Hi, I'm Eshan. Today I'll be talking about non-malleable codes, extractors and secret sharing in two different models of tampering functions. This is joint work with Xin Li.

All right, so the outline of the talk is the following: we will talk about three related objects. The first is non-malleable codes. This arises in the intersection of coding theory and cryptography, has found a lot of nice applications, and has seen a lot of cool work recently as well. The second object is non-malleable extractors. This arises in the intersection of pseudorandomness and cryptography and has found really strong applications in both of these areas. The third object is non-malleable secret sharing. This is a recently defined notion, which has also attracted a lot of work.

So let's start off with non-malleable codes. To motivate non-malleable codes, let's recall error-correcting codes. The problem is that you have a message s which you want to transmit over a noisy channel, and hopefully, if not too many bits are tampered or flipped, you want to recover back s. So the experiment is the following. There's an encoding function which encodes a message to a codeword, an adversary tampers it, and then we decode the tampered codeword to get s', with the hope that s is equal to s'. The goal is of course to recover back s and also to maximize the relative rate, that is, to add less redundancy. The relative rate is the ratio m over n. The relative distance of the code, which is related to how well we can tolerate errors, is the minimum over all pairwise Hamming distances of codewords, normalized by the block length n. If there are not too many flipped bits in the codeword, that is, if c and c' are close, then we would want to recover back s. This is unique decoding, where the number of flipped bits is less than half of the minimum distance.
A more relaxed notion, where you allow a larger number of bits to be flipped, is list decoding, where the guarantee needed is weaker: you need just a list of messages which contains the original message. These have been heavily studied for decades in coding theory.

One thing to notice is that the closeness in Hamming distance of c and c' is a severe restriction on the kind of adversaries that we can deal with. For example, a simple adversary that flips all the bits we cannot handle, if we want such guarantees. This kind of motivates non-malleable codes. It's a relaxation of error-correcting codes. The tampering experiment is still the same, but now we look more closely at the adversary and fix a family of tampering functions F, and we think of a tampering function from the family acting on the codeword. The requirement is the following. We need a weaker guarantee in non-malleable codes: either the tampered codeword decodes to s' equal to s, which is really the favorable case, or s' is completely unrelated to s. This removes the case where the adversary can force us to decode to a message of her choice. So, more formally. Okay, before defining it more formally, the hope is that with this weaker requirement we can handle more general families of tampering functions. To formalize this, one needs the encoder to be randomized. The notion of unrelatedness is defined in the following way: there is a distribution D_f which is independent of the message that you're starting with and of the randomness that you use in the encoder. It's a distribution over the space of messages and the bot symbol. So either s' is equal to s, which is the good case, or s' is, in statistical distance, close up to the parameter epsilon to this distribution D_f.
Note that D_f does not depend on s; epsilon is called the error parameter, and the closeness of distributions is in the usual statistical distance, which is half of the L1 distance. This is the formal definition of a non-malleable code. The goals, as before, are to maximize the rate of the code, minimize the error parameter, and also handle more general families of tampering functions. This was introduced in 2010 by Dziembowski, Pietrzak and Wichs. There has been an explosion of research on non-malleable codes, well beyond this talk. In this talk we will be focusing on explicit constructions without any computational assumptions. There is a host of applications of non-malleable codes.

A key point that is important in this pursuit of explicit constructions is that there exist non-malleable codes for really large classes of tampering functions. As long as the size of the family is doubly exponential, with a parameter delta bounded away from one, then there actually exist, non-explicitly, really good non-malleable codes. And of course the question is, for interesting tampering functions, can we actually construct such codes. It turns out a really popular model is the split-state model, where the codeword is thought of as split into, say, L parts, each part is kept on a server, and we allow any arbitrary function to act on each server or part individually. This is a really popular model of tampering which has been heavily studied in the last few years, and now we have almost the best possible parameters that one could expect. One cannot expect NMCs in the 1-split-state model, because that's all functions. In the 2-split-state model we have constant rate and negligible error, which is achieved in a really recent work. All right. And one could ask whether we can handle, say, global tampering models, and in fact there's work on this.
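As an added illustration of the tampering experiment and the error parameter defined above (example code written for this page, not from the talk or the paper): a toy 2-split-state code for a 1-bit message, Enc(s; r) = (r, r XOR s), is run against every pair of single-bit tampering functions, and for each pair the smallest epsilon permitted by the definition is computed exactly, with D_f ranging over {0, 1, same} since this toy decoder never outputs bot. Flipping both halves maps every codeword to a codeword of the same message, but flipping just one half always decodes to the complement of s, which no message-independent D_f can imitate, so the error is 1/2: the toy code is not non-malleable against split-state tampering. The names encode, decode, prob_same, nm_error and ONE_BIT_FUNCTIONS are this example's own.

```python
"""Tampering experiment and non-malleability error for a toy 2-split-state code.

Added example, not from the talk.  A 1-bit message s is encoded as
Enc(s; r) = (r, r XOR s) for a uniform random bit r, one bit per state, and
Dec XORs the two states.  A tampering function is a pair f = (f1, f2) of
single-bit functions, one per state.  For a two-message code whose decoder
never outputs bot, the smallest error epsilon allowed by the definition is
    eps(f) = max(0, (1 - a - b) / 2),
where a = Pr[Dec(f(Enc(0))) = 0] and b = Pr[Dec(f(Enc(1))) = 1].
"""
from fractions import Fraction
from itertools import product

# Every function {0,1} -> {0,1}; a split-state tampering is a pair of these.
ONE_BIT_FUNCTIONS = {
    "id": lambda x: x,
    "not": lambda x: 1 - x,
    "const0": lambda x: 0,
    "const1": lambda x: 1,
}


def encode(s, r):
    """Enc(s; r) = (r, r XOR s): neither state alone reveals s."""
    return (r, r ^ s)


def decode(c):
    """Dec(c1, c2) = c1 XOR c2."""
    return c[0] ^ c[1]


def prob_same(s, f1, f2):
    """Pr over the encoder's coin r that Dec(f(Enc(s))) == s, computed exactly."""
    hits = 0
    for r in (0, 1):
        c1, c2 = encode(s, r)
        hits += int(decode((f1(c1), f2(c2))) == s)
    return Fraction(hits, 2)


def nm_error(a, b):
    """Smallest eps for which some D_f over {0, 1, same} is eps-close to both
    tampering distributions.  Write u = D_f(0) + D_f(same) and
    v = D_f(1) + D_f(same); the two statistical distances are |a - u| and
    |b - v| with u + v = 1 + D_f(same) >= 1.  If a + b >= 1 both can be zero
    (take D_f(same) = a + b - 1); otherwise the best choice is D_f(same) = 0
    and u - a = v - b = (1 - a - b) / 2."""
    return max(Fraction(0), (1 - a - b) / 2)


def errors_for_all_tamperings():
    """Map each (f1, f2) name pair to the toy code's exact non-malleability error."""
    errors = {}
    for (n1, f1), (n2, f2) in product(ONE_BIT_FUNCTIONS.items(), repeat=2):
        errors[(n1, n2)] = nm_error(prob_same(0, f1, f2), prob_same(1, f1, f2))
    return errors


if __name__ == "__main__":
    for (n1, n2), eps in errors_for_all_tamperings().items():
        print(f"f1={n1:<6} f2={n2:<6} eps={eps}")
```

Only the two pairs (not, id) and (id, not) reach error 1/2; a constant function on either state makes the decoded bit independent of s (error 0), and (id, id) or (not, not) decode to the same message, which the "same" symbol of D_f accounts for.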
There are local functions, and functions inspired from more complexity-theory-oriented things like, say, small-depth circuits. Most of these tampering functions have access to all the bits of the codeword, as opposed to the partition model; also polynomials over large fields. And this is in fact the focus of the current talk: constructing non-malleable codes beyond the partitioning model.

Okay, so to motivate our first tampering model, let's recall the 2-split-state model. Here the codeword is again split into two parts; f1 and f2 are arbitrary, f1 tampers the first half and f2 tampers the second half. The first tampering model we'll consider is the interleaved split-state model. This generalizes the split-state model in the following way: now the partition is unknown. There are still two functions f1 and f2; f1 acts on some unknown n bits, f2 acts on the remaining unknown n bits, and the partition is unknown, so it's arbitrarily interleaved. Of course, it's obvious that this generalizes the split-state model. One natural motivation is that perhaps the servers are communicating to a common party who decodes the tampered codeword, and we do not know in which order the bits are arriving. Also, more importantly, this goes beyond the known-partition model, which is kind of the motivation of this work: can we go towards global tampering, or not knowing what the partition is. Our main theorem here is an explicit code with inverse polynomial relative rate and exponentially small error. This is in fact the first explicit construction in this model. This question was raised by Cheraghchi and Guruswami in 2014, and we make progress on this problem. And of course a natural open problem is to improve the parameters of the code; more importantly, it would be great to achieve constant rate. All right.
The second tampering model we consider is the following; it is inspired by other areas of theoretical computer science. The model is obtained by composing tampering functions in the following way. Let F and G be two arbitrary classes of tampering functions. Define F composed with G to be the set of all functions that you can construct by composing a function from F with a function from G, using the usual function composition. So one could think of this as two rounds of tampering: the adversary gets to choose a function g and tamper the codeword, and then again choose f and apply f. This is of course a natural way of building more powerful classes of adversaries by composition. Such things have been heavily studied in other areas of theoretical computer science, such as communication complexity and also complexity theory. All right.

Our main result is for two specific classes: F is the interleaved split-state model and G is linear, the set of linear functions from n bits to n bits, imposing the usual vector space structure. We give an explicit NMC for F composed with G with inverse polynomial rate and sub-exponential error. One could think of the tampering as happening in the following way: a codeword is first acted upon globally by this linear function, and then f1 and f2 tamper it. The picture shows just split-state tampering, but we can of course handle more general kinds of tampering. This is the first non-trivial construction for such compositions. This significantly generalizes our study of trying to construct non-malleable codes for more global tampering functions, and we hope that this starts a more systematic study of non-malleable codes with respect to composition.
Another really interesting open question is: given, say, non-malleable codes for two arbitrary families of tampering functions F and G, can we find more general ways of constructing non-malleable codes for the composition? In particular, our methods do not even seem to work if we flip the order of tampering; for instance, if you first apply split-state tampering and then linear tampering, we do not know how to handle this case.

All right, so this finishes our part on non-malleable codes, and we move on to non-malleable extractors now. The connection is this beautiful result of Cheraghchi and Guruswami, who showed that if you can construct seedless non-malleable extractors with some invertibility property, you can actually construct non-malleable codes. All right.

So let's start off with randomness extractors. Informally, an extractor is an object which transforms weak random sources, that is, random sources which have some entropy but are not purely random, into output bits which are purely random. The motivation is a bunch of applications in different areas of computer science, and the fact that in nature we do not have high-quality sources of randomness. So it looks like this: you get a sample from a weak source X and you output a random variable by applying an extractor, such that the random variable is purely random; or more precisely, the output of the extractor is close in statistical distance to uniform on m bits. All right. So how do you measure the quality of a source? The usual way of doing it is using min-entropy: a source has min-entropy k if it places weight at most 2^(-k) on any element in its support.
And of course it's not hard to see that if you have a distribution on n bits, its min-entropy is between 0 and n, and the higher the min-entropy is, the more random the source is. We'll be talking about (n, k)-sources, which are distributions on n bits with min-entropy at least k. For most arguments you could think of X as uniform on some unknown subset of size 2^k, and it looks something like this. All right, and what's a seedless extractor? The observation that one makes here, which is folklore, is that there's no extractor even for the class of (n, n-1)-sources. Of course we need one extractor for a class or family of sources, and even if this family of sources has really high entropy, there's no single extractor. The proof is not hard, but I'll skip it due to lack of time. The point is, if you assume some structure, some more structure on your source, then you can actually show that there exist extractors, and this has been a long line of work for the last three or more decades. One popular model is the independent-source model, where you assume that your source X can be split up into independent sources. Or you could assume some algebraic structure, for example that X is uniform on some unknown k-dimensional subspace, or that it's produced by a low-complexity algorithm. Well, there are many such examples.

Here we are concerned about non-malleable extractors, which are a significant strengthening of seedless extractors. This was introduced by Cheraghchi and Guruswami; the setting is the following. You have a family of sources and a family of adversaries. For any source in this family and any adversary in this family, what you want is that the output of the non-malleable extractor on X looks uniform, even when you're given the output of the non-malleable extractor on the tampered version of X.
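The folklore impossibility mentioned above, carried out concretely (added example, not from the talk): for any fixed candidate extractor Ext from n bits to one bit, one of the two preimages Ext^{-1}(0), Ext^{-1}(1) contains at least half of all strings, and the flat source on it is an (n, n-1)-source on which Ext is constant. The code builds that source, checks its min-entropy, and measures the statistical distance of the extractor's output from a uniform bit; the same extractors behave well on the uniform source, which is exactly why the family of sources has to be restricted. The two candidate extractors, parity and majority, and all function names are this example's own.

```python
"""Why no single function extracts from every (n, n-1)-source.

Added example, not from the talk.  For any Ext: {0,1}^n -> {0,1}, one of the
preimages Ext^{-1}(0), Ext^{-1}(1) has at least 2^(n-1) strings.  The flat
source that is uniform on that preimage has min-entropy >= n-1, yet Ext is
constant on it, so its output is at statistical distance 1/2 from a uniform
bit, the worst possible value.
"""
import math
from fractions import Fraction
from itertools import product

UNIFORM_BIT = {0: Fraction(1, 2), 1: Fraction(1, 2)}


def min_entropy(dist):
    """H_inf(X) = -log2(max_x Pr[X = x]); dist maps outcomes to probabilities."""
    return -math.log2(max(dist.values()))


def statistical_distance(p, q):
    """SD(p, q) = (1/2) * sum_x |p(x) - q(x)| over the union of the supports."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2


def flat_source(support):
    """Uniform distribution on the given list of n-bit tuples."""
    return {x: Fraction(1, len(support)) for x in support}


def uniform_source(n):
    """U_n: uniform on all 2^n strings (min-entropy exactly n)."""
    return flat_source(list(product((0, 1), repeat=n)))


def output_distribution(ext, source):
    """Distribution of Ext(X) when X is drawn from `source`."""
    out = {}
    for x, px in source.items():
        out[ext(x)] = out.get(ext(x), 0) + px
    return out


def breaking_source(ext, n):
    """The (n, n-1)-source on which `ext` is constant: uniform on its larger preimage."""
    preimages = {0: [], 1: []}
    for x in product((0, 1), repeat=n):
        preimages[ext(x)].append(x)
    return flat_source(max(preimages.values(), key=len))


def attack(ext, n):
    """Return (min-entropy of the breaking source, SD of ext's output from a uniform bit)."""
    bad = breaking_source(ext, n)
    return min_entropy(bad), statistical_distance(output_distribution(ext, bad), UNIFORM_BIT)


# Two candidate one-bit extractors, constructed for this example.
def parity(x):
    return sum(x) % 2


def majority(x):
    return int(2 * sum(x) > len(x))


if __name__ == "__main__":
    n = 6
    for name, ext in (("parity", parity), ("majority", majority)):
        on_uniform = statistical_distance(output_distribution(ext, uniform_source(n)), UNIFORM_BIT)
        h, sd = attack(ext, n)
        print(f"{name}: SD from uniform on U_{n} = {on_uniform}; "
              f"on an (n, {h:.2f})-source the SD is {sd}")
```

Parity is a perfect extractor on the uniform source (distance 0) and still fails completely on a source that has lost only one bit of min-entropy; the breaking source is chosen after the extractor is fixed, which is the order of quantifiers the talk's impossibility statement refers to.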
So, in terms of an adversary: suppose the adversary is given the output of the non-malleable extractor on f(X); even then, the output of the non-malleable extractor on X looks almost uniform to the adversary. All right. Informally, this non-malleable extractor removes the correlation between X and f(X). One obvious obstacle, for example, for such non-malleable extractors to exist is if f is the identity function; then you literally have the same random variable. It turns out that if you just add the simple condition of f not having any fixed points, you can show that there exist non-malleable extractors for very expressive families of adversaries.

The crucial connection that was established by Cheraghchi and Guruswami was that if you give me a non-malleable extractor that works for very high entropy with respect to a family, and it's also invertible, meaning that given an output you can sample efficiently from the preimage, then there exists a non-malleable code with respect to this family. Roughly, the decoder is the non-malleable extractor and the encoder is the sampler for the preimage. The relative rate is m over n, and for the error, if you know the parameters, what you want is really low error with respect to the number of bits you want to output. So the lower the error you can achieve, the better the rate you can get. There are many known constructions, in particular for the split-state model, and also for affine tampering functions and small-depth circuits. Our main result is a non-malleable extractor for the interleaved split-state model, and also for the composition of linear with interleaved. We also show efficient sampling for these non-malleable extractors, which immediately gives our non-malleable code results. All right. And I'll say a very brief word about our techniques; in particular, let's specialize to the case of interleaved tampering.
There are two functions, and the interleaving is given by a permutation, and we want to construct a non-malleable extractor such that, given two independent sources X and Y which are arbitrarily permuted, the output of the non-malleable extractor looks uniform even conditioned on its output on the tampered copy. Very briefly, it goes through the framework that was set up in my previous work with Vipul Goyal and Xin Li, which uses something called an advice generator. We can first reduce the task to just outputting short strings such that, with Z being X, Y interleaved by the permutation, the advice generator's output on Z is not equal to the advice generator's output on the tampered copy. This is much weaker than looking uniform conditioned on the tampered copy. This part is done through error-correcting codes and samplers, which builds on previous work. The second part is heavy machinery called advice correlation breakers. Okay, so here there's a small typo: the second correlated part should be the advice with Z'. The advice correlation breaker takes Z and the tampered copy, along with the advice, which we know is different, and outputs a random variable which is uncorrelated from the tampered copy. These two can be combined in the natural way, as has been done in previous work, and most of our work goes into actually constructing these objects. Very briefly, this is constructed using alternating extraction in non-trivial ways. All right.

The final part is secret sharing. Recall that in a secret sharing scheme, you're given a secret s and you distribute the secret among parties such that (this is threshold secret sharing) any r parties can recover the secret but no k parties can reconstruct the secret; that's the privacy. Non-malleable secret sharing was introduced very recently by Goyal and Kumar.
It has many recent constructions. Here you need that it's still a secret sharing scheme, but on top of it you need that if an adversary acts on the shares, then the secret recovered by r parties is either unrelated to the original secret or it's the same secret. So it's pretty similar to non-malleable codes. All right, and our result is the following: we give such non-malleable secret sharing schemes when the shares are binary and the adversary can split the shares into two arbitrary partitions and tamper each partition arbitrarily using any function of their choice, and on top of it, it can apply a global function which is linear. We need that the partitions are not too large, so they are bounded away from n by n^delta. In relation to previous work, either it was not known how to handle binary shares, so the share size was larger, or the adversary could not apply a global round of tampering. All right.

So I'll conclude with some open questions. A natural open question is handling other natural families of global tampering. In particular, one direction could be: can we handle more compositions? We just gave a specific example in our work, and our techniques do not even extend to when you reverse the order of the tampering; it's a really intriguing open question. Also, improve the parameters of the various non-malleable codes that we have constructed in our work. Thanks for listening.