 Hello everyone, I am Gianlo Gabbrian and I am here to talk about our paper Non-Malleable Secret Sharing Against Bounded Joint Tampering Attacks in the Plain Model. So let's start with what Secret Sharing is. Secret Sharing is a cryptographic primitive in which a dealer wants to share a secret message among NNet parties so that only certain subsets of parties are able to reconstruct the message. As simplicity in this talk I'll only consider T-out event secret sharing, however in our paper we actually consider more general access structures. When considering T-out event secret sharing the correctness property states that T or more parties are allowed to fully reconstruct the message by pulling their shares together, while the privacy property states that less than T colluding parties cannot learn any information about the secret. Now, even if a secret sharing scheme is secured in the sense of the privacy definition, an attacker could try to obtain information about the secret in some other subtle ways. For example, the attacker could leak some information from possibly all the shares in order to obtain information about the secret, or he could also try to manipulate the shares and then manage to see the result of this manipulation on the reconstructed message. Since this kind of attacks are quite powerful, recent trends in cryptography initiated the study of proper countermeasures. In particular, in 2018, Kumar Mekka and Sahai came up with leakage resilient secret sharing in which they achieved a secret sharing scheme that is secure even if the attacker manages to leak a small amount of information from possibly all the shares. Before them, in the same year, Goyal and Kumar came up with non-malleable secret sharing that is a secret sharing scheme in which even if the attacker manipulates the shares, the resulting reconstructed message is completely unrelated to the original one. Subsequent work kept in captainancing these two properties and often they are achieved together in what is called leakage resilient normal ability. Clearly, we have to put some restrictions since, for example, the attacker could jointly leak from all the shares and simply output their constructed secret. For this reason, leakage resilience and normal ability are always defined against particular family source functions. In our paper, we consider joint leakage and tampering attack models both under selective partitioning and under semi-adaptive partitioning. About the leakage model, we consider bounded leakage in which the adversary is allowed to obtain a leakage string that is at most L bits long, possibly also using multiple queries. Under selective partitioning, we prove that any one-time statistically non-malleable secret sharing scheme is also leakage resilient. And in this setting, we also obtain a corollary for lower bounds in the size of the shares of non-malleable secret sharing schemes. Actually, the proof of this fact is quite straightforward. By proving that any non-malleable secret sharing scheme is also leakage resilient, it only suffices to apply a result from Nielsen and Simkin in 2020 for lower bounds in the size of the shares for leakage resilient secret sharing schemes. As for semi-adaptive partitioning, this is almost like adaptive partitioning, but with some restrictions on the tampering query. In this setting, we construct a one-time non-malleable secret sharing scheme achieving security against joint leakage and tampering under semi-adaptive partitioning. And finally, we use known techniques to construct a compiler that takes any one-time statistically non-malleable secret sharing scheme and outputs a p-time computationally non-malleable secret sharing scheme. Okay, let's see more in detail how these models work. In the case of selective partitioning, the adversary commits to a particular authorized subset of its choice, which we call the reconstruction set, and also commits to a particular partition of known overlapping subsets of the reconstruction set. After that, the adversary is free to leak from all the shares within each subset. In particular, in a leakage query, the adversary outputs some functions g1, g2 and so on, for each subset, and each function takes as input all the shares in its subset and outputs a binary string. After the adversary is done with leakage, he is also allowed to output a tampering query f1, f2 and so on, and in this case, each function takes as input all the shares within the subset where it is defined, and outputs other shares within the same subset. Then, the reconstruction is computed using the new shares and the adversary only sees the result of the reconstruction. In this setting, we prove that any one-time non-malleable secret sharing scheme is also L-bounded leakage resilient. We proceed by complexity-leverging, and in particular, we construct a reduction that tries to guess the leakage string. First of all, the reduction commits to the same reconstruction set and partition of the adversary. Then, upon receiving a leakage query, the reduction samples a random binary string of the size of the expected output and returns it to the adversary. For simplicity here, I only consider one leakage query, however, with the same technique, we actually prove security even in the presence of multiple leakage queries. After the leakage phase, the adversary outputs its tampering query, and now the reduction constructs a new tampering query that hardwires the original one and all the leakage functions with their respective randomly sampled answers. The new tampering query checks if the guess on the leakage is correct, and if not, invalidates the reconstructed message. In particular, since each tampering function fi takes as input the exact same shares of the corresponding leakage function gi, the new tampering function fi hat computes gi and checks if the result is equal to the random guess. If it is so, then it applies fi to the shares, and otherwise it destroys the shares so that the resulting reconstructed message is not a valid message. Moreover, since we are considering tampering on a minimal authorized subset and we are considering a partition of that subset, every share is needed in order to reconstruct the secret, and therefore the adversary cannot bypass the check on the leakage. In other words, if the guess on the leakage is wrong, then we are completely sure that the tampering fails and the reconstruction and the reduction we see is both as an answer. Okay, so the reduction now sends the new tampering query to the challenger and forwards the answer to the adversary, and finally it outputs the same distinguishing bit as the adversary. For the analysis, suppose that the adversary has an advantage of the more than epsilon, and let's figure out what the advantage of the reduction is. First, when the adversary manages to guess the leakage, the view of the adversary is the same as in the real experiment. In fact, the answer to the leakage query is correct and also the answer to the tampering query is computed by using the tampering function of the adversary. On the other hand, when the adversary does not guess the leakage, then the view of the adversary is completely independent of the secret shared message and thus it is completely independent of the challenge bit. And this is because when the guess on the leakage is wrong, the adversary obtains a uniformly random string instead of the actual leakage, and moreover the guess on the leakage being wrong causes the new tampering function of the reduction to replace the shares with garbage, and therefore the reconstructed message is replaced with both regardless of it being M0 or M1. So being both the result of the leakage and the result of the tampering independent of the shared message, so is the view of the adversary, and therefore he has now no advantage at all. Finally, since the adversary is limited to ask a model at most L bits of leakage, the string that the reduction randomly samples is at most L bits long, hence the probability of guessing the right leakage string is 2 to the minus L, and the advantage of the reduction is more than 2 to the minus L times epsilon, and this means that if there exists an adversary breaking leakage resilient normalability, then it is possible to break simple normalability, and this concludes the proof. In the case of semi-adaptive partitioning, the adversary is allowed to perform the same queries as in the selective case, however here the adversary does not commit to a particular reconstruction set or partition, but he is allowed to choose a different partition for each query. The only restriction we require is that there are no partial overlaps between the tampering partition and the leakage partitions. In other words, for each subset X of the tampering partition and each subset Y out of each leakage partition, either Y is inside X or it is outside X. It is not allowed to have some shares of Y inside X and some other shares of Y outside X. Informally, this allows us to create the tampering query almost like if it was in the selective partitioning model, while the leakage queries resemble more the adaptive partitioning model. In this setting, normalability is much easier to achieve than in the original adaptive partitioning, and this allows us to prove security of our construction. Actually, our construction is inspired by the construction of Goyal and Kumar and involves a normalable code and two distinct secret sharing schemes with different parameters. In particular, the normalable code outputs a left share and a right share, and then we apply a joint leakage resilient secret sharing scheme to the left share realizing a T out of N access structure that is the same as the one we want to achieve, and then we apply another joint leakage resilient secret sharing scheme to the right share with a reconstruction threshold of approximately the square root of T. Finally, we obtain the new shares by concatenating each left share with the respective right share. As for the proof, we generalize the analysis of Kumar-Meghan-Sahai, and in particular we obtain the leakage and tampering existence of the scheme to be against joint attacks with up to square root of T shares in the semi-adaptive partitioning model. The actual proof is quite long and full of details, so I'll only summarize the key ideas here. First of all, once the tampering clue arrives, we split the reconstruction set into two non-overlapping subsets, T0 and T1, so that T0 has sufficiently many shares to reconstruct the right share of the normalable code. Then we proceed by hybrid argument. In the first hybrid argument, we replace all the left shares within T1 with valid shares of the same secret message that are consistent with the leakage performed by the adversary. Here is where the restriction on the semi-adaptive partitioning comes into play. In fact, without this restriction, some of the shares in T1 may be related to shares of T0 by the output of some leakage query. However, semi-adaptive partitioning ensures us that this does not happen and therefore it is safe to resemble all the shares within T1 without actually knowing the shares in T0. The rest of the proof is similar to the one by Kumar, McKensahay, and in particular we move to the second hybrid experiment by replacing all the left shares with left shares of a secret sharing of a dummy value. And for the third and the fourth hybrid experiment, we simply reapply the same ideas of the first and the second hybrid experiments to the right shares. The only difference in this case being that where we're sampling the right shares for the tampering, we need to be consistent also with the modifications introduced in the previous hybrid experiments. Finally, since the tampering on the left shares and on the right shares can be computed independently, it is now safe to reduce the non-malability of the non-malable code and this finally concludes the proof. As an application, we construct a compiler that takes a leakage resilient one-time statistical non-malable secret sharing scheme and outputs a p-times computationally non-malable secret sharing scheme. Actually, we use known techniques from paper achieving continuous non-malability and in particular in our construction we sample random coins for a commitment scheme, then we compute a commitment to the secret message using the sample randomness and we secretly share the concatenation of the secret message and the randomness. The final right share is composed by the commitment and the right share of the underlying secret sharing message. The reconstruction algorithm works as follows. Each share is parsed in a pair commitment in our share and then the algorithm checks that all the commitments are actually the same. If it is the case, the algorithm proceeds to reconstruct the secret along with the randomness and finally verifies that the pair message randomness is a valid opening for the received commitment. If not, it outputs both, otherwise it outputs the actual secret message. The key ideas of the proof are very similar to the ones in Breanne Faunioff in 2019 and in particular we proceed by induction over the number of queries. In each step, we simulate the tampering with leakage by obtaining the mold commitment and then extracting the respective secret message. When the final tampering query occurs, we then check that everything we have done so far is correct and if not, we abort, otherwise we proceed to forward the tampering query to the challenger and the respective answer to the adversity. Since we use a perfectly binding commitment scheme, we only achieve security in the computational setting and since we consider the bound and leakage model instead of the noisy leakage model, considered by Breanne Faunioff and Turi, we are only able to achieve p-time normality with p being fixed a priori. However, we obtain security against a larger class of attacks that is joint tampering under both selective and semi-adaptive partitioning. Moreover, it is always possible to increase the parameter p by increasing the amount of leakage allowed by the underlying secret sharing scheme. So, summing up, our results are the following. We prove that any non-malleable secret sharing scheme is also leakage resilient. We construct a leakage resilient one-time non-malleable secret sharing scheme that is secure against semi-adaptive partitioning and we find corollaries proving lower bounds on the size of the shares of a non-malleable secret sharing scheme and finally we construct a p-time non-malleable secret sharing scheme in the computational setting that is secure both against selective and semi-adaptive partitioning. As for the open problems, we are currently working on this topic and actually we have some preliminary work in progress towards the following over problems. The first one is the construction of a continuously un-malleable secret sharing scheme against joint tampering under selective partitioning. In this paper, we only achieve p-time non-malleability and at the moment the only two schemes achieving continuous non-malleability are either secure against independent tampering only or secure in the common reference string model but we would like to obtain security against a larger class of attacks and at the same time we want to get rid of the necessity of either a trusted third party or an un-tamperable swing. However, we leave it open to find out to construct a continuously un-malleable secret sharing scheme that is secure even in the presence of semi-adaptive or even more adaptive partitioning. The second problem we are working on is to improve the rate that is the ratio between the size of the message and the size of the shares. Towards this, we are going to improve this asymptotic rate thus reducing the gap. However, we still do not know if the same optimal rate of classical secret sharing from craftseats, paver, secret sharing made short also applies to non-malleable secret sharing or if non-malleability requires a further limitation on the size of the shares even in the computational setting. And that's it. Thank you very much for your attention and enjoy the rest of the conference.