 Hi, welcome to my talk on public randomness extraction with ephemeral roles and worst-case corruptions. This was a really fun project with Jesper from Aura's University and Machia from CQT and the National University of Singapore. So it's found out that randomness is fundamental in cryptography. And perhaps the simplest way of generating randomness is to assume some trusted randomness generator that samples bits uniformly at random and broadcast them to several parties. And these parties all agree on the same bit and they all trust that this bit is indeed uniformly random. But this is a very strong assumption and so we usually replace this trust as party by some distributed protocol where parties interact in order to agree on a common random bit. But this is also complicated because many of these protocols require that parties maintain stateful environments for a long time and this is a hard task. Because for example there may be power outages or one computer may restart and start working on some updates and it's even worse under adversarial behavior because adversaries can mount targeted denial of service attacks. So because of this prior work has studied a stateless NPC where the goal is to design protocols which do not require parties to keep state. And this is also the focus of our work and we considered the recent you only speak once model or yoso for short of stateless NPC with ephemeral roles. And a yoso protocol is composed by a series of roles few roles which are executed in sequence. And the way we should think about this is that there is a large ground set of parties and there is a role selection mechanism that selects a party to execute a certain role in this case the first role. And executing a role entails broadcasting a public value x1 and also sending private messages to future roles. And after a role is executed the party that executed the role can basically blow itself up and go offline forever because it doesn't need to speak again anymore. And the protocol persists like this. So for the second role the selection mechanism picks a party to execute the code and again more messages are sent etc until the protocol ends. And in the original yoso work the role selection mechanism was assumed to be uniformly random which means that worst case corruptions on the ground set become random corruptions on the roles and this allowed them to design NPC protocols with about half rate of random corruptions. In this work we consider a modification of the original yoso setting where we replace random corruptions by static chosen corruptions and we specifically consider the task of public randomness extraction. So here's an example we have four roles and before the protocol starts we allow the adversary to corrupt say two roles of its choice. And in the protocol persists as before so roles are allowed to broadcast public values and to send private messages to future roles. And furthermore corrupted roles are allowed to deviate arbitrarily from the protocol. In the end we want to compute our coin by applying a deterministic function to only the public values of the protocol x1 to x4 and this coin should be statistically close to uniform. And the reason why we want the coin to be a function only of the public values is that we want that even people that did not participate in the protocol to be able to compute the coin by themselves. Now why is it interesting to consider worst-case corruptions? Well first it captures settings where the role selection mechanism may be biased in which case previous protocols are insecure. Second it forces us to actually go beyond committee-based protocol design and to invent interesting techniques. And finally we believe it is a clean model with many potential applications. So in this work we are mainly interested in understanding the maximum rate of chosen corruptions that still allows for low bias public randomness extraction in our use of setting. And we obtain both positive and negative results. So with respect to positive results we obtain two types of zero error randomness extraction protocols depending on how the private messages to future roles are implemented in practice. And these protocols are based on a YosoFight version of William Auer's secure MPC made simple combined with some Yoso specific techniques. And to complement this we also show that in both models if you want to extract randomness with subconstant bias against T corruptions then we need at least four T plus one roles. So in particular for one corruption we obtain the optimal number of roles for this problem.