 Thanks for the introduction. So I'm going to talk about leakage resilience secret sharing and applications, and this is based on joint work with Prashant Nalini Vasudevan. So let me start the talk by giving you a brief overview of threshold secret sharing. So as you might all be aware, it was introduced in the seminal works of Shamir and Blackley in the late 70s. And in this setting, there is a dealer who has a secret message M, and he wants to split this secret into N shares, SH1 to SHN with some threshold parameter T. The dealer then sends the IH share SHI to party PI. So we require a threshold secret sharing to satisfy two properties. The first is the correctness property, which states that any group of T or more parties can come together, use their shares to reconstruct the secret message M. And the second property is the secrecy property, which states that any adversary who's correcting at most T minus 1 parties learns no information about the secret message. So threshold secret sharing is a fundamental cryptographic primitive with numerous applications. Some of the applications include constructing secure multi-party computation protocols, constructing threshold cryptographic primitives and so on. And the security of all these applications crucially rely on the secrecy property of the underlying secret sharing scheme. So the question we would like to address today is that, what if the adversary in addition to corrupting T minus 1 parties, also learn some partial information about the Harness party shares? So this information could be leaked to the adversary via some side channels that it might have on the storage devices of the Harness parties. So the privacy property that I just mentioned does not give any guarantees under the stronger adversarial model. And hence we need a stronger notion of security in order to capture this. So this was done by two independent works, one by Benhamudda et al, which appeared in crypto last year and other by Goyal and Kumar that appeared in stock 2018. And they introduced this notion called as leakage-resilient secret sharing. So leakage-resilient secret sharing is just like any other threshold secret sharing satisfying the correctness property. In addition, the privacy property is now strengthened to something called as leakage-resilience. So this states that any adversary who's corrupting at most T minus 1 parties learns no information about the underlying secret message M even when given some bounded leakage from the other shares. So let's see the formal definition. So the formal definition is modeled as a game between an adversary and a challenger. So the challenger first generates the sharing of some secret message M and let's call the shares to be SH1 to SHN. The adversary now gives a set T which denotes the set of corrupted parties as well as some leakage functions FIs to be applied on the Harness party shares. So we require two properties. The first is that the size of the set T which denotes the number of corrupted parties that should be less than or equal to T minus 1. The second property is that the output length of this function FI should be bounded. So notice that if we allow the output length of these functions to be arbitrary, then the functions output length could be as long as the share size. And if the identity and the functions are just identity functions, then the adversary gets all the information about the secret. So here we cannot hope to give any sort of privacy and hence we need to restrict the output length of these leakage functions to have some bounded length. However, notice that we do not place any restrictions on the computational complexity of these leakage functions. So these leakage functions could be arbitrary as long as they have a bounded output length. So given this the challenger now sends back the shares corresponding to the corrupted parties as well as the output of these leakage functions applied on the harnessed parties shares. So at the end we require the adversary given even this additional information not to learn any information about the secret message M. Okay, so this is the formal definition and let me give you a brief overview of the prior work in this area. So Guru Swami and Wooters in 2017 showed that Shamir's secret sharing when instantiated over finite fields with characteristic two is not leakage resilient. That is they showed an explicit reconstruction strategy that allows an adversary to obtain the entire secret given some partial information from all the shares. In interesting work, Ben Hamuda et al. showed that Shamir's secret sharing when instantiated over a large prime order field is in fact leakage resilient for thresholds T greater than or equal to N minus N to the one fourth. And in the work of Goyal and Kumar, they gave a different construction of leakage resilient secret sharing scheme for the constant thresholds case. So as you can see, there is a huge gap which is left. So the first question that we would like to address is that can we construct a leakage resilient secret sharing scheme for all thresholds? And the second question is that can we extend it to for all monotone access structures? So in this work, we resolve this question. So we show a compiler that takes any secret sharing scheme for a monotone access structure A with some rate R and it converts into a leakage resilient secret sharing scheme for the same access structure with the following properties. The first property is that the rate of the resultant secret sharing scheme is only a constant multiplicative factor worse than the rate of the original sharing scheme. That is the rate of the leakage resilient secret sharing is R over 3.01. And the second property is that the leakage resilience rate which is defined to be the ratio of the number of bits leaked to the share size can be made to be arbitrarily close to one. So this in turn implies that even if we leak almost 99% of the share size, we can prove security. And in the next talk, you'll hear from Mark about their construction which also gives such a compiler. Okay, so as an application of our compiler, we show how to construct a constant rate non-malable secret sharing scheme in the information theoretic setting. So as you heard in the first talk, non-malable secret sharing is just like any other threshold secret sharing scheme that satisfies the correctness and the secrecy properties. It also satisfies this additional non-malability property which roughly states that any tampering attack on the shares either preserves the original secret or completely destroys it. So this notion was introduced in the work of Goer and Kumar in 2018. And it can be thought of as a generalization of this notion of non-malable codes. And a question that was left open in the work was to construct a constant rate non-malable secret sharing in the information theoretic setting. So what we show in this work is that if we plug in our leakage resilience secret sharing with the non-malable secret sharing compiler of Badrinarayan and Myset that appeared in EuroCrip this year, we can in fact get a constant rate threshold non-malable secret sharing for thresholds T greater than or equal to four. And in the next talk, you'll also hear about giving a stronger notion of non-malable secret sharing from this leakage resilience secret sharing. And I hope that Mark will be able to give these details. So as another application, we also give a leakage tolerant multi-party computation for general interaction patterns. But unfortunately, I wouldn't have time to go into the details and I would encourage you to look into our paper. Okay, so in the rest of the talk, I'll focus on the threshold case. I'll give you a construction of a leakage resilience secret sharing that has a constant rate, but the rate would be small, it would be worse than the promised by a compiler. And also the leakage resilience rate that our construction satisfied would be worse, but then the optimum of one, but it's still a constant. So these simplifications are just for the purpose of this talk. Okay, so let's start with the construction. So let's say that we want to secret share a message in. So the first step in our construction is to just split this message M into N shares using Shamir secret sharing. So here we do not assume any leakage resilience property from the underlying Shamir secret sharing scheme. Okay, so let's assume that each of these Shamir shares is in a finite field F. The next step is to choose a random vector R from F to the K, where K is some constant. Okay, so once you choose this R, you then choose a random vector L1 from F to the K such that the inner product of L1 with this R is equal to the first Shamir share SS1. Then you do this for the next one as well. So you choose a random vector L2 such that the inner product of L2 with the same R is the second Shamir share SS2 and so on. So you choose L3 up to LN such that the inner product with R is the corresponding Shamir shares. Okay, so thus you obtain L1 to LN and this is the second step. So the final step is to take this vector R and you then split it into N shares R1 to RN using Shamir secret sharing now over F to the K. Okay, so the share corresponding to the I at party will be LI comma RI. Okay, so this is the secret sharing scheme. So how do we reconstruct? You first, given any T shares, you can use the Shamir secret sharing to reconstruct this R. Then you take the inner product with the corresponding LIs to get the T Shamir shares of M and then you use the reconstruction of Shamir again to get the secret message. So this is how the reconstruction works. So the interesting point is that how do we show that it is in fact secure against in the leakage model? So for the purpose of the stock, let's assume that the final T minus one shares are revealed in the clear. This corresponds to the set T and there is some arbitrary leakage function acting on the rest of the shares. So this is just for the purpose of the stock. So the proof actually follows from several observations. So the first observation is that each individual leakage function F does not learn any information about the secret vector R that was chosen in the sharing phase. So to see why this is the case, notice that each of these FIs just looks at one of these RIs and since R is in fact a Shamir share of R, it hides all the information about R. So one can roughly think about the leakage function acting solely on the vector LIs. So this is the first observation that the FI of LI comma RI, FI does not get any information about R. So the second observation is that the output of this leakage function FI of LI comma RI hides all information about the Shamir share SSI. Okay, so to see why this is the case, notice that inner product acts as a strong two source extractor. So even given some bounded leakage on one of the sources, here one of the sources is LI, the inner product of LI with the other source which is R has sufficient entropy. So this can be formalized to show that FI of LI comma RI hides all information about the underlying Shamir share SSI. So this is the second observation. And the third observation is that the only Shamir shares that the adversary gets access to are those which correspond to, which are revealed in the clear. And since there are at most T minus one revealed shares, it follows from the privacy of the Shamir secret sharing of N that these T minus one shares hide information about it. So this is the rough intuition behind the proof. Of course, there are lots of subtleties involved and I would encourage you to look into the paper for the exact details. So to conclude the main result in our paper is to give a compiler that converts a secret sharing scheme for a monotone access structure A to a leakage resilience secret sharing scheme for the same access structure with the following property. So it has a constant factor degradation in the rate and it has optimal leakage resilience rate. And we gave applications to constructing constant rate non-malable secret sharing in the information theoretic setting as well as application to constructing leakage tolerant MPC protocols for restricted interaction patterns. And in a concurrent and an independent work, Kumar Meika and Sahai gave a stronger notion of leakage resilience property and they actually gave interesting constructions based on connections to communication complexity. So an interesting open question would be to find other applications of leakage resilience secret sharing scheme. And that's it. Thank you for your attention. Mark Simkin will continue the presentation. All right, so I'm going to present our paper which deals with a very similar topic to the paper that we just heard about. So this is stronger leakage resilient and non-malable secret sharing for general access structures. And this is a paper joint work with Divesh Agarwal, Ivan Damgard, Jesper Busnilsen, Machi Abramsky, Eric Provanto, Joe Ribeiro and me. And yes, so we like already heard like what is non-malable secret sharing with this leakage resilience secret sharing in the previous talk. So I'm kind of gonna focus on the things that you didn't hear so much yet. So non-malable secret sharing, as you had before was introduced quite recently, but like a lot of papers deal with this problem and the idea is again that you have some file and you secret share it like you compute a bunch of shares and now the adversary can somehow tamper with each file independently with each share independently. And what we would like is that the reconstructed secret from the tampered shares is either the same as it was before or it is completely unrelated. Okay, so we want to prevent that it is transformed into a related message. And the first notion dealt with the case of a single tampering and like a minimal reconstruction set. And what we do in this work is that we extend this non-malability notion to something that we call concurrent reconstruction. And the idea is that in this case, the adversary cannot specify like one set of tampering, not one vector of tampering functions, but several vectors of tampering functions. And so he does this in a non-adaptive way which is in contrast to the paper that Antonio presented. So here he like has to specify all of the vectors at once. And then the secret sharing at the top will basically be thrown into these tampering functions. And then even we can use different reconstruction sets here which are again chosen non-adaptively by the adversary. We reconstructed different reconstruction sets to get different kind of corrupted secrets. And again, we want to have the property that all of those secrets are so that for any one of those secrets, it's either the same one as it was before or it is completely unrelated. Okay, and yes. Okay, so what we do in our papers basically, this is kind of abstractly speaking, like we construct like leakage resilience, secret sharing construct non-mailable secret sharing, but the general idea of how to construct all of them follows the same kind of blueprint. So what we will end up doing is we will take a secret sharing scheme and we will take some encoding function and we will like mingle them together. And then depending on which encoding function you plug in you will get either leakage resilience or you will get non-mailability. So it's kind of like a general simple approach of how to do these things. Yes, so we get leakage resilience. So and all of this is for general access structures and with information theoretic security. And yes, our non-mailable secret sharing will be for three monotone general access structures so that means that any authorized set has at least size three. And then we use again basically the same approach to show that you can also build something which we'll call leakage or non-mailable threshold signatures which I'll like skim over towards the end of the talk. And in comparison to the previous talk what we basically have is that both so both the non-mailable secret sharing and the leakage resilience secret sharing that we construct has a signal like a worse rate than the constructions from the previous talk but in comparison to the previous talk we achieve a stronger security notion for our non-mailable secret sharing. So this is kind of how the two papers complement each other. Okay, so kind of on a very high level what we have is we're given some secret sharing for some access structure and what we would like now to do is we would like to take those shares and somehow re-encode them into new shares such that we get like the leakage resilience and non-mailability properties. And what we, yes. And what we will basically do is think of like we have some encoding function which takes each one of those shares and it will produce two different shares. Okay, and then again we will plug in different encoding functions to get different things. So what we simply do is we will take each of those shares and we will split it into two shares with this encoding function. And now we will redistribute the shares accordingly as follows, so originally the first share was this and now the new first share will be this vector of shares, okay? So what does this, what is this? It will be the green one of the first share and then all of the other red ones, okay? And for the second share it will be like the green one of the second one and then all of the red ones from the other ones and we'll continue doing this. Now if we want to reconstruct, say we have this first and the second share then we can combine those two and those two to reconstruct the original two shares and then if this is kind of like, if the X structure allows these two shares to reconstruct the secret then the whole construction will kind of reconstruct the secret, okay? And note that kind of if this encoding in some sense requires that you definitely need both of those parts to reconstruct what you encoded then for the third share, for the fourth share, for the fifth share, you'd never have the green part, okay? So like they know exactly, they can exactly decode the two shares that they are supposed to decode. Yes, and the other important thing is that every one of the green shares is held exactly by one party, okay? So yeah, it's a very obvious statement. That's one party that has each green share. So now the question is what do we do, what encoding do we use to obtain different secret sharing schemes? So let's start with non-leakage resilient secret sharing and it's in the same model as before. So we basically can independently leak from each share and we would like to ensure that the secret remains hidden even when the adversary sees the leakage, okay? So what we will use is basically a strong seeded extractor which is a primitive that it takes this like a uniformly random seed as input, some high min entropy string. Yeah, that has a lot of entropy and when you apply the extractor you will get something that looks uniform or is close to uniform, okay? And the strong here means that even if the seed is revealed, this still looks close to uniformly random. And another property that we will need for our construction is that this extractor also has something that is called efficient pre-image sampling. So that means that if I have something here I can efficiently find some uniformly random inputs or close to uniformly random inputs that will, if the extractor is applied to it give me that output, okay? And what we now simply do is to encode one of those original secret shares we will apply this inverse of the extractor to obtain these two things. So basically one of those will be the seed and one of those will be the high min entropy sample. And like as we've seen from the previous samples from the previous slides, the jth share will then be kind of a bunch of the red ones and one of the green ones. This will compose the new share. And if we look what this means here is we will basically have one of those things will be this long sample and the rest of those will be the short seeds which will in total compose the new share of our leakage resilience secret sharing scheme. And the intuition why this is a leakage resilience secret sharing scheme is that even if the adverse we get to leak pretty much all of the red shares as I said before the green share is only held by one part like each of the green shares is only held by one party. And what this just says is that this just has to be some high min entropy sample. So that means that if after leaking some of its bits there's still a lot of entropy left then he cannot do anything based on the properties of the extractor, okay? And we all like by plugging in a different encoding scheme we almost immediately get non-mailable secret sharing we just need to make some small tweaks. So the one thing that we need to prevent if we want to have non-mailable secret sharing is that in the construction that I said before whatever encoding scheme we use it doesn't prevent that the adverse we could just override a share with some default value. Okay so in this case the adverse you could just go and override the second share here with some default value. And this could potentially lead to a reconstruction here that reconstructs to related secret to get like a, if you wanna think of a very simple example think of a modified Shamir secret sharing, okay? Like imagine you have Shamir secret sharing and you are given a non-minimal authorized set. Now what does modified Shamir secret sharing scheme could do is could say okay I will take a minimal authorized set and reconstructed secret and then I will have a special kind of share and for every occurrence of this special share I will add plus one to the reconstructed secret. So in this case if I had this kind of artificial secret sharing scheme I could override this thing here with this special share and this would result in this constructing a related secret, okay? So this is kind of an artificial example but the compiler has to deal with all kinds of secret sharing schemes. But this problem is solved in a very simple fashion so we just add a nonce to every share so now rather than encoding the first share, the second share and so on we just pick an additional nonce R and then this encoding will basically be the first share concatenated with R and so on and the reconstruction function is modified accordingly that it reconstructs the blue shares and if the nonces are not consistent then it will abort and otherwise it will reconstruct the secret because now if you were to override a share you would need to somehow know R which you don't so this is kind of why this nonce prevents this attack and I won't go into details like what encoding scheme you have to use but basically it's similar to the encoding scheme that I just showed you for the leakage resilient secret sharing just that it has kind of some extra non-mailability properties and then these non-mailability properties directly transferred to the secret sharing scheme that we construct. And then pretty much the same trick that we did through this talk so far you can also play to get something that we call leakage resilient or non-mailable threshold signatures so what you just do is so in a threshold signature scheme you have a key pair and the key is split into a bunch of secret like key shares and all of those key shares can be used to sign messages and then these signature algorithms produce signature shares and from these signature shares I can basically construct a signature for the message that will verify under this public key and then we introduce non-mailable secret sharing non-mailable threshold signatures where we require that even if kind of the adversary man is allowed to tamper once with the vector of secret keys and afterwards he's allowed to query for signatures on messages of his choice he should still not break the unforgeability guarantee and in a similar fashion we get something for leakage resilience so here there are the secret keys the adversary gets to see some leakage on all of those keys and again then like in a chosen message type of security notion he should not be able to forge a message so I won't go into detail how we construct it but basically the constructions are kind of similar to what I showed before of how to distribute the secret like how to split the secret shares or the secret keys in this point and how to distribute them among the players so with this we kind of get leakage resilient and non-mailable threshold signatures yes questions? We have time for questions and both authors will be on stage to answer them as you ponder yours, I have one of mine can you speak of applications of your scheme and how close we are in terms of concrete parameters to being suitable for these applications? Let me think about practicality so the main issue with this to answer this why for me it's a hard question to answer is because I'm not sure what you would consider a practical parameter for the threshold signature scheme for reasonable values of N I think it is like you get somewhat larger secret keys than you have in the original threshold signature scheme but they're not extremely large I think this could be practical if you wanted to do something like this Any other questions? Well let's thank all the speakers of the session Thank you