I am Akshayaram, and the title of my talk today is Revisiting Non-Malleable Secret Sharing; this is based on joint work with Saikrishna Badrinarayanan from UCLA. So let me start this talk by giving you a brief overview of threshold secret sharing. As you might all be aware, threshold secret sharing was introduced in the seminal works of Shamir and Blakley in the late 70s, and it works as follows. So there is a dealer who has a secret message M, and he splits this secret message into N shares SH1 to SHN with some threshold parameter T. He then sends the i-th share SHi to party Pi. We require two properties from the threshold secret sharing scheme. So the first is correctness, which says that if any group of T or more parties come together, they can use their shares to reconstruct the message M. And the second is the secrecy property, which says that any group of T minus one parties learns no information about this message M. And threshold secret sharing is a fundamental cryptographic primitive with numerous applications. Some of these applications include constructing secure multi-party computation protocols in the honest majority setting, constructing threshold cryptographic primitives such as threshold encryption, threshold signatures, and so on. And the security of all these applications crucially relies on the secrecy property of the underlying threshold secret sharing scheme. But what if the adversary's goal is not to learn the secret, but instead its goal is to tamper with the secret? So to motivate this further, let's take the example of a threshold signature scheme. So here there is a sharing algorithm, which takes in a secret signing key SK, and it splits this secret signing key SK into n shares using any threshold secret sharing scheme. And let's fix the threshold parameter to be T. And the sharing algorithm then sends the i-th share SHi to party Pi.
And we require two properties from threshold signatures, namely any group of T or more parties can come together and generate a signature on a message. And the security property is that any group of T minus one parties cannot forge a signature. But now consider an adversary who corrupts the channel through which the parties receive their shares and induces a tampering attack on these shares. So we'll denote the tampered version by a tilde symbol on top. For example, the tampered share of party P1 is denoted by SH1 tilde. Now when a group of T or more parties come together and generate a signature with respect to these tampered shares, they are implicitly generating the signature with respect to a tampered signing key. For example, this tampering attack could fix the last few bits of the signing key to be the all-zero string, in which case the signature is generated with respect to a signing key whose last few bits are all zeros. This means that the system now becomes vulnerable to related-key attacks. And this is devastating. So you might be wondering: if the adversary is able to tamper with this signing key to get some related signing key, isn't he breaking the secrecy property of the secret sharing scheme? So the answer is no. It's possible to tamper with the secret even without learning the underlying secret. In other words, secrecy alone is not sufficient to prevent these tampering attacks. So let us first see why the existing cryptographic primitives do not provide a reasonable solution to this problem. Firstly, observe that most of the existing secret sharing schemes in the literature are linear. This means that if I multiply each share with some constant alpha, then the reconstructed secret will be alpha times m. And this property has been crucially used in many applications, including designing secure multi-party computation protocols and so on.
However, this property trivially allows tampering attacks, because each of these functions can just multiply the shares with alpha, and we can tamper with respect to a related secret. On the other hand, primitives such as verifiable secret sharing and robust secret sharing only provide guarantees when at most half the shares are tampered with. However, in the scenario that I explained before, it's possible for the adversary to corrupt all the channels and tamper with all the shares, in which case these primitives do not provide any meaningful security guarantees. And a beautiful work of Cramer et al. introduced this notion called algebraic manipulation detection codes, which can detect if a tampering has occurred. However, it restricts the class of tampering attacks to be just additive functions, so it's a very restrictive class. Another beautiful work of Dziembowski, Pietrzak and Wichs introduced this notion called non-malleable codes, which can protect against these tampering attacks. Unfortunately, they do not provide any secrecy guarantees, which is crucial for applications such as constructing threshold signatures and so on. There is an exception to this: for the special case of two-split-state non-malleable codes, it's known to imply a two out of two secret sharing scheme. However, this is not even true for higher numbers of states, including three. So even a three-split-state non-malleable code is not known to imply a three out of three secret sharing scheme. Thus, to prevent the tampering attacks on existing secret sharing schemes, Goyal and Kumar introduced a new notion called non-malleable secret sharing. So what is this non-malleable secret sharing? It's just like any other threshold secret sharing scheme. It satisfies the correctness and the secrecy property. And in addition to that, it also satisfies the non-malleability property, which roughly states that any tampering attack on these shares either preserves the original secret or completely destroys it.
So more formally, let's consider the shares SH1 to SHn of some secret message M. And let's consider an adversary who defines these tampering functions F1 to Fn. So we consider the function Fi to take in the share SHi and output the tampered share SHi tilde. Now the non-malleability property requires that for any choice of these adversarial tampering functions, the reconstructed secret is either the original secret M, in which case there is no tampering, or its distribution is independent of M, where the randomness of this distribution is over the randomness of the sharing phase. So it says that either it's the same message or its distribution is completely independent of the starting message. So in this work, we only focus on the individual tampering setting, where each Fi just acts on an individual share SHi. But it's possible to consider more expressive tampering functions, which can take in two or more shares together. But here we'll just restrict ourselves to individual tampering. So coming back to the case of threshold signatures, let's see how non-malleable secret sharing helps us in preventing these related-key attacks. And this was proposed in a recent work of Agarwal et al. So the sharing phase now takes in the secret signing key. And instead of sharing it using any threshold secret sharing, it will now share it using a non-malleable secret sharing scheme. So now when an adversary tampers with these shares, the non-malleability property of the secret sharing scheme ensures that the reconstructed secret SK tilde is either the original secret SK or something which is completely independent of the secret key SK. So this means that the system is protected against related-key attacks. So what is new in this work? We give rate-efficient as well as stronger constructions of non-malleable secret sharing. So let me start with the rate efficiency part.
Recall that the rate of a secret sharing scheme is defined as the ratio between the size of the secret message and the size of a share. And it's the main parameter which determines the efficiency of a secret sharing scheme. So the prior work of Goyal and Kumar, which introduced this primitive of non-malleable secret sharing, also gave a construction of non-malleable secret sharing with rate which grows as 1 over n log m, where n is the number of parties, and m is the size of the secret. Asymptotically, this rate tends to 0 as the size of the secret goes to infinity. And the constants hidden inside the big theta notation are also large. So it's not concretely efficient. So in this work, we improve the state of affairs by first giving a positive-rate construction of t out of n non-malleable secret sharing for any threshold t greater than or equal to 4. So in particular, the rate is 1 over t log squared n, where t is the threshold, and n is the number of parties. So this rate is independent of the size of the secret. And another advantage is that the hidden constants are very small, and it's in fact concretely efficient. Another advantage of our construction is that it easily extends to more general access structures. So we can also get non-malleable secret sharing for more monotone access structures beyond the threshold constructions. So these are the results in the rate efficiency part. So let's move on to the stronger security model that we consider. So the prior work of Goyal and Kumar considered a security definition where the adversary tampers with the shares only once. But in practice, it's possible for the adversary to launch more than one tampering attack. For example, if the shares are stored on some smart cards, then the adversary could make multiple copies of these smart cards and launch different tampering attacks on each copy.
And to prevent these attacks, we propose a stronger attack model called multiple tampering, which is somewhat related to the continuous non-malleable codes which you heard about today. And roughly it says that if I take in the shares SH1 to SHN of some secret message M, and if I consider two different adversarial tampering attacks on these shares, we require that the joint distribution of the reconstructed secrets should be independent of the original secret message M. So here we just consider two tampering attacks, but it's possible to extend it to multiple tampering attacks in a straightforward manner. So this is the security model. This is directly inspired by a similar notion for non-malleable codes studied by the work of Faust et al. And the concurrent and independent work of Aggarwal et al. also considers a strengthening of this multiple tampering model, where the strengthening allows the reconstruction sets to be different across different tamperings. So in the stronger security model, we first show a negative result, which shows that if we allow an a priori unbounded number of tamperings, then for any threshold T and for any number of parties, this notion is impossible to achieve. And we also show a positive result, which states that if we a priori bound the number of tamperings, then it's possible to construct this notion. And additionally, the positive result is also rate-efficient. So it has a positive rate, independent of the size of the message. So in the rest of the talk, we'll first go over the main ideas behind the rate-efficient construction. And I'll then briefly describe how to extend it to the stronger security model of multiple tampering. And I'll finally conclude with some recent progress in this area. So let's start with the rate efficiency part. So before going on, let's see what was the main bottleneck that was affecting the rate in the prior work of Goyal and Kumar. So the prior work of Goyal and Kumar used a two-split-state non-malleable code.
And then it used it as an underlying building block to construct a non-malleable secret sharing. The rate of the code that was used in their paper was 1 over log m. And that's where the log m factor comes in the rate. And this is asymptotically tending to 0. And subsequent to our work, constant-rate two-split-state non-malleable codes were constructed very recently in the work of Aggarwal and Obremski. But the parameters of this code are still concretely inefficient. So the main idea behind the rate-efficient construction is to instead rely on a three-split-state non-malleable code. And there are constructions which have an explicit constant rate of 1 over 3. So this actually requires some new techniques. And let me tell you the techniques that we require. OK, so before moving on, let's quickly recall what a three-split-state non-malleable code is. So there is a message m. And there is an encoding procedure that allows you to encode this message into three states, l, c, and r. And there's also a corresponding decoding procedure which, given these three states, reconstructs the message m. So the non-malleability property requires that if we tamper with these three states independently, then the reconstructed tampered message is either the original message or something which is independent of it. So as I mentioned before, the difference between non-malleable codes and non-malleable secret sharing is that non-malleable codes need not preserve the secrecy property. For example, there could be one state which gives information about the message. And independent works of Kanukurthi et al. and Gupta et al. give explicit three-split-state non-malleable codes with rate 1 third. And we'll be using this as the building block in our non-malleable secret sharing. So let's go on to the construction. So let's start with the sharing phase, where we have a message m, and we want to split it into n shares.
So the first part is to first encode this message using a three-split-state non-malleable code to get states l, c, and r. We'll then secret share l using any t out of n secret sharing scheme. It need not be non-malleable or anything. So you can just think about Shamir secret sharing. To get the shares l1, l2, up to ln. We'll then share c using a three out of n. So here it's t; here it's 3, to get the shares c1 to cn. And finally, we'll secret share r using a two out of n secret sharing to get the shares r1 to rn. And the share corresponding to party i will be li, ci, and ri. So it will be evident in a few moments why we are using different thresholds. This is crucially used in the security argument. But let's first check if it's reconstructable. So given any t shares, you can use the reconstruction procedure for the underlying secret sharing to get the states l, c, and r. And then finally, we can use the decoding procedure of the non-malleable code to get the secret message m. So the interesting part is: how do we prove non-malleability of this construction? So recall that to prove non-malleability, we need to show that for any choice of adversarial tampering functions, say f1 to fn, the reconstructed tampered secret is either the original secret or something which is independent of it. So to do this, we actually reduce any tampering attack against the secret sharing scheme to a corresponding tampering attack against the underlying non-malleable code. That is, given these functions f1, f2, to fn, we construct functions g1, g2, and g3, which tamper with the states l, c, and r. And it follows from the security of the non-malleable code that the reconstructed tampered secret is either the original secret or something which is independent of it. But the main challenge in designing this g1, g2, and g3 is to ensure that they are independent. So to use the security of the non-malleable code, we must ensure that the tampering function g1 is independent of both c and r.
Similarly, the tampering function g2 has to be independent of l and r. And the tampering function g3 has to be independent of l and c. So ensuring this independence is the main challenge. And this is where we'll use the fact that we are secret sharing c and r using different thresholds. So let's see how we can argue that g2, which is tampering c, is independent of the first state l. So if you assume that the threshold t is greater than or equal to 4, now consider c, and it's secret shared using a 3 out of n secret sharing scheme. So it means that given any three shares, let's say c1, c2, and c3, we can use them to reconstruct c. However, because l is secret shared using a t out of n secret sharing scheme, and t is greater than or equal to 4, given l1, l2, and l3, l is completely hidden. So this is how we use the fact that these are different to ensure that g2 is independent of l. So given any three shares, it's possible to reconstruct c, but any three shares of l information-theoretically hide l. So we can use this to argue that g2 is independent of l. By a similar argument, we can show that g3, which is tampering r, can be made independent of both l and c. How? Since r is secret shared using a 2 out of n secret sharing scheme, given any two shares, let's say r1 and r2, it's possible to reconstruct r. But given any two shares of c, let's say c1 and c2, and any two shares of l, l1 and l2, it information-theoretically hides both l and c. So we have used the fact that these thresholds are different to prove that g2 is independent of l, and g3 is independent of both l and c. But still we need to prove independence in the other direction, namely we need to prove that g2 is still independent of r, and g1 is independent of both c and r. Okay, so to prove this, we actually use a tool called leakage-resilient secret sharing, which was introduced in the independent works of Benhamouda et al. and Goyal and Kumar.
So it's just like any other threshold secret sharing which satisfies this correctness property. And in addition, the secrecy property is now strengthened. So the secrecy property requires that any group of t minus one parties learn no information about the secret message m, even when they are given bounded leakage from the other shares. So the adversary is now provided t minus one shares in the clear, as well as bounded leakage from the other shares, and still he cannot tell what the secret is. Okay, so we'll use this primitive and we'll slightly modify the construction so that we'll secret share c using a three out of n leakage-resilient secret sharing, and secret share r using a two out of n leakage-resilient secret sharing. Now, using the leakage from this two out of n, we can in fact prove that both G2 and G1 are independent of r. And similarly, using the leakage from this three out of n secret sharing scheme, we can prove that G1 is independent of c. So we have proved independence in all directions. So this is the high-level idea behind the proof; there are lots of other things that I swept under the rug, but I'll encourage you to look into the paper for the details. And in this work, we also give efficient constructions of leakage-resilient secret sharing for any constant threshold t, and this is done via a connection to combinatorial objects called perfect hash function families, and this might be of independent interest. Okay, so this is the main idea behind the rate-efficient construction. And let me quickly go over the details behind the stronger results, that is non-malleable secret sharing in the stronger multiple tampering model. So the construction is exactly the same as before, except that we use a three-split-state multi-tamperable non-malleable code.
And we reduce any multi-tampering attack against this underlying secret sharing scheme to a corresponding multi-tampering attack against the non-malleable code, and this is the high-level idea behind the security. And as an independent contribution, we also give rate-efficient constructions of multi-tamperable three-split-state non-malleable codes. Okay, so to conclude, in this work, we give rate-efficient constructions of non-malleable secret sharing in the stronger security model of multiple tampering, and there has been a lot of recent progress in this area, and if you are not working in this area, then it's probably the right time to jump in. So in a subsequent work with Vasudevan, we actually extend the techniques in this work to get a constant-rate construction of non-malleable secret sharing. So here we just had a positive-rate construction, but there it's an explicit constant rate. The rate is close to one third, which is the rate of the underlying non-malleable code. And another interesting work of Kumar, Meka, and Sahai gives constructions of leakage-resilient secret sharing against a stronger model of adaptive leakage. So here the adversary is allowed to adaptively query leakage functions on the shares, and still the secrecy should hold. So this is a much stronger model than what we require for constructing non-malleable secret sharing. And another interesting work, Faonio and Venturi, gives a construction of continuous non-malleable secret sharing in the computational setting with optimal rate. And some of the interesting open problems are: can we get some lower bounds on the rate of non-malleable secret sharing? Another interesting problem is to improve the rate for more expressive tampering functions, and even positive results are very rare for these more expressive tampering functions. And that's it. Thank you for your attention. Any questions?
So I may be missing something, but is it clear that if you have a privacy threshold of T, you cannot hope to get a non-malleability threshold larger than T in this split model? We can still hope to get T minus one shares, we can tamper with T minus one shares together. And yeah, so there are lots of interesting, so there are some positive results in this area, but there are a lot of open questions. So in the split model, you could hope to get a non-malleability threshold larger than the privacy threshold. In the split-state model? No. When your functions are applied separately on each share? No, I didn't get your... So I'm asking you, I should say that I have a privacy threshold of 10. Can I hope to get a non-malleability threshold of 20? No, because you can just reconstruct the secret and then you can just tamper with it, let's say add one to it and then you can... So even if your tampering functions are separately tampering the secret, you can apply this attack? So you're saying that... So if I'm tampering with each share independently, then my reconstruction set can be as high as possible. Yes. But so I'm... I'm asking, I'm not saying. Yeah, yeah, exactly, so that is true. Okay. Thank you. So in your construction, why do you need two out of N secret sharing for R? Can't you just publicly send the amount of R and follow the same argument? Because it seems that secret sharing for R is not... Then we can't argue that tampering on C is independent of R, because we actually crucially used the fact that R is secret shared using a two out of N leakage-resilient secret sharing, which is something stronger than just threshold secret sharing, to argue this independence of the other tampering functions from R. So in order to reduce to the security of the non-malleable code, we need to have independence in all directions. But still when... So like if it was one out of N, still you could... Then I don't think this construction is secure. At least I don't have a proof that it is secure.
Okay, thank you. Any more questions? So kind of the same, in the same topic. When you talk, when you give that reduction to tampering on L and on C and R, what you basically showed is that the tampering on L is independent of C and R, what you showed is that tampering on R is independent of L and C, but you don't show the same on C. You show that C... No, we also show it. So... Okay, so you gave some simplification of the argument, right? Because like if you go this way and this way, you show that C is tampered independently of L. We need to show that G2 is independent of both L and R. Yeah, you need both of them, but you showed only from L and from R. Oh, R is actually done via this leakage-resilient secret sharing. So since R is secret shared using leakage-resilient secret sharing, we can use the leakage from this secret sharing scheme to prove that G2 is independent of R. So we just used the threshold sharing. It was showing that it's independent of L and then you add some leakage from R, right? So you can think about this leakage as the tampered state of C. Okay, I think I get it. Thank you. Okay, so if you replace this three-split by a two-split code, do you get the threshold T greater than or equal to three? Yes. Okay, yeah. More questions? No? Okay, so when you say you want to prove better lower bounds, like prove lower bounds, what do you mean? You already get a constant rate. You want to prove a constant lower bound? So the constant is one-third, what we achieve. So is it necessary to have this one-third, or is it possible to get just like Shamir's rate? I see, got it, okay. So thank you. Thanks to the speaker again. Thank you.
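The sharing and reconstruction phases of the construction described in the talk, together with the "three shares determine c but hide l" step of the independence argument, as an added Python example; this is not the authors' code. It assumes Shamir sharing over a prime field (the modulus is a constructed choice) and treats the three states l, c and r as given field elements: the three-split-state non-malleable code's encoder and decoder, and the leakage-resilient variant used for the other direction of the proof, are outside the example.

```python
import secrets

# Prime field for Shamir sharing; the modulus is a constructed choice for this example.
P = (1 << 61) - 1


def eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... at x (mod P)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def shamir_share(secret, t, n):
    """t-out-of-n Shamir sharing: a random polynomial of degree t-1 with constant term `secret`.
    Returns {party_index: share} for parties 1..n."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: eval_poly(coeffs, i) for i in range(1, n + 1)}


def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through the given {x_i: y_i}."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def shamir_reconstruct(shares, t):
    """Recover the secret from any t shares (extra shares are ignored)."""
    if len(shares) < t:
        raise ValueError("need at least t shares")
    return lagrange_eval(dict(list(shares.items())[:t]), 0)


def is_consistent(shares, candidate, t):
    """Is there a degree-(t-1) polynomial through `shares` and (0, candidate)?
    With at most t-1 known shares every candidate is consistent: this is the
    information-theoretic hiding the talk's independence argument relies on."""
    points = dict(shares)
    points[0] = candidate % P
    if len(points) <= t:
        return True  # fewer than t shares: any candidate secret can be interpolated
    xs = list(points)
    basis = {x: points[x] for x in xs[:t]}
    return all(lagrange_eval(basis, x) == points[x] for x in xs[t:])


def nmss_share(l, c, r, t, n):
    """Sharing phase: l with t-of-n, c with 3-of-n, r with 2-of-n Shamir sharing.
    (l, c, r) stand for the three states of a 3-split-state non-malleable code; the
    code itself is not implemented here, so the states are plain field elements.
    Party i receives (l_i, c_i, r_i)."""
    if t < 4:
        raise ValueError("the construction requires t >= 4")
    ls, cs, rs = shamir_share(l, t, n), shamir_share(c, 3, n), shamir_share(r, 2, n)
    return {i: (ls[i], cs[i], rs[i]) for i in range(1, n + 1)}


def nmss_reconstruct(shares, t):
    """Any t parties recover (l, c, r); the non-malleable code's decoder would then yield m."""
    if len(shares) < t:
        raise ValueError("need at least t shares")
    ls = {i: s[0] for i, s in shares.items()}
    cs = {i: s[1] for i, s in shares.items()}
    rs = {i: s[2] for i, s in shares.items()}
    return (shamir_reconstruct(ls, t), shamir_reconstruct(cs, 3), shamir_reconstruct(rs, 2))


def hiding_demo(t=4, n=5, states=(11, 22, 33)):
    """Three parties' shares determine c (3-of-n) and r (2-of-n) but hide l (t-of-n, t >= 4),
    which is why the tampering on c can be simulated without knowing l."""
    l, c, r = states  # constructed sample states
    shares = nmss_share(l, c, r, t, n)
    ls = {i: shares[i][0] for i in (1, 2, 3)}
    cs = {i: shares[i][1] for i in (1, 2, 3)}
    rs = {i: shares[i][2] for i in (1, 2)}
    wrong = lambda v: (v + 1) % P  # a constructed alternative candidate secret
    return {
        "c_determined": is_consistent(cs, c, 3) and not is_consistent(cs, wrong(c), 3),
        "r_determined": is_consistent(rs, r, 2) and not is_consistent(rs, wrong(r), 2),
        "l_determined": not is_consistent(ls, wrong(l), t),
    }


if __name__ == "__main__":
    sh = nmss_share(11, 22, 33, 4, 5)
    print(nmss_reconstruct({i: sh[i] for i in (2, 3, 4, 5)}, 4))  # (11, 22, 33)
    print(hiding_demo())  # c and r determined by three parties, l not
```

`is_consistent` is the check behind the argument that g2 can be built independently of l: when the known shares plus the candidate secret number at most t points, a degree-(t-1) polynomial always passes through them, so every value of l is equally consistent with l1, l2, l3 once t is at least 4, while the same three parties pin down c and any two of them pin down r.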