have the same input and output sizes and in this case the connection changing is very easy like as shown in this figure so we have three extended and restricted mapping and we connect with each other with 50% overlapping and the resulting map is a power application of this psi with some zero and conversion of this chain representation it's it to it into its shared representation is a it's straightforward straightforward we can just replace them one by one and get the the the shared representation of this power application of the extended and restricted mapping and this particular connection is important because it is it shows how this method is a generalization generalization of the changing of the guard this one on the left is the sharing we discussed in the previous slide and another one on the right is the demons changing of the guard sharing and actually they are the same they may look differently but try moving this left side things the up thing into left and this down thing on the right and they should look similar and actually they are equivalent so the the discussion I made in this presentation gives yet another proof to the demons changing of the guard with some relaxation I mean it also supports non bijective mapping okay so I also explain how the things go into be in the in the in case when the target mapping has different input and output sizes and this target function is complicated but the real one we need for a ESS box so this one has three input and two output and combating expanding it to is faster network is straightforward and also I'm applying now function is also straightforward but the changing is a little bit different from the previous one because we have different input and output sizes so we have some extra output zeros that we can use later the other way around happens when the output is larger in this case we need to add some extra zero to the input so managing this additional input and output is an essential thing when we try to apply this technique to a complicated target function so this is how I applied the technique to a yes box and this is looks complicated but yeah I don't have time to explain this detail but I did is get a four-stage can write S box and ex pundit it so that every stage becomes uniform for that purpose I had to add six-bit additional input and six-bit additional output so the data possibilities it's expanded from 8 to 6 and that is the major performance robot so this six-bit thing becomes the register overhead in the state register and also the approximation of initial randomness so the six-bit is added for each S box and we multiply it by 3 for three-shell representation and we have six I'm sorry 16 S boxes so this to 88 bits is what's that overhead of this proposed method and this is not small but it's better than conventional four representation in terms of circuit performance so I'm concluding this presentation so I propose a generalization of the changing of the guard that's also support non bijective target mapping and using this technique I could realize the first three-shell and uniform threshold implementation of ASS box thank you very much any questions I have one recently we have papers that optimize the circuit representation of the ASS box right so your technique will carry to carry over to another representation of a six box then just I can write representation that's that's a good question and I think yes what say but we need to what say for making it three-shell sharing that each stage should have algebraic degree of two so we need if we can make that kind of decomposition we can apply this technique so if there are no questions let's thank the speaker again