Any set of tau parties can join together and reconstruct the original message, and then tau privacy. Tau privacy means that any set of tau minus one parties, if they join together, they have no clue of what the secret message is. So those are the two basic properties, so we consider this thing called tau, rho, n threshold secret sharing, and of course the optimal thing is when tau is equal to rho; this is usually called tau out of n secret sharing.
And in this tampering, the adversary can send a tampering function, he gets to see a message, then he can send another tampering function and he gets to see the message again and again. So we get unbounded tampering. This unbounded tampering is sometimes called continuous non-malleability. Then we have adaptive concurrent reconstruction. The only difference, the only thing that distinguishes us from the related works, is that we need to assume one-way functions while all the other works are in the information-theoretic setting.
If you think about it, actually this thing, the point is that we need to assume one-way functions because one-way functions are necessary to get continuous non-malleability, at least they are necessary when tau is equal to rho. Of course we have tau, which is smaller than rho, but there is a kind of an indication that it is very hard to do this kind of thing without computational assumptions. So to go back to the definition, the definition says that the adversary can tamper many, many times, but at some point maybe the adversary sends a tampering function and this tampering function is too bad. And then there is no message that can be reconstructed. And in this case the reconstruction says, look, error, I cannot say what message was inside of these shares. And in this case we need to cut the oracle access to the adversary, so we need to self-destruct. Why do we need to do that? Because otherwise there would be an impossibility result. So it's not possible to do continuous non-malleability without self-destruct. Again, so we also want to have leakage resilience. So the kind of leakage resilience that we consider is called the noisy leakage model. In this noisy leakage model the adversary can leak partial information about the shares and the only restriction on the function that he can send is the following. So the only restriction is on the average conditional min-entropy of the shares given the leakage. This thing has to be high enough. So let's go to our construction. I'm going to show you our construction with poor rate. So we want to do a t out of n secret sharing. Let's start with the simplest case. So the simplest case is two out of two continuously non-malleable secret sharing. So we want to do this thing and actually they already exist. Two out of two continuously non-malleable secret sharing is just a continuously non-malleable code in the split-state model. So we know already how to do them. We know we can do them from one-way functions.
This is the work of Ostrovsky, Persiano, Venturi, Visconti of last year here at Crypto. So we have them. So the technical contribution of this work is the following. We start with two out of two continuously non-malleable secret sharing and we obtain a tau, tau minus one, n continuously non-malleable secret sharing. So this is the take-home of this paper from the technical part. So let's try to do them. So let's warm up with an example. Let's try to do a two out of two, a two out of n continuously non-malleable secret sharing using a two out of two continuously non-malleable secret sharing. So what we do, so let's look at this matrix. So in this matrix, each column is a share. Now it's empty and then each row will be indexed by a couple of indexes and we're going to compile this matrix. So what we do is we do a fresh share of the message that we want to share and then the first index will be one, two, and we put share one in position one, share two in position two. Then there is one, three, so share one in position one, share two in position three, and so on and so on. And we continue to fill all this matrix. Now if we want to reconstruct, suppose we want to reconstruct using the indexes two, three, very easily. So two, three, they define a row in this matrix. So we go to this row, we pick these two shares and now we reconstruct them. Easy. It's really also easy to show that this thing is continuously non-malleable. Basically it's just a hybrid argument over all the rows of this matrix. But it's easy but not super trivial. In fact, already for this case, we need to assume a property from the inner, a property from the inner two out of two continuously non-malleable secret sharing. So what is the point of this slide? The point of this slide is to show a very basic principle of secret sharing in general. So if you have two secret sharings, let's say that one secret sharing has an access structure equal to A, the other secret sharing has another access structure equal to A prime.
If we do this composition of sticking together the rows, then you get another secret sharing with access structure equal to A union A prime. This is a very basic principle, although you can agree on this. So keep in mind this thing. So let's now give another secret sharing. This secret sharing is going to have a weird access structure. Let's look at it. So we're going to call this thing the building block secret sharing. So the building block secret sharing will be, we will do the following thing. So we sample a key, then we share the key and we get two shares S1 and S2. Then we use this key and the message to create an authenticated ciphertext and then we do Shamir secret sharing of the ciphertext. Now the value tau for the Shamir secret sharing will be set to be tau minus two. And I can convince you that this thing is continuously non-malleable. So the key is well protected because it is using continuously non-malleable secret sharing. So the key is not in the view of the adversary. And now the adversary gets to see a ciphertext. But this is an authenticated ciphertext. So it cannot manipulate it in any way. And then we use Shamir to get privacy out of this scheme. Now what is the access structure of this building block secret sharing? So the access structure is the access structure A12, which is equal to all the sets of cardinality at least tau which contain indexes one and two. Okay, I think I'm going very fast. So let's see how to do tau out of n secret sharing. To do that, so we basically do the composition of before. So we sample a secret sharing using the building block secret sharing. And so we get two shares for the key. We put here the first share, we put here the second share. And this is the Shamir secret sharing. Then we do it again, but now we permute the index where the... So this is a fresh secret sharing. We permute the index of where we share the key. So the key will be shared in the index one and two.
And then we continue with this procedure until we complete all the matrix. So now what is the access structure of this secret sharing? So the access structure of each row is equal to A12, A23, and so on. So the access structure in total will be the union of all the access structures. And if you do just... If you look at this thing, you will notice that the access structure of this secret sharing is actually the tau out of n access structure that we are looking for. So this seems good. So you will think, okay, let's proceed as before. Let's do a hybrid argument over... I show you that each component is continuously non-malleable. Let's try to do a hybrid argument over all the possible rows. It seems that this thing would give us a continuously non-malleable secret sharing. But actually there is a problem. I didn't tell you how to reconstruct. So how would you reconstruct? So to reconstruct, let's suppose that we want to reconstruct using the indexes one, two, three, and n. So what you do, so you pick the minimum indexes in the set. So this is one and two. Then you go to the row one and two. Now you can do the reconstruction of this key, the reconstruction of the ciphertext, and decrypt. And so as I said before, there is a problem. The problem is that... So I will show you the problem. So suppose that the adversary wants to reconstruct using one, two, three, and n. So now suppose that he tampers the share, and actually he can tamper this share. He can transfer information from this part of the share over here. So he can really transfer a lot of information. And the point is because the reconstruction here is a linear function. So he can really leak a lot of information about the share here. So we cannot proceed with the hybrid argument because we wanted to resort to the continuously non-malleable property of these two shares. But here there is some leakage. So we cannot do that. So what is the solution?
The first solution is, you know, let's assume that this secret sharing is leakage resilient. Now it's leakage resilient. Yeah, there is some leakage. It seems this thing solves the problem. But the problem is that this would only solve the problem partially, because we can resort to leakage resilience only a bounded amount of times. Instead, we are looking for unbounded non-malleability. So we need to do something more. The extra trick that we use is that we reconstruct the Shamir secret sharing in a different way. So instead of using the classical Lagrange interpolation, we use something we call twice reconstruction, double reconstruction. So let's see what double reconstruction means with an example. So let's suppose that we want to do 5 out of n secret sharing. So the threshold is equal to 5. And instead of setting the Shamir threshold to be 3, because it would be 5 minus 2, we set it to 2. So it would be 5 minus 3. Why we do this thing is because we need to have extra space for this double reconstruction. So what we get is a threshold secret sharing with parameters 5, 4, n. So 5 reconstruction and 4 privacy. So let's suppose that the adversary comes and sends a tampering function in a reconstruction set 1, 2, 3, 6. And then what we do is that, OK, 1 and 2 are the minimal indexes in this set. So we use 1, 2 to reconstruct the secret key. And then we want to reconstruct the ciphertext using the indexes 3, 6 and n. And what we do is that we divide it into two sets. We use the set 3 and 6 and the set 6 and n. And we do the reconstruction twice. So we can do this thing because we set the threshold appropriately. So we reconstruct once and we get a ciphertext c. Then we reconstruct another time using the indexes 6 and n. And we get the ciphertext c prime. And now we check this thing. So we check that the ciphertext c and the ciphertext c prime are the same. If they are not the same, then we send an error, which means that there will be a self-destruct.
So now why this thing works, basically the thing is the following. So as I showed you before, before the attacker could leak information about S132 here. So he could transfer this information and then thanks to reconstruction it would leak information out of a tampering query. So now we need to show that this kind of thing cannot work. It cannot happen. So to do that, we show that the average conditional entropy of S132, given the leakage, meaning the reconstruction using the indexes S123 and tampered S126, doesn't give us any information. So to do so, we use this equation, so the counter of this equation, we use the fact that if the reconstruction is good, if there is no self-destruct, then c prime is going to be equal to c prime. So now we need to bound the average conditional entropy of S132, given this leakage. But you see here that this leakage is independent with respect to S132, because we are in the individual tampering model. So those are different indexes that refer to different shares. So even if you manipulate them, you cannot get any information from S132, which means that the average conditional entropy of S132 didn't drop. It's still the same. So this thing cannot make any leakage. Then, of course, at some point, c will be different than c prime, so this equation doesn't hold anymore. In this case, there will be a drop in the conditional average min-entropy, but this thing happens only once. It happens only once at the end when we have the self-destruct. So at that point, we can resort to the leakage resilience of the scheme. OK, so we did it. So the main trick that we used was this composition of our building block secret sharing and then reconstructing twice the Shamir secret sharing. And also there is yet another trick that we needed, and I don't have enough time to explain it, but basically it's an easy property of polynomial interpolation. If you want to know more, you can ask me offline.
So to conclude, so in our paper we have this scheme and then I promised you to have a rate one continuously non-malleable code. Actually that scheme is not rate one, it's rate zero. We have a rate compiler that takes any continuously non-malleable secret sharing, which is rate zero, and it amplifies the rate to be rate one. Then we have an application to threshold signatures with local adversaries. And then we have a follow-up paper that is going to appear at TCC 19, where we close the gap between reconstruction and privacy. And we also have a different model of tampering, like the joint tampering model. And that's all. Thanks.

We have time for questions. The microphones are at both ends of the aisle. And if there are no questions, let's thank the speaker again.
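The double-reconstruction check described in the talk, as an added example that is not the speaker's or the paper's code: Shamir sharing over a constructed prime field (the field and the sample secret are assumptions), the ciphertext shares reconstructed from two overlapping subsets, and a mismatch mapped to the self-destruct error. It generalizes the 5-out-of-n walkthrough (Shamir threshold 2, sets {3,6} and {6,n}) to any Shamir threshold t with t+1 ciphertext indexes.

```python
import secrets

# Constructed example field (assumption): a Mersenne prime, not a parameter from the paper.
P = (1 << 61) - 1


def _eval(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_share(secret, t, n):
    """t-out-of-n Shamir sharing: random degree t-1 polynomial with constant term secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: _eval(coeffs, i) for i in range(1, n + 1)}


def lagrange_reconstruct(points):
    """Classical reconstruction: interpolate the points {x: y} at x = 0."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def double_reconstruct(shares, indexes, t):
    """Reconstruct twice from two overlapping t-subsets of the ciphertext indexes
    (e.g. {3,6} and {6,n} in the talk); a mismatch is the self-destruct case and
    returns None. Threshold t is one below the indexes available (5 - 3 = 2)."""
    idx = sorted(indexes)
    if len(idx) < t + 1:
        raise ValueError("double reconstruction needs at least t+1 indexes")
    first, second = idx[:t], idx[1:t + 1]  # the two sets overlap in t-1 positions
    c = lagrange_reconstruct({i: shares[i] for i in first})
    c_prime = lagrange_reconstruct({i: shares[i] for i in second})
    return c if c == c_prime else None


if __name__ == "__main__":
    sh = shamir_share(0xC0FFEE, 2, 8)            # threshold 2, shares 1..8 (constructed)
    print(double_reconstruct(sh, [3, 6, 8], 2))  # honest shares: ciphertext recovered
    sh[3] = (sh[3] + 1) % P                      # one individually tampered share
    print(double_reconstruct(sh, [3, 6, 8], 2))  # None: c != c', self-destruct
```

A consistent tampering of all shares onto another degree t-1 polynomial would pass this check; that case is what the authenticated ciphertext in the building block is there to catch.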