 So, is this audible? Okay. So, today in this talk, I will present an explicit construction of a non-malible code, which is resistant to permutation and perturbation of bits. This is a joint work with Shashank Agarwal, Divya Gupta, Omkand Pandey and Manoj Prabhakar. First, let me go ahead and introduce the notion of non-malible codes at an intuitive level. Zimbowski, Peterzak and Wix in 2010 introduced this notion of non-malible codes as an extension of classical notions like error correcting codes and other notions of, other cryptographic notions of codes like arithmetic manipulation detection codes. In this setting, we have the following guarantee. Suppose a message is encoded using a non-malible encoding scheme, then the following guarantee will be ensured. Suppose an adversary comes along and tampers with the encoding, then the message which is encoded inside this tampered encoding will exhibit either of the following two properties. It will either be the original message itself or it will be a message which is completely unrelated to the message which was encoded originally. So our result constructs an explicit non-malible code against tampering functions which are allowed to permute and perturb each bit of the encoding. So let me explain what permute and perturb tampering functions exactly look like. An adversary, when presented with a encoding, can first permute the bits of the encoding. Next, for each permuted bit, it can choose one of the four operations. It can either forward the bit that is keep it identical or flip the bit or set it to one or reset it to zero. Let me explain this further. Suppose we have an encoding which has four bits. The adversary to tamper it first defines a permutation. In this case, this is the permutation defined by the tampering function. Next, for each bit, the adversary either can choose to forward the bit, flip the bit, set it to one or reset it to zero. Using this example, suppose the initial code word was C0, C1, C2, C3, then the tampered code word will be C0, 1, 1 minus C1 and zero. So our result will show that we can construct non-malibule codes which are resistant to such tampering. That is the adversary can permute the bits of the encoding and for each bit, it can decide to either forward it, flip it, set it to one or reset it to zero. Next, let me go ahead and provide some intuitive definition of what non-malibule codes are. So it is defined in a following manner. For every tampering function f, we have to show the existence of a simulating distribution d sub f which is over the sample space, same star, some input messages, and bought such that for any message which has been encoded using this non-malibule coding scheme, the following two distributions are closed. The left side distribution is the distribution of the message encoded inside the tampered code word. Let's look at it closely. We have the message m which was encoded, tampered, and subsequently decoded. So this is the real distribution of message which is encoded inside the tampered code word. On the right side, we have a simulated distribution which intuitively carries the meaning that the distribution is somehow independent of m. Let me explain this further. If the sample drawn according to df is the special symbol, same star, then the right hand distribution is the message itself. Otherwise, it's a symbol that is either it's a message or a bot which is completely independent of the message because d sub f was completely independent of m. But the first question we must ask ourselves is this notion even realizable? Because consider the following tampering function. The tampering function f first decodes the encoding, adds one to it, and then re-encodes it. In this case, given an encoding of a message, we can always produce, the tampering function can always produce an encoding of message plus one. And for this, there is no such df. So what went wrong? What's important is the order of quantifiers. We first need to fix the class of tampering functions. And once we have fixed the class of tampering functions, then we design a non-malible code for that particular class of tampering function. And in particular, the decode, add one, and re-encrypt function will not fall in this class, a tampering function class cal f. So let's try to understand what our result exactly is. We will provide a explicit construction of a non-malible code such that for any tampering function f, which happens to be a permute and perturb tampering function, v will show existence of a simulating distribution d sub f such that for any message m which is being encoded, the distribution of tampered message in the real world will be close to a simulated tampered distribution. Before I move ahead, I want to summarize what the current state of the art in non-malible codes is. First of all, there are some very beautiful results which show that non-malible codes exist for a very large class of sophisticated tampering functions. These results show that with probability close to one, we can find such constructions. These Monte Carlo constructions work in several settings. So why do we even want to look for explicit constructions? I want to just look at such constructions just because they are beautiful mathematical problems. But for settings like resilient storage where non-malible codes was first introduced, there's such existential results or Monte Carlo constructions which work with extremely high probability suffice. But non-malible codes have come a significant distance from that start. They are currently being used to show reductions between various different kinds of cryptographic primitives. And if these reductions are in a setting where parties are adversarial, we cannot use these Monte Carlo constructions. And in fact, we need constructions which are explicit. One such reduction shows that the class of tampering functions being considered in our paper, that is the class of functions which permute and perturb, is interesting by showing a reduction of a string commitments, non-malible string commitments, to bit commitments. Now we know that explicit constructions are useful and interesting. Can't we just de-randomize these existential results to obtain such explicit constructions? This is the famous problem of finding hay in the haystack. And we know that these problems are notoriously hard for most problems in theoretical computer science. And this particular case is no different. Although not all hope is lost yet, we know explicit construction for several interesting classes of tampering functions. Coming from the introductory work, the first work on non-malible codes by Zimbowski, Piotrzak and Wicks in 2010, where they considered bit tampering attacks. In bit tampering attacks, an adversary can tamper each bit individually and decide whether it wants to forward it, flip it, set it to one, or reset it to zero. Note that this class of attacks is a special case of the tampering class we are considering in this paper. If you fix the permutation to be the identity permutation, then this is the exact class of tampering function. In a sequence of work, we now have explicit constructions of non-malible codes which are resistant to bit tampering attacks. And in this final work, we were able to provide a rate amplification compiler, which takes a bad rate non-malible code and amplifies its rate all the way to one. So now, we know of rate one constructions. That is, the encoding is roughly the same size as the message length itself. And they exhibit this fascinating property of non-malibility. For there are other interesting classes of tampering as well. One very popular class is the class of tampering functions in which the first half of the encoding is tampered independent to the second half of the encoding. And this field has seen some very beautiful line of work in the recent couple of years. It began with this work of Zimbabwe's Kazana Obremski in 2013, where they showed that how we can construct non-malible encodings of only bits. Since then we have come very far, this result shows that we can indeed construct non-malible codes for split-state encoding, where the encoding is constant larger than the length of the message itself. In this recent work of ours, we have been able to construct rate one split-state encodings where we use one-way functions. And we also show that one-way function is necessary to construct rate one. Another interesting class of tampering functions is the one that we are considering in this paper. In this, the adversary is allowed to permute and perturb each bit independently. Note that this is an obvious generalization of the bit tampering attack, but it is incomparable to the split-state attack, because in our case, there are no a priori fixed compartments which are to be tampered independently. Each point could influence any other point. In these two works, we have been able to construct rate one construction. And the final paper here is a companion paper to this paper which was presented at TCC earlier this year. And this provides a rate amplification technique which takes the construction presented in our paper and makes it into a rate one construction. So let me go ahead and explain to you what our construction is. So I have to give a encoding scheme such that for any tampering function which permutes and perturbs, I have to show existence of a simulating distribution d sub f such that for any message which is being encoded, the real message encoded in the tampered function is close to a simulated distribution. To explain the encoding, I need to introduce some very basic encoding schemes. Let me go ahead and do that. So the first encoding scheme that I want to explain is the famous Reed-Solomon encoding. Suppose we have a field f, 0, 1, 2, n minus 1. And we want to encode and message m0, m1 up till ml minus 1, which is an element in f to the power l. Then we choose a random polynomial f of suitable degree such that when the polynomial is evaluated at 0, 1, 2 up till l minus 1, it agrees with the message m0, m1 up till ml minus 1. The output of this encoding is the evaluation of the polynomial f at all other points in f. That is, the output f evaluated at l, l plus 1 up till n minus 1. And we denote this by rs of m0, m1 up till ml minus 1. We don't use this scheme directly in our construction. We use a slight variation of this, which we called an augmented Reed-Solomon encoding and is identical till we choose this polynomial f. But instead of just outputting the polynomial f evaluated at l, l plus 1 up till n minus 1, we instead output the following blocks. The first block is the tuple 0, f evaluated at l. The second block is 1, the tuple 1 and f evaluated at l plus 1. And the last block is n minus l minus 1 and f evaluated at n minus 1. We just append the position index of each block with the code word. And it is denoted by ars of m0, m1 up till ml minus 1. The next encoding that we will use is called balanced unary encoding. Suppose we have a set s, which is 0, 1, 2 up till t minus 1. Then to encode an element k in this set, we choose a random bit string of length 9t, which has 3t plus 3k ones. And it will be denoted by bu3 of k. The last encoding scheme that I need to introduce is the famous additive secret sharing scheme, where a bit b is encoded by a1, a2, aq such that the parity of these bits is identical to the bit b. And we will represent it by add sub q of b. And our encoding scheme does the following. Suppose we are asked to encode m0, m1 up till ml minus 1, where each of these is an element in some field f. Then we first compute an augmented read Solomon encoding of the message m0, m1, ml minus 1. Now we interpret each block of this encoding, which is of the form i, x as an integer i multiplied by size of the field plus x. And this number is encoded using the balanced unary scheme. Next, each bit of this concatenated code is encoded using the additive secret sharing scheme. Finally, our encoding scheme outputs a random permutation pi and the code c under permutation pi. The decoding procedure is very simple. We look at pi, undo the permutation, and decode according to the decoding procedure of this corresponding to this concatenation code. Let me go to the proof now. Sadly, I don't have sufficient time for this. So instead, I will just provide you a ZK proof in the ideal world. But if you are interested to know more about the paper, please contact me in the real world. And I will be glad to discuss the intuition and detail behind our proof and the construction. But before I end, I want to discuss the future directions of non-malible code. One obvious thing that we want to do is to construct non-malible codes which are resistant to more sophisticated tampering attacks. And I think this is a very fascinating direction of research. But I want to conjecture something more. I want to envision non-malibility as an extension of properties of error correction. What if we are able to put these two objects in one spectrum, such that we have codes which error correct up to a particular threshold of errors? And beyond that, it ensures a weaker property of non-malibility. What if we could construct such codes which provide a spectrum of various cryptographic properties? Towards this end, I believe that there are two important directions of research that we should undertake. First, we should try to come up with composition theorems where we will be able to combine ingredient constructions into larger constructions which have stronger properties. And finally, as exhibited by recent results of ours, we need to identify some additional properties like just non-malibility does not suffice. In all our rate amplification kind of results, we always had to define something which was non-malible plus something else. We needed these properties for the composition to hold. Maybe we need to identify these new additional properties which will help us develop these composition theorems. With that thought, I would like to conclude my talk. Thank you.