 Okay, the last talk in this session is on private circuits with quasi-linear randomness by Vipo Goya, Yuval Ishai, Yifan Zong. The talk is recorded. Enjoy. Hello, everyone. My name is Yifan Zong. Today I'm happy to introduce our work, Private Circus with quasi-linear randomness. This is a joint work with Vipo Goya and Yuval Ishai. The notion of private circuits was introduced by Ishai, Seihai, and Wagner in 2003. It is a simple abstraction of leakage-residient computation. Informally, a private circuit should be secured against leakages of T-ware values chosen by an adversary. In this work, we consider both the stateless and stateful private circuits, which we give details as follows. Suppose f is a function that we want to compute. It takes as input x and outputs y. A stateless private circuit for the function f contains three parts. The first part is an input encoder, which encodes the input x to x hat. Then a circuit c takes as input x hat, computes the function f, and outputs the encoded result y hat. Finally, an output decoder decodes y hat and outputs y. The security requires that any T-ware should reveal no information about the input x. To rule out trivial solutions in which the encoder or the decoder computes the function f directly, we consider the canonical encoder and decoder by default. Confidently, the canonical encoder splits each input bit into T-plus-one additive shares, and the canonical decoder computes each bit by adding up a group of T-plus-one bits. A stronger variant of private circuits, referred to as leakage-tolerate private circuits, does not have input encoder or output decoder. The security requires that any T-wares reveal at most the same number of input and output bits. With the leakage-tolerate solution, we can obtain a leakage-resilient private circuit by using an encoding scheme that is secure against T-programmed tags such as the canonical encoder. In particular, we can also jointly encode all input bits with less randomness. In the stateful model, the circuit maintains an internal state. In each epoch, the circuit takes a public input x and outputs a result y in clear. A concrete example is an encryption circuit where the internal state is the secret key, the input is the message we want to encrypt, and the output is the safer text. The security requires that in every epoch, any T-ware values should reveal no information about the internal state. The notion of private circuits is attractive for theoretical study due to the simplicity of its model in the sense that the computation model is just binary circuits, and the class of leakage functions contains all sets of T-ware values in the circuits. A lot of works have shown that we can bootstrap from this minimal notion of private circuits towards resisting more powerful leakage classes such as AC0 leakage or bounded communication leakage. On the other hand, private circuits gain popularity as a practical method for higher-order masking countermeasures that protect embedded devices against realistic set-channel tags. In this work, we are interested in the randomness complexity of private circuits, which is a natural theoretical question for this notion. The study of randomness complexity can also be motivated by the fact that generating fresh randomness is expensive in practice. In the scenario where the randomness is provided as a part of the input, reducing randomness complexity means reducing the size of the input. In some cases, this can be translated to an improvement in the communication complexity. For example, when we build a leakage resilience hardware for proof verification, the prover may be responsible to provide fresh randomness used in the hardware. Therefore, in this work, we consider the following question. How many random bits do we need to securely compute a function with circuit-sized s against t-proven attack? The work I-SW03 first gives a feasibility result based on MPC protocols. It requires t-square random bits for each modification gate, which adds up to t-square times s-random bits for the whole circuit. The work Ikl-plus13 introduces the notion of robust random generators. Very informally, it is an implementation of a PRG such that the implementation is secure against prover attacks. Relying on robust PRGs, the authors achieve t-cube times log t-s-random bits, which is almost independent of the circuit size. A recent work CGT20 further reduces the randomness complexity to t-square times log t-s. We will provide more details about their techniques later. In this work, we show that any function computed by a boolean circuit offsets s admits a t-private circuit with a canonical encoder and decoder, which uses all of t times log t-s-random bits. This represents a factor of t-improvement compared with the previously best-known results. We also extend our results to the following scenarios. First, when using a random-sufficient encoder instead of the canonical encoder, we achieve out of t times log t-s-overall random bits. This is optimal after log-resomic factors. Second, we show that same bound applies for leakage-tolerate private circuits. And finally, we also show that the same bound applies for the stateful model of private circuits. Here, the randomness complexity is for every epoch. In the following, I will first discuss the construction in previous works, analyze why their constructions fail to obtain further improvements, and give the general idea of our construction. The first construction is given in ISW03. The idea is to compute an additive sharing for each variable value. For example, for variable value x, the goal is to compute x1, x2 to xn, such that their summation is equal to x. In this way, any t-shears are uniformly random and independent of x, and any t-proven attacks reveal no information about the input. Now, the problem is reduced to evaluating addition gates and multiplication gates. For addition gates, we can simply add up the two input additive sharing. For multiplication gates, we first compute the multiplication between every two shares, one from each input additive sharing. Note that the summation of this n-square multiplication result is equal to x times y. We then transform the multiplication results to an additive sharing of x times y. The construction in ISW03 requires to consume all of t-square random bits for each multiplication gates, resulting in all of t-square times s randomness complexity. To reduce the randomness complexity, the work IKL plus 13 considers the randomness locality of a circuit. Confidently, a circuit C makes an L local use of its randomness if each variable value uses at most L random bits. For example, say somewhere w is equal to x times y plus c, plus r1 times r2 times r3 plus r4. Here, x, y, z are input bits of c, and r1 to r4 are internal random bits. Then the where w uses four random bits. Now, for a set of t-var values, they together use at most L times t random bits. Then we can replace the fresh random bits by L times t-wise independent random bits without changing the distribution of the variables in w. Ideally, this allows us to reduce the randomness complexity to L times t times some logarithmic factor in the circuit size. However, one problem of this problem is that we need to use a circuit to implement the generating process of these random bits. In particular, the circuit of PRG may be vulnerable to probing attacks. To overcome this issue, IKL plus a team proposes the notion of robust PRGs. Informally, a robust PRG is a circuit implementation of a PRG that is resilient to probing attacks. As a result, we can use a robust PRG to repair the desired random bits. The work IKL plus a team shows that the randomness locality of the basic instruction is t-square. Therefore, we need to use t-cube-wise independent random bits. The authors also show the existence of a robust PRG that uses all of t-cube times log t as random bits. As a result, they obtain a t-private circuit that uses the same number of random bits. A recent work CGZ20 reduces the randomness locality of the basic instruction to t, leading to the effect of t improvements in the randomness complexity. We know that this approach appears to be difficult to be the t-square bound. Intuitively, the randomness locality of a private circuit cannot be smaller than t. Adversaries can prove a wire value and all random bits used for this wire value, which may leak information about the input. Then the random source should be at least t-square-wise independent, which requires at least t-square random bits. Our work does not follow this approach for de-randomization. Here's an overview of our idea. In the first step, instead of using additive shear rings to protect the wire values, we choose to use a t-private encoding scheme to protect the wire values. We show that such a t-private encoding scheme only needs a tail of all of t-random bits. Here is a tail of big O notation omits logarithmic factors. In the second step, we show that the computation of the t-private encoding scheme can be reduced to constructing a leakage-tolerate axle gadget. Finally, we construct a randomly-sufficient leakage-tolerate axle gadget, which only uses tail of all of t-random bits, which solves the problem. We first discuss our auto-construction, a t-private circuit via axle gadgets. Suppose tail c is a circuit that computes the function F. In AS of the O3, the construction compiles such a circuit by computing an additive shear ring for each wire value. Our idea is to use a strong t-vice independent PRG to protect these values. Consequently, suppose t is a strong t-vice independent PRG that takes u1 to um as input and outputs r1 to rs. We mask each wire value wi by ri. Then the goal is to compute wix or ri for all i. Together with u1 to um, this can be viewed as an encoding of the wire values. Note that by the property of a strong t-vice independent PRG, any key bits are uniformly random, revealing no information about the input. To compute each mass speed, we further require g to be linear. In this way, each output bit is a linear combination of the input bits. For example, ri may be equal to u1 plus u3 plus u4. We use the support of ri to denote the set of these random bits. Observe that wix or ri and all bits in the support of ri can be viewed as an additive shear ring of wi. At the first glance, it may appear similar to the idea in AS of the O3. However, there are two key differences. First, the number of shares may vary for different wire values. This is because the number of shares depends on the size of the support of ri, which may be different. Second, the shares among different additive shear rings are naturally reused, and there is no need to do de-randomization. In particular, it is known that there exists a linear and strong t-vice independent PRG that uses held of all of t random bits. Now we discuss how to compute each mass-bit. For an addition gate, suppose the two input shear rings are w1 and w2, and the goal is to compute the output shear ring w3. We only need to compute w3x or r3, since the rest of shares are just the input random bits of the PRG. Observe that w3x or r3 is equal to w1x or w2x or r3. Therefore, we only need to compute the summation of bits in the joint size of the shear ring of w1, the shear ring of w2, and the support of r3. This problem can be solved by using a leakage-tolerate xr gadget. For a multiplication gate, similarly, we only need to compute w3x or r3. We follow ix of the r3, and first compute multiplications between every two shares, one from each input additive shear ring. Then, w3 is equal to the summation of these multiplication results. Similarly, to the addition gate, to compute w3x or r3, we can compute the summation of bits in the joint size of the outer product between the shear rings of w1 and w2, and the support of r3. Again, this problem can be solved by a leakage-tolerate xr gadget. Therefore, our other construction works as follows. We use a linear and strong T-by-independent PRG to protect the variable values. Then the goal is to compute the max-bit wix or ri, where ri is the s-output bit of the PRG. We show that the computation of the max variable values can be done by using a leakage-tolerate xr gadget. In the next part, I will discuss how we construct leakage-tolerate xr gadgets. What we want to construct is a leakage-tolerate private circuit that computes the xr function of n-input bits. We start with the following simple construction. Assume the xr gadget has access to a random additive shear ring of zero, say they are r1 to r4. We mask it into the bits xi by ri and let gi denote the results. Then we use an addition circuit to compute the xr of g1 to g4. Intuitively, the security follows from the fact that g1 to g4 forms a random additive shear ring of the output bit y. Therefore, if any inner wire is probed, the simulator can probe the output bit y and generate a random additive shear ring as g1 to g4. Then the simulator can simulate all inner wires in the circuit. In other words, probing inner wires of the gadget is not better than probing the output bit. However, this simple construction requires all of n random bits we need to de-randomize the basic construction. As we have discussed, the generic approach that relies on random locality does not work. This requires us to find a new approach to de-randomize r1 to rn. Our starting point is the following simple observation. For a set W of t-wire values, we hope that the random bits r1 to rn satisfy the following condition. The distribution of values in W when instantiated by using r1 to rn is identical to that when instantiated by using uniformly random additive shear ring of zero. In this way, any of those three that can only probe t-wires cannot distinguish these two instantiations. To better understand this condition, we first write down the inner wires of the circuit. Suppose the addition circuit first computes g1, x, or g2, g3, x, or g4, and then computes the output bit. Recall that each ti is equal to xi, x, or ri, where xi is an input bit and ri is a random bit. We can write down all the variables as follows. These variables are marked by the following random values. For the first layer, g1 is marked by r1, g2 is marked by r2, and so on. For the second layer, g1, x, or g2 is marked by r1, x, or r2, g3, x, or g4 is marked by r3, x, or r4. For the last layer, the summation of g1 to g4 is marked by summation of r1 to r4, which is equal to zero. We define a set A that contains these marked random values and refer to this set as an access set. Now we obtain the following condition. For a set W of t variables in the access set A, we want that the distribution of values in W when instantiated by using r1 to rn is identical to that when instantiated by using a uniformly random additive sharing of zero. To realize such a sufficient condition, we consider to use a set of random generator to prepare r1 to rn. With more details, we define the notion of robust parity sharing generators. Let's say an implementation C of a function g is a robust parity sharing generator with respect to an access set A if it satisfies the following three conditions. First, the output of the circuit should form an additive sharing of zero. That is the summation of all these is equal to zero. This condition ensures the correct means of the basic construction. Then we require the circuit C to be secure against probian tags in the leakage tolerate sense. In this way, they only need to focus on the output bits, since any probian tag towards the implementation can be reduced to a probian tag to the output bits. Finally, for the given access set, which consists of r1 to rn and linear combinations of r1 to rn. We require that the distribution of any T variables when instantiated by r1 to rn should be identical to that when instantiated by using uniformly random additive sharing of zero. The notion of robust parity sharing generators can be viewed as an extension of the robust T-wise-dependent PRG introduced in akl plus theme. First, we require the output bits to satisfy that there's a mission is zero. Second, those three can access to the output bits by learning not only a single output bit, but also a linear combination specified by the access set. If the access set only contains the output bits, a robust parity sharing generator degrades to a robust T-wise independent PRG. In our work, we use the probabilistic measure to show the existence of a robust parity sharing generator, which uses out of T times log T and random bits, when the size of the access set is bounded by out of N. Combining the basic instructions for the XR gadgets and a robust parity sharing generator, we obtain a leak-tolerate XR gadgets which computes XR of N bits and uses the same number of random bits. And the only problem is that if we use fresh randomness for each XR gadget, the randomity complexity will become linear in the circuit size. To overcome this issue, our solution is to use a single PRG to prepare random bits for all XR gadgets. We refer to the new PRG as multi-phase robust parity sharing generator. Let me give a quick summary of our results and the main techniques. In this work, our main contribution is the construction of private circuits that uses out of T times log T as random bits. To achieve our result, we first give an outer construction where we use a strong T-wise independent PRG to protect variable values. We show that the problem of computing the max variable values can be reduced to constructing leakage-tolerate XR gadgets. Then we focus on constructing randomity efficient leakage-tolerate XR gadgets. We start with a simple construction which requires a linear number of random bits in the input size. To de-randomize the basic construction, we give a new sufficient condition for the random source. We introduce a new notion of PRG, robust parity sharing generators, to prepare the random source required by our new sufficient condition. By using the probabilistic method, we prove the existence of a robust parity sharing generator that uses out of T random bits. Combining the outer construction and the inner construction will obtain our main result. Thank you. If there are questions, we have one of the authors here. If not, then thanks for attending the session and see you later.