The next talk is the final talk in this session. It's about the torsion limit for algebraic function fields and its application to arithmetic secret sharing. It's given by Ignacio Cascudo, Ronald Cramer, and Chaoping Xing. Ignacio will give the talk. Okay, so thank you. So this talk is about arithmetic secret sharing. This is a notion that has had a number of applications in information-theoretically secure cryptography, especially two-party cryptography. So before I talk about these applications, I have to define these arithmetic secret sharing schemes, and the definition is itself already a contribution in the general form that we will give it. So... Yeah, so first I need to define what an n-code is. So we have a finite field, F_q, and two integers, k and n. k will be the size of the secret, n will be the number of shares. An n-code is a vector subspace of F_q^k x F_q^n that satisfies two properties. So if we think about the codewords in C as having in the first k coordinates the secret and in the last n the shares, then the property that we need is, first, that any vector in F_q^k is the secret coordinate of some codeword. In other words, that we can secret-share any vector of F_q^k. And the other property that we need is that the set of all shares determines the secret. So if we know all the shares, there's only one possible codeword that contains them. Yeah. So we define these two properties of n-codes. First, r-reconstructing means that any set of r shares also determines the secret. And then, well, of course an n-code is n-reconstructing by the definition before. And the contrary property, an opposed property, is that a code is t-disconnected if any set of t shares is independent from the secret. This doesn't mean, doesn't imply, that the sets of t shares are uniformly distributed in F_q^t. If this happens, we say that the code has uniformity.
Okay, so until now, so far, we have only talked about usual properties of secret sharing. Now we define the arithmetic properties that distinguish this line of work. So it's all about powers of an n-code. So given an n-code and a positive integer d, we define the d-th power as being the linear span of all coordinate-wise products of d codewords in C, which don't need to be different. We would like to talk about privacy, or disconnection, and reconstruction in this power of the code, but the problem is that this is not always an n-code, because even though C is an n-code, the power satisfies the first property, that we can share any secret, but what is not always satisfied is that the set of all shares determines the secret. So the power is kind of a destructive process. This inspires the following definition, the definition of arithmetic secret sharing scheme. An (n, t, d, r) arithmetic secret sharing scheme, where t is at least one and d is at least two, is going to be an n-code that is t-disconnected and such that the d-th power does satisfy the property that it is an n-code, so that the set of all shares determines the secret. And actually we ask for more: we ask that it is r-reconstructing. So, well, if the underlying code has uniformity, we say that the arithmetic secret sharing scheme has uniformity, which is important for some applications; I will come back later to that. Okay, so this definition [...]
[...] under the catchy name of arithmetic codex, that you may remember if you attended Ronald's invited talk at Eurocrypt. OK, so such secret sharing schemes exist. Shamir's secret sharing scheme has this property, actually, given the appropriate constraints. Also Franklin and Yung's, which is the generalization for more than one secret. The constraints are these two. So this one is to be able to construct the scheme, and this is to get the arithmetic properties. But if we look at the first constraint, we see that the number of shares has to be bounded by the size of the field. So the question that we wonder about is what happens if this field is fixed, but we want to have an arbitrarily large number of players. So can we still get positive rates of t? Can we get t linear in n? This is going to be always bounded. Yeah, so constant; I didn't say it. OK, so in order to answer this question, Chen and Cramer introduced algebraic geometric secret sharing schemes in 2006, and they proved that for some fields you can achieve this property. Namely, those that have Ihara's constant, which is some algebraic geometric notion, bigger than 2 times t. And this includes all q squared, with q bigger than this thing here, and q extremely large. The authors of this paper together with Chen considered a weaker notion, the case where d equals 2, and we drop this requirement of uniformity, and proved that we can get this for any finite field. OK, so what are the applications of this asymptotic study of arithmetic secret sharing schemes? Well, so the original application was giving an asymptotic version of the results by Ben-Or, Goldwasser, and Wigderson, and independently Chaum, Crépeau, and Damgård, that proved that there exist multi-party computation protocols which are information-theoretically secure against an adversary corrupting one-third of the players. But the problem is that they use Shamir's scheme.
So if you want to have an asymptotic version, one can use the ideas of Cramer, Damgård, and Maurer, combined with these algebraic geometric schemes. But what I want to stress is that lately, in the last few years, there have been new applications of this work in two-party cryptography. And this might seem a bit surprising, because why should we care about having many shares if we are in a scenario with two players? Well, that's of course because the secret sharing schemes are not used to deal shares to the real players of the protocol anymore. But they are going to be used as, well, abstractly we could say, virtual processes. Of course, the role depends on the concrete application. So for example, we have the paper by Ishai, Kushilevitz, Ostrovsky, and Sahai. This is the so-called MPC-in-the-head paradigm. They construct zero-knowledge protocols using secure multi-party computation protocols. So the prover basically simulates in his head some secure multi-party computation protocol and then opens the views of some of the players on request of the verifier. So the players are virtual. And for some of the results, we need a large number of those. And then you have other papers. Some of them you can remember from the last talk, especially this one. And some of the papers that have used these tools require other, stronger properties, like this uniformity that I explained before, or d bigger than two. So our results in 2009 fall short sometimes. Another interesting property of these schemes is that if you have these arithmetic properties, a secret sharing scheme with these arithmetic properties, this allows for an efficient and simple error correction algorithm that can reconstruct the secret in the scenario where we have all the shares and t of them are faulty. We actually, in this paper, generalize that to the case where we have an (n, t, d, n-t) arithmetic secret sharing scheme and we want reconstruction in all the powers up to d minus 1.
This is important because in some works it seems to be required to have this error correction also in C squared. OK, so then, but the main results of this paper I explain here. What we do in this paper is introduce a new technique to construct these algebraic geometric secret sharing schemes. In order to do that, we need to define a new algebraic geometric notion, which we will call the torsion limit, and it seems to have applications in other areas apart from cryptography. We will prove bounds for this notion, and we will get, as an example of a result for the case d equals 2, that there exist asymptotically good infinite families of these arithmetic secret sharing schemes for fields such as F_8, F_9, and all fields with more than 16 elements. We can compare this with the results in CC06 here, and they could only achieve this for q squared and bigger than 49. And actually, even when they achieve this, with these new techniques we can improve the rates of t divided by n. And we can also improve our results in 2009. Actually, algebraic geometry seems to be the only way so far that we can achieve such results. In particular, probabilistic methods don't seem to work, as opposed to what happens in coding theory, where algebraic geometry only gives some improvement on results that are also achievable by probabilistic methods. OK, so the following slides are a bit technical, so I will only go a bit fast over them. We use algebraic geometry codes, so we consider a function field over a finite field, and these codes are evaluations of some subspaces of this function field. So the good thing about algebraic geometry codes, apart from the fact that they give good families in the coding-theoretic sense, is also that we can control the behavior of the powers of the code, because the power of an algebraic geometry code is contained in another algebraic geometry code with known parameters.
So we can characterize the arithmetic properties with what we call Riemann-Roch systems of equations. These are systems of equations over the class group, where we equate some Riemann-Roch dimensions of certain spaces, and if we have a solution of this system then this yields an arithmetic secret sharing scheme with the properties we want. So in CC06, what they did to solve this was impose strong conditions on the function field, and then they could prove that any divisor of a certain degree is actually a solution. But that, as I say, imposes strong conditions on the function field, so you cannot always achieve these things. In our paper, what we do is... well, we have a smarter way to prove that there is a solution of this system of equations without imposing such strong conditions, and then we can sum that up in some inequality that involves some parameters of the function field. Many of them we can deal with by using some results that have appeared in other papers in coding theory. But the problem is this guy here. This is the size of the torsion subgroup of the class group. And well, this hasn't, as far as we know, been treated in those papers. So we need to bound these elements, and we have to do so asymptotically. So we have to consider a limit that compares the size of these things to the genus of the function field, in a family of function fields. So that's what we call the torsion limit. We define this notion. Yeah, we can do that over... consider it over all families of function fields over a finite field. And we finally can get a theorem where we have a condition, a sufficient condition, to get these asymptotically good families of arithmetic secret sharing schemes with all the properties we want. The condition is that Ihara's constant of q is bigger than 1 plus this torsion limit. So Ihara's constant, at least for some finite fields, is known or bounded. So we still have to bound this thing. And yeah, so we do so.
We have some weaker bounds that we get by applying some classical results in algebraic geometry, in, yeah, abelian varieties. But if we work more, we get much better bounds for some specific families, namely Garcia-Stichtenoth families of function fields. Okay, so I already jumped to the conclusions. Yeah, so, as I said, arithmetic secret sharing schemes seem to be an important primitive in information-theoretically secure crypto. Asymptotics seem to play a role, an important role, in some recent applications in two-party cryptography that I have mentioned before. The only way that we have so far to have these good asymptotic constructions seems to be algebraic geometry. And we suspect that it has to be like that, but we don't have a proof of it. In particular, probabilistic methods that work in coding theory to get asymptotically good families, in the sense of good dimension and distance, don't work here. And in this paper, we have presented some more general definitions and a framework, and we have presented a new methodology to construct these algebraic geometric secret sharing schemes asymptotically, and we get existence results that we didn't have before. We have also quantitative improvements. And on our way to do that, we have introduced a new mathematical notion that seems to have applications in other areas, like algebraic complexity of multiplication in extension fields. And this is the torsion limit. So, thank you very much. We have time for only short questions. Do you have any questions? Okay, let's send. Thanks to the speaker again.
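The definitions from the talk, worked through on Shamir's scheme (the base case the speaker says has the arithmetic property under the appropriate constraints), as an added example that is not part of the talk or the paper: it checks t-disconnection with uniformity by enumeration, reconstructs a product of two secrets from shares of the squared code, and exhibits the "destructive" effect of the d-th power once d*t reaches n. The parameters (F_13, n = 10 shares at points 1..10, t = 2) and the reconstruction constraint n - t >= d*t + 1 are assumptions made for the illustration.

```python
import itertools, random
P, N, T = 13, 10, 2   # constructed: field F_13, N=10 shares at points 1..N, threshold t=2
def poly_eval(coeffs, x):  # coeffs[0] + coeffs[1]*x + ... over F_P
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
def share(secret, coeffs=None):
    # Shamir: polynomial of degree <= T with f(0) = secret; share i is f(i), i = 1..N
    if coeffs is None:
        coeffs = [secret] + [random.randrange(P) for _ in range(T)]
    return [poly_eval(coeffs, x) for x in range(1, N + 1)]
def lagrange_at_zero(points):  # recover f(0) from (x, f(x)) pairs; needs deg f < len(points)
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total
def product_reconstruct(shares_a, shares_b, indices):
    # The coordinate-wise product lies in C^{*2} (degree <= 2T), so any
    # 2T+1 <= N-T of its shares give the product of the two secrets.
    prod = [a * b % P for a, b in zip(shares_a, shares_b)]
    return lagrange_at_zero([(i + 1, prod[i]) for i in indices])
def t_private_with_uniformity(indices):
    # T-disconnection with uniformity: for every secret, the T shares at
    # `indices` take each of the P^T values exactly once over all polynomials.
    for secret in range(P):
        seen = {}
        for tail in itertools.product(range(P), repeat=T):
            key = tuple(share(secret, [secret, *tail])[i] for i in indices)
            seen[key] = seen.get(key, 0) + 1
        if len(seen) != P ** T or set(seen.values()) != {1}:
            return False
    return True
def destructive_witness(d):
    # C^{*d} is spanned by evaluations of degree <= d*T.  Once d*T >= N, a product
    # of d sharings can have all-zero shares yet a nonzero secret; None if d*T < N.
    if d * T < N:
        return None
    shares, secret = [1] * N, 1
    for k in range(d):
        coeffs = [1]                       # factor k vanishes at points k*T+1 .. (k+1)*T
        for r in range(k * T + 1, min((k + 1) * T, N) + 1):
            coeffs = [(lo - r * hi) % P for lo, hi in zip([0] + coeffs, coeffs + [0])]
        shares = [s * v % P for s, v in zip(shares, share(coeffs[0], coeffs))]
        secret = secret * coeffs[0] % P
    return shares, secret
```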