Hello, I am Gianluca Brian, and I am going to present our work on continuously non-malleable secret sharing: joint tampering, the plain model and capacity. This is joint work with Antonio Faonio and Daniele Venturi. Secret sharing is a cryptographic primitive in which ... player ... For instance, it is impossible to protect against attacks which are able to jointly leak from or tamper with all the shares, because the adversary could simply, for instance, reconstruct the secret and output the distinguishing bit, or, in the case of tampering, after reconstructing the secret the adversary could flip one bit and then share the secret again. For this reason, leakage resilience and non-malleability are defined with respect to a family of functions. In our work, we consider the family of joint tampering, in which the adversary is able to partition all the shares into unauthorized disjoint subsets and then jointly tamper with all the shares in each subset. The same strategy applies for leakage, in which case the output of the leakage function is computed jointly on all the shares within each subset. Finally, we consider the stronger notion of continuous non-malleability, in which, after fixing a reconstruction set, the adversary is able to tamper and then see the result of the reconstruction as many times as he wants, as long as the reconstructed message is valid. Again, also in this case we consider leakage attacks, obtaining what is called leakage-resilient continuous non-malleability. However, this model comes with some further limitations. The first one is that achieving continuous non-malleability in the information-theoretic setting is proven to be impossible, and therefore we can only achieve it in the computational setting. The second, as I said before, is the self-destruct trigger: whenever the result of a tampering query is invalid, the oracle self-destructs and no more queries are allowed. Again, this is a limitation which is inherent to continuous non-malleability, and it is easy to show that this is necessary.
In this setting, let me show our construction, which is a slight modification of the recent construction of Goyal, Srinivasan and Zhu. Upon input a message M, the first step is to share it using Shamir's secret sharing, obtaining shares s1 up to sn. Then, for each share we compute a split-state leakage-resilient one-time statistically non-malleable encoding of it. And finally, we apply again Shamir's secret sharing to the right part of each codeword. The new shares are defined as follows. The first share is the left part of the first codeword and all the first shares of the right parts. Similarly, the second share is the left part of the second codeword and the second shares of the right parts, and so on. Up to here, this is the construction of Goyal, Srinivasan and Zhu without significant modifications, which we also prove to be leakage resilient as well as non-malleable. Then, we make our modification, consisting of computing a perfectly binding and computationally hiding commitment to the message and sharing the randomness along with the message. In our work, we prove that this modification suffices to obtain the first leakage-resilient continuously non-malleable secret sharing scheme against joint tampering in the plain model. Indeed, almost all the other continuously non-malleable secret sharing schemes are only secure against independent tampering, and the only one which is secure against joint tampering actually needs a trusted setup. The proof of non-malleability is quite long, but I'll show you the main ideas. Consider the first two steps of the scheme, consisting of computing Shamir's secret sharing of the pair (message, randomness) and then computing a non-malleable encoding of each share. The first fact we want to prove is that no adversary is able to distinguish with more than negligible advantage between the original security game and a hybrid game in which we replace the first share with a completely random share. Here, we proceed by induction.
If the adversary is able to distinguish between the two games by performing only one query, then it is possible to construct a reduction which breaks the statistical one-time non-malleability of the non-malleable code. For the inductive step, suppose that the adversary is only allowed to perform p tampering queries, but no adversary is able to distinguish between the two games by performing fewer than p queries. Then the decisive query is the last one, and all the other ones can be simulated by the reduction. How? Well, first the reduction leaks the necessary information to correctly compute the tampering and then obtains the tampered commitment. Then, since the reduction is unbounded, it is able to open the commitment by brute force, and since this is perfectly binding, it allows to obtain the tampered message. Finally, the reduction checks that the simulation has no errors by performing a leakage query just before the last tampering query. Now it only remains to discuss one detail, which is how the reduction simulates the leakage queries and the last tampering query. This is the reason for the third step of the scheme. In particular, the reduction generates all the information which is not related to the first codeword, as well as some shares for the right part of the first codeword. Then the reduction constructs the left leakage or tampering function, which takes as input the left part of the first codeword and computes the corresponding joint leakage or tampering, and the right leakage or tampering function, which takes as input the right part of the first codeword, deterministically completes the corresponding Shamir secret sharing and finally computes the corresponding joint leakage or tampering. This concludes the proof of the original game being statistically close to the hybrid one.
However, the exact same proof can be used to step to another hybrid game in which the first two shares are completely random, then the first three, and so on, until all the shares are completely random. At this point the only information related to the original message is the commitment. But by the computationally hiding property we can finally replace it with a commitment to a completely unrelated message, therefore concluding the proof. The next result of our paper involves studying the rate of secret sharing schemes, which is the ratio between the length of the message and the length of the largest share. In this setting we achieve a negative result which informally says that any secret sharing scheme which is continuously non-malleable against jointly tampering with more than t over two shares cannot have shares too small. The proof is quite simple, and the main idea is to construct a commitment scheme from the non-malleable secret sharing scheme. In particular, we consider the commitment scheme which, upon input the message m and random coins r, computes a t-out-of-n continuously non-malleable secret sharing of m with random coins r and outputs the first t minus k shares, where k is the maximum number of shares the adversary is allowed to jointly tamper with. Is this commitment scheme perfectly binding? Well, suppose not. Then the commitment has at least two different openings, which are the original one and another one with a message m prime which is different from m. This means that there exists a secret sharing of m prime which is different from a secret sharing of m but has the first t minus k shares in common with it. Therefore it is possible to construct an adversary which learns the value of k shares of m one bit at a time, in particular by replacing them with the corresponding shares of m prime if the bit to be leaked is one and applying the identity function otherwise.
Finally, after learning the k shares, the adversary could query one last tampering function in which he is able to reconstruct the message and learn one bit by possibly producing an invalid codeword. Since the attack breaks continuous non-malleability, the commitment scheme must be perfectly binding to avoid it. But this also implies that the size of the commitment must be at least the size of the message, which implies that the size of a share must be at least the size of the message divided by the number of shares inside the commitment. Therefore the capacity, which is the maximum achievable rate of any continuously non-malleable secret sharing scheme against joint tampering with more than half of the shares in the reconstruction threshold, is bounded by t minus k. We show now a compiler to achieve such optimal rate. First we start from our non-malleable secret sharing scheme. Then we apply the following modification. We replace the message with a random key for an encryption scheme, and we encrypt the message. If we appended the encrypted message to each share we would obtain a rate of one, but not optimal. Instead we use an information dispersal scheme, which is almost the same as a secret sharing scheme but without the privacy property, to share the ciphertext, and we append one share of the ciphertext to each share of the key. The advantage in using an information dispersal scheme is that it is easy to achieve one with rate t star, where t star is its threshold. By applying this compiler to our previous result we would obtain a leakage-resilient continuously non-malleable secret sharing scheme against joint tampering in the plain model with rate t star, which is a free parameter. However, we only achieve this result with the following restriction. When tampering with the shares, the adversary is forced to choose either zero or at least t star shares from each subset of the partition for the reconstruction procedure. Here is the idea of the proof.
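The rate compiler just described, as an added example that is not the paper's own code: a fresh key is shared with a (t, n) threshold scheme (plain Shamir here stands in for the continuously non-malleable scheme of the talk), the message is encrypted under the key with a toy encrypt-then-MAC cipher built from SHA-256 and HMAC, and the ciphertext is split with a Rabin-style information dispersal scheme of threshold t star, so each share carries only a 1/t star fraction of the ciphertext. The prime field, chunk size and cipher are constructed for this example.

```python
import hashlib, hmac, secrets

P = (1 << 127) - 1   # prime field for both Shamir and the dispersal (constructed choice)
CHUNK = 15           # 120-bit data chunks always fit below P

def lagrange_at(points, x):   # value at x of the degree < len(points) polynomial through points
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def shamir_share(secret, t, n):   # random degree < t polynomial with p(0) = secret; share j = p(j)
    pts = [(0, secret)] + [(P - i, secrets.randbelow(P)) for i in range(1, t)]
    return {j: lagrange_at(pts, j) for j in range(1, n + 1)}
def ida_share(data, t_star, n):   # Rabin-style dispersal, no privacy: share j = p(t_star + j) per group
    data += b"\x80" + b"\0" * (-(len(data) + 1) % (CHUNK * t_star))   # marker + zero padding
    shares = {j: [] for j in range(1, n + 1)}
    for g in range(0, len(data), CHUNK * t_star):   # one polynomial per group of t_star chunks
        pts = [(i + 1, int.from_bytes(data[g + i * CHUNK:g + (i + 1) * CHUNK], "big")) for i in range(t_star)]
        for j in shares:
            shares[j].append(lagrange_at(pts, t_star + j))
    return shares
def ida_reconstruct(shares, t_star):   # any t_star shares recover every group polynomial
    js, out = sorted(shares)[:t_star], bytearray()
    for g in range(len(shares[js[0]])):
        pts = [(t_star + j, shares[j][g]) for j in js]
        out += b"".join(lagrange_at(pts, i + 1).to_bytes(16, "big")[1:] for i in range(t_star))
    return bytes(out).rstrip(b"\0")[:-1]

def _xor(ke, data):   # SHA-256 counter-mode keystream (toy cipher, constructed for this example)
    ks = b"".join(hashlib.sha256(ke + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def encrypt(key, msg):   # encrypt-then-MAC: a tampered ciphertext is rejected at reconstruction
    ct = _xor(hashlib.sha256(key + b"enc").digest(), msg)
    return ct + hmac.new(hashlib.sha256(key + b"mac").digest(), ct, "sha256").digest()
def decrypt(key, blob):   # rejecting a bad tag plays the role of an invalid codeword
    if not hmac.compare_digest(blob[-32:], hmac.new(hashlib.sha256(key + b"mac").digest(), blob[:-32], "sha256").digest()):
        raise ValueError("invalid ciphertext")
    return _xor(hashlib.sha256(key + b"enc").digest(), blob[:-32])

def compile_share(msg, t, n, t_star):   # rate compiler: share a fresh key, disperse the ciphertext
    key = secrets.randbelow(P)              # the key, not the message, goes into the (t, n) scheme
    ks, cs = shamir_share(key, t, n), ida_share(encrypt(key.to_bytes(16, "big"), msg), t_star, n)
    return {j: (ks[j], cs[j]) for j in ks}  # share j = key share || ciphertext share
def compile_reconstruct(shares, t, t_star):   # needs t key shares and t_star ciphertext shares
    key = lagrange_at(sorted((j, s[0]) for j, s in shares.items())[:t], 0).to_bytes(16, "big")
    return decrypt(key, ida_reconstruct({j: s[1] for j, s in shares.items()}, t_star))
```

For a 512-byte message with t star = 4, each share holds 10 field elements of the ciphertext next to a single key element, and reconstruction from any 4 shares rejects a modified ciphertext share, which is the invalid-codeword case the proof idea relies on.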
First we define a hybrid game in which the shared key is a random key unrelated to the one used for the encryption, and we prove that this is computationally close to the original experiment by reduction. In particular, the reduction reconstructs the modified ciphertext inside the tampering oracle and then outputs a secret sharing of zero or of one depending on the first bit of the ciphertext. Then the reduction does the same for the second and all the other bits of the ciphertext, therefore leaking all the tampered ciphertext by only using tampering queries. This works because the reconstructed ciphertext must always be the same in each tampered subset, otherwise the codeword is invalid and the oracle self-destructs. However, this is also the reason for the restriction on the adversary model. Indeed, the reconstruction procedure needs to see at least t star shares of the ciphertext in order to reconstruct it. Finally, when the shared key is unrelated to the encryption key, a simple reduction to the security of the encryption scheme against chosen ciphertext attacks completes the proof. In this slide I copied the theorem and the restriction for reference. The main consequence of our rate compiler is that we obtain the first continuously non-malleable secret sharing scheme against independent tampering breaking the rate-one barrier. Notice that independent tampering is a subset of joint tampering in which the attacker is only allowed to tamper with each share independently. In this case, the restriction says that the adversary is forced to choose either zero or at least one share from each subset, making the statement always true for the case of independent tampering. Moreover, the corollary follows by considering our continuously non-malleable secret sharing scheme against jointly tampering with t over two shares, for which t star equals t over two.
Indeed, since independent tampering queries can be viewed as joint tampering queries for any k, the scheme is also secure against independent tampering, thus proving the corollary. In this setting we also study how to achieve optimal rate in the random oracle model and in the algebraic group model. In this case, we slightly modify our construction so that t star equals t, and each share also contains the hash of the ciphertext. This is not a problem because now the reduction can extract the ciphertext from the hash and does not need to reconstruct it inside the tampering oracle anymore. Therefore, in both the random oracle model and the algebraic group model we achieve optimal rate t. Notice that this does not contradict our negative result about the rate upper bound, because that result only applies in the plain model. So, in conclusion, here is a summary of our results, followed by some problems we leave open. First, we construct the first secret sharing scheme achieving continuous non-malleability against joint leakage and tampering in the plain model. Then we prove a negative result on continuously non-malleable secret sharing schemes by finding an upper bound on the rate of such schemes in the plain model. Finally, we show how to achieve optimal rate by adding a constraint on the tampering queries of the adversary. We also apply this result to achieve the first continuously non-malleable secret sharing scheme against independent tampering in the plain model with rate strictly greater than 1. A first natural open problem is to find out whether it is possible to achieve optimality in a more general setting, without the need to add restrictions to the behavior of the adversary. Then we leave open to improve the overall efficiency of our construction, so that rate optimality also holds in the case of small messages. Another open problem is to extend our results to more general cases.
For instance, by removing restrictions on the threshold, or even better, for general access structures. We also want to stress that our results on the rate hold without restrictions on the threshold. But for now, the only continuously non-malleable scheme against joint tampering in the plain model is the one in our work, which has this restriction. Well, that's all. Thank you for your attention.