 My talk is about undercomplexity of Arosmek Secretary. This is a joint work with Renat Krama and Xinchao Pin. Here at the outline of my talk, first I want to introduce some background of Arosmek Secretary's scheme, and then I will give all our new construction of Arosmek Secretary's scheme. At the end, I will give some concluding remarks or suppose some open problems. So first, what is Secretary's scheme? I just give some narrow sense of Secretary's scheme, which is for all our convenience. So our Secretary's scheme is just a secret S on my own parties and with these following requirements. First, it has T privacy, which means that any T parties learn nothing about Secretary's S, also R reconstruction, which means any R parties can compete to recover S. So our Secretary's scheme, we just require that it has T privacy and R reconstruction. So there's a very famous Shenmueh Secretary's scheme, which can realize the Secretary's scheme we mentioned in our previous slide. So yeah, what is Shenmueh Secretary's scheme? So assume that we have a secret S, we just pick random D equity polynomial effects with F zero equals S. So each party PI will receive a share of alpha i, alpha one to the alpha n, n distinct the elements, also non-zero. So we can show that this Secretary's scheme has T privacy and D plus one reconstruction and due to this laground interpolation. Yeah, let us go a little beyond Secretary's scheme and we want our Secretary's scheme to be linear, required a linear Secretary's scheme. Our Secretary's scheme has a secret space Q to the L and a share space FQ and there are n parties. So this Secretary's scheme has a Shenmueh scheme, which given a S secret as an input and it will generate n shares as one to the SN. So it's this Secretary's scheme has a key privacy here for SI and also any T shares SI implies nothing about the Secretary's S. So also our reconstruction, which means that any R shares of the parties when this reconstruction scheme will recover the Secretary's S for any R shares. And besides this Secretary's normal definition of Secretary's scheme, and it also has another property, which called the linear RT. So I assume that we have two vectors belong to this Secretary's scheme. And so the secret is X and Y, the linear combination of the secret X plus lambda Y, which can be recovered from the linear combination of the shares X one plus lambda Y one to the XN plus lambda YN. So for this linearity, if our Secretary's scheme has this FQ linearity, we call it a linear Secretary's scheme. Okay, so let's go a little beyond the linear Secretary's scheme. You want the Secretary's scheme to be, to have a multiplicative property, we call it Arithmetic Secretary's scheme. The formal definition is that a sigma is said to be C strongly multiplicative, first it has a T privacy, and then the reconstruction is even more strict restrict. It's more strict because we don't require the reconstruction, we also require the product reconstruction, which means that if we have two vectors belong to this Secretary's scheme. And so the component Y's product of the secret X, Y can be recovered from the product of the shares, but not all shares, but N minus T shares. So if our Secretary's scheme satisfies these two property, and of course it's also should be linear, then we call it a T strongly multiplicative linear Arithmetic Secretary's scheme. So also sigma is said to be asymptotically good. Yes, and if a Q is fixed, and N over T, a T over N, and A over N are positive constant. So we want T and A are linearly N, and the Q is fixed. So when N goes to infinite, and yeah, it's still be a positive constant, then we call it asymptotically good Secretary's scheme, which we borrowed this concept from the coding theory. So if our course is said to be asymptotically good code, then the relative distance and the rate of code are positive constant when the length of the code goes to infinite. So there are now some non-count results, and we know that there exists construction of asymptotically good T strongly multiplicative Arithmetic Secretary's scheme over any fixed finite field. And this construction is derived from algebraic geometry code. Also it's not very elementary. So you have to know a lot of things about algebraic geometry code, so as to construct this code. This is Secretary's scheme, and also the shear and recontract scheme efficient because they both of them range polynomial time, and also, yeah, but it's not a linear time, and it's at least a quadratic time, because it reaches due to the encoding and decoding algorithm of algebraic geometry code. So also there is a big gap in the number of parties, and also this gap, why has this gap? Because of our Secretary's scheme, and because the Secretary's scheme is asymptotically good, which means that we have a family of Secretary's scheme on n parties, so the part n goes to infinite, which gives you a family of Secretary's scheme, and each family, each Secretary's scheme, and in the, each adjacent Secretary's scheme, there's a jump on the number of parties. So this jump is linear in n, also sometimes the jump is very big, so it's due to the algebraic geometry code. So we cannot make it very small, and there must be a big gap, which will cause the loss of performance in terms of the privacy and the reconstruction. I will note there are many applications we just list, I just listed some of them. So the first application is amortized the communication complex of MPC protocol, and also they are, yeah, in MPC protocol, most of that we require that our Secretary's scheme to be multiplicative, and also we want it to be asymptotically good in some application, so which will give the merit of amortizing the communication complexity. The second application is zero knowledge approval protocol, and so for example, MPC in the head is the second application, or the third application is a positive rate of least transfer for our noise channel, so they are also extra, extra, extra, there are lots of other applications, yeah, we just mentioned some of them. Okay, so let's introduce our new approach. Yeah, here we also construct a new, construct asymptotically good to strongly multiplicative arithmetic sequential scheme over any finite field, it's over any fixed finite field. Oversharing and reconstruction scheme for C linear time instead of for previous scheme, they will, they have to rain at least a quadratic time. The gap in our new scheme is negligible, and so the third merit is that the construction only relies on the existence of asymptotically good algebraic geometry codes instead of its algebraic structure. To be more precise, precisely, actually our construction only relies on the existence of multiple good multiplicative codes, or maybe a good asymptotically good arithmetic sequential scheme. If this scheme exists, then we can find it very efficiently. So this is the assumption we need, but we don't need assumptions that, yeah, we have to know the structure of this code, and so that we have to know the encoding at the coding algorithm. Actually, we have, we don't need to know any of it. So yeah, this is also another good thing for in our construction. Okay, so there are three building blocks in our construction. So we need a variant of the Schemar sequential scheme with a sequence space over a large field, and so different from the normal Schemar sequential scheme, the circuit and the share are over the same field, and in our construction, we require that they are over different fields. The combination of two are Schemar sequential scheme gives rise to a new Schemar sequential scheme. So the combination idea for Schemar sequential scheme, yeah, it's so far as we know, we introduced this combination scheme, and this is the first time the combination idea from the coding theory are introduced to their arithmetic sequential scheme. So I thought the third block is a reverse multiplication for the embedding, which you can split sacred over a big field to a sacred in some small field, but with a big dimension. So on this IMFE, we are keeping the multiplication property. So these are basically two to three building blocks that we need in our construction. So first we will introduce this variant of Schemar sequential scheme. So what is this variant Schemar sequential scheme? And we have a sacred space Q to the L and a shared space Q. So later we need two are gamma, which is a primitive element in a big field FQ to the L and also alpha one to alpha N, which is a element is FQ to FQ and also they are distinct. The Schemar scheme is just giving a sacred S of a big field, which depict random polynomial of degree AR plus T so that F gamma equals S because gamma and S they are defined over the same field. So we can do that. And so the share is the F alpha one to the F alpha N and so the real constraint scheme you do as follows. We can use the like large interpolation and then with the so to recover effects, once we recover effects, of course we know F gamma and we know the sacred S. This scheme is also T-strawling multiplicative here for S3T plus two L is less than N. So this is the first building block of our scheme and the second building block is the conkination. So we just introduced the conkination of learning linear sequential scheme. So we have two linear sequential scheme, sigma one and the sigma two and the sigma one is defined over sacred space is over the big field FQ to the L and the share space FQ and the second scheme and the sacred space is FQ, which is the share space of the first scheme and the share space of the second scheme is FQ, Q is small Q. So the conkination of these two scheme is just like this. And so for each share of sigma one, we use sigma two to reshare the share. So we treat each share of sigma one as a sacred and they use the six sigma two to sacred share the share. So this is the idea of the sequential scheme. And we can show that the sigma is T1 plus T1, T2, that's strongly multiplicative. You have sigma one is T1, what is strongly multiplicative and the sigma two is T2, what is strongly multiplicative. Also sigma one has a sacred space FQ to the L and the share space FQ and over MN parties and it can share the sacred on MN parties. And yeah, in fact, we can also set M is all log N and the Q is all log T. So that means M and the Q are very small compared to N and the Q, big Q. The third building block is a reverse multiplication of brandy embedding. RMFV actually consists of a pair of maps, phi and the psi. So that phi is just the maps from a vector space to a field and the psi is from a field to a vector space. They just answer the combination of these two maps will map the vector space back to itself. And we also require that these two maps are linear maps, FQ linear maps. And so this in the following conditions, X satisfies, X the compound product, Y's of X, Y equals and the first two we just map X from a vector space to a field and then, sorry, then and then we have we just also map the Y in the same manner. And so phi X and phi Y just are two elements in a big field and the product of these two elements also in this big field. And then we make it map it back to a vector space. So by doing this one, and we, yeah, so we call it, so we, so these are pair of maps that satisfy this property and this we will use it to split the circuit. So the circuit, once the circuit, the circuit in a big field, the product of a circuit in a big field will be split into multiple circuit. Each circuit is in a small field and the compound Y's of the circuit in a small field just like the here X times Y which implies a circuit in a big field phi X times phi Y. So this is basically what we need for our smart secretary scheme construction. So this IMF we can be constructing in course in your time. So then we can put everything together. So the first step is that we, we concatenate, concatenate to second-chamber secretion scheme which give our respect secretion scheme. And this secretion scheme has a very big field. A circuit is over a very big field FQ to the L and then the share space is over a very small field is FQ. And so, and then we also need a third strongly multiplicative a respect secretion scheme which is asymptotically good is compared to this secretion scheme. They are not asymptotic good, but the good thing is that for this the third secretion scheme and we, the secret space is over FQ, the share space is over F log Q. Log Q is a very, very small. And log Q is a log log of capital Q, which means that, yeah, we can find it in a very, in only linear time in big Q. So this is, I mean, and also it's guaranteed by algebraic geometry code. So this is a good thing. And then we know the existence of this code and then we just look for this code. And the search space is very, very small. So we can do it in linear time, almost linear in linear time. And so step three is that we can concatenate sigma one with sigma two, which gives our asymptotically good strongly multiplicative arithmetic secretion scheme. And the secret space is Q to the L is very big and the share space is log Q is very small. And so because the secret space is a very big filter, we apply the IMFE to the secret space FQ to L so that to obtain a secret space and over log Q, but dimension is linear is omega MN, which means that it's linear in MN. So this is what is required for this asymptotically good arithmetic secretion scheme. So we have done, we've done. Okay, so let's give some concluding remarks. So in this work, we represent an asymptotically good strongly multiplicative arithmetic secretion scheme. And this scheme, this new scheme and you can share and reconstruct the secret in cos linear time and also can be efficiently constructed without knowing the structure of algebraic geometry code because we only search for this code instead of using the algebraic structure of this code. So that's the search, because the search space is very small so we can do it very efficiently. So we don't need to know any structure or any structure of this code. So this is the first thing. Also can share a secret number of parties without loss of its performance. That means that we have a very small gap, the gap is very small so we can do it. Okay, so there are some open problem we might explore in the future. So first problem is that can we make this arithmetic secretion scheme linear time? So currently the bottleneck of our scheme is the encoding or decoding of our IS code because IS code can only be encoding and decoded and decoded in cos linear time. If we replace, we can replace cycle with some other code which is also multiplicative and also running linear time. Yeah, we can do that, but yeah, it's a very challenging. So we don't know if we can do that. Also the second problem is that can we complete get rid of our algebraic geometry codes in the arithmetic secretion scheme? And for example, we just want an elementary construction of arithmetic secretion scheme. So we don't know if there exists a good asymptotically good algebraic geometry codes or asymptotically good multiplicative code. We don't know the existence of this code or we don't realize that any existence of this code. We just constructed it from scratch, is that possible? Yeah, so yeah, we don't know that, but it's worth exploring. Thank you for your attention.