 Ho ho ho! Merry Christmas! My name is Bernardo David and I'm here today to present to you a little taste of our paper called YOLO YOSU, Fast and Simple Encryption and Secret Sharing in the YOSU model, which is joint work with Ignacio Cascuto, Lydia Garms and Anna Skoling. The whole inspiration of this paper is the so-called YOSU model of computation, I mean secure computation. In this model we go from the traditional multi-party computation model with a fixed set of parties and several rounds where each of these parties interacts with each other to a more flexible model in a way and inflexible in a completely different way where each party can only speak once. In the YOSU model you only speak once, you have a huge pool of parties and then you sample smaller subsets of these parties in order to perform your MPC protocol. Each of these subsets of parties, each of these committees will be responsible for computing one round of this protocol and after they speak, after they send their message to the next set of parties, they have to stay silent. Most importantly, this committee stays anonymous until the point where they actually perform an action where they send their message, which gives us security against adaptive corruptions. Also, the point that you're able to sample small committees from a huge set of parties helps us with the scalability problem. However, when you work in this model, you have to worry about the problem of going from constructing secure channels with a public infrastructure and traditional public encryption, which we do in standard MPC protocols. And you need to actually figure out how to construct secure channels among parties who do not know each other. You need to be able to allow one committee who is executing a given round of the MPC protocol to communicate its state to the next committee whose identity is unknown until they speak themselves. Obviously here we cannot simply rely on our traditional public encryption schemes and our traditional public key cryptography techniques, we need something else we need to be able to encrypt towards an unknown party who is executing a certain role in the next round of this MPC protocol. Several previous approaches have been proposed to solve this problem. The main, the start of this line of work was this paper called Can a Blockchain Keep a Secret by Ben Hamouda and others, where they construct a protocol that allows evolving committee protocol to transfer a secret that is proactively secret shared from one committee to the next committee to the next committee, however they only tolerate less than a quarter of the parties being corrupted. Then the Yoso MPC paper itself that built on this idea in order to create the sort of MPC where each round is executed by a different committee. Use an idealized model where you get an ideal channel that allows you to communicate some secret states to a committee that will be acting in the next round. However, they don't show any construction of their idealized model, although they needed to be secure against less than half corrupted parties. The same authors of the Yoso MPC proposed the idea of a random index PIR, which is a private information retrieval protocol where parties are able to retrieve some data from a random index without revealing that to the servers and they use that plus some techniques like MPC had to implement a way to retrieve random public keys associated to random identity so they can actually encrypt data towards someone whose actual identity they don't know. The problem we're trying to address here is how to construct a efficient channel from one committee in Yoso MPC to the next committee, while also achieving a publicly verifiable secret sharing scheme that is compatible with this The approach we take is a little bit different from the previous approaches. We're actually building on the work that is being presented also in Asia-Pacific this year called encryption to the future. That defines a primitive that allows you to encrypt data towards a role rather than a party. A role is assigned to a party according to a lottery predicate that tells you whether a given party has been assigned a given role at some point in time. So you can have a role identifier string that uniquely identifies a role, and then you have time divided in slots according to a blockchain protocol. When a certain block is produced in a given slot, that block will allow you to determine which party will be performing a given role at that slot. And so encryption to the future ciphertext that have been generated towards that role can be decrypted by the party who has been selected according to some lottery procedure that can be checked by this lottery predicate. While this work by Campanelli and others in Asia-Cryptus year actually produces the first definition for this primitive and introduces a number of different ways of constructing it. It still suffers from some drawbacks in terms of concrete efficiency and also in terms of compatibility with existing publicly verifiable secret sharing schemes. In this paper, we will construct what we call encryption to the current winner, which allows you to encrypt a message towards a party who executes a role according to the lottery predicate when given the current state of the blockchain. So there's already enough random message of blockchain to determine the identity of the current winner of this role, although that identity remains hidden until that party acts. We do that using the idea based on shuffling, which gives us consent size for the ciphertext as opposed to ciphertext with the same number, the same size as the total number of parties. And then we use the idea of the ETF paper to show that it can actually take this encryption to the current winner and realize you also MPC, or even get full-blown encryption to the future towards people who might be elected for the future by using IBE and a committee that has communication independent from the number of messages or length of messages. Our contributions here, apart from this construction of encryption to current winner using shuffling are a publicly verifiable secret sharing scheme that is compatible with our ECW scheme in a way that we have proofs that the set of shares has been correctly generated. There are off-size independent from the number of parties, and that can give us actually a very efficient implementation of PVSS more efficient than our previous words such as Albatross or Scree. We also show how to efficiently do re-sharing with public verification for this PVSS protocol, and we finalize here with some constructions. Our constructions are based on DDH and as well as a generic linearly homomorphic encryption scheme, and we believe that as far as we know this is the most efficient PVSS scheme constructed today, even independently from our YOSU application. As future words, we would like to instantiate our framework under different assumptions rather than this DDH instantiation we show. A promising approach is using the Castagnos-like-Yomi approach for linearly homomorphic encryption, and we would also like to get better concrete constants and parameters for the full-blown PVSS on top of ECW implementation. Thanks for attention, and I hope you enjoy this conference, and Merry Christmas to all of you.