 Hello, I'm Weijia Wang. I'm going to present the work entitled Efficient and Private Competitions with Code-Based Masking, joined with Pierre-Rick Maou, Gintong Kassiya, Frank Zawa, the VIA standard. Here I list what I'm going to present. First, I will give the background and motivations of this work. Then I will present the Code-Based Masking, which is my contribution of this work. At last, I will show a very nice property of Code-Based Masking, which is back to the efficiency called cost arbitration. Here, I'm going to use one slide to give a short introduction to the side-channel attack. As we know, a cryptographic primitive has to be implemented and will run in a given environment, which may have some side-channel leakage, such as power consumption, running time, or fault information, and so on. For example, we can implement a cryptographic primitive on a chip here. Let's take plain text as input and output some separate text. During the computation, an adversary may utilize the side-channel leakage to recover the circuit key inside the chip by using some statistical analysis. We usually call this type of tag as side-channel attack. Masking is one of the most investigate countermeasures against the side-channel attack, where each circuit-dependent sensitive variable is randomly encoded into several shares. Here, I present more details about the masking scheme. A masking scheme is made up of two ingredients. The first one is called encoder, and it encodes each circuit variable CX into a number of shares, such as any DCS are independent of X. So we can see that the encoder provides the security of the circuit variable such as a key. Besides, the cryptographic primitive usually is a computation from input to output. So we need to secure the computation, which requires the second ingredient, the private computation. Here, I give an example. So we want to compute X plus Y times Z where X, Y, Z are circuit variables. What we can do is to transform each elemental operation into their mass correspondence, whose input and output are both shares. Here, addition is transformed to addition gadget, and the modification is transformed to the modification gadget. After those transformation, we can transform an unprotected computation to a protective one. Ensures that any D-intermediates are independent of the input circuit. We call this kind of security as D-privacy or D-probate security. So in the private computation, there are variable gadgets, and among them, the most important one should be the modification gadget. So this is the basic idea of masking. We are interested in two types of masking. The first type is a detailed masking or called boolean masking if it works in a field which is characteristic too. The encoder of a detailed masking ensures that the sum of shares gives the circuit like this. This type of encoder is quite simple, which makes the corresponding private computations quite efficient compared to other maskings. Another type of masking is called code-based masking. Its encoder is more complicated than and covers the detailed masking. Here, it encodes several circuit, the key into shares together by using a linear code. And it is a generalization of many previous masking, such as inner product masking, direct sound masking, polynomial masking, and so on. Why we generalize the particular masking to the code-based masking? It is because there are several more rates of the code-based masking. The first more rate is about the security. It has better security that can decrease the information leakage. And some previous work shows that it has somewhat better security in the low-noise condition. The second more rate should be about the fault resistant. As we have shown above, the encode of the code-based masking encodes several circuit together by using a linear code. And linear code can provide the fault detection property of the shares. So this is a second more rate. The third more rate should be about the versatility. It is a generalization, I mean, code-based masking is a generalization of many other masking. For example, boolean masking, inner product masking are special cases. And the study on the code-based masking can be specific to any specific masking. Despite the more rate of code-based masking, it has several challenges. The first challenge is about the generic private computation applicable to any code-based masking, which now is still unknown to the best of our knowledge. For example, the medication gadget for the DXR masking is still unknown. And the second challenge is about the performance. And we know that the code-based masking is more complicated, which makes it less efficient than the boolean masking. So how to reduce the implementation overhead is another challenge. In this work, we tackle those two challenges by proposing two contributions. First, we provide a medication gadget for any code-based masking with respect to any linear code. Secondly, we will show a very nice property of the code-based masking called amortization, where we consider multiple medications in parallel. The more medications a cryptographic implementation has and the better performance it will be, then we will present our code-based masking scheme. As we mentioned before, the masking usually is made up of two indegranded, the encoder and private computation. For the encoder, we propose the generic encoder. And for the private computation, we propose the medication gadget, which is the most important component of the private computation. Before we provide the generic encoder, we start with the encoder of the additive masking. For example, the circuit is a bit here, CX, and assume that the number of shells to be three. The encoder first generates two-bit R1 and R2, and then it compute X plus R1 plus R2 and set it as the first shell. Then the second shell should be R1 and the third shell should be R2. If we rewrite this procedure by using a linear code, we have this finger. The left vector is a combination of X, R1 and R2, and which can be regarded as the message of the linear code. And it is multiplied by a fixed matrix here, which is the generating matrix of linear code. And the result should be the code word here, which is a vector of shells. We have three vector actually. So the generic encoder can be regarded as the generalization of the both encoding procedure. So where the circuit is a vector of finite, vector infinite field here. And so as the randomness R, then the generic encoder calculate X times G, which is the matrix plus R times H, which is another matrix. It results a vector of N-shears here. So here is a finger corresponding to the linear code. The left part is similar to the addition masking. It's a combination of X and R, of the, I mean, a combination of the circuit and the randomness. Then the red part is a generating matrix, which is a combination of H and G. And after the medication, the result should be a code word, which is a vector of N-shears here. So this is our generic encoder. This type of encoder generalize the encoder of different masking by specify the matrix. For example, if we set the generating matrix A like this, we will get the encoder of Boolean masking. Then if we set the generating matrix A like this, we will get the encoder of the inner product masking. Then if the generating matrix A is like, sorry, is like this, we will get the direct sum masking, where the G is K times N, rather than N times, rather than one times N. And then if we further generalize the direct, the encoder of the direct sum masking, we will get our generic encoder. The element can be the element in the finite field, rather than only bit. And the generating matrix is no longer square, it can be a re-angle, which provides the nature of property of fault detection for our generic encoder. So now we have the generic encoder. The other step is to provide a medication gadget in regard to the generic encoder. Similarly, let's start with the Boolean masking and we consider the ISW medication, which is quite famous in the community of said channel cut measures. So the input are two vector of shares here and here. First, it computes the output of the input shares resulting in N times N matrix like this. Then we have to refresh this matrix for the six of security. At last, we sum the columns of the matrix and gives N shares as a result. So here I give a concrete example. See the number of shares between. So after the auto product, we have a matrix of three times three and we perform the refresh. In the refresh, we generate the random variables and add them to the entries of the matrix. Here we add the R1 on this entry and so as it's symmetric entry to a diagonal. Then we add R2 to this entry and so as it's symmetric entry to a diagonal here and also R3 to this entry and this entry. So we can see that the reflection is actually symmetric to a diagonal of the matrix. At last, we sum the element of every row to get the result. From this procedure, we can see that the scheme uses the auto product then refresh and decompress strategy. In the following, we will generalize this strategy to the code base masking. We also note that the compression of the code base masking is quite simple. It just sum the element of every row thanks to the simple encoder of the code base masking. So if we consider the code base masking, the encoder is more complicated, which will make the compression become more complicated. Here, based on the above intuition, we illustrate the medication gadget. First of all, the input are two vectors of shares. Gear and here. Then we perform the auto product as a boolean masking resulting in a metric of this one. Then we perform the reflection also as a boolean masking. After that, the compression becomes different because that the generic encoder is more complicated. So in detail, first, it will multiply each row of metrics S by a distinct metrics. So first row is multiplied by M1, second row is multiplied by M2, and so on. Here, it should be noted that the metrics M1 to MN are fixed metrics and can be pre-competited from the generating metrics A and due to the limit of time beside the existence of the. Here, I don't explain in-depth about the metrics MS. Further details can be easily found in the paper. And then we get the metrics T here, whose entries are there-less, except for the first M columns. Then T is multiplied by the generating metrics A here. Resulting in a metric W, then we have to perform the second refresh. Yes, we have to refresh in our medication gadget, which is slightly different from the ISW scheme. And then after the refresh, we just sum all the rows of the metrics K to get the result. So overall, this medication gadget follows our product here, then refresh, then compress strategy. But the compression is more complicated than the boolean masking because of the generic encoder. And the two refresh here and here, which randomly the metrics is R1 and R2 provide the deep-robin security of this scheme. And actually the security can be even stronger. It is actually the DSNI, where the composition of several gadgets is also deep-robin security. Next, we would like to introduce another property of this mask, this medication gadget, the sum of the metrics T here, the rows of the metrics T here, actually get the circuit result, which means that at this stage, the internal metrics is a technically masking of the result. And we can see that the rest part from here to here of the medication gadget is actually a transformation from the addictive shares to the shares of code-based masking. This property enables the efficient mask linear transformation that is integrated with our medication gadget. And also it should be noted that at this stage of the computation about the security, we may still have more addictive shares than D, because the number of rows of T here should be larger than D plus one. So the security order at this stage may be larger than D. At last, we would show the cost optimization of the code-based masking. Let's consider the randomness usage of fully masking and the code-based masking. For the ISW medication, which code-based masking, it actually requires D times D plus one divided by two random variables for only one medication, where D is a security order. And for our medication, which code-based masking, it actually requires two times N times M random variables for K medications. I mean for multiple medications. And the two here is because of we have two reflections depth. So if we set the X as an MDS matrix, then the value of, then the number of random variables should be two times D times D plus K, where D is a security order, and K is the number of medications. Then when we consider the number of random variables for medication, the value now should be, for the ISW medication, it should be D times D plus one divided by two because here for the fully masking, there is only one medications. But for our schemes, this number should be two times D times D plus K and more importantly, divided by K. So if K is large enough, the code-based masking may use less randomness than the boolean masking. Here is a finger showing the randomness cost of 16 medications in parallel. The red curves here, here, and here shows the randomness requirement for the medication of code-based masking, which define the value of Ks. And the blue curve shows the random requirement for the ISW medication for the boolean masking. And we can see that indeed for single medications corresponding to the case of D equals one, the code-based masking is not as efficient as the boolean masking. But if we increase the number of medications, for example, if the number of medications is 16, which means that K equals 16, then the randomness requirement generally become less than the boolean masking. This observation is called omitization because the cost is optimized by multiple operations. So, finally, I would like to discuss our future work of our scheme. First of all, we think we can further, we think our scheme can, having the complexity of our medication can be further reduced. We give the first feasible result in this work that is applicable to any linear code, which already have some decent performance because of the omitization. But we believe our scheme can be further optimized by using some specific linear code. Secondly, we think the possible better for resistance is another promising future work. And in our work, the thought-resistant property only holds with shares or code words. It is still an open problem to maintain this property during the competition or more specifically during the medications. Finally, we think software and hardware implementation of our scheme is another promising future work. That is, thanks for the listening.