Hi, my name is Vipul Goyal. I'll be talking about non-malleable secret sharing for general access structures. This is a joint work with Ashutosh Kumar. So secret sharing is a very fundamental primitive in cryptography. If you are a cryptographer then the chances are you have used secret sharing in designing your systems in some form or the other. Just a brief reminder: we have two algorithms, share and reconstruct. The share algorithm takes a message, which is the secret, and splits it into n parts or n shares, n strings, sh1 to shn. The reconstruction algorithm takes some subset of these strings, what is called an authorized set, for example t out of these n strings, and then it's supposed to recover the original secret, the message, back. And there are two key properties to be satisfied. First is of course correctness, which says the following: that any authorized set of shares can be used to reconstruct the correct secret. The message that we end up with should be the message that we started with. And then we have the property of secrecy, which says that any unauthorized subset of shares, if your subset is not big enough, should have no information at all about the underlying secret. So typically in secret sharing we are concerned with the secrecy, you know, hiding this message m. But what if the goal of the adversary is to tamper with this message instead, right? So we can consider the following kind of experiment, where the adversary takes all these shares, applies some kind of tampering function to these shares to output tampered shares sh1 tilde up to shn tilde, where tilde denotes the tampered version of the variable. And then the reconstruction algorithm takes some subset and outputs a tampered secret m tilde.
So in this setting, you know, one could ask for several different guarantees, and accordingly in the literature people have proposed several different notions, examples being verifiable secret sharing; the notion of error detecting codes and AMD codes is also very close to this setting. And each of these primitives comes with different guarantees and has different applications. So one such primitive was proposed very recently in a work of Goyal and Kumar and it's called non-malleable secret sharing. So here in a sense the guarantee that we want is that any kind of tampering, any kind of non-trivial tampering by the adversary, essentially destroys the secret. In more detail, either the distribution of the tampered secret is independent of the secret that we started with, which means that the original secret has been destroyed, or the secret remains unchanged, which refers to the case when for example the adversary did not tamper with anything at all. So with any tampering the secret is gone and some unsolicited string shows up. So a little more formally, in non-malleable secret sharing you can consider two experiments. In the first experiment the original secret can be m1, which is, you know, divided into various shares; the shares are somehow tampered by the adversary and after reconstruction we get this message m tilde. We can consider a second experiment in which we instead start with a different message, let's call this message m2, and again the tampering happens and you get m tilde prime, and we require that the distribution of m tilde and m tilde prime should be pretty similar: statistically close, perfectly close or whatever, you know, you have it. So essentially what this means is that regardless of whether you started with m1 or m2 you ended up with the same tampered message, which means that the tampered message is actually independent of the message which you started with. So now let me talk a little bit about how this tampering is being done.
One could consider various tampering models; the most natural and probably the simplest of all is what can be seen as the individual tampering model. So here the adversary tampers with each of these shares individually. In more detail, the adversary can be represented by n functions f1 to fn, where the function fi takes the share i as input and outputs a tampered version of this share i. So n functions, they are acting independently on the n shares, and finally we have the tampered secret. A natural strengthening of this model is what can be seen as joint tampering. So here the adversary partitions the n shares into, let's say, two disjoint subsets a and b. The adversary takes all the shares in a, tampers with them jointly and produces some subset of tampered shares, and similar is the case with the set b. And notice that we cannot have a single tampering function which takes all of these shares as input, the reason being that, you know, if the tampering function gets all the shares as input then it can just reconstruct, recover the original message, and then replace the original shares with shares of a message which, let's say, is just m plus 1 or something related. So in that case clearly non-malleability is something which we cannot achieve. Going beyond even this joint tampering model, we can consider what can be seen as the overlapping joint tampering, you know, for lack of a better name. So in this case the two sets in which we partition the shares can be possibly overlapping. The only restriction is that the shares in any set must not be sufficient for reconstruction, otherwise the same kind of attack I was talking about applies. As an example we could have a function f which could take the first n minus 1 shares and output the first half of the tampered shares, and similarly we have a function g which takes, you know, 2 to n of these strings and then outputs the second half of these strings.
So before moving on to our results and the construction and so on, there is this very beautiful line of work on non-malleable codes which is very related to our notion. In particular we have non-malleable codes in the so-called split state model, where the guarantee is as follows. The message can be encoded into two states L and R, left state and right state. The adversary tampers with each of these states individually and then finally we have the tampered message m tilde, and very roughly non-malleable codes require that the distribution of m tilde should be independent of the distribution of m, right. So this guarantee seems something very similar to what we are hoping for, but the key difference between non-malleable codes in the split state model and non-malleable secret sharing is the property of secrecy. Non-malleable codes do not explicitly require any secrecy of the message; in particular, like, one of the states could leak the message entirely. Nonetheless it's possible to show that two split state non-malleable codes are also two out of two non-malleable secret sharing. But such an implication does not hold when the number of states grows beyond two. In particular, a three split state non-malleable code need not be a three out of three non-malleable secret sharing. It's very easy to construct examples of three split state non-malleable codes which are not three out of three non-malleable secret sharing. As an example, you know, you can divide your message into two parts using any two out of two split state non-malleable code, and in the third part or the third state you can just put the message entirely in the clear. So one can show that this would still be a valid three split state non-malleable code, but clearly it cannot be a three out of three non-malleable secret sharing. It has no secrecy whatsoever. The third state reveals the message entirely. But nonetheless I should say that, you know, our notion is directly inspired by these works on non-malleable codes.
So constructing non-malleable codes in the split state model actually proved to be surprisingly hard. There have been a number of works in the literature. First a construction was proposed in the computational setting assuming a trusted setup. Then an unconditional construction was proposed for a single bit message, which was then generalized to arbitrary length messages, and since then a number of works have studied, like, stronger properties, the rate of these codes and so on. And non-malleable codes have also found interesting applications and connections to other areas in cryptography: tamper resilient cryptography, designing non-malleable commitments and so on. And many of these applications, or in fact I should say most of these applications, use non-malleable codes as two out of two non-malleable secret sharing. So another application of non-malleable secret sharing was given in this work of Goyal and Kumar. They introduced the notion of non-malleable message transmission. This is a problem which is inspired by the problem of perfectly secure message transmission. Again there have been a number of works in this direction. So in this setting we have a sender trying to send a message to the receiver and all the nodes on the path are corrupted. In particular, for example, these nodes are trying to change the message. If the message says attack, they want to change it to defend and vice versa. And here our goal will be to ensure the non-malleability property: either the adversaries don't modify the message at all or the original message is essentially lost. So here one can see that you can directly use non-malleable secret sharing schemes. You can divide the message into four parts here using a scheme which is secure against individual tampering, and if the adversary modifies it then the message is essentially destroyed. A stronger setting is when these adversaries may also be connected to each other. In that case they might pool their shares before tampering with the shares.
So in this case we might end up having to use non-malleable secret sharing with joint tampering and so on. So there are various tampering models you can consider. So the main result in this prior work was a construction of a T out of N non-malleable secret sharing scheme. The construction was in the joint tampering model and the adversary could partition the set of shares into any two disjoint and unequal sets. And prior to this work T out of N non-malleable secret sharing schemes were of course unknown even in the individual tampering model. The only thing that was known, of course, is just two out of two non-malleable secret sharing. So a natural question is, what about more general access structures beyond threshold? So we continue this line of work and we have two main results in this paper. The first result is a general compiler which takes any statistical or computational secret sharing scheme realizing some access structure A, and we can construct a non-malleable secret sharing scheme for the same access structure A, and the security holds only in the individual tampering model. So we can instantiate this theorem based on various prior works. By instantiating this result with a result of Karchmer and Wigderson, we get an unconditional non-malleable secret sharing scheme for Boolean formulas, or even more generally for monotone span programs. Yao had this unpublished work in which he proposed secret sharing schemes for all of monotone P; instantiating our theorem based on this, we get computational non-malleable secret sharing for monotone P based on any one-way function. Even more recently there is this work of Komargodski et al. They use techniques from multilinear maps and witness encryption to construct secret sharing for monotone NP, and again we can apply our theorem and get non-malleable secret sharing for monotone NP. Our second main theorem is going beyond, going further in the tampering models, and getting a result for overlapping joint tampering.
So we construct an unconditional N out of N non-malleable secret sharing scheme with respect to the overlapping joint tampering family. And of course it's the first such non-malleable secret sharing scheme in such a model beyond just two out of two non-malleable secret sharing, for which all these three models are the same. So now many of our construction ideas borrow from this paper of Goyal and Kumar. So without explaining either their technique or our technique, I will try to explain to you the differences between the two. Let's see if I'm successful. So Goyal and Kumar rely heavily on the following idea. It's an idea which is used multiple times in their paper for generating shares of the message M under T out of N secret sharing. So first, even before getting the secret, before getting the message, they fix T minus one shares S1 to S T minus one, and once the message is known you can choose the last share S of T and all the rest of the shares S of T plus one to S of N accordingly. And this still gives you a valid T out of N secret sharing of the message M. So unfortunately if you're talking about the computational setting this idea actually breaks down completely. This is because each share may have full information about the message M. So it's no longer possible to sample this share without knowing the message M, and this is because the share hides the message only computationally, but information theoretically it may have full information about this message. So one thought which immediately comes to mind is, what if we choose the share S i as per some random message M prime and then argue that anyway the share would look indistinguishable from the correctly chosen S i as per the right M. So you can argue such indistinguishability, but unfortunately indistinguishability is never sufficient for non-malleability, which is a much stronger property. So these kinds of ideas don't work for us. So now let's try to construct a non-malleable secret sharing scheme for our setting.
So the first thing which I would like to remark, an idea which immediately does not work, is using any kind of linear secret sharing scheme. All the linear secret sharing schemes are malleable. You can multiply each share by two and you will get a share of twice the original message, and of course these kinds of ideas are beautifully exploited in designing secure multiparty computation and so on, but for us it's all bad news. Instead we will try to use two out of two non-malleable secret sharing, which of course is known, and get non-malleable secret sharing for more advanced access structures. So let's try to do that. Here is the first attempt. You start with the original message and you break it into two parts L and R using a two out of two non-malleable secret sharing scheme, and then you further share both of these parts: L is shared into N shares and so is R, using the share algorithm of the scheme for A. So recall that you are given an underlying secret sharing scheme for an access structure A. So this is the sharing procedure which we are using, and let our share just be a concatenation of Li and Ri. So these are the shares which we will get in our scheme. Now remember that we are in the individual tampering setting and the adversary tampers with all of these shares individually, and we get L1 tilde, R1 tilde and so on, and then of course you can reconstruct L tilde, R tilde and get the tampered message. And our idea would be to prove the security of the scheme by relying on two out of two non-malleable secret sharing. But remember that the security of two out of two non-malleable secret sharing is guaranteed only if L and R are independently tampered. Here the shares of L and shares of R are stored together; they can be jointly tampered, and as such it is not clear, you know, how to argue that they are individually tampered. We really need to ensure that this R tilde is independent of L, depends only on R, and vice versa L tilde must only depend on L and not on R. So how do we do that?
We will just change this procedure slightly. Everything else remains the same except now we secret share the message R using a two out of N secret sharing scheme. And for simplicity assume that this is a T out of N secret sharing scheme where T is greater than or equal to 2. So any two shares are insufficient for reconstruction in A. This is a simplifying assumption I will make for the talk. So it is important that the parameters of these two secret sharing schemes are different. For one, two is enough for reconstruction, and for this, two is not enough for reconstruction. And now, as we will see, this idea already gets us pretty far, and why is that? Now let us look at these tampered shares. One can argue that R tilde is fixed only given two of these tampered shares, because it is a two out of N secret sharing. Since we are in the individual tampering model, these two shares can only depend on two shares of L, but two shares of L have no information about L at all. So recall our condition was that L is, for example, a three out of N secret sharing scheme. So essentially what this means is that R tilde does not depend on L at all. So R tilde only depends on R. So this is an idea which originated in the literature on non-malleable commitment, in a line of work starting with the work of Goyal, and since then several subsequent works have used it. So this idea allows us to make some progress, but we are still not done. The reason being that L tilde can still depend on R. So we get, like, one-sided non-malleability. So to solve this problem we will use a leakage resilient secret sharing. It is a notion that we study and we also construct in our paper. So in this notion we have two secrets, let's say R and R prime. You share both of them using a two out of N leakage resilient secret sharing scheme. So the adversary gets several shares of both R and R prime. Enough shares, potentially, even to reconstruct R and R prime completely.
And now the adversary gets leakage on all the remaining shares of either R or R prime. And the guarantee is that the adversary cannot tell which share the leakage is coming from. It cannot distinguish: is this leakage on R or on R prime? This in particular also means that the leakage is actually independent of the message, either R or R prime. So this idea will allow us to get non-malleability from the other side. So here the idea is to think of the tampered shares of L as leakage from the shares of R. So this would allow us to conclude that the shares of L tilde, and L tilde in turn, do not depend on R. And we have already concluded that R tilde is independent of L. So now we get non-malleability in both directions. We can conclude that L tilde is independent of R and R tilde is independent of L. And from this point onwards we can hope to reduce the security to two out of two non-malleable secret sharing. So of course this is just a high level overview. There are several other techniques which go into making this work. In particular we have to convert the given secret sharing, which is possibly computational, into a secret sharing with limited information theoretic secrecy, where any two shares hide the secret unconditionally. And it turns out that we have to run, like, two copies of a non-malleable secret sharing scheme in parallel to make this work. So quite a few open problems here. Can we go beyond T out of N for joint tampering? All our results here in this paper are for individual tampering. And for overlapping tampering we gave a construction for an N out of N non-malleable secret sharing scheme. Can we go beyond N out of N? And of course there is always this question of, can we improve the rate as well? And that's it.
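An added example, not code from the talk or from the paper it presents: the individual tampering experiment from the opening slides run over Shamir secret sharing, demonstrating the point that every linear scheme is malleable (multiplying each share by two yields a valid sharing of twice the message, whichever authorized subset is used to reconstruct), together with the single-function reconstruct-and-reshare observation the talk uses to rule out one tampering function that sees an authorized set. The prime field, the tampering functions and the share values are constructed for the illustration.

```python
# Added example (not from the talk or the paper): Shamir secret sharing over
# GF(P) behind the share/reconstruct interface from the talk, plus the
# individual tampering experiment. It shows why linear schemes are malleable:
# tampering every share with f_i(y) = 2*y yields a valid sharing of 2*m.
import secrets
from itertools import combinations

P = 2**61 - 1  # constructed choice of prime field


def share(m, t, n):
    """t-out-of-n Shamir sharing of m: evaluate a random polynomial of degree
    t-1 with constant term m at the points 1..n. Returns a list of (i, y_i)."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [m % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P)
            for i in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at 0 over an authorized set (at least t shares
    with distinct indices)."""
    secret = 0
    for i, y_i in shares:
        num = den = 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        secret = (secret + y_i * num * pow(den, P - 2, P)) % P
    return secret


def tamper_individually(shares, fs):
    """Individual tampering model: function f_i sees only share i."""
    return [(i, fs[i - 1](y) % P) for i, y in shares]


def malleability_experiment(m, t, n, factor=2):
    """Share m, let every f_i multiply its share by `factor`, then reconstruct
    from every authorized subset. Returns the set of tampered secrets; for a
    linear scheme it is the single related value factor*m mod P, which is
    exactly what non-malleability forbids."""
    tampered = tamper_individually(share(m, t, n), [lambda y: factor * y] * n)
    return {reconstruct(subset) for subset in combinations(tampered, t)}


def joint_tamper_related(shares, t, offset=1):
    """The observation from the talk that rules out a single tampering
    function holding an authorized set: it can reconstruct m and re-share the
    related message m + offset, so no scheme is non-malleable against it."""
    m = reconstruct(shares[:t])
    return share(m + offset, t, len(shares))


if __name__ == "__main__":
    print(malleability_experiment(42, 3, 5))  # {84}: every subset gives 2*m
    resh = joint_tamper_related(share(10, 3, 6), 3)
    print(reconstruct(resh[3:]))  # 11
```

The experiment enumerates every authorized subset so that the reader can see the tampered shares are a consistent sharing of the related message, not merely that one subset happens to reconstruct it; that consistency is what makes a linear scheme "all bad news" for non-malleability.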