 Ok, ok. Ok. back into the action. So in our paper, we revisit continuously a malleable single sharing for achieving a new flavor of security. In particular let's start a brief introduction to single sharing. In single sharing is one party called the dealer that is a secret message in the one to share it in their end parties as one SN and in such a way that only certain sub sets of the set the parties can reconstruct the message. In particular we have the notion of access structure that these are monoton class of subsets of the set of the parties, and here we have the authorized subsets that are all the subset of parties belonging to the access structure. And there are the unauthorized subsets that are all the other subsets of parties. In secret sharing we have two properties. The correctness property that states that every authorized subset of parties can fully reconstruct the message. And the privacy property that states that no unauthorized subset of parties can obtain any information about the underlying secret. Now, suppose that you are an individual attacker that wants to learn at all costs some information about the message, and suppose you cannot fully corrupt an entire authorized subset of parties. Then you could try to slightly modify all the shares, for example installing malware or dialectical signals or something. And you could try to see the result of this modification to the message. This kind of attack is called tampering attack and works as follows. The attacker chooses a tampering function f among restricted family of functions, capital F, and then uses it to modify shares as one, sn into shares as one prime, sn prime. And then the attacker also specifies the authorized reconstruction subset t in order to reconstruct the message n prime. Now, in classical secret sharing we have no guarantees on n prime. So, if the secret sharing scheme is involved in some other scheme for which the secret message is also the private key, the attacker could fully access in performing a related key attack. So, in particular, it may be also reconstruct entirely the message and this is a very big problem. To overcome this problem, Gojala and Kumar in 2018 came up with the notion of non-malleable secret sharing that informally states that the scheme remains secure even if the attacker is allowed to tamper once. In particular, they achieve information theoretic security and they give this definition in which the resulting message n prime is either the original message or it is completely unrelated. And they also state that this is impossible to achieve for arbitrary function families. And so they find a scheme initially for independent tampering. Suppose now that the attacker can perform this kind of attack continuously in particular. He specifies the first tampering function, the first reconstruction set and obtains the first message, then the second function and reconstruction set and so on. A scheme that is secure against this kind of attack is called continuous non-malleable. And at the moment, there is only one construction achieving continuous non-malleability that is by Faunian Venturi and they achieve computational security with self-destruct feature that informally states that whenever the first invalid reconstruct the message happens the entire system self-destructs and the attacker is not more allowed to perform any tampering attempt. So they also prove that it is impossible to achieve continuous non-malleability in the information theoretic setting or without this self-destruct feature and they achieve security against independent tampering and for a particular class of access structures, there is a threshold access structure in which the authorized subset of parties is authorized if only if the number of parties are above a certain threshold. Actually they achieve security for a slightly weaker version of secret sharing called RAM secret sharing in which there is a little gap between the privacy threshold and the reconstruction threshold. So they obtain leakage resilience that informally states that this scheme remains secure even if the attacker is allowed to learn some information from all the shares. So we designed two new continuous non-malleability secret sharing schemes for arbitrary access structures. In particular, our first scheme is in the common reference sharing model in which there is a third algorithm called initialization algorithm that outputs a reference stream that is used both for the share and for the reconstruction algorithms. And we achieve security against joint tampering in assuming WNN-shel trapdoor permutations and collision-resistant hash functions. As opposed to property, we achieve also bounded leakage resilience. That is, the scheme remains secure even if the attacker is allowed to learn a limited amount of information from all the shares. Our second construction is in the plain model so without the need of a CRS and without the need of a trusted third party generating this CRS. However, in this model we obtain independent tampering security only. Here we assume the existence of one-to-one one-way functions and as a bonus property we achieve noisy leakage resilience in which the scheme remains secure even if the attacker learns any information he wants from the shares as long as the learned information does not reduce the minentropy of the distribution of the shares by too much. However, in this talk I'll speak only about the CRS model and thus introducing also our new security notion. We adopt the game-based model to give our definitions and our proofs and in particular here we give the definition for continuous normality. So we have the attacker to the right and the challenger to the left. Here the challenger generates and outputs the common reference string and the attacker chooses two messages, M0 and M1 along with a k-partitioning of this joint and non-overlapping subsets of the parties. And then upon receiving this the challenger computes the secret sharing of either M0 or M1 and then the attacker can start to perform all these queries. The attacker can perform two kind of queries. In the leakage query he sends functions g1, gb and the challenger computes each function on the relative respective subset of parties and then the challenger outputs the result of these leakage functions to the attacker. In the tampering query the attacker specifies tampering functions f1, fb along with the authorized reconstruction set t and then the challenger computes each fi with input all the shares within the partition bi and obtains all the modified shares s1 prime, sn prime. Then the challenger reconstructs the message using the shares defined in the tampering in the reconstruction set t and then here are three possibilities. In the first case the constructed message is an invalid message and in this case the challenger outputs this special symbol both and self destructs so the attacker is no more allowed to perform any query. In the second case the constructed message could be either M0 or M1 and thus the challenger outputs this special symbol same stating this condition but without saying which one the constructed message is and this is needed to avoid trivial attacks and otherwise simply outputs and prime. Then the attacker is allowed to do such queries for a polynomial number of times and finally he outputs s bit b prime that trying to guess if the secret sharing was either secret sharing of M0 or secret sharing of M1. So our definition is that secret sharing scheme is a k joint leakage resilient continuous non malleable secret sharing scheme if any polynomial time attacker cannot distinguish between secret sharing of message M0 or a message M1 except with probability. We construct our scheme by generalizing the following construction of a 2 out of 2 continuous non malleable secret sharing scheme known also as continuous non malleable code in the split state model and in particular upon input M we secret sharing obtaining shares M0 and S1 and then we compute the hash and then we compute the zero knowledge proof of each share being the hash of the respective share and note that in the zero knowledge proof we also adopt the labels so we use zero knowledge proof supporting labels and the label is the other hash that we didn't use in the proof and then we reconstruct in order to obtain the new shares S0 star S1 star here the common reference is the CRS for the proof algorithm plus the public key for the hash algorithm so, our natural idea is to replace the shared algorithm with secret sharing scheme for arbitrary access structures but we encounter two problems the first problem is that the hash HI could reveal information about the share SI and the second problem is that permuting the shares is allowed in joint tampering that is the attacker could permute or switch shares while performing a tampering query and this scheme does not give any guarantee about this particular tampering so, we modify the construction as follows upon input the message we secret share it obtaining shares S1, Sn then for each share we use a commitment scheme instead of the hash function in order to commit the share along with its position in the vector so that permuting now is very difficult without triggering a self destruct and then we compute the proof PIJ of the commitment CI and of the pair I with SI using the label CJ so here we again use zero knowledge system supporting labels so, our main theorem is the following assuming that share is a K-joint leakage resilient secret sharing scheme come is a statistically hiding a correlation abandoning commitment scheme improve is a true simulation extractable nisk and not about the share algorithm a K-joint leakage resilient secret sharing scheme is a scheme as a similar definition to the continuous non malleable one but in this case the attacker is not allowed to perform any tampering query so, here is the security proof strategy the privacy is quite straightforward because privacy comes privacy of the underlying secret sharing scheme plus the hiding property of the commitment scheme and the zero knowledge property of the proof algorithm for continuous non malleability we adopt the hybrid argument in particular in the first hybrid we change this proof algorithm and use the zero knowledge simulator so that we now don't need anymore the shares and compute the proof PIJ and in our second hybrid experiment we slightly modify how we answer to the tampering queries in particular instead of computing the tampering and then recombining the shares obtaining the message and prime checking if the commitments are good and the proofs are good so in this we replace all this part by extracting all the shares from the modified proofs and then we combine each subset of shares together in order to reconstruct each possible message from the subset MI prime and then we perform all the checks on the commitment, on the proof and we also check that all the messages in this column are all equal if something is wrong, as usual we trigger a self-destruct and otherwise we output the only message and prime that we have and doing so we don't need anymore all the shares in order to compute the tampering but we only need all the shares in one of the subsets in particular finally we apply reduction to the underlying signature in scheme and here we simulate the adversary in the leakage oracle we use the leakage oracle to obtain the first self-destruct index and finally we check that we didn't leak too much so here this concludes the proof to conclude our work we find a concrete association of our scheme for logarithmic partition size, in particular through simulation extractable nisk can be obtained from Dublin ancient trapdoor permutations and statistically hiding and computation rebounding commitments can be instantiated from collision resistant hash functions as for the leakage resilient secret sharing scheme we adopt a recent construction that achieves information to ready security against adaptive partitioning but is tailored to partition size to logarithmic partition size so as a first open problem we leave it open to find out a concrete association with super logarithmic partition size we note that this happens automatically if we found a new leakage resilient secret sharing scheme that achieving super logarithmic partition size or if we improve the one that we use now and as a second open problem we wonder if it's possible to achieve continuous normal ability against joint adaptive tampering rather than selective and although our leakage resilient secret sharing scheme the underlying leakage resilient secret sharing scheme achieves security against adaptive partitioning our proof strategy breaks down if we allow the attacker to perform tampering queries with adaptive partitioning as a third open problem we leave it open to find a similar security notion also if this similar security notion is also valid in the plain model or in other words if we can obtain continuous normal ability against joint tampering in the plain model and that's it. Thank you for the attention. Any questions? OK, so let's thank him again.