 Ευχαριστώ για την εξεγραφή. Πουγιά. Καλώς καλώς φέρατε, ποιοί. Είναι ένα σχέδιο δρόμο με Αγγελουσκιαγιασί και τον Χαλίου. Είναι η έγινα της πρόσφυγης. Από την πρώτη εξεγραφή θα μιλήσω την πρωτοκρότητα. Θα προσπαθώ την πρόσφυγηση της δημιουργίας και θα δώσω τη δημιουργία που θα υπάρχει. Θα δώσω τις εξεγραφές και την πρόσφυγηση. Πραγματικά, αν δείμοστε λοιπόν, θα δώσω θεωρεί. Έχουμε λοιπόν από κάτι πολύ σκότητο. Από πραγματικά, κάθε φορές σχεδιοκοδεία... Προσθεγεία για την εκκοδεία και η εκκοδεία... και μεταξύ στιγμη φορές γραφίες. Λοιπόν, για μία θελμία, πώς αυτά κόρες η εκκοδεία... πρέπει να είναι τελευταία. Από ένα παράγραφμμα της εκκοδείας, εξεγραφή της εκκοδείας, αν υπάρχει ένα βασικό number of errors over the codeword. The non-malable codes were introduced by Zbowski, Pietras and Weeks in 2010. This year we also have another journal version of their paper. Informally, the non-malability means that you cannot create correlated codewords, meaning that you cannot tamper with a codeword in a way that decodes to a message which is related to the original one. Of course, if it is different, right? So the tampering experiment that we consider is the following. So we have the adversary, we have a message which is denoted by S. First we encode our message and we get a codeword C and then the adversary applies a tampering function f on the codeword and we have a codeword C' and then the coding takes place. So the output of the decoder can be either like the original message or it can be a special symbol bottom which basically tells us that C' is an invalid codeword or it can be like a message S' which we say that S' should be unrelated to S. And more formally, this is like the execution that was considered in the previous slide. It's what we call the real-world execution in which the adversary interacts with the codeword over the message S, the private message S. And then on my ability means that for any such adversary we have a simulator. The simulator interacts with the adversary without having access to S and he's able to produce a view which is indistinguishable from the real view, from the real execution and of course the adversary cannot distinguish between the two worlds, right? And since the simulator does not have access to S this gives like privacy over the message. So the main application of normalable codes that was like proposed in the original papers is like for having like for achieving tampering resilience against physical attacks. So let's say you have any cryptographic hardware, it can be a smart card that computes like some functionality G over private state S. So it could compute let's say digital signatures over like a signing key S. So the standard adversary, the black box adversary he's like querying the hardware, the functionality with input X and receives the output of the computation. This is the black box adversary but of course in reality the adversary can be much more powerful because he can exploit physical properties of the implementation and he can mount like attacks that we call physical attacks. So the community has like put significant effort like in modeling such attacks. So one way to model them is like considering attacks against the memory of the cryptographic hardware. So in this setting the adversary gives input X to the functionality and he can also issue like a tampering query F and he receives the output of the computation G over X but evaluated over the tampering memory value which is F of S. And the main goal is like to infer information over the private state or like to compute stuff that he wouldn't be allowed to compute without tampering. So non-malable codes provide a straightforward way to protect against such attacks and the solution is very like simple. Basically what we do is like if this is the original functionality with private state S what we do is like we encode our private state using a non-malable encoding scheme. And the compile functionality G hat first needs to recover the original methods so it first decodes S hat and recovers S and computes the original functionality over S and X. Of course this requires that the computation is trusted but this is like different line of work like modeling attacks against the computation is not considered like in this work. So any attack against the memory here like any application of a function F here can be simulated without having access to the original private state. Unfortunately we cannot achieve like security against any tampering function class. For instance consider the function that first decodes. The code word like applies any function like to the methods like plus one and then reencodes. Then the resulting code word is highly related right so we cannot achieve security against any class that contains F. So over the last years there have been many many papers that consider different models. Apologies if like you have a paper and it's not siding in this slide. So we have like split state functions. We have permutation bitwise tampering and many others. So in this work we consider partial functions. So the idea is that we allow the adversary to access arbitrary subset of arbitrary subsets of code word locations with specific cardinality. So before like in split state functions let's say you put like some structural restriction on the way the adversary is accessing the private memory but he can access the entire private memory. So he can override let's say the code word but there is a restriction for instance in split state the attacker who tamper with the left part of the memory he doesn't have access on the right part of the memory and symmetrically for the other part. So here there is no structural restriction and the adversary is allowed to choose code word locations. So as in any coding scheme we want efficiency like is measured by the information rate of the encoding scheme which is actually the message length over the code word length as the message length goes to infinity. And we also in this paper consider another measure of effectiveness that we call access rate which actually reflects the adversarial access. So it is actually the number of code word symbols or bits that the adversary is allowed to access over the total number of code word bits or symbols. And again we take the limit. So ideally we would like rate one for both of them. So the main question that we try like to answer in this paper is like if we can have like efficient non-mallable codes meaning high information rate that while allowing the adversary to access almost the entire code word we can have a high access rate. So I will give some motivation behind the model first because the attack that I described like some slides before does not apply in this setting. Fully like decoding and then encoding does not apply anymore. So this trivial attack that I described does not apply. However the fact that we allow the adversary to pick the locations carefully it allows for like potential attacks. So if let's say you use a primitive to like encryption to build non-mallable codes then the adversary if he carefully chooses the locations he can choose like a secret key and like something else and ciphertext. So if you use hash he can choose like to alter the hash and the pre-image. So he might be able somehow to create correlated code words or to break security. Secondly partial functions is a model that complies with real-world attacks like with attacks that we have seen that can recover the private state of the primitive by doing like only small modifications over the private state of the primitive. The third point is that the passive analog of this model when the adversary is not modifying code word location but he is only reading code word locations implies all or nothing transforms which is a primitive that was introduced by reverse in 1997 and has numerous applications. So all or nothing transforms say is like the adversary is similar but he only receives read access over the code word and what he requires is privacy. So non-mallable codes for partial functions imply all or nothing transforms. And finally constant functions are excluded from the model so potentially we can achieve stronger primitives. So actually this is what we do we achieve a stronger notion which we call non-mallable codes with manipulation detection which manipulation detection is on top of non-mallability. So we have simulation based security and we also achieve manipulation detection. So manipulation detection guarantees that the modified code word will either decode to the original message or it will decode to the invalid symbol bottom. So as I said manipulation detection does not apply non-mallable codes with manipulation detection but the other way around holds. And I would like to stress out that this is an important property for the applications of the primitive. So if you have manipulation detection you can use the primitive like in other settings than tamper resilience like for secure communication. We cannot allow the adversary to override the whole message. The receiver needs to know that he received actually the correct message or he wants to detect that somebody tampered with the communication. So assuming one way functions we construct this notion non-mallable codes with manipulation detection in the CRS model with rate one and information rate one minus over omega log K where K is the security parameter we are in the computational setting and then we show how to remove the CRS and we have a construction in the standard model with information rate and access rate one over one minus over omega log K and we increase the alphabet size. So before the adversary was accessing bits of the code word now he's accessing like bit strings of length log K. We have like our symbols are like the alphabet is bigger. And our results of course apply efficient or nothing transforms under standard assumptions and which is like to our knowledge is the first construction that achieves this kind of rate under standard assumptions. So I will go over the challenges a bit towards the construction. So we cannot allow the adversary to read the entire code word otherwise we have the trivial attack and of course this might not be a partial function but I would like to say it anyway. Secondly, we have an impossibility result on the information theoretic setting by Geragin Guzwami which says that any scheme that achieves a constant access and information rate it can only achieve security with constant probability. So we focus on the information theoretic setting and since we need privacy let's start like to build our construction and let's have an encryption based solution. So what we do is like, sorry, so what we do is that we encrypt our methods, we use symmetric encryption and we encrypt our methods using a secret key and then we somehow distribute like the ciphertext and the secret key inside the code word in any possible way like we don't care. We put somehow those bits inside the code word and we don't care about the structure and we might also use some other like primitives to achieve security. So those pattern bits over here denote let's say I don't know a commitment or zero knowledge proof or something that we use to achieve security. So any such type of attack like can have of construction can have a simple attack. What is the attack? The attacker simply is accessing the secret key. The secret key is short, we are in the computational setting. So compared to the methods length, the secret key length is very small. So the attacker is accessing the secret key and constant number of bits of the ciphertext and he can partially recover the message and he requires access rate of like this, of like length of SK over the methods length which is very small. So we might actually try to protect the secret key like using some inner encoding. So instead of storing the secret key directly to the code word we like store the encoding over the secret key but again we have the same problem because any such encoding will be short. It will be very efficient and its length is going to be independent of the length of the methods so we can have the same attack again. One other solution would be like to encode the ciphertext somehow so that partial decryption cannot happen anymore. However this encoding over here, its length is proportional to the methods. So the length is going to, this will affect the length of the scheme and we would like to achieve like the best possible rate. So the question is is it possible to have like access rate greater than this fraction and more generally is it possible to have access rate which is greater than the weakest primitive that you use in your construction sustains. You have a secret key of specific length. Can you read more than this specific length? So the observation here is that the structure of the code word is fixed and the attacker knows all the sensitive code word locations he knows the locations of the secret key for instance. So the main idea is like to hide the structure via randomization we somehow kill the structure and of course it is easy to kill the structure but you need a way to recover the structure. You need some information that will enable you to decode because if the adversary like modifies things if like say permute things you don't know where are like the secret key bits where is the ciphertext you know nothing. So in this work like we implement this structure recovering mechanism in two ways. Our first construction is in the CRS model and then we saw how to remove the CRS. So what we do actually is we encrypt our methods using symmetric authenticated encryption and we also apply a protection like an inner encoding to protect the secret key. Our protection over the secret key is very efficient and very simple. What we actually do is like we secret share the secret key and secret key to the third. So the value three like you can consider also other values there we just need a non-linear relation over the secret key. So we construct this encoding and we get Z and then we randomly distribute the bits of Z inside the code word according to the CRS. So the CRS defines the code word locations in which we are going to store the sensitive bits like the bits output by the inner encoding. And the remaining bits like the white bits store the ciphertext. Of course there is an important detail here. The tampering function is not adapted with respect to the CRS. So first the adversary fixes the locations of the code word that he is going to access. Then we sample the CRS and then the adversary tampers with the code word while receiving read access over the CRS which is a restriction that we will remove later. So the idea has as follows behind like the proof. Due to the suffering since we permute like the locations we can prove that the adversary learns nothing about SK and SK to the third. He's only accessing shares for those values but he learns nothing about the secret key. So let's say that he modifies Z in a way such that this pair through the function F goes to this pair SK prime and SK double prime. The idea is that having that the adversary learns nothing about the secret key if he modifies those values in a way that actually he produces like a different key different SK or different SK to the third then we can prove that the probability according to which the new value satisfies this relation SK SK to the third is negligible otherwise we have a way to recover the original secret key and we break security of encryption and now simulation is like straightforward why the adversary is only accessing shares so we can give shares to the adversary and we can check if he modifies the secret key or not. He modifies the secret key the simulator outputs bottom otherwise the secret key is secure and security follows by the authenticity property of the encryption scheme which means that if he modifies the ciphertext the simulator outputs bottom otherwise we know that the code word like is like the same the message is secure. So of course the restriction over the CRS we want to avoid it so in our next construction we managed to remove the CRS and how we are doing it we increase we increase the alphabet size so before like those boxes were bits now those boxes are blocks or symbols of size log K where K is the security parameter so again we have we encrypt and we use the inner encoding and we have a sensitive and nonsensitive blocks the white blocks are like ciphertext blocks which we call like nonsensitive and the blue or gray it should be gray but now it's blue the blue let's say blocks are like sensitive blocks in which we use to store Z the sensitive bits so the structure has as follows it's like nonsensitive block starts with a zero and stores like part of the ciphertext it's sensitive like a block starts with a bit one and stores the index of the bit together with a bit so an example for such a block would be like one five and the fifth bit of Z and we can prove security using similar arguments as before so to conclude we propose a stronger notion which is like non-minable codes with manipulation detection which we believe it might like gives us like applications of the primitive beyond tamper resilience like for secure communication or like anything like any application which you require some sort of like detection if like the attacker has modified the original message or not we have efficient constructions for this notion for the class of partial functions constructions that are like they can be all like implemented and we also propose several applications like in tamper resilience cryptography for Boolean and arithmetic circuits and for secure communication of our adversarial channels and of course the application like that comes all the applications that are like come from all or nothing transforms thank you for listening and I'm happy to answer any questions the paper is on the print