 Hello, I am Mathieu Rambeau, I am going to present the paper, a symbolically good arithmetic secret sharing over Z modulo p to the LZ with strong multiplication and its application to efficient multi-party computation. The content of this paper is that we consider gadgets for information theoretically secure computation, which were already known over finite fields, typically Z modulo pZ. And we construct them over the ring Z modulo p to the LZ, of which the most interesting case is p equal to the ring of machine integers. We construct them with the same parameters as so far known over finite fields. The gadget considered as our secret sharing with the strong multiplication, reverse multiplication friendly embeddings, which enable to harmonize the cost of the simultaneous evaluation of the same circuit in parallel. And finally batch verification of beaver multiplication triples. For this last gadget of independent interest, we also improve its communication complexity over finite fields. And therefore, as a particular case of our methods, we recover directly the results of polycronado and song about information theoretically secure computation over the field Z modulo pZ. The main motivation for these these gadgets are secure computation directly over the ring Z modulo p LZ. Namely, when we consider an arithmetic circuit expressed with multiplication and addition gates, modulo p to the L, the question is, what's the best protocol enabling to evaluate the circuit. There is an indirect approach consisting in emulating this circuit from a circuit over finite fields and then using known methods over finite fields. But here we are considering the we are considering protocols that are naturally expressed over the ring Z modulo p LZ. And we asked the question, how far can these protocols be efficient. The complexity of such protocols are naturally measured in terms of communication the number of elements of the ring sent on the network. And for the computation complexity, it is measured in terms of additions and multiplications modulo p to the L. The answer to the question, which comes as a corollary of our results, is that for a circuit naturally expressed over the ring, there exists a protocol naturally defined over the ring Z modulo p LZ, whose complexity is exactly the same as the complexity of the best known protocol over fields that computes the circuit modulo p. This is the best we could hope for. Let's define the gadgets in more detail. Recall that a secret sharing is a randomized transformation taking a secret to a vector of n shares and the number of players. This threshold t guarantees that up to any t shares reveal no information on the secret, while the strong multiplication property states that starting from two vectors of shares of two secrets, consider the products component by component product share by share. So if we start from these products share by share, imagine that T of them are missing so that we have only n minus t products share by share strong multiplication guarantees that the product of the two secrets encoded by these numbers of shares is anyway reconstructible from the n minus t remaining share by share products. The second gadget are reverse multiplication friendly embeddings. They consist in linear maps, taking vectors of length K to elements of a Galois field extension of degree say M. Such that when we they guarantee that to compute it is possible to compute the product of two input vectors component by component from the knowledge of the product of their images. The next time fear of why the parameters of these gadgets is the lower M the extension degree, the better it is, and the higher K the number of products computable the higher K the better it is. Similarly, the third gadget is the beaver multiplicative triple verification. It was so far known as a protocol but we can formalize it as a gadget that takes as input many triples, and each of these triples comes as a shared secret. AI is a vector of ensures be I a vector of ensures CI a vector of ensures and this for I from one to two big and the number of multiplicative triples. The linear map outputs takes all these vectors of shares and output a result which determines with high probability if the triples are multiplicative or not. And in the process this reveals no information on half of the triples. And therefore, they are usable in the secure computation protocol. The main technical task of the paper is to find codes with square of large distance. Let me define the terms and motivated this question. For two vectors X and Y we denote the star product as the vector of same length consisting of the products coordinate by coordinates of the two vectors. And when we consider a code of a ring, we ask that it is freely generated. It is a free module. That K be the number of independent generators. And we define the square as the code in the same space generated by all the star products between elements of the code. In particular, a generating family consists in the basis vectors EI star EJ for all IJ in the range K, and we can always assume I smaller than J. This family of generators is of cardinality KK plus one over two. The bad news is that actually a generic code has its square of dimension KK plus one over two. Namely, generically, it's the result in bread. There is no linear relation between this family of generators, the star product of element of the basis. Why do we want to find codes with a small square and thus large distance because then this implies that the product of two secrets is reconstructible from a few products components by components. And we call that a vector of product component by component is none other than an element of the square of the code. So this is the main motivating question. And let us recall solutions for this program over finite fields. The first example or read Solomon code, they consist in evaluation at end points of polynomials of degree up to K minus one. Therefore, the, the square has small dimension to K minus one. That's just big distance. The problem with with Solomon code is the, the size overhead, because the module speed of the finite field, the cardinality needs to be higher than the length of the vectors to have enough evaluation points. This problem is overcome by algebraic geometry codes. And then we can enable codes of arbitrary large length for fixed P prime number. Then the natural question is how to carry these constructions over rings. And a strategy that works very well for some properties is to start from a good code. Lift arbitrarily the coordinates of generating family. And this produces a code over the ring module P to the L that has same dimension, same distance, and dual distance than the code below. We call that your distance is parametrizes the privacy threshold of a shared secrets, a secret shared by your code word. But this strategy fails for the square of the code. If we start from a code module P that has a small square, then when we arbitrarily lift the basis of the code as before, it is not guaranteed anymore that the square will be small. And actually the square is typically large. We give some examples in the paper. But let me give the intuition, it's because the code with a small square, this means that there are many linear relations between the KK plus one over two generators. But this linear relations module P, there is no reason that they also hold module P to the L. This is a big problem. There is a solution to this problem for retellament codes. Namely, we just directly define the code above over the ring as the evaluation code of the polynomials of degree, smaller than K defined over the ring. And this produces a code whose square is of same dimension, 2K minus one, as the square of classical read Solomon codes over fields. Now we ask the question, is it possible to do the same construction directly or algebraic geometry codes, which do not have the size overhead. And this is the main theorem of the paper. This states the existence of lift module P to the L of a g codes that have the same distance, the same big whose square has the same big distance. The proof is not necessary to understand the rest of the paper but let me overview it. So what we start with an HG code is built from a space of functions, which is L of D bar, which is an notation for the Riemann-Rohr space. It's a space of functions defined over an algebraic curve whose poles are of smaller order than the data of this, which is called the divisor D bar. Now we bounce the pose of the functions considered this space of functions is a dimension K. And this is the dimension of the evaluation code. So the code is defined as evaluation at endpoints of this vector space of functions. So it is very similar to read Solomon codes. Now we can we lift this material module P to the L. A celebrated result in algebraic geometry states that it is possible to lift the curve X along with the divisor and the points. Now, we can define a space of functions associated to the lifted divisor. And from this recent results of Judy Walker, guarantee that the space of functions above is actually of same dimension it subjects module P to the space of functions below. The result of Judy Walker guarantee that the evaluations at the points above of the space of functions above is injective and this map of evaluation above it subjects module P to the map of evaluation below. The consequence is that the image of the evaluation map above is a code which is a lift of the code below a free module of same dimension. And therefore, by the previous results, it has same dimension and distance. This miracle, we can reproduce it, not for the divisor D, but this time for the divisor 2D. And indeed, the square of the code belongs to the evaluation code of the divisor 2D for the same reason as for read Solomon code, the square of a read Solomon is corresponds to evaluations of polynomial of degree 2k. Here it's the same. It's the similarity. And therefore, the square is small. It has a large distance, because we have this inclusion of codes. This was the existence theorem. The use is that we can directly compute a lift of a G codes in L steps, each steps is takes as input a code module P to the L and outputs a code module P to the L plus one with the square of same dimension. The technique is classical. And therefore, we're going to recall it. It is called handsome lifting. And this theorem, which is actually how to prove it is proven only in the long version of the paper guarantees that this handsome lifting always returns a solution, a code module P help us one with a square of same small dimension. But consistent. Considering all the generators of the square, the E I star E J, and expressing them on a basis of the square basis be of small cardinality, because the square is divided by hypothesis small. When we write this decomposition model of P to the L plus one by lifting I'll be traveling the basis vectors. There appears an error term, the quality is not anymore true. As we said before, there is no reason why linear relations model of P to the L would still hold model of P to the L plus one. The goal is to search. Lifts of the basis vectors in new I and coefficients long than new module appeal plus one such that's the previous linear relation also holds module appeal plus one. Without loss of generality, you can express them as arbitrarily lifts of the previous basis module appeal, so lift module appeal plus one, plus a corrective term of the form pl times a vector fi. Same thing for the coefficients, which we can always look for in the form of an arbitrary list of lambda plus a corrective term. And we inject this form into the previous system. And after a miracle, which is a simplification, we can cancel out from the same, the equality from which we started. By canceling this equality, we obtain a system of the form and equality, a list of the qualities, which are all multiples of module P to the L. And so we can divide everything by P to the L and obtain a linear system over the finite field, the module PZ. And the unknown are exactly the corrective terms that we are looking for. So this concludes the theorem. Thank you very much for your intention. And don't forget that this explicit computation are possible because we have tools for computing the age codes overfield the starting points. It is an active field of research to make this algorithm more efficient.