 Hello everyone, my name is Yifan Zhang. Today I'm happy to introduce our work, Private Circus with Quasi Linear Randomness. This is a joint work with Weibo Goya and Yuval Yishai. The notion of Private Circus was introduced by Yishai Sihai and Wagner in 2003. It is a simple abstraction of leakage-residual computation. Informally, a private circuit should be secured against leakages of T-ware values chosen by an anniversary. In this work, we consider both the stateless and stateful private circuits, which we give details as follows. Suppose F is a function that we want to compute. It takes as input X and outputs Y. A stateless private circuit for the function F contains three parts. The first part is an input encoder, which encodes the input X to X hat. Then a circuit C takes as input X hat, computes the function F, and outputs the encoded result Y hat. Finally, an output decoder decodes Y hat and outputs Y. The security requires that any T-wares should reveal no information about the input X. To rule out trivial solutions, in which the encoder or the decoder can pure the function F directly, we consider the canonical encoder and decoder by default. Confidently, the canonical encoder splits each input bit into T plus one additive shares, and the canonical decoder computes each bit by adding up a group of T plus one bits. A stronger variant of private circuits referred to as leakage-tolerate private circuits does not have input encoder or output decoder. The security requires that any T-wares reveal at most the same number of input and output bits. With the leakage-tolerate solution, we can obtain a leakage-resilient private circuits by using an encoding scheme that is secure against T-programmed tags, such as the canonical encoder. In particular, we can also jointly encode all input bits with less randomness. In the state-for-model, the circuit maintains an internal state. In each epoch, the circuit takes a public input X and outputs a result Y in clear. A concrete example is an encryption circuit where the internal state is the secret key, the input is the message we want to encrypt, and the output is the separate tags. The security requires that in every epoch, any T-ware values should reveal no information about the internal state. The notion of private circuits is attractive for theoretical study due to the simplicity of its model in the sense that the computation model is just binary circuits, and the class of leakage functions contains all sets of T-ware values in the circuits. A lot of works have shown that we can bootstrap from this minimal notion of private circuits towards resisting more powerful leakage classes such as AC0 leakage or bounded communication leakage. On the other hand, private circuits gain popularity as a practical method for higher-order masking countermeasures that protect embedded devices against realistic set-channel attacks. In this work, we are interested in the randomness complexity of private circuits, which is a natural theoretical question for this notion. The study of randomness complexity can also be motivated by the fact that generating fresh randomness is expensive in practice. In the scenario where the randomness is provided as a part of the input, reducing randomness complexity means reducing the size of the input. In some cases, this can be translated to an improvement in the communication complexity. For example, when we build a leakage-resilient hardware for proof verification, the prover may be responsible to provide fresh randomness used in the hardware. Therefore, in this work, we consider the following question. How many random bits do we need to securely compute a function with circuit-sized S against T-probe attack? The work ISW03 first gives a feasibility result based on MPC protocols. It requires T-square random bits for each modification gate, which adds up to T-square times S random bits for the whole circuit. The work IKL plus 13 introduces the notion of robust random generators. Very informally, it is an implementation of a PRG, such that the implementation is secure against prognotex. Relying on robust PRGs, the authors achieve T-cube times log T-S random bits, which is almost independent of the circuit size. A recent work CGD20 further reduces the randomness complexity to T-square times log T-S. We will provide more details about their techniques later. In this work, we show that any function computed by a Boolean circuit offsets S admits a T-private circuit with a canonical encoder and decoder which uses all of T times log T-S random bits. This represents a fact of T improvement compared with the previously best known results. We also extend our results to the following scenarios. First, when using a random efficient encoder instead of the canonical encoder, we achieve out of T times log T-S over all random bits. This is optimal up to log resomic factors. Second, we show that same bound applies for leakage-tolerate private circuits. And finally, we also show that the same bound applies for the stateful model of private circuits. Here, the random complexity is for every epoch. In the following, I will first discuss the construction in previous works, analyze why their constructions fail to obtain further improvements and give the general idea of our construction. The first construction is given in ASW03. The idea is to compute an additive sharing for each variable value. For example, for variable value X, the goal is to compute X1, X2 to Xn, such that their summation is equal to X. In this way, any T-shears are uniformly random and independent of X. And any T-proven attacks reveal no information about the input. Now, the problem is reduced to evaluating addition gates and the modification gates. For addition gates, we can simply add up the two input additive shareings for modification gates. We first compute the modification between every two shares, one from each input additive sharing. Note that the summation of this n-square multiplication results is equal to X times Y. We then transform the multiplication results to an additive sharing of X times Y. The construction in ASW03 requires to consume all of T-square random bits for each modification gates, resulting in all of T-square times S randomness complexity. To reduce the randomness complexity, the work IKL plus team considers the randomness locality of a circuit. Concretely, a circuit C makes an L local use of its randomness if each value uses at most L random bits. For example, say somewhere W is equal to X times Y plus C plus R1 times R2 times R3 plus R4. Here, X, Y, Z are input bits of C and R1 to R4 are internal random bits. Then the W uses four random bits. Now for a set of T-value values, they together use at most L times T random bits. Then we can replace the fresh random bits by L times T-wise independent random bits without changing the distribution of the value values in W. Ideally, this allows us to reduce the randomness complexity to L times T times some logarithmic factor in the circuit size. However, one problem of this pro-reset, we need to use a circuit to implement the generating process of this random bits. In particular, the circuit of PRG may be vulnerable to probing attacks. To overcome this issue, IKL plus Rdine proposes the notion of robust PRGs. Informally, a robust PRG is a circuit implementation of a PRG that is resilient to probing attacks. As a result, we can use a robust PRG to repair the desired random bits. The work IKL plus Rdine shows that the randomness locality of the basic construction is T-square. Therefore, we need to use T-cube-wise independent random bits. The authors also show the existence of a robust PRG that uses all of T-cube times log T as random bits. As a result, they obtain a T-private circuit that uses the same number of random bits. A recent work, CGZ20 reduces the randomness locality of the basic construction to T, leading to a fact of T improvements in the randomness complexity. We know that this approach appears to be difficult to be the T-square bound. Intuitively, the randomness locality of a private circuit cannot be smaller than T. Otherwise, an adversary can prove a wire value and all random bits used for this wire value, which may leak information about the inputs. Then the random source should be at least T-square-wise independent, which requires at least T-square random bits. Our work does not follow this approach for de-randomization. Here's an overview of our idea. In the first step, instead of using additive shear rings to protect wire values, we choose to use a T-private encoding scheme to protect wire values. We show that such a T-private encoding scheme only needs a tail of all of T random bits. Here, the tail of big O notation all meets logarithmic factors. In the second step, we show that the computation of the T-private encoding scheme can be reduced to constructing a leakage-tolerant axle gadget. Finally, we construct a randomness-efficient leakage-tolerant axle gadget, which only uses tail of all of T random bits, which solves the problem. We first discuss our auto-construction, a T-private circuit, via axle gadgets. Suppose tail C is a circuit that computes a function F. In S of the O3, the construction compiles such a circuit by computing an additive shear ring for each wire value. Our idea is to use a strong T-wise independent PRG to protect these values. Consequently, suppose T is a strong T-wise independent PRG that takes U1 to Um as input and outputs R1 to RS. We mask each wire value WI by RI. Then the goal is to compute WI X or RI for all I. Together with U1 to Um, this can be viewed as an encoding of the wire values. Note that by the property of a strong T-wise independent PRG, any T bits are uniformly random, revealing no information about the input. To compute each mass speed, we further require G to be linear. In this way, each output bit is a linear combination of the input bits. For example, RI may be equal to U1 plus U3 plus U4. We use the support of RI to denote the set of these random bits. Observe that WI X or RI and all bits in the support of RI can be viewed as an additive shear ring of WI. At the first glance, it may appear similar to the idea in SW03. However, there are two key differences. First, the number of shares may vary for different wire values. This is because the number of shares depends on the size of the support of RI, which may be different. Second, the shares among different additive shear rings are naturally reused and there is no need to do de-randomization. In particular, it is known that there exists a linear and strong T-wise independent PRG that uses held of all of T random bits. Now we discuss how to compute each mass speed. For an addition gate, suppose the two input shear rings are W1 and W2 and the goal is to compute the output shear ring W3. We only need to compute W3 X or R3 since the rest of shares are just the input random bits of the PRG. Observe that W3 X or R3 is equal to W1 X or W2 X or R3. Therefore, we only need to compute the summation of bits in the joint size of the shear ring of W1, the shear ring of W2, and the support of R3. This problem can be solved by using a leakage-tolerant XR gadgets. For a modification gate, similarly, we only need to compute W3 X or R3. We follow IS of the O3 and the first compute modifications between every two shares, one from each input additive shear ring. Then W3 is equal to the summation of these modification results. Similarly to the addition gates, to compute W3 X or R3, we can compute the summation of bits in the joint size of the outer product between the shear rings of W1 and W2 and the support of R3. Again, this problem can be solved by a leakage-tolerant XR gadgets. Therefore, our other construction works as follows. We use a linear and strong T-by-independent PRG to protect the variable values. Then the goal is to compute the max bits W and X or R i, where R i is the S of the bits of the PRG. We show that the computation of the max variable values can be done by using a leakage-tolerant XR gadgets. In the next part, I will discuss how we construct leakage-tolerant XR gadgets. What we want to construct is a leakage-tolerant private circuit that computes the XR function of N input bits. We start with the following simple construction. Assume the XR gadget has access to a random additive shear ring of zero, say they are R1 to R4. We mask it input bits X i by R i and let G i denote the results. Then we use an addition circuit to compute the XR of G1 to G4. Intuitively, the security follows from the fact that G1 to G4 forms a random additive shear ring of the output bit Y. Therefore, if any anywhere is probed, the simulator can probe the output bit Y and generate a random additive shear ring as G1 to G4. Then the simulator can simulate all inner wires in the circuit. In other words, probing inner wires of the gadget is not better than probing the output bit. However, this simple construction requires all of N random bits. We need to de-randomize the basic construction. As we have discussed, the generic approach that relies on random locality does not work. This requires us to find a new approach to de-randomize R1 to Rn. Our starting point is the following simple observation. For a set W of T where values, we hope that the random bits R1 to Rn satisfy the following condition. The distribution of values in W when instantiated by using R1 to Rn is identical to that when instantiated by using uniformly random additive shear ring of zero. In this way, any of those three that can only probe T wires cannot distinguish these two instantiations. To better understand this condition, we first write down the inner wires of the circuit. Suppose the addition circuit first computes G1, XRG2, G3, XRG4, and then computes the output bit. Recall that each GI is equal to XI, XRRI, where XI is an input bit and RI is a random bit. We can write down all the variables as follows. These variables are marked by the following random values. For the first layer, G1 is marked by R1, G2 is marked by R2, and so on. For the second layer, G1, XRG2 is marked by R1, XRR2, G3, XRG4 is marked by R3, XRR4. For the last layer, the summation of G1 to G4 is marked by summation of R1 to R4, which is equal to zero. We define a set A that contains this marked random values and refer to this set as an excess set. Now we obtain the following condition. For a set W of T variables in the excess set A, we want that the distribution of values in W when instantiated by using R1 to Rn is identical to that when instantiated by using uniformly random additive sharing of zero. To realize such a sufficient condition, we consider to use a set of random generator to prepare R1 to Rn. With more details, we define the notion of robust parity sharing generators. We say an implementation C of a function G is a robust parity sharing generator with respect to an excess set A if it satisfies the following three conditions. First, the output of the circuit should form an additive sharing of zero. That is the summation of all the Bs is equal to zero. This condition ensures the correctness of the basic construction. Second, we require the circuit C to be secure against probian tags in the leakage tolerance sense. In this way, we only need to focus on the output Bs since any probian tag towards the implementation can be reduced to a probian tag to the output Bs. Finally, for the given excess set which consists of R1 to Rn and linear combinations of R1 to Rn, we require that the distribution of any T variables when instantiated by R1 to Rn should be identical to that when instantiated by using uniformly random additive sharing of zero. The notion of robust parity sharing generators can be viewed as an extension of the robust T-wise-dependent PRG introduced in AKIO plus 13. First, we require the output Bs to satisfy that there's a summation zero. Second, those three can access to the output Bs by learning not only a single output Bs but also a linear combination specified by the excess set. If the excess set only contains the output Bs, a robust parity sharing generator degrades to a robust T-wise-dependent PRG. In our work, we use the probabilistic measure to show the existence of a robust parity sharing generator which uses all of T times log T and random Bs when the size of the excess set is bounded by odd of n. Combining the basic instructions for the extra gadgets and a robust parity sharing generator, we obtain a leak-tolerate extra gadgets which can use extra of n bits and uses the same number of random bits. And I'll make it a problem is that if we use fresh randomness for each extra gadget, the randomity complexity will become linear in the circuit size. To overcome this issue, our solution is to use a single PRG to prepare random bits for all extra gadgets. We refer to the new PRG as multi-phase robust parity sharing generator. Let me give a quick summary of our results and the main techniques. In this work, our main contribution is the construction of private circuits that uses odd of T times log T as random bits. To achieve our results, we first give an outer construction where we use a strong T by C dependent PRG to protect the bare values. We show that the problem of computing the marked bare values can be reduced to constructing leakage-tolerate extra gadgets. Then we focus on constructing randomity efficient leakage-tolerate extra gadgets. We start with a simple construction which requires a linear number of random bits in the input size. To de-randomize the basic construction, we give a new sufficient condition for the random source. We introduce a new notion of PRG, robust parity sharing generators, to prepare the random source required by our new sufficient condition. By using the probabilistic method, we prove the existence of a robust parity sharing generator that uses a set of odd of T random bits. Combining the other construction and the inner construction will obtain our main results. Thank you.