 Hello everyone. I'm Jun Jie-Liao from Cornell and the title of our work is Namediability Against Poinomial Temporary. And this is a joint work with Marshall Boe and Tomah Kim from Columbia and my advisor Ishan Chatapati, also from Cornell, and Leon Tan from Stanford. So first let me tell you what is a Namedibot Code. So Namedibot Code is first introduced by Jim Boski, PR Trek and Wix in 2010. And it contains an encoding function and a decoding function. And we'll consider a temporary experiment which take input message s and encode it into a codeword c, and then there will be an adversary who tempers this codeword c to a temporary codeword codeword c. And then we'll apply a decoding function on codeword c to get the temporary message to the s. So our goal in this temporary experiment is we want to guarantee that either the temporary message s remains unchanged or it becomes something unrelated to s, which means it gets destroyed by this temporary experiment. So formally we will consider a temporary function family f, which we want to protect against. And then we want to grant it two properties. So the first one is the correctness, which says if we take a message s and then we encode it and decode it without any temporary, then what we get is exactly the same message. And the second property is a Namedibility, which says for every function f, there exists a simulator df for the corresponding temporary experiment for f, which means the temporary message s will be roughly equivalent to applying this simulator df on the original message s. And furthermore, this simulator df should be a distribution over identity function or constant function. So here identity function means the message will remain unchanged. And constant function means it will be changed to something completely unrelated. In other words, the message gets destroyed by this temporary experiment. And a simple observation here is it is impossible to construct a Namedible code, which is secure against arbitrary temporary function f, because otherwise the adversary can just take the temporary function to be first decoding the code word to get the original message and change it to something related and then re-encode it, then this will break the Namedibility. So some restriction on this temporary function family is necessary. And next, we will see some temporary functions which have been considered in previous works. So the most well-studied one is probably the split state model. So in a split state model, a code word will be split into several parts, and the adversary is allowed to temper each part of the code word individually and arbitrarily. And there are a lot of great work in this line, and remarkably, a recent result by Agarwal and Obromsky shows that it is possible to construct a Namedible code with constant rate in the two split state model. And another line of work which recently received more attention are the global temporary functions. So in a global temporary functions, we can apply, the adversary can apply a function, temporary function on the full code word. However, there should be some restrictions on the temporary function that the adversary can apply. So some examples include permutations and biflipping, local functions, affine functions, modep circuits, modep decision trees. And there are also some other beautiful works based on some possible cryptographic assumptions, but in this talk, we will focus on conditional information theory results. So the first result in our paper also falls in this category. So we construct a Namedible code which is secure against polynomials over a prime field FQ. And formally, the code word in our Namedible code will be n elements over a prime field FQ. And then the temporary functions will be degree d polynomials on unbearable over a prime field FQ. So if the adversary choose p1 to choose degree d polynomials p1 to pn as a temporary function, then the temporary code word will become p1x, p2x to pnx. And our first result is we show that for every integer m and d and the sufficiently large prime Q, there exists a Namedible code which is secure against degree d polynomial temporary. And interesting corollary of our result is our Namedible code actually also works for arithmetic circuits. So in an arithmetic circuit, it's a circuit which takes some variables and some constants. And in this circuit, each gate will compute the product or the sum of its two inputs. And so we will consider the temporary function to be size s arithmetic circuits on unbearable over FQ. And we define such a temporary function family to be E and Qs. And here the size s is the number of gates in the arithmetic circuits. And it's not hard to see that size s arithmetic circuits actually compute a polynomial with degree at most 2 to E s. So this means this temporary function family E and Qs is contained in F and Q 2 to E s. So our result for against polynomial temporary will also give a Namedible code which is secure against arithmetic circuits. So note that there is the restriction of the prime should be larger than a polynomial in 2 to E s. However, the code the length of the code word is unlock Q, which means the length of the code word is actually only have a linear dependence on the circuit size s. So this restriction on the prime Q is actually not unreasonable. And our second result is the Namedible secret sharing. And before we introduce our result, first let's briefly review what is a secret sharing. So a secret sharing scheme is first introduced by Shamir and Blockley in 1989. And in the T autofund secret sharing scheme, there are two functions, a share function and a reconstruction function. And a share function will take the secret s and produce n shares. And we want to guarantee two properties. The first one is the correctness, which means given any t shares, we should be able to apply the reconstruction function on it to get to reconstruct the original secret. And the second property is a secrecy, which means if we are only given less than t shares, then these share together should reveal no information about the original secret s. And the recent work by Goyal and Kumar consider a Namedible secret sharing, which is basically a secret sharing scheme with an additional Namedibility guarantee. So in Namedible secret sharing, we will consider an adversary who can temper the shares. And what we want to guarantee is if we take t tempered shares and apply the reconstruction function on it to get a tempered secret, then this tempered secret should either be identical to the original secret or it should become something unrelated to the original secret. So similar to the Namedible code, it is also necessary to play some restriction on the tempering function that the adversary can apply. Otherwise, the adversary will be able to reconstruct the secret and then temper it and then reshare this tempered secret, which will embrace the Namedibility. So in prior works, the most common tempering model is probably individual tempering. So in individual tempering, the adversary can temper each share individually and arbitrarily. So the first tempered share will only depend on the first share and the second tempered share will only depend on second share and so on. And there is also another model which has been considered is the joint tempering model. And in a joint tempering model, the adversary can split the shares into two disjoint sets. And then the adversary can temper the shares in each disjoint set jointly and arbitrarily. But still, the tempered share in the first set can only depend on the shares in the first set and the tempered share in the second set can only depend on the share in the second set. And finally, there is another model which is global tempering function. And in global tempering functions, we allow each tempered share to depend on all the input shares. However, we will play some restrictions on the tempering function that the adversary can apply. So some examples include a fine tempering, which is by Lin at all, and the composition of joint tempering and the fine function, which is by ShadowParty and Lin. And our second result is also forced in this category. We construct a nominal secret sharing, which is secure against a polynomial tempering over a prime field FQ. So our second result says for every integer m and dt and some sufficiently large prime Q, there exists a t-out of a nominal secret sharing scheme for an m-bit secret against a degree d polynomial tempering. And furthermore, we actually give a stronger circularity guarantee. We allow the adversary to adaptively choose a tempering function. More precisely, the adversary can first take t minus 1 shares and then use the information from these shares to choose a tempering function F, then the adversary will apply this tempering function on all the shares to produce the tempered shares. And note that each tempered share can still depend on all the input shares. However, this choice of the tempering function can only depend on t minus 1 shares. Otherwise, the adversary will be able to apply a reconstruction attack, which is impossible. And so this adaptive choice of tempering function is actually a pretty strong security guarantee because it allows the adversary to temper these t minus 1 shares jointly and arbitrarily. And furthermore, the adversary can use some information from these shares to choose some suitable tempering function for the other shares. So the adversary can actually do a lot with this adaptive choice. And also, as a corollary, this nominal secret sharing also works for arithmetic circuits. And next we will give a brief overview on how we get these two results. So both of our results are based on a C less amenable extractor against polynomial tempering, which we will introduce in the next slides. And then with this basic building block, we will apply the reduction by traction and Guzwami to get a amenable code. And then we will apply another scheme by Lin et al. to get an amenable secret sharing. And also, in order to apply these two reductions, we also need an efficient inverter for this amenable extractor, which we believe to also contain some interesting new techniques. And also to achieve the adaptive security guarantee in our amenable secret sharing, we actually use a specific and non-trivial instantiation of the Lin et al. scheme instead of just applying it as a black box. So next let me define what is the C less amenable extractor? So a C less amenable extractor is first introduced by Tchaikovsky and Guzwami. And it is a function which will be applied on a source S to produce a distribution which is closer to uniform. And in other words, this is the randomness extractor. And furthermore, it needs to satisfy an amenability guarantee, which says for every temporary function F from some temporary function family, if we apply this temporary function F on the source to get a temporary source and feed this temporary source into the amenable extractor, then what we get should be identical to the original output of the extractor, or it should be independent of the output of the extractor. So Tchaikovsky and Guzwami show that if we have an amenable extractor for uniform distribution, then this will implies a amenable code. And the encoding against the same temporary function family. And the encoding function in this amenable code will be an inverter for this amenable extractor, which takes a uniform sample from its preimage. And the decoding function will be exactly this amenable extractor. So our main result is we show that for every integer M and D and the sufficiently large prime Q, we can construct an explicit C-less amenable extractor, which output an MB string, and which works for uniform distribution and secure against the degree D polynomial temporary functions. And furthermore, we also show that there exists an efficiently computable inverter for such an amenable extractor. So with these two results, we directly get the amenable code against polynomial temporary. And actually what we prove is a stronger result. So we show that this amenable extractor actually works for a skew of fine source, which we will define the next slide. And this stronger result is actually important to support the adaptive choice of temporary function in your amenable secretory. So we say a source X is a skew of fine source if it is a uniform distribution over a fine subplace. In other words, it is a fine source. And also it needs to satisfy the property that none of its coordinates are constant. And another way to view this skew of fine source is we can consider it as a uniform source conditioned on some fine leakage, and which doesn't reveal any single coordinate Xi. So this view will be useful in our construction of an amenable secretory, because we will consider the shares leaked to the adversary to be some fine leakage with this source. And more details can be found in our paper. And next we will give a brief overview of this extractor construction. So the construction of our extractor will be of the form which first apply a low degree polynomial edge on the input x1 to xn. And then we will take the last n bits of the output of edge to be our extractor output. And this construction have appeared several times in the context of extractors. And what we want to do here is we want to choose a proper polynomial edge such that it is this extractor is actually not amenable. So a first attempt will be choosing this extractor to be the same as the Gabison-Ross extractor, which was for a fine source over a large point field. And in such extractor, this polynomial edge is taken to be the summation of Xi to the Ci for some distinct integers you want to see. However, such extractor is actually not amenable because it is vulnerable to a linear temporary attack. And more precisely, we will choose some proper constant beta i such that beta i to the Ci equals to some constant k, which is different from 1. So this will imply that if we temper each xi to beta i xi, then the tempered output of edge will be exactly k times edge x. So this even after we truncate to the last n bits, there will still be some correlation between the original output of edge between the original output of the extractor and the tempered output of the extractor. So this will break the numerability. So our next step is to try to change this construction to something different which prevents this linear attack. So we will choose edge to be the summation of xi to the Ci plus xi to the Ci plus b, where b is the constant chosen to be co-prime to the q minus 1. And why we set two terms for each xi and make the difference of the degree to bb is because with such construction, it is actually impossible to find a beta i such that beta i to the Ci and beta i to the Ci plus b are the same and it's different from 1. So therefore a linear attack doesn't work for this construction. And so actually we will take an edge to be the summation of xi to the Ci minus 1 plus xi to the Ci, where Ci is a properly chosen arithmetic progression with common difference b and b. And we don't have time to talk too much about why we choose this, but we will give some brief ideas about how we prove that this works. So the basic proof idea is first we will use some exponential, some techniques to show that when this edge is taken to be a low degree polynomial, then the only possible correlation of the real output and the template output is the linear correlation which we have seen in the like as in the linear attack for the original construction of Gabith and Ross. And this can be proved using the well-bound from edge-backed geometry and the generalized XOR lemma by Raoul and Dodie Settle. And then after proving this, we only need to show that the polynomial edge we construct, this will never happen for the polynomial edge we construct. So we will do some case analysis which we don't have time to go through, but we will briefly talk about like how we prevent all the possible attacks. So first having two terms for each xi will prevent linear tampering as we have seen in the previous slides. And then the choice of Ci being an arithmetic progression will prevent the non-linear tampering, like suggest quadratic tampering. And this is based on a lemma by the VR, Gabith, and Wickers. And finally, because we restrict the input of find source to be skew, so this also prevents attacks which set some, which set some xi to be a constant. Okay, next we'll briefly talk about the efficient inverter which will be the encoding function of the non-linear code. So note that our non-linear extractor consists of, is a composition of a function sigma which truncates the less than bit and the polynomial edge. So to get the inverter for this, straightforward construction is to first take a preimage of sigma to, which is y, and then we will take a preimage of edge of y, for y. And to, so taking a preimage for sigma is trivial, and taking a preimage of a polynomial edge can be based on an algorithm by Traptory and Chocolati. However, there's a problem in this construction. So because we need a uniform preimage from the composition of sigma and edge, so we actually cannot sample this preimage y uniformly. Instead, we need to sample y with probability proportional to the preimage of, to the preimage size of y. But, and a simple way to achieve this is by rejection sampling. And the similar approach have been adopted by Traptory and Chocolati in the work which constructs a template state non-linear code. However, this doesn't work in our setting because in our setting, our polynomial edge works on unvariables, and this n can be pretty large. And a large n will be especially useful in our construction of non-level secretary. And computing the preimage size of edge will be expensive. So in order to solve this problem, we will actually, we observe that the algorithm by Traptory and Chocolati is also a rejection sampling. So we can embed this rejection sampling step into the Traptory-Chocolati algorithm. So we are actually applying a rejection sampling on the, on this, on this composition of sigma and edge. Finally, we briefly go through how the non-level secretary scheme work. So the linear to all scheme works by first taking a shear function to be first applying an inverter for the non-level extractor to get x, then takes a erasure, the encoding function of the erasure code to produce n shares. And so in our setting, it will be, we will take the non-level extractor to get a t out of n-secretary, we will take a non-level extractor which works on t elements in the prime field F2. And then we will use a erasure code which produce n shares of a prime element of n, which produce an element in the prime field FQ. And also we will take this encoding, decoding function to be a systematic MDS code. And this will actually implies that any, any t minus one share together will be some, a finite leakage for x, which doesn't reveal any single coordinate in x i. So in other word condition on these shares, the, the source x will still be a skew of my source. So the nominability still applies. And finally, we go through some open problems arise from this work. So the first open problem, so the first future direction will be trying to improve the parameters in our non-level code n-secretary, such as improving the information rate or the error. And the second interesting open problem would be trying to achieve nominability against polynomial over a field with smaller characteristic such as F2. And note that we, this should, if this is possible, then this should be very different from our approach, because our approach rely on a well spawned, which is only non-trivial when the, over a large prime field. And finally, it will also be interesting to achieve nominability against other polynomial, other global tampering functions, especially those which already have some interesting average case for a problem, such as small waste branching programs or AC0 circuit with parity gates, et cetera. Thank you for your attention.