 Thanks for the introduction and my talk is about the robot sequestering scheme and it's a joint work with search for okay so so first of all what is sequestering scheme and so actually I mean the former talk and they also say that about sequestering scheme and this is not a very rigid version of the sequestering scheme and then we just use it because for for convenience okay so first for sequestering scheme and actually we want to share a secret my N parties and so there are two parameters where is the for the privacy and we hope that the NAT parties cannot learn anything about the S because there may be some corroborated party inside and another feature is the reconstruction and we will hope that and any our parties can recon completely recover the sacred this year that our definition for the sequestering scheme and so there are very said they are celebrated like Samia sequestering scheme to realize our realize this sequestering scheme and so how to do that and imagine that we have a sacred s and then we just pick a random degree T polynomial FX and the letter F zero equals S for each party and he will get an evaluation of this polynomial at some point and for example SI equals F alpha I and so by very simple like launch interpolation we can show that actually it has it has T privacy and the T plus word reconstruction and so we also call it a threshold sequestering scheme and this is and so what is the robust sequestering scheme and besides the privacy and reconstruction we have another feature for this sequestering scheme and that means that first we imagine that this sequestering scheme we have honest dealer and honest constructor the dealer will distribute the shares among the parties and the deconstructor will collect the shares and reconstruct the sacred however because we know there are some corrupted party and this quarter party he can corrupt his shares and he don't not honestly and report his share so that in this case so assume that we have a tea corrupted party and yeah indeed you know in all side we assume that the first tea is corrupted and so these tea parties are the shares are not corrected and then yeah in this case we still can robustly reconstruct reconstruct the sacred with high probability and the error probability is very small exponentially small so we call it the robust sequestering scheme and okay so and you know in our paper and we consider this this adversity model and the Russian adversity model and so what is the Russian adversary the Russian adversary and actually he's more powerful and because you know during the reconstruction phase and everyone have every party he has to send back his share to a reconstruct but however the adversary and he control maybe for example tea parties and he will delay his transmission until he saw all others share and then his share is depends on the shares of the honest party and in this case we call it a Russian adversary yeah actually it's quite powerful and there's also non-Russian adversary non-Russian adversary means that he don't have this power and his decision is a completely determined by by his the tea quarter party he only can see his share so this is a non-Russian adversary okay so there are some yeah some results and also some previous works in this area and I just list some of them because there are many many results and just this result are more relevant and so yeah so there are actually there are several and there are two performance we can come we can we can do comparison and the first is the share and you know the smaller the share is that the better the performance it be and so first of the M is the M is the sacred size and the N is the number of player party and the kappa is the security parameter you see in this paper we achieve we actually we have two result when result is that which achieved optimal of optimal share size and also the Russian adversary is the more I mean it's a strong adversary model and but indeed this result is not running in polynomial time it's running super polynomial time so it's and another result is the running polynomial time but it's not optimal share size and they choose some end and end to the epsilon epsilon is a very you can be any small constant okay so there are two results we can compare with and one result for CF or 12 paper and they achieve on plus kappa because this is the Russian adversary so we are in the same but the same model but they are share size is much bigger it's all in level and and so and there are another paper it's 16th Europe 16th paper and they actually achieve the optimal share size however and it's not a it's not a Russian adversary by the way besides I mean we all all these results at least all these results are listed they achieve the maximum corruption means that the the adversary is only one less than the sorry the corrupted party is only one less than the honest party so yeah this is the maximum corruption and it's the most difficult problem situation to handle okay so let's compare and do some compare yeah there are some difference between our scheme and a scheme in their paper in Europe 16th paper so actually oh yeah we also brought some idea from their paper and there are two two things two kind of things are same and the first of first we consider the pairwise authentication so that each and one party then he not only I mean share and hold the share of the circuit also he do some verification for the other party so make sure that other party is not corrupted if if it's corrupted and you are honest party you can find his corruption and these kind of settings and also and of course if you verify all the other parties and the share size will go gross to o n so it's too big so we use a random verification graph to reduce the share size of course there are some difference first of all I mean because they use the Russian adversity model and we did oh sorry the model is not Russian adversity models so so they had actually they can do more things like first of all they use it they are they authenticate the share bios and authentication code and so they also authenticate the keys and it says but in Russian model it's it's not in we cannot do that and because in this case and the limit the ability of adversary lying about a key and also but however it's yeah it's in the Russian out of the model they are they are scheme don't work yeah also but in our work I mean we only authenticate some part of the shares instead of the whole shares and it makes so we keep our authentication key secret so yeah but it makes problems more difficult okay so actually there are some building blocks and you know our paper and this one is we introduced to introduce the listed code about codes in our construction and this is also different from their construction they don't have this and this building blocks and it's a very nice we actually we use the 40 the reason called it has very nice property to care correct up to I mean one minus arm and the episode and errors but also the list size are very small in our actually in our paper we have two different settings for epsilon and first setting episode is a constant and the other setting episode is actually here's a one over log n and so because there's a one over log n so it will output the exponential size and so and not a super polynomial science sorry it's not the exponential size but so that's why we got two different result the solutions and when solution is a super polynomial because of our list decodable codes okay so actually also there is a very frequency graph and yeah we every party you need to verify the other some small set of other parties and so that if we say he's honest and he will provide some information whether the other party is corrupted or not however of course we don't know if he's honest or not because that if it's correct party he could also disguise that he's honest or he will do some other strategy to but anyway I mean so so this is very important and because of the honest party is also always be the majority one so we have some kind of mechanism to do to check whether he's on his own honest on not not a hundred percent sure but yeah with some probability or do something so yeah this is our encoding scheme and the first of all we go we get a sacred s and we encoded by the photoresome code and using the verification random graph to add some authentication tag and keys to the share and the first and at the end we encoded the tag as the tag is the starter robustly and globally so everyone can learn can know the tag but if we corrupt the tag it makes it makes no it makes no sense it doesn't help because we store the tag robustly but we also at a sacrifice some privacy of the tag so the tag is known to everyone but yeah if we corrupt it we can recover it yeah with high probability so yeah so this year everyone get yeah and so our reconstruction scheme actually we're all reconstructing because we say that just in our setting at the Russian anniversary model I mean the adversary if you only send your share to reconstruct in one round and the direction and the adversary can learn anything about the honest party so yeah it's not safe so we separate it into three rounds and then yeah this so we first we transmission back send back the other the share and then we use some algorithm and and actually in all people we defined there's some passive corrupted party and passive party and we just see to see if for the passive party is the number of pass but is bigger or small and we have two different road route to find the corrected the sacred to reconstruct the sacred and this is a very key important very important in our analysis we divided the honest dishonest party into two type one is our passive party and other one is the active party okay so let's see some from the verification graph we can we will have some observation this option very key to our analysis and first of all if yeah we first of all we need to find a passive corrupted party the passive corrupt party and he he didn't a crowd if he didn't he didn't craft the si si is just the set result code it's a reasonable code and he just in code they encoded on it we use for the result code to encode the sacred so si is just a symbol of this for the result code and if active corrupted and he can crop anything so this is our definition of of the corrupted party and then and we have yeah there are some several observations first is the passive party and honest party they can all pass over verification of the honest parties because of this property and the second is that active party if you are active corrupted party you cannot pass the verification of the honest party and the last is also very important that this distribution of honest party neighbors are uniform at random so that means if adversely he did when he when he decided which party is the only a passive one which is active one and he has learned nothing about this distribution of the honest party's neighbors and so because we separate into three round and so we make we can make it happen okay so there are two settings first as we assume that there are many passive parties large so the P is very large and in this case we can use the result for the result code to do reconstruction however this will output a list of the candidates and it's not the only one but we can make sure that correct one is also always in this list and then we use them with the help of verification graph we can find the disc correct one out of the al candidates yeah that's and and so let's go to the small passive small p and for small p and yeah actually we have a t-plus one honest party and it's more one at least it's one most at least a more one more than the active and corrupted one so if we can we our organ works for every honest party and we take a majority vote and we will find it the correct sacred so let's assume that we start from honest party and the red one is a red spot is on a green spot is honest one and the red one is a passive one and the black one is active one so because the red one is always be the in the minority so we just and the first step and we start from honest party and we do verification and all the honest party and if he's the neighbor of this red green one and he will be passed a verification also the passive one will pass a verification but to the active one will never pass the verification then the second round but since I'm little bit more subtle because I mean because there's some passive one passive party and the passive party he can he can let the active party pass this verification and so so that the black one will join the circle and join the sets and also you know the because the green one is honest one honest one we always bring the honest one and a passive way and so so but but however our algorithm make sure that if we only do it for constant round and the honest one at the active one and the passive one it is only only will be the minority but much it's only account for very small proportion of this number of the proportion in this set so it's well don't affect our analysis so we don't care too much about it so let's summarize so so yeah let's do some there are some conclusion from our our algorithm and after I mean do it for constant round and the honest party will be a million and it will be the vast majority of the set and but however the active at the passive party and the only account for I'm a square root epsilon of the pad a proportion of the set so so that and because I mean the honest one is the vast majority and we have some other algorithm and the DOS algorithm and we just using the probabilistic argument to find all the honest party and some passive party but the active party is is less than the passive party so in this case I mean because our our yeah we encoded it by resum code for the resum code for the resum code is also a resum code you can treat it as a read some code so they are very good redundancy and so we can then we can use some unique decoding code algorithm to decode correctly okay so this is our two algorithm and we want to have some concluding remarks from for our paper for our result and actually we presented to you about sequestering scheme against a Russian anniversary and yeah one scheme achieves CSS is a suboptimal but a running polynomial time another scheme to achieve optimal CSS but a running time is exponential because of the this size so there's an open problem whether we can do it in polynomial sense or do it in polynomial time and also optimal share size this is my talk thank you thank you any questions so you said that it's on Solomon code should be folded can you can you comment on that why why should it be folded and what does it mean exactly sorry I can why the rates on Solomon code should be folded sorry I can't beg your pardon so are you using normal read Solomon codes or fold like you said they are folded sorry I can't sit here clearly sorry because because maybe it may be the stage for so the reason the question is about the read Solomon code yeah so are you so I understand correctly you're not using any read Solomon code you mean the least size or the size yeah because this is the I mean and this is a new result from maybe eight yeah for there are folks 18th or 14 19th people and by Mary water and I guess I don't remember all the people's name but yet they will achieve very there's a very good result and achieve a constant this size and also like the size of your so you have a verification graph yeah so can you tell us about the number of edges in this oh yeah of course sorry yeah it's a very good question okay so so actually and they are there because we have two schemes one scheme we achieve the optimal size a share size so that the degree of the verification graph is log n or log square n or cubic n I can't remember it yeah but but it's it's a polylog and actually we can see the poll again and the second another algorithm and the achieve another scheme achieves the actual suboptimal and the degree is n to the epsilon or square actually it's n to the square root epsilon and will be more precise okay is that connected to the parameters for the read Solomon code or is it independent actually it's a connect to our our graph algorithm actually we use the expanded graph and so the degree of expand graph and it's and the larger the degree is and I mean so it can expand it more quickly so if the degree is small and expand it more slowly and but but but because first of all we need to come consider a graph algorithm so that we fix our degree and then and but there'll be another problem occurs because if we if our degree is if our degree or in our expansion graph it's bigger and this means that we have we don't we cannot have too many passive party so so and so it will add a difficulty to our list of audio algorithm and in our list the code algorithm we cannot achieve constant you know epsilon we can only chew over log n epsilon so so so it's it's the least size is explained as super polynomial so yeah this is a trade-off thank you thank you any more questions if not then let's thank the speaker again