Hi, I am Hussein. I will be talking about quadratic secret sharing and quadratic conditional disclosure of secrets. This is joint work with Amos Beimel and Naty Peter. So I will start with a general description of our results. The notation that I will use in this slide will become clear in a few slides. We study polynomial secret sharing, which generalizes the well-studied linear secret sharing. The motivation for studying polynomial secret sharing: first, we want to construct new efficient secret sharing schemes for access structures. And second, we want to prove lower bounds for a larger class of schemes. In terms of results, we construct quadratic secret sharing schemes that are better than the best known linear secret sharing schemes. And we construct quadratic conditional disclosure of secrets protocols that are better than the linear protocols. And we prove lower bounds for polynomial secret sharing.
In this talk, I will start with an introduction to secret sharing and the previous results in secret sharing. I will then introduce polynomial secret sharing, define it, and describe the motivation for studying polynomial secret sharing. Then I will present our results in polynomial secret sharing. And then I will describe a building block that we use in our construction, which is polynomial conditional disclosure of secrets. Then I will summarize and discuss open questions left by our work.
Secret sharing schemes were defined independently by Shamir and Blakley in '79 for the threshold case, and by Ito, Saito and Nishizeki in '87 for the general case. In secret sharing there is a dealer who holds a secret s, and there is a set of n parties. The dealer applies a function to the secret s and some random string r, generates n shares, and gives each party a share.
We define an access structure gamma as a collection of authorized sets of parties, and we say that a secret sharing scheme realizes gamma if the two following conditions hold. First, for correctness, we require that any set that is in gamma should learn the secret. For security, we require that any set that is not in gamma, which is called an unauthorized set, should learn nothing about the secret. In this talk the secret is only one bit, which is zero or one.
We start with a warm-up, which is a secret sharing scheme realizing the n-out-of-n access structure. In this access structure there is only one authorized set, which is the set of all the parties, and every other set is an unauthorized set. The construction is as follows: where the secret is s, the dealer chooses n minus one random bits, r1 to r(n-1). Then rn is the exclusive-or of s and all the other bits, and now each party Pi gets the share ri, which is a bit. For correctness, if all the parties participate, then they can learn the secret by XORing all the shares. If one party is missing, then there will be a random bit missing, and we can prove that they actually hold independent random bits. The share size in this scheme is only one bit.
Okay, so now we move to present our scheme for arbitrary access structures. We look at an access structure gamma and its minimal authorized sets. For every minimal authorized set A of size l, we independently execute an l-out-of-l secret sharing scheme among the parties in A. For example, in the following access structure there are two minimal authorized sets, {P1, P2} and {P1, P3}; the third authorized set is not minimal. So we execute a two-out-of-two scheme among the parties P1 and P2, and independently execute a two-out-of-two scheme among the parties P1 and P3.
Since each party can be in up to 2 to the n minimal authorized sets, the share size can be as large as 2 to the n. This was the best share size known for realizing arbitrary access structures until a few years ago. Recently, after more than 30 years of research, we have a better upper bound for realizing arbitrary access structures. So we have an upper bound of 2 to the 0.585; this was achieved by a sequence of works starting from 2017, and the last result was achieved in a paper that is presented in this conference. When we look at lower bounds, we know that the best known lower bound, due to Csirmaz in '97, is omega of n squared over log n. So we can see that there is a huge gap between the best upper bound and the best lower bound we know, and it's a central open question in secret sharing to reduce this gap.
Okay, this was general secret sharing, and now we will move to talk about linear secret sharing, which is a class of schemes. This is an important class of schemes due to two reasons: first, many of the known secret sharing schemes are linear, and second, it has useful properties such as homomorphism, which is critical for some applications such as multi-party computation. Linear secret sharing is constructed over a finite field. The secret is one element in the field, and the randomness is a finite number of field elements, which we denote by l, which are chosen with uniform distribution. For example, here the dealer chooses r1 and r2 with uniform distribution in the field.
Okay, so we define linear sharing. We say that the sharing is linear if the share si is a vector of ci field elements, and each element in this vector is a fixed combination of the secret and the random bits. So for example, here P1 is given only one element, which is r1 plus 2 r2 plus s, and P2 is given two random elements.
These are r1 and r2. We say that the reconstruction is linear if each authorized set reconstructs the secret using a linear function. For example, P1 and P2, an authorized set, compute the secret as s11 minus s21 minus 2 s22. This is a linear combination. We know that linear sharing is equivalent to linear reconstruction. This is by a result of previous works.
Okay, so now we talk about the previous results in secret sharing. First, the scheme that we presented in the beginning of this talk is linear and has share size 2 to the n. Recently, after more than 30 years of work, we have better upper bounds. The best upper bound known today is 2 to the 0.7575n, which is achieved in a paper in this conference. And the best lower bound is 2 to the n over 2. For explicit access structures, we know a lower bound, which is 2 to the omega n. So we can see that the gap between the best upper bound and the best lower bound in linear secret sharing is much smaller than the gap in general secret sharing. And this motivates us to study new classes of secret sharing. Therefore, we study polynomial secret sharing.
So for polynomial secret sharing, we need to present the motivation; the definition we present in the next slide. Polynomial secret sharing is a broader class of secret sharing schemes than linear schemes. The previous work defines secret sharing with polynomial sharing. And our conceptual contribution is the discussion of two additional polynomial secret sharing classes. So we introduce and discuss schemes with polynomial reconstruction, and schemes with both polynomial sharing and reconstruction. The motivation for studying polynomial secret sharing: first, prove lower bounds for a broader class of schemes, and second, explore new techniques for constructing efficient secret sharing schemes for some or all access structures, exploiting the nice algebraic structure of polynomials. So next we define polynomial secret sharing.
Polynomial secret sharing is constructed over a finite field F. The secret is an element in S, which is a subset of the field; for example, here we construct a scheme where it is all the field F3. The randomness is a finite number of field elements, denoted by l, that are chosen with uniform distribution. So here the dealer chooses two random elements, r1 and r2, with uniform distribution. We say that the sharing is degree-d sharing if the share of each party is a vector of ci elements in F, and each element in the share is computed by a degree-d polynomial of the secret and the random bits. P1 is given one element, which is r1 plus r1 r2 squared plus s; this is a degree-three polynomial. P2 is given two elements, r1 and r2; this is linear.
Okay, so we say that the reconstruction is degree d if each authorized set reconstructs the secret with a degree-d polynomial. So for example, P1 and P2 compute s11 minus s21 minus s21 s22 squared in order to learn the secret. This is a degree-three polynomial. We say that the secret sharing is degree-d secret sharing if it has degree-d sharing and degree-d reconstruction. So this is polynomial secret sharing.
Now we will present our results in polynomial secret sharing. In our first result we separate between polynomial sharing and polynomial reconstruction. We prove that polynomial sharing does not imply polynomial reconstruction. This is proved under some complexity assumption. In order to prove this, we show an efficient secret sharing scheme that has polynomial sharing for an access structure that, under this assumption, does not have a secret sharing scheme with polynomial reconstruction. In our second result we prove lower bounds. We prove a lower bound of omega of 2 to the n over d plus one for secret sharing with degree-d reconstruction.
And we prove a lower bound of 2 to the omega n over d for secret sharing schemes with degree-d reconstruction for an explicit access structure.
Then we present our main result, which is upper bounds for quadratic secret sharing. First, quadratic secret sharing is secret sharing with degree-2 sharing and reconstruction. In our main result we construct a quadratic secret sharing scheme for arbitrary access structures that has share size 2 to the 0.705n. So this is better than the best linear scheme, which requires share size 2 to the 0.75n. However, it's worse than the best linear scheme which requires share size 2 to the 0.585n. We also separate quadratic secret sharing from linear secret sharing. We construct a quadratic secret sharing scheme for almost all access structures with share size 2 to the n over three. And by a lower bound that we know in linear secret sharing, which is 2 to the n over two for realizing almost all access structures, we get the required separation.
Okay, so these were our results. Now we will move to talk about our constructions. As a building block in our constructions we use polynomial conditional disclosure of secrets. In conditional disclosure of secrets, there is a Boolean function f with k inputs, each input in domain N. There are k servers, Q1 to Qk, and each server has a private input, holds a secret s, and holds common randomness r. There is a referee; the referee knows all the inputs, x1 to xk. And now each server sends one message to the referee, such that the message of each server depends on its private input, on the secret s, and on the common randomness r. The server does not see the inputs of the other servers, and does not see the messages that the other servers send to the referee.
So for correctness, if the value of the function f is one, then the referee should learn the secret, and if the value is zero, the referee should learn nothing about the secret.
So now we present upper bounds for CDS protocols. For a function f with k inputs, each input in domain N, we have a linear k-server CDS for every function f with message size N to the k minus one over two. This is a tight upper bound, by a lower bound proved in previous work. We also know that there is a non-linear CDS protocol with k servers for every function f with message size 2 to the square k log N. And we know that there is a quadratic CDS protocol with two servers for every function f with message size N to the one over three. In our paper we construct a quadratic CDS protocol with k servers, for every k, for every function f, with message size N to the k minus one over three. This is a tight upper bound, by a lower bound that we prove. These were the results in CDS protocols.
Now we move to describe the ideas of our construction of CDS. First we present the roadmap of our main result, in which we use the CDS. We start with a quadratic two-server CDS from a previous work, and we transform this protocol to a quadratic k-server CDS; we will present the ideas of this transformation in the next slide. Then we transform the quadratic k-server CDS to a quadratic k-server robust CDS. The robust CDS is a new primitive that was defined in previous work. Then, using transformations in previous works for converting a robust CDS to secret sharing for arbitrary access structures, we get our quadratic secret sharing.
Now we will talk about our constructions for quadratic CDS. We start with a quadratic four-server CDS and present the ideas in this protocol. So we want to construct a protocol for a function f with four inputs, each input in domain N.
So now we recall some of the quadratic two-server CDS of previous work, for a function f in which the first input is in domain N and the second input is in domain N to the three. There are two servers, Q1 and Q2. Q1 has an input in N, while Q2 has an input y in N to the three, and we look at the natural mapping of y to three coordinates y1, y2, y3, where each coordinate is in N. They have common randomness S1, S2, S3, which are subsets of N. Now Q1 sends a message of size order N; we will not describe the message, as it's not relevant to our ideas. Now Q2 sends three subsets A1, A2, and A3, such that if the secret is zero, then Ah equals Sh, and if the secret is one, then Ah equals Sh XOR yh. That means that if yh is in Sh then we remove it, and if it's not then we add it.
So we now have two additional servers, Q3 and Q4. The input y is divided among Q2, Q3 and Q4. Now server Q2 cannot send the sets A2 and A3, since they depend on the inputs of Q3 and Q4. But it can send A1, as it depends only on its own input. So Q2 sends A1; similarly, Q3 sends A2, and Q4 sends A3. So the message size in this protocol is order N.
Now we present a quadratic seven-server CDS protocol, built on the previous protocol. We want to construct a protocol for a function f with seven inputs, each input in domain N. We want to simulate the quadratic four-server CDS where the input of the first server is in N and the input of each of the other three servers is in N squared. So we treat x2 and x3 as y1, x4 and x5 as y2, and x6 and x7 as y3, and now we are back to the situation of the four-server CDS. The server Q1 sends the message of the first server in the four-server CDS, which requires message size N squared, and the other servers should send the messages of the other three servers in the four-server CDS.
In order to do this, Q2 and Q3 execute a PSM protocol for sending S1 if the secret is zero, and S1 XOR y1 if the secret is one. This means that Q2 sends one message, Q3 sends one message, and the referee should learn S1 or S1 XOR y1 without learning anything about the secret. And our technical contribution is to show how Q2 and Q3 send the messages. Similarly, Q4 and Q5 execute a PSM protocol for sending S2, and Q6 and Q7 execute a PSM protocol for S3. The PSM should be quadratic, and we show how to construct this PSM. This protocol can be generalized for every k using the PSM, so we have a protocol for every k.
Okay, these were the ideas of our constructions. And now we summarize and present open problems. We studied polynomial secret sharing, which is a broader class of secret sharing schemes than the well-studied linear class. We proved lower bounds for secret sharing with polynomial reconstruction, and we proved new upper bounds for quadratic secret sharing and quadratic CDS. These upper bounds are better than the best non-linear upper bounds. We separated between linear and quadratic secret sharing for almost all access structures.
Now we discuss open problems. The first question is to prove lower bounds on the share size of secret sharing schemes with degree-d sharing. In our work we proved lower bounds for secret sharing schemes with degree-d reconstruction, and it's interesting to extend the lower bounds to degree-d sharing. We constructed quadratic secret sharing schemes, and it's interesting to construct new degree-d secret sharing schemes that are better than the quadratic secret sharing schemes that we constructed. Now the most interesting question is to construct efficient degree-d secret sharing schemes, that is, schemes with polynomial shares.
So construct efficient degree-d secret sharing schemes for a larger class of access structures than the class of access structures that we know have efficient linear secret sharing schemes. Okay, that's it. Thank you for your attention.
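
The warm-up scheme and the construction for arbitrary access structures described early in the talk (one independent l-out-of-l XOR scheme per minimal authorized set), as an added Python example that is not from the talk or the paper. The function names, the party labels and the exhaustive `view_distribution` check are assumptions made for illustration.

```python
import itertools
import secrets
from collections import Counter
from functools import reduce
from operator import xor

def share(s, minimal_sets, rand=None):
    """Share bit s: for each minimal authorized set A run an |A|-out-of-|A| XOR scheme.
    rand is an optional iterator of bits (used for exhaustive analysis below)."""
    draw = (lambda: next(rand)) if rand is not None else (lambda: secrets.randbits(1))
    out = {}
    for a in minimal_sets:
        *rest, last = sorted(a)
        bits = {p: draw() for p in rest}             # |A|-1 random bits
        bits[last] = reduce(xor, bits.values(), s)   # last bit = s XOR all the others
        for p, b in bits.items():
            out.setdefault(p, {})[frozenset(a)] = b  # one bit per set the party is in
    return out

def reconstruct(shares, coalition, minimal_sets):
    """XOR the shares of a minimal authorized set inside the coalition; None if there is none."""
    for a in map(frozenset, minimal_sets):
        if a <= set(coalition):
            return reduce(xor, (shares[p][a] for p in a))
    return None

def share_size(shares):
    """Largest number of bits held by any single party."""
    return max(len(bits) for bits in shares.values())

def view_distribution(s, coalition, minimal_sets):
    """Exact distribution of a coalition's shares over all of the dealer's randomness."""
    n_rand = sum(len(a) - 1 for a in minimal_sets)
    dist = Counter()
    for r in itertools.product((0, 1), repeat=n_rand):
        sh = share(s, minimal_sets, iter(r))
        view = tuple(sorted((p, tuple(sorted(a)), b)
                            for p in coalition for a, b in sh.get(p, {}).items()))
        dist[view] += 1
    return dist

# Constructed input: the talk's example with minimal authorized sets {P1,P2} and {P1,P3}.
MINIMAL_SETS = [{"P1", "P2"}, {"P1", "P3"}]

if __name__ == "__main__":
    sh = share(1, MINIMAL_SETS)
    print("share size (bits):", share_size(sh))
    print("P1,P3 reconstruct:", reconstruct(sh, {"P1", "P3"}, MINIMAL_SETS))
    print("P2,P3 reconstruct:", reconstruct(sh, {"P2", "P3"}, MINIMAL_SETS))
    same = (view_distribution(0, {"P2", "P3"}, MINIMAL_SETS)
            == view_distribution(1, {"P2", "P3"}, MINIMAL_SETS))
    print("P2,P3 view independent of the secret:", same)
```

Because a party holds one bit for every minimal authorized set it belongs to, `share_size` grows with the number of such sets, which is where the 2 to the n share size mentioned in the talk comes from.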