 Please, seated, we would like to begin. So welcome to the last session of one of the non-malarial curves. We have two talks. The first talk on non-malarial randomness encoders are the implications, where Bahá'u'lláh couldn't hold the site actually about a while loop, and surely, according to truly, we'll be giving the talk. Thank you for the introduction. And taking the place to actually know how to pronounce the names that we gave. So no idea how, actually, we are going to be talking about non-malarial randomness encoders, their applications. This is going to go with Há'u'lláh Há'u'lláh, and the site actually Há'u'lláh will do. So the other Há'u'lláh audience, there is no science factor. Before we get into what these two are, as we reminded, they're very motivated by first understanding what non-malarial curves are. So let's take a look at what non-malarial curves are. Non-malarial curves spread through these. They're introduced by Sibosky, Fidsar, and Wigs in 2010. So typically, they are an audience scheme, composed of an encoder or decoder. First of all, satisfies the basic property of correctness. So what is correctness? Straight forward. For every message, your decoder or encoder for the message should give you the class of message to the property model. That's basically correctness. In addition to it, what we see is the property of non-malarial curves. So let me go ahead and tell you what this property means. You have this encoder, you input a message, you are going to the forward scene, and say this forward is now proved when I proceed with tampering. So we are going to leave the information that I just said, which will give you the set for street and unbounded and first thing to ask is how do we model this property? We do this by our adversary to pick a function from a specific function family. And this we call the tampering family. That's what the tampering is going to look like, the adversary to do this function. The encoder is now modified to this C-prime, from which you then decode and modify the message. So non-malarial curve that you see is that this decoder will be modified in message. Should either be seen as the original message and if not, it should be something independent of it. That's the end of the user code. So the first thing you do is define what I mean by this C-prime. What is the problem of this? That's what we're going to do. What is this? We're going to follow it, define what it means to say that the forward scene will be styled non-malarial with respect to a specific tampering function family care. The first test that will naturally occur is we have a formalized distribution of the modified message and that's what we do. So this is the random variable, we call it tampering nf, and this is specific to the choice of message that it will be given and the specific function that it will see as true. That's the random variable that's going to be written by modified message. Basically, it's just going to open your decoder f of n to the f. The random source comes from the random source that it will use. That's what we do most distribution on the modified message. Now what do we wish to capture? I wish to capture that this is independent of the choice of the message n. So that's the non-malarial which I was telling you about. To do that, I'm going to capture it. We're going to see that for every choice of function that the industry needs, if you're able to define the distribution same as, if you're able to come up with the same app, then just depend on the function. Such that, one of the main choices that the industry needs for every possible message might not be able to do assignment closest to the simulator or the simulator distribution. Then I'm going to capture the non-malarial result. The closest is in the static load. Well, this is the definition I'm going with. You have a smaller decoder that I've been avoiding. So what does the function have to even see itself? That is, my random random variable here would have opponent the message n itself. And a simulated random variable here does not have the resolution at all. So that's a small decoder which can be a decoder for the industry. For the person of the law, let's just assume that that is a valid movement. That's what we formally find a non-malarial decoder for the industry. Going forward, non-malarial goes by the use of the solution for being a line of tamper-resulting, tamper-resulting app that gets a very, very tamper-resulting app. And I'm going to give you that application for a further motivation. So specifically, let's look at what kind of data we have or the way we look at that. To understand it, let's say you specifically take a digital signature scheme. This is my signing in the world for the digital signature scheme. And the standards together you can be, is that if an atmosphere in your heart lasts just to the sign of the border, then you should not even force the nature on a different application. That's the standard data you have. So this is what you have, but it's what happens is they say that once we manage to tamper the device on this key, and he modifies the key to something like a line. So it's a rebellion. In that particular situation, what the industry gets to also are signatures on this related key, not on the original key as it supposed to be. So this is the management information he needs with the help of which he might be able to enforce signatures. This kind of a task, so it's based on the standard security I've been provided by the commercial signatures. This kind of a task about related data. So the national question that comes up is, how do we secure it as well? Well, there are other solutions. One solution is offered by the tool I just introduced, which are my managements. What do we do? We don't store the key itself. We don't manage to be aboded and store the code word on the device. So now the arrangement that we get is that if such a modification occurs, for that to be done, then the key that you would write about, what if I came and I would write about, would be something independent of the original. So in such a situation, the arrangement information that I was using would be of no use to me. So you would have to avoid doing that. That's the motivation of, one such motivation for, by not having to do something. One of the tools that you look at for not having goals, the important part of the most important aspect, which one of the goals had been studied, the time of finding the respect which you are constructing there, and certainly the rate of improvement, which is very important. I said that the time of constructing is important. Well, not having goals, you are not having goals, you are not having goals, you are not having goals, you are not having goals. And so they have to be defined with respect to a specific task. So it's natural to ask, what is the task of finding the goal which you can actually achieve on that? And the main, I'm going to be only focusing on this particular family which has been very often studied over these previous days' families. So this is the family that you may be looking at. What this family captures is, that you split a good world into three chunks. And you allow the other family to tamper each of them now, other way. So, a little bit more of the idea, I wrote it by a guide key, and it has a collection of three functions as well as the other key. And each function, basically I, so to formally capture it, so this is the reduct of three functions, and each of the functions is now going to add up an individual log of the code word. So that's the least in the state family. If you observe here, lower the value of T is, more power you're giving to the atmosphere. So specifically, within this family of entities, the most powerful atmosphere would be for the value of T equal to two. Well, you have two chunks of the code word and each of the block is tampered arbitrarily. The second parameter that we're looking at is the rate of the code word. So, how do we define it? It's basically the ratio of the message and the code word count. Typically, higher the rate, lower the redundancy you would have introduced in your code word, and that's good. You don't want to introduce much redundancies. Having noted that, the only great problem in the realm of non-native codes has been to build optimal rate non-native codes for the two-spirit state family F2. So that has been the ultimate goal. The first question that pops up is, what is the optimal rate you can achieve for the T-spirit state family? And this was answered in 2014 with Chirachi and Kuruswamy. And they show that for T-spirit state family, the optimal H-spirit rate is actually one minus one over T. So specifically, for the two-spirit state family that we need to construct a code word, the optimal H-spirit rate is half. But this is known. What is where do we stand in terms of efficient construction? Let's briefly take a look at that. So, the red code here denotes the optimal H-spirit rate and the blue would denote what is known in terms of efficient construction. So to begin with, the initial construction was for this value of T equal to N, where N is the size of the code word. And if you see from the previous result, asymptotically, the optimal H-spirit rate for this family is one. In 2014, Chirachi and Kuruswamy also gave an efficient code which achieved this rate. Moving ahead, it was turning out to be difficult to construct constant rate codes for value T less than N. Let alone optimal rates. And in that manner of work, in 2014, Chattrapali and Sangamen gave the first constant rate code for the T-spirit state family. Well, this was constant rate. The explicit constant was not known and it's quite far from the optimal rate system. For the moving ahead, last year in one of our work, in TCC, the same set of authors, we gave an explicit constant rate non-manual code for the fourth state family and this achieves the rate of one third. But it's still not optimal. Where do we stand on the optimal goals that we wish to achieve, like that's two-spirit state family? Unfortunately, we do not know of a constant rate code for the two-spirit state family yet and the best known construction is due to leave in 2017, last year. This is an inverse law of the big construction. So that's the best known situation. Really summarizing what I said, so if you observe here, we do not have any constant rate non-manual codes for T less than four. And the ultimate goal was to construct an optimal rate code for T equal to two. But if you observe non-manual codes, they give a strong guarantee of achieving non-manuality for all messages for every possible message. Do we really need that? If you look at the applications typically in Trimto, specifically the application we spoke of in terms of security against related tiered ads, the typical kind of non-manuality guarantee you need is for random uniform messages. So specific to our application, we require non-manuality for the key key, which was a uniform message. With that motivation in this work, we asked this question, can we do better in terms of rate if we just seek non-manuality for random messages? Turns out we can, and we answered this by introducing these tools called non-manual randomness encoders. And further on, we show that we can actually construct an efficient non-manual randomness encoder achieving rate half for the two-split state family. That will be the result of the work. And let me now go ahead and define formally what non-manual randomness encoders are. So they would also consist of an encoder and decoder in a lot. How an encoder is going to behave is that it's going to take in a randomness R, and it's going to output the random message K, so this is my message, along with its encoding C. That's how my encoder goes. And the tampering model is going to be exactly as in the case of non-manual codes. You allow the encoder to pick a function from the family and he modifies the C to corresponding C prime using this function. And then you recover your modified K prime. So now I have to formalize what I mean by the non-manual randomity guarantee in this setting. I'm just going to be giving an informal definition for this. The formal definition is, along the same lines is that for NFC's, but it's quite technical for the purpose of the dog we don't need to get into it. So informally, or the guarantee that I need in terms of non-manuality is that if such a tampering has occurred, then the modified K prime is either same as my original random message K. If it's not, your original message K should remain uniform, should look uniform, even given this K prime. So it combines two things. One is that I require this message to be a uniform message, it's a random message. And secondly, this should be independent of the modifications. So that's what is combined in this setting. Another thing that you'd observe here is that any non-manual code would by default give you an NMR. But that doesn't give us anything better in terms of ring. Our goal of introducing this was to get a better ring NMR. So moving ahead, I'll give you a brief of how we have constructed an NMR, achieving the real dimension, and a brief security loop sketch for the same. So before I end with the construction, there are three building blocks that you could require for it. Then we can please just tell you what building blocks are. So the first building block is a randomized extractors. They typically do which convert non-uniform source frame, so like W, it takes it. And along with the short uniform C, it managed all uniform bits. So bit more formally, what you see is that an extractor value on a source terminal, a CDS, looks uniform even if it is. The second tool that we'll be using are information heritage, one type message authentication codes. So what we'll be composed of is this one is a nav generating a Gotham or a verifier Gotham. So the dialog Gotham takes a key and generates a tag on the message M. Verifier Gotham, using the same key, checks the validity of the message tag by any resource. So the kind of guarantee you require from this is that a resource unit takes a look at one message tag pair, should not be able to forge a valid tag on another message. The third tool that we'll be requiring is any two-state non-uniform. So when I state, it means any rate, so you don't particularly require any of my links. So because it's a two-state code, I'm going to be looking at the code word as L and R. So like I said, it can be any two-state code for the specific instantiation to get the rate that I just mentioned. We'll be instantiating with the Shin-Li-Sa inverse logarithmic rate code word, or the two-state code. But if you observe here, because we're going to be using a whole rate non-uniform, and you want to save up on the rate, you can only use this non-uniform to encode short messages. That's when I can gain a mother-in-law. Let's see how it actually comes from when we can't use two-state code together. Non-uniform, so this NRI encoder has to do things. One, it has to generate a random message. Second, it has to generate the encoding corresponding to it. So to generate the random message, I'm going to use the extractors. The extractor takes in the source W, the C, S, and it's going to output this random message P. That's going to be the random message output by the encoder. Coming to how we're going to actually come up with a non-manual encoding of it. So we should output a code word from which you're able to recover the key. Okay. So, first thing is, yeah, we can't, of course, output the key itself. What do we do? We output the source W. So the other information we need to convey for decoding is the C, S. Let me make it simple at first step, and say the state-conditioned W is non-modifiable. What can I do? I can convey S to achieve what I want. Turns out extractors with short Cs exist. So if we use such an extractor, I can actually encode my C, S using the R-line and non-manual code, and output the two states of this code word along with DERD. If I do that, because my W is not modified within the setting, there are two things that can happen. If my S ends up getting modified, you know that it will be something independent of the original C. And in such a situation, extractors have a very nice problem that my original extractor output, which is K, would remain looking uniform, even given the extractor value on the modified independent C. So we would achieve the non-manual C. If it was not modified, then good enough you'd recover your original S. And this simplification, what do we do when W is actually modified? So turns out we can handle it by first authenticating W using the one-time map. And then we have to convey the authentication key and tag. The way we do it is, because maps with short keys and tags exist, we can encode this key and tag along with the C and convey it. So my final code word is going to consist of this W along with this L-line, which now encodes my authentication key tag along with the C. So the D-code is quite natural from here. How do you decode this quite naturally? What I promised was a two-state NMRE, where it turns out we can do it by combining these two states, W and N. So this gives me the two-state code word. One small point is it uses a stronger notion of non-manuality for augmented non-manuality. I urge you to look into the paper to see what that non-manuality is. So that is my final code word. Let me briefly explain how the security would go through. So just like in the case of non-manual codes, if you have a goal to prove security, we need to build a simulator, which sort of simulates the distribution on the modified key-prime to capture the independence. It's similar in sense to how we did it for LMCs. So the simulator, NMR-SIM, is going to take in the two functions that it was used to modify, and it has to relate the distribution on key-prime currently. And this is going to use the underlying non-manual code simulator, NMR-SIM, in LAN ports. NMR-SIM outputs this modified key tag and SIM combination. There are two cases that can arise here. One is say this was not modified. And the other is if it was modified, you know by the non-manuality guarantee that it would be something independent. So we take up a case-by-case analysis from here. And if you look at the first case where it's not modified, you know that the underlying authentication key is not modified here. So what does that tell me? If the adversary had changed my source, then he could not have forced a valid tag on it because of the max security, and you'd be detected. So you'd output bot in that scenario. Else, you would have retained the same source and you would have recovered the key. So in this case, typically, your message would either be the same, same key key, or it would output something like bot. So that's what was to be handled. Coming to the other case, because the independence guarantee that you have, the C, S, the modified C, S, and L is going to be independent of your S. Turns out in the situation, irrelevant of whether my source was modified or not, because extractors have a nice property, all the additional information that the adversary gains in the situation can be captured as what is known as auxiliary information. So that's like a leakage. And by doing that, using extractor security, you can actually simulate an independent key plan. So again, the details of this, I'm not going to go into it. I'd urge you to look at the paper in the details of this particular case. So what do we have in our portfolio? Either you'll output something independent of K or you'll pay our polling cost. So you could do. So that brings us to the end of the security loop for this. We instantiated this particular construction with the set underlying NMC, and we managed to get the rate, that rate half from here. Also in this work, we give an application of NMRE as well. So if you remember all this is the picture of the non-nuclear codes we ended with, we did not have any constant rate non-nuclear codes for D less than four. And there was this gap between D equal to two F. So also in this work, we managed to bring this gap number bit more, and we construct a one-third rate, three-state non-nuclear code by using this NMRE with half rate in nanobots. So summarizing what we did here was introduced non-nuclear parameters encoders as a nominee for non-nuclear encoding of random messages. We built a two-state half rate non-nuclear randomness encoder, and as an application, we got a three-state one-third rate MC. In terms of interesting open problems to take up from here, if you observe, we knew from the non-nuclear code setting for the two-state state family, half is the optimal achievement rate, that goes in more. But for non-nuclear randomness encoders, it's not clear whether that would be the optimal achievement rate. So the question you ask is, is half the optimal achievement rate for two-state data NMREs? Can we do better than three-half? And the second is, there is interest to look at other applications that you would get from NMREs. Not a lot of applications of non-nuclear codes are new, other than the time it has been setting. And very quickly in our follow-up work, we managed to show a connection between NMREs and this very important problem in the realm of information theory to give you a know of privacy application. So this is one of the first connections that one of the first applications to NMREs to search rooms. So privacy application was introduced in the previous session. So basically, I was involved sharing a low entry source, which is a real common random stream. And the holy grail, I'm not going to state it formally. The holy grail problem in the realm of privacy application is to achieve optimal round protocols with certain optimal parameters in terms of entropy loss and energy requirement. And while I have several lines of work, in the subsequent work, we give a connection between NMREs and privacy application, and specifically the result. We show that if my NMRE scheme, the two-state NMRE scheme, along with me constantly, has certain additional strong properties, then you can get privacy application protocol with such optimal parameters. So it's interesting to look at how we can actually achieve these strong properties in terms of what we're trying to do. Because they are very keen to look at the problem in privacy application. So this is actually joint work with the same set of authors, Bhavna and Ramna and Ishaan and Satyapadhyay. You can look it up on the screen. So, yep. Thank you. We have time for a quick question. Thank you.