 Hello, everyone, I'm Chen Zhi, and we're going to introduce our work on multi-cells non-malibule extractors and its applications. This is a drawing work with Vipo Goyo and Aksherin Svini Vasen. I will start by introducing what is a true-source non-malibule extractor. The notion is introduced by Teri Gacchi and Bruce Swami in 2014. So in this setting, you have two independent weak random sources named X1 and X2. So here the weak means that both sources are not uniformly random. And then you want to use an extractor to extract n-bit randomness from the sources that are close to uniform. And further, the input sources can be tampered independently by arbitrary tampering functions. And the security requires that the tampered output is either the same as the original one or is independent, which means the value is destroyed. So here the randomness of a source is measured by its mean entropy. So if the mean entropy of the source is greater than k, then it means for any x the probability that the source is equal to x is less than 2 to the minus k. So intuitively, the source has higher mean entropy means it contains more randomness. And we assume the X1 and X2 are in-bit sources with mean entropy k. They are also called in-bit sources. And more formally, the non-manability is defined as the joint distribution of the original output and the tampered output is absolutely close to a joint distribution of 2n-bit strain, where the first one is uniformly random and the second one is either the same or independent of the first. And the epsilon here is called the arrow of the non-manable extractor. When this work, we introduce a new notion called multi-source non-manable extractor, which is the generalization of the two-source one. And instead of two-source, now we have as independent n-case sources. And similarly, each source can be tampered independently by arbitrary functions. And then we can define a security in a same way. However, it is not hard to see that this definition is actually weaker than the two-source one. Since we can view such a multi-source non-manable extractor by just applying the two-source non-manable extractor to the first two sources and then ignoring the rest. And in fact, there's no previous result including cases beyond the independent tampering. So in this work, we mainly focus on the following question. Can we protect against a tampering function that tampered multiple sources together? And then what is the mean entropy is required and what is the app? So the most general model I could consider here is the overlapping drawing tampering. So in such a tampering, for each eye, the tampering function can depend on an arbitrary set of input sources, TI. We also mentioned that this tampering model is previously proposed by Garo and Kumo in 2018. But it worked in the context of non-manable secret sharing. In the context of non-manable extractor, no previous result considered this model since they only considered two-source case. However, it is hard to protect against the general overlapping drawing tampering. So instead, we consider a more restricted tampering model called cover-free tampering, which is overlapping tampering with some constraints. So given the overlapping tampering, we say it is eye cover-free if there exists an xj, so that no tampering set tk contains both xi and xj. So for example, here for i equal to 1, you can see that x1 and x4 does not contain any at tk. We say it's cover-free tampering if it is eye cover-free for each i and s. We'll see that this tampering model includes a rich class of tampering functions. For example, it contains an independent tampering, which I already mentioned before, and it contains this drawing tampering. So this drawing tampering means the sources divided into at least two groups, so that the sources in each group are tampered together. Also, the cover-free tampering is strictly richer than the destroying tampering, as it contains some fancy tampering functions such as following. The tampering of each xi will depends on both xi and xi plus 1, so it is not destroying tampering, but it is cover-free since the xi is not tampered together with the xi plus 2. Now I'm going to summarize the main contributions. The first introduce the notion of multi-source non-modible extractor, but then we'll give an efficient construction of the as-source non-modible extractor against the cover-free tampering for any constant as greater amplitude. The main entropy requirement of our construction is linear an with negligible arrow and polynomial output lens. Also, the construction satisfies the property called efficiently pre-image sample, which means that given any output, one can efficiently do sampling over its pre-image. Using similar techniques, we further resolve some open problems in areas of non-modible secret sharing and network extractor, which I will discuss in more details now. For non-modible secret sharing, the notion is first proposed by Garland-Kumar in 2018. So in this setting, suppose you have a secret M and you want to split the secret into N shares with a threshold T such that given any T or more shares, one can reconstruct the secret M and also any T minus 1 shares contains no information about M, because such a scheme T ought to win secret sharing. Further, the non-modibility is considered in a case that each sharing might tampered by the adversary, and the security guarantees that any tampering attacks either preserve the original secret or completely destroy it, which means the secret recovered from T or more tempered shares are independent of the origin. For the prior work, the original paper considered only a restrictive version of destroying tampering. More precisely, their construction does not work in a case when the shares are divided into two destroying tampering sets of equal size. And in their follow-up work, though they can protect against cover-free tampering, their construction only worked for N auto-win secret sharing. And in this work, we give a construction of T auto-win non-modible secret sharing against cover-free tampering for any T between 2 and N. We also show that other multi-source non-modible extractor can be used to construct network extractors as they improved over previous results. So the problem of network extractors naturally arise in the context where they are P processors, and each has access to a weak random source, independent of others, and they want to get uniform randomness by communicating with each other. And further, some processors might be malicious corrupted, which means they can behave arbitrarily. And the security should guarantee that at least some of the honest processor can output uniform randomness even given all the messages sent during the protocol. So for the prior work, either the construction cannot extract uniform randomness for all the honest processor, or it is in a computational setting and requires exponential hardness assumption. And in this work, we give a construction of network extractor that can always extract uniform randomness for all the honest processors. And also, it work in the information serial of the setting, and it can tolerate up to P minus 2 malicious corruptions, which is optimal, and it requires only a single round of communication. So now I will briefly introduce our construction for the multi-source non-modible extractor and give some intuitions and ideas behind it. So our starting point is the following construction. For simplicity, we only construct three source here, and it's not hard to extend the ideas to general multi-source setting. So for three sources x1, x2, and x3, we first force each source into two parts as follows. And then for each x subscript i and yi, we use a two-source non-modible extractor to extract randomness as di. And finally, we all export all values of d1, d2, and d3 to get the output z. And then we'll see that each x subscript i and yi are from different sources, and thus they are independent, even given the rest of the sources. So there is a hope that we can reduce the overall security to the underlying two-source non-modible extractor. Also, this construction is efficiently pre-image sampleable if the underlying two-source non-modible extractor is efficiently pre-image sampleable. Intuitively, this is because the construction has a tree-like structure. So for here, given an output z, one can efficiently sample z1, z2, and z3. And then we can do pre-image sampling on each two-source non-modible extractor to get the x superscript i and yi. And finally, the input source x1, x2, and x3 can be reconstructed from all the x superscript i and yi. However, there's a problem with this construction. So consider the case where the input sources x1, x2 are tempered together, and x3 are tempered independently. So this is a destroying temporary. Since the first two input sources are tempered together, the x superscript i and yi can be tempered together. This is a fatal problem since the adversary now takes the fully control of the output of the first two-source non-modible extractor. For example, it can temper the value of x superscript i and yi together so that the temper output z1 is equal to the original z1 x1. And then the final temper output would be also equal to the original output z x1, which means that they are strongly related, but they are not the same. Therefore, the security is totally broken. So now I will introduce our main construction and bypass the previous problem. So instead of forcing each source into two parts, now we force each xi into xi1, xi2, xi3, and yi. And then we compute the x superscript i by x2 of the value in the i's column. By doing this, we'll see that each x superscript i depends on all three previous sources, which mean the previous attack will not work. So finally, the output z is computed in the same way as in the previous construction. Also, following similar idea, we can show that this construction is also efficiently pre-image sampleable. Now I will talk about some intuitions behind the security proof of our construction. Roughly speaking, the goal here is to show that the temper output z2 is either the same as the original output z or is independent of it. And the main idea is to use in hybrid arguments to show that each one of the z1, z2, and z3 is either equal to one of the z1, z2, z3 or independent of all of them. Then there are two cases. The first case is that all the z2, i as a permutation of the original zi. For example, suppose the z1, 2 is equal to z2, z2, 2 is equal to z3, and z3, 2 is equal to z1. In this case, we'll see the temper output is the same as the original output z. And the second case is that one of the zi is missing. So for example, the 2 to z1 is equal to z2, and 2 to z2 is equal to z3. However, the 2 to z3 is equal to some random variable d that is independent of all z1, z2, and z3. And in this case, we can show that z2 is independent of z. So why it is the case? So one observation is that the z1 is uniformly random given the z2 and z3. We prove it, we can fix all the input sources except the y1 and x31. So then we'll see that x3 and x2 are also fixed, which means that the z1 and z2 are also fixed. Then, since the y1, x31 can still have some randomness and they're independent, by the security of the underlying two source non-malleable extractor, the z1 is close to uniform given the z2 and z3. And therefore, given the z2 and z3, we know that the z2 will be fixed, but the z is still close to uniform. And thus, it implies that z2 is independent of z. So now I will give some intuition behind the proof of the main hybrid arguments. Recall, the goal here is to show that each one of the 2 to the zi is either equal to one of the zi or independent of all of them. A key step improving above is to show the following. To give any x2, y2, and x3, y3, for each i, the z2 is either equal or independent of the original z1. The proof of this key step contains most of our main techniques, and therefore, for the rest of our talk, we'll mainly focus on the idea behind this proof. Recall that the zi, tilda, and z1 are the output from the two source non-malleable extractor. Therefore, the idea here is to reduce the problem to the security of the underlying two source non-malleable extractor. Here is the rough proof idea. So, suppose we consider the tampering function f12 and g3, where f12 tampered the first two source together, and the g3 tampered the third source independently. The idea is to first fix all the input sources except the y1 and x31. Then, as we argued before, the superscript 1 and y1 are independent sources. Therefore, in order to use the property of the underlying non-malleable extractor, we just need to show that x12 and y12 can be represented as an independent tampering of the x1 and y1. So, first for the y12 and y22. So, given y1, since all the parts in x1, x2 are fixed, by the tampering function f12, one can compute the y12 and y22. Then let's consider the case for x12 and x22. So, given the x1, similarly to the previous case, one can compute the x312 and x32. However, it is not enough to compute the x12 and x22, since they also depend on the values of the x11, x12, and x21, and x22. And we cannot compute those values from x1. Then, one observation here is that rose value can actually compute it from y1. Therefore, the idea here is to view rose tamper value as leakage from the y1 and use the liquid resilient to source non-malleable extractor. Well, formally, here we use what we call unbalanced leakage resilient to source non-malleable extractor. We'll give a detailed construction of such an unmanable extractor in our paper. So, here the unbalanced means the input sources have different lengths. More precisely, we need the y to be several times longer than x. This requirement is necessary if we want the lengths of the leakage to be several times of the lengths of x. And the tampering function is like the independent tampering. The only difference is that now we allowed f to depend also on some leakage information from y. And the security requirement is similar to the original to source non-malleable extractor. So, given the leakage, we now can compute x12 and x22 from the x1. So, finally, for the case of x32 and y32, using the previous idea, we can compute x32 and y32 from x1 and the leakage from y1. This also implies that z32 can be computed from y1 and the leakage. However, none of x32 and y32 can be computed from y1. So, to solve this problem, the idea is by letting the tampering function of y1 to simply output a constant y star. This y star satisfies that for every possible output, one can always find a proper x that lads the two source non-malleable extractor to output as, given the second sources is equal to y star. We show and have a paper that we can always find such a y star with higher probability. Then for the tampering of x1, since it can compute the z32, it can also output an x that lads the two source non-malleable extractor to output an z32. Therefore, we can actually represent the tampering of z3 as an independent tampering from the source x1 and y1, which means that we can also reduce the security to the underlying two source non-malleable extractors for this case. So, by the end, we briefly mentioned some interesting open problems that are related to this work. The first is whether we can construct multi-source non-malleable extractors against tampering functions that beyond the cover free tampering. And the second one is in the setting of multi-source non-malleable extractor, whether we can achieve lower main entropy requirements, say polylog in the lens of each input source. And the final one is there are other applications of the multi-source non-malleable extractor. And thank you for listening.