 Today I'm going to talk about Black Box Secret Sharing. When Black Box Secret Sharing was introduced in 1989, then a significant progress was made in 2001 and 2002. Since then, there's not much progress. First, I'm going to give a brief introduction to Secret Sharing Scheme. A Secret Sharing Scheme actually is an important primitive in cryptography. It has many applications. One of the significant applications is secure multiparty computation, where we use multiplicative Secret Sharing Scheme. The most important Secret Sharing Scheme is the Shamil one, where we use resomal codes or equivalently we use polynomial evaluations. However, the Shamil Secret Sharing Scheme has both shares and secrets in a fixed field. Black Box Secret Sharing was introduced by Desmet and Franke in 1989. In BBS, as with AIM players, a Secret S is a form of arbitrary obedient group G, and shares are vectors in D-dimensional space over G. The explaining factor of Black Box Secret Sharing is defined to be D, because it's clear to see that the explaining factor measures the share size. Therefore, we want a small explaining factor for our Black Box Secret Sharing Scheme. Note that BBSS is independent of obedient group G, otherwise for any obedient group G, we can use the same scheme. It was shown by Crema and the first that BBSS is equivalent to a monotone SPAN program. A monotone SPAN program was introduced by Kojima and Wiedersen. Let us give a definition of a Secret Sharing Scheme. A Secret Sharing Scheme, Sigma is m plus 1 type, x0, x1 to xn of random variables. These random variables are all defined on the same finite probability distribution in a set R. In the Shamil Secret Sharing Scheme, R is just a finite field. The Black Box Secret Sharing R is our obedient group G. And then we must certify the following condition. The conditional attribute h is 0, namely given x1 to xn. x0 is completely determined. For each i, we call it a player. For the adversarial structure, delta sigma is a set of subsets of n such that each xa gives no information on Secret x0. The excess structure, gamma sigma, consists of subset b of n, where this n function is 0. This means the collection of shares from xb fully determines the Secret x0. And we say that sigma has t privacy. It means that any subset of sites at most t belongs to the adversarial structure. In other words, any subset t of sites at most t gives no information about the Secret. We say that sigma achieves arc reconstruction. If any subset of sites at least arcs completely determine the Secret, we say that sigma is threshold. If r equal to t plus 1, in other words, any t or less players know nothing about the Secret. However, any t plus 1 or more players can completely reconstruct the Secret. Now we talk about the relation between the Secret sharing and the monotone span program. So our idea is to construct the black box Secret sharing through monotone span program. We are sure that these two concepts actually are equivalent. So first we give a definition of monotone span program. Suppose r is a ring, m is a matrix. The number of rules of m is d times a, the number of columns of m is e, where all elements, all entries of m belong to a ring r. So we divide m into sub matrix, where each m i has d rules. For a subset s of n, we denote by m sub s, the sub matrix of m consists of m i for i or i in s. So now we have a top ring r, matrix m, n and d. Actually, we are not really interested in e. So we just ignore e, a parameter e, where e is a number of columns of m. So a top r, m and d is called a monotone span program computing this delta t, gamma r. If for any s in delta t, the target vector 100 is r span by rules of ms. Namely, we look at sub matrix ms. So the rule of space contains, the rule of space of ms contains this target vector. For any t in gamma sub r, the first column of mt is r span by rules of columns of m sub t. If we restate these two properties, then we have a following number, number one. So a monotone span program m computes this pair if and only if these two equations is solvable in r. So actually we convert the previous condition to the equation, equations, actually equation systems in r. And this conversion is very important for us for the construction of black box 6-series. We return to the definition of black box 6-series. Suppose G is an abandoned group. S is the element of G is a secret which is uniformly distributed. If we randomly choose a vector G of E such that the first coordinate of G is the secret s and rest are random, then we define the vector s to be G times mt where t is a transpose of m. Then we get a vector in dn dimensional space over G. So we divide this vector into n sub vectors. So each vector si has length d. So therefore actually each si is our shear. So shear is si. Black box 6-series for this delta t gamma r is a top b where z is an integer ring, m is a matrix defined above, a and d are also defined above, satisfy the following properties. First completeness, namely for any s in gamma r, then we have a vector b such that this inner product b with this s is the secret with probability 1. Namely if we have s-shears, we combine s-shears, then we take a vector consisting of this s-shears with b in the product, then we get a secret s. Privacy, for any t in this delta t, then s sub t contains no Shannon information on s. Namely any t players gives no information about the secret s. Okay, now this result shows equivalence between monatone span program and black box 6-series. So monatone span program m actually is equivalent to black box 6-series for same adversary and reconstruction structure. Now let us talk about expansion factor again. For black box 6-series scheme b with n players, the number d is called expansion factor. This vector measures the average number of group elements that a shear has. So therefore we want d to be small. So the key, actually the key part of the black box 6-series is this expansion factor, a ramp black box 6-series. So for the monatone expansion structure defined by this delta t, gamma r is denoted by r sub t, rn. Recall that delta t stands for all subsets of size at most t, where gamma r stands for the state of all subsets of size at least r. So the black box 6-series scheme for this rtr is called threshold, if r equal to t plus 1 and the ramp if r is bigger than t plus 1. Okay, so let us see how well we can get expansion factor. The other ones want to look at lower bounds on this expansion factor. So the theorem 2 says that every ramp black box 6-series scheme for this r sub trn has expansion factor at least this number. So that means no matter how you constructed your black box 6-series, the expansion factor must be at least this number. So when it is the threshold, actually the result is already obtained by Decimate and frankly in 1989, it says that the expansion factor is at least the knock of m plus 3 over 2. Then we want to see whether we can get some black box 6-series scheme, which is close to this lower bound. The first upper bounds derived by Decimate and Frank via Venom and the type of matrix, they get expansion factor, which is an expansion of n. So this is far bigger than the lower bound. So then of course we are not satisfied with this upper bound. Then in 2001 and 2002, Crema and Fair shows that we can get a threshold black box 6-series with expansion factor, which is at most knock n plus 1, where they use a number field theory. They use a number field, they first construct a mountain span program over a number field ring, and then convert it to a mountain span program over integers. And finally they get this result. So look at this upper bound. It's already very close to the lower bound, we just show. So if we want a constant expansion factor, then by lower bounds in theorem 2, R minus t must be proportioned to n. That means we need a ramp black box 6-series sharing. Note that by theorem 2, the best possible result is R minus t must be exponential of this minus d times n for constant expansion factor d. Okay, finally we show we use a group technique to get optimal ramp black box 6-series sharing scheme. So first, if we combine number 1 and theorem 1, then we have a following result. So this black box 6-series sharing scheme B, if and only if for any S, the equation is solvable in Z, and for any T in gamma sub R equation of this equation is solvable in Z. So this is a global equation because Z is viewed as a global ring. So then we have some local global principle from mathematics. So in mathematics, there's a well-known healthy condition or local global principle. So there are many examples. For instance, a healthy condition. If a defending equation is a solvable modular, every prime power, as well as in real, then it is solvable in the integer. Some other examples like a graph has an eulering circuit, if and only if every node has even degree. We also have some other local principle problem, a local global principle problem. So we also use this healthy local global principle. Namely, for any matrix A and vector B, this equation over Z is solvable if and only if it is solvable over every Z sub PL for all prime P. So that means it is solvable globally, that is also solvable locally. So we use this name to get our result. So our idea is following. First, if we want to construct a matrix of size A, we consider this fundamental matrix. With all integers here. So therefore, for this fundamental matrix, for any prime P bigger than A, then we get a monotone span program. And actually, this is a threshold. So the problem is that how do we get a monotone span program for all primes P less than A? So that is the key point. So then we glue monotone span program for all P less than A together with the monotone span program short before. We combine these two, then we can get a monotone span program over Z. So the result is given in CM3. So if we have a monotone span program for all prime P less than A, then together with the previous monotone span program, we get CM3. So by CM3, the key part is to construct a monotone span program, compute the ramp structure for all prime P less than A. And we know that a monotone span program over a field is equivalent to a secret sharing scheme. So in fact, a linear secret sharing scheme is equivalent to a linear code. So therefore, our construction is the following. We first fix a matrix of size D times A times L. For each P less than A, we construct a linear code C over Fp with less than A and dimension L. To guarantee privacy and reconstruction of secret sharing from such a code, we require a large minimal distance and a dual distance of C simultaneously. So then a good candidate for a linear code with both large minimal distance and dual distance of C is algebra geometrical code. So therefore, we first fix a matrix of size. Then for each prime P less than A, we construct algebra geometrical code over Fp with less than A and dimension L. If we let G sub P be a general matrix of size D times A times L for such an algebra geometrical code, then we lift all general matrix G sub P to obtain a matrix ML via Chinese remainder theorem. So this M sub 2 is the required matrix we want in theorem 3. Now a monotone span program, M2 computes the extra structure for all prime P less than A. Therefore, we get our main result. Namely, for any odd integer D, which is explained factor, then we can have black box secret sharing over this extra structure. And explain factor D such that RMT is equal to expansion of this one times A. Furthermore, this expansion is namely every ramp threshold black box secret sharing over extra structure with expansion D must obey this one. So this means up to a constant, we get an optimal ramp black box secret sharing. Thanks. That's all.