 OK. Thank you. And it's about continuously normalable codes in the split state model, for minimal assumption, this is joint work with Rafe Strozky, Daniela Venturi, and Ivan Viskoti. OK. So we are talking about coding schemes. So there is some overlapped with previous talks. So I'm going to go faster. So I have two algorithms. One is the encoding algorithm, and the other is the coding algorithm. encoding algorithm can be randomized. So it takes plaintext, M, and that puts a codeword C and the codeword is given to the decoding algorithm which comes up with plaintext. And hopefully I want M to be equal to N prime, and I measure the efficiency as the rate, meaning the ratio between the length of the plain text and the length of the code word. And correctness, like if you encode them, then you decode, then you get the same thing with overwhelming probability over the random coin tosses of the encoding algorithm. The coding algorithm could be in principle, could be randomized as well, but typically it's deterministic. So there is a new notion on this that has been introduced quite recently, relatively recently, by Zembowski, Peter, Jack, and Vicks, like a few years ago, and it's about non-manualable encodings. And so what do you have here? You have the encoding works as usual, but then before getting the code word to the decoding, there is an adversary that applies a function f, a tampering function. And this tampering function is independent of the randomness used by the encoding, and it creates a new code word, c tilde. And we want to prevent the adversary from creating a code word, c tilde, for a related plain text, m tilde. Normally, it means that either m tilde is equal to m, meaning f doesn't do anything, or that m tilde is independent of m, because the adversary can always just forget about c and encode a different message which is completely unrelated to m. And so, for example, you might have something like, if the first bit of m tilde of m is zero, you leave it as it is, otherwise the adversary creates an invalid code word. That would be considered a success for the adversary. Or something else, like you take an encoding of m, and you produce an encoding of m plus one. And of course, as has been pointed out also in the previous talk, like if you allow the adversary to do anything, then since this is a keyless primitive, it could just decode and encode a related message. So, we are playing and we are trying to come up with a significant family of functions, color f, which is interesting enough, in which we can do something meaningful with it. Okay, so this is the classical notion, and we look at the continuous normality case. This has been introduced by Faust et al a few years back, and the difference here now is that the adversary is not allowed just to try one tampering function, but it can try several tampering functions, polynomial remaining, okay? So, instead of having just f, you have fi for i equal one to poly. So, there are some caveats. Okay, first of all, the same fi is applied to the, sorry, the fi's are applied to the same codeword, my adversary. And we also have a restriction, which is necessary, that the first time the adversary produces an invalid codeword, then the experiment stops, meaning that from that moment on, the adversary just, it doesn't get any feedback, essentially, it just says, oh, invalid, invalid, invalid. And also, in the adversary, in the experiment where we have the experiment with two possible codewords and two possible plaintext, m0 and m1, and the adversary is trying to guess which one of the two has been encoded. Of course, we cannot, like if the adversary doesn't do anything, it cannot just learn, oh, that was an encoding on m0, so it just learns that that was an encoding of the same plaintext. So, the definition, this is a game-based definition, like that the view of the adversary for any polynomial number of tampering queries is the same for any to plaintext, m0 and m1. So, there are various related, various applications of this concept, I'll be very fast, these are known, they've been discussed before, essentially they have to do with physical attacks, like we know that we can read some of the bits by reading the radiation, we can modify some of the bits, and some of these attacks are practical and effective on some important cryptographic primitives, like AS, and so we want to protect against this, and in general, normalible codes could be used to do some sort of a compiler that makes things tamper-proof. Essentially, okay, so we compile the functionality that we are supposed to compute by taking the input and encoding the input, and then operating on the codeword. Okay, this is. And now, here, we are using, we let the adversary try several tampering functions with the exception that if, at one point, it produces an invalid codeword, then all bits are off, and the codeword, the adversary gets no further information. And this is a theorem that was in the original paper, that if it's f-nomalable, meaning nomalable with respect to its family of function, of tampering function, and the compiled functionality is f-memory tampering, is secured against f-memory tampering from the same family of functions. Okay. Why continuous nomalability? Essentially, you could have continuous nomalability from one-time nomalability by at the price of raincoding and perfectly erasing. Erasing could be problematic, because we know that this is very hard to achieve in physics, and so what we do, we just try to encode this security notion in our primitive, and we try to construct it. Okay, this is an example that was also in the previous talk by Yanis. Nomalability in general is impossible if we allow the adversary to do anything, because it could decode, as I said before, it's a keyless primitive, and read, oh, this is M, and now I encode M plus one, and then I win the game. In this talk, I concentrate on a specific model, which is the split-state model. In the split-state model, the codeword is divided into left and right part, and the adversary can tamper each of the two parts independently, so it has two tampering functions, f-zero for the left part and f-one for the right part, and each is applied to the left part and the right part. Okay, so let's now talk a little bit about our definition. First of all, I imposed a... I imposed a self-destruct condition, like the first time during the... the first time the adversary produces an invalid codeword, then the whole system distracts. Why is this necessary? This is necessary for otherwise we cannot achieve any security, and there is a very simple attack, which is described on this talk. Like, the adversary makes one tampering query for each bit of the codeword, and he try and... he manages to reconstruct the whole codeword, and once he has the whole codeword, then he can do anything, because he can decode it locally and then have two tampering functions that just encode a related message. Okay, so how is the attack? It makes one tampering query for each bit of the codeword. So he keeps an initial reading of... sorry, a current reading of the bits of the codewords, x i to x in minus one, and then he does the following. The tampering, the height tampering just sets the height bit of the codeword to zero, and then he sees what happens. If he gets... He can only get two possible results, same or spade or error. If he gets same, then he guesses that the codeword has encrypted the height bit of the codeword is zero, otherwise he deduces that it's one. And then he constructs. If you think carefully, it doesn't actually reconstruct the same codeword, that decodes correctly to the same message that was encoded. And once he has x, the old codeword, then he can do the attack. So unless we prevent the adversary from... to mount this attack, there is no possible... there is no possibility of achieving normal ability. So let's talk now about another necessary condition. So this was observed in the first paper that dealt with continuously-nomalable codes and that any continuously-nomalable code that is secure needs to enjoy the following message uniqueness property. Essentially means that for any left part c0 prime, there must be only one possible right part that make a legal codeword. And if this is not true, then you could have a simple attack that defeats continuously-nomalability. And so this is the attack. Essentially the attack is the following, like the two tampering functions f0 and f1, what do they do? They just rewrite the left part with c0 prime and then they rewrite the right part with c01 prime or c0 double prime, c1 prime or c1 double prime depending on the i-th bit. And then the code and then he observes whether do I get m prime or m double prime and then I read the specific bit. And this attack will work unless the message is unique. Because unless the code is the message uniqueness property because in that case either you cause an error in which case you lose or you just know what happens. You get the same message. So there has been some previous work on non-malibal code. One time non-malibal code that were introduced by Zambolski et al in 2010. And state of the art construction is by Agavar et al that gave first information theoretic in the plane model multiple bits stock some few years back and there is also another construction that added the leakage resiliency and for continuous non-malibal that was introduced by Faust and the only add construction with strong set up assumptions. Also as I said there is one important distinction between persistent and persistent. If you remind when I explained the model in persistent we are in the persistent case. Like the codeword says the same and the same function is the tampering functions are applied on the same codeword. This is without loss of generality because you can think that if you want a non-persistent like you apply F1 and then you have a new codeword then you apply F2 on the second codeword you can always do this in the persistent case because what do you do? Instead of F2 you have F1 composed with F2. And there is another notion between basic non-malibility which depends on whether the adversely sees that the coded message or the tampered codeword. And this is an important consequence on the achievability of the notion because Faust et al considered super non-malibility which implies codeword uniqueness and added construction in the CRS model. And recently there has been a paper by Dahman Soled that proved that codeword uniqueness implies super non-malibility for the split state and this requires non-falsifiable assumptions. So what do we do? We go back to the standard non-malibility of the original paper by Zembozki et al and this is what we do. We prove that if one-to-one one-way functions exist then there exist continuous non-malibal code in the split state model in the standard model like no CRS and of course non-falsifiable assumption and it also proved that there is a message unique code like a code that has the property of message uniqueness but that is not continuous non-malibal. Fet for a while during our research we thought that uniqueness was not only necessary but was also sufficient but we have a very simple construction. So now I'll give you an overview a very fast overview of what we do and how we do it. This is a first attempt. OK, so we know that we need uniqueness. How do you impose uniqueness? You do a commitment. So what do you do? You do a commitment gamma 0, gamma 1 of M and then on the left part you put one of the commitment and the randomness used for the other and vice versa. So you have gamma 0, R1, gamma 1, R0 that part. The problem is that commitments now could reveal commitments are not supposed to reveal the message but they might reveal a bit. You might have a stupid commitment that doesn't use one of the random bits and then repeats the random bits in the commitment without affecting probability. And this is a problem because now if you try to prove security of the non-malleability of this construction even if you use non-interactive non-malleable commitment which you can do under some very strong assumption then it's very difficult to reduce the attack to an attack on non-malleable commitment and here I have on the slides an explanation of this but I'm going to skip. So what do we do essentially? The randomness of a commitment by encoding the message with now a non-interactive commitment which quite surprising could be a regular non-interactive code it doesn't need to be non-malleable and then we use an inner non-malleable encoding to encode the message and the randomness. So this is our construction. So you have a left part which is a commitment gamma which is m using randomness r and then you have c0 prime which is the left part of a non-malleable commitment one time non-malleable commitment of m concatenated with r. So how do you decode? When you get c0 and c1 you first check that the same commitment gamma appears left and right and if it's the case then you decode c0 prime c1 prime m and r and then you check that m and r are actually the message and the randomness used to compute gamma and if this is the case you give m as an output. So this is the main this is the construction and there are some how do you do this? Now you are going to reduce an attack on this either on the commitment or on the inner one time code the inner one time code is information theoretica this gives us some leverage because now our reduction can run in exponential time and this is important because we are going to use our exponential time to break the commitment the commitment is statistically binding so I can break it in if I have enough time and I still have a significant I still have a meaningful reduction because the inner construction the inner one time code is information theoretica but to do so I have a problem because the inner code knows nothing about commitment but I'm using commitment so I need to I need a function that leaks some information that says oh suppose that there is a commitment then what do I do I apply the commitment and I want to know what happens and then I need to keep our inner inner one time non malleable code with the leakage function and this is what and this has been achieved for one time in the paper by Agavarital which we are going to use internally ok so this is the proof an overview of proof which I'm going to skip since running out of time and this is the main the main trick the main trick is that ok so we also have one more restriction the inner code is a one time code so I cannot ask many questions actually I can only ask one question so what do I do I do the following I just simulate optimistically meaning that every time I receive a query from my continuous attacker I just enumerate all possible commitments and then I reply to the attacker with the most with the answer which has the highest probability and then I continue when the attacker at the end knows feels that he can break it what do I do a leakage query that says tell me of all these queries that I have simulated optimistically internally what was the first query that actually I made a mistake so that I can rewind there and start the simulation again and now of course you have to think that leakage is I have leakage but I don't have unbounded leakage so I have to bound the number of mistakes that I make I need codeword independence meaning that essentially there is no subliminal channel between the left and the right part and this properties that we formalize as codeword independence and conditional independence we formalize and we show that they are sufficient so we can do our proof and then we use the agavarital from tcc16 construction and prove that it's information secure information theoretically secure even in the presence of leakage this was known and what we do we prove this to specific technical property that we need for our proof to go through and this is the second result I just have one slide on this it's uniqueness is not sufficient this is a unique code it's okay this escaped us for a while so we thought we deserve the slide and can be broken without two tampering queries and I'm running out of time so I'll do very quickly essentially what does it do it does the following you have one time part m plus k, m is the message k is the key of the one time part and what do you do you do the following you normally encode both nk but then the decoding is very stupid because it only looks at c00, c01 and then that's what it does and now what do I do I can switch the two c00 with c01 and c01 and c11 so that I learned k and then I use k to decode one time part and once I have m I can do whatever because then I can encode so with two tampering queries first swap and learn k and then actually do the attack I can break and this scheme is easily seen to be a message unique okay thank you that's what I wanted to say sorry I was a little bit