Hi everyone, I am Sai Lakshmi Bhavana Obbattu from Microsoft Research, and in this video I will talk about our paper on adaptive extractors and their application to leakage resilient secret sharing. This is joint work with Nishanth Chandran, Bhavana Kanukurthi and Sruthi Sekar.

Our initial focus will be on adaptive extractors, and then we will move on to leakage resilient secret sharing schemes, abbreviated as LRSS, discussing the definition and leakage models, and finally our construction and security.

Before understanding adaptive extractors, let's first see what extractors are. They were introduced by Nisan and Zuckerman in 1996 as deterministic algorithms that take in a long entropic source W, which acts as a source of imperfect randomness, and a short uniform seed S, which acts as a catalyst, to output a long uniform-looking string. Formally, the extracted output is guaranteed to look indistinguishable from uniform even given the seed, and this guarantee holds true even in the presence of some arbitrary leakage on W. Throughout this talk, by indistinguishability of two distributions we mean that the distributions are statistically close.

An implicit requirement in the above security guarantee is that the leakage on W is independent of the seed S and the challenge, which is either the extractor output or the uniform string. Why not allow the dependence? Because the leakage function could be such that it takes in W, S and the challenge and checks if the challenge equals the extractor output or not, helping to distinguish with very high probability. So, is this the end of the story? Well, in this work we demonstrate that this is not the end of the story by introducing adaptive extractors. We say an extractor is adaptive with respect to a leakage family script F if, for every function f in the family, the extractor output looks indistinguishable from uniform even given the seed and the adaptive leakage, that is, the output of f on W, S and the challenge.
Here, we'd like to mention that while our notion of adaptive extractors explores a general form of adaptivity for a function family script F, specialized variants were implicitly considered in the literature in the works of Simon and Agrawal et al.

In this work, we show that every extractor is output adaptive, by which we mean that the leakage on W can arbitrarily depend on the challenge. Formally, the extractor output is indistinguishable from uniform even given the seed and any arbitrary short leakage dependent on the source and the challenge. Strictly speaking, we show that any extractor that extracts L bits and is epsilon-secure is an (epsilon times 2 to the power L)-output-adaptive extractor. Though this may seem like a huge loss in security, we show a practical instantiation using the GUV extractor and also demonstrate a non-trivial application, namely LRSS, to prove the strength of output adaptive extractors.

Finally, concluding on adaptive extractors, we note that these are gadgets of independent interest, and it would be interesting to study extractors that are adaptive against different leakage families. For example, one could study what kind of joint leakage on W and S is permissible without breaking the extractor security.

Moving on to secret sharing schemes, which were introduced by Shamir and Blakley independently in 1979. An n-party, t-threshold scheme comprises a share algorithm that takes in a secret M and outputs the shares M_1 through M_n. Some of the shares are fed into a reconstruct algorithm to output a secret. A secret sharing scheme should satisfy two basic properties. The first is correctness, which guarantees that given any t+1 or more shares of the message M, the secret M is reconstructed correctly. The second property is privacy, which requires that any set of t shares has no information about the message M.
In 2007, Dziembowski and Pietrzak initiated the study of leakage resilience in secret sharing schemes, where a secret sharing scheme is said to be leakage resilient against a leakage function family script F if, for every leakage function f in the family and any two secrets M and M', the leakage on shares of M is indistinguishable from the leakage on shares of M'.

Since the introduction of LRSS, numerous leakage models were studied in the literature, which can be broadly classified as follows. The first distinction is independent versus joint leakage: in the independent model the leakage can only be queried on individual shares, as opposed to the joint model, which allows leakage on multiple shares together. Another distinction is in adaptivity, where a model is said to be adaptive if the adversary can observe leakage on some shares and then choose the shares and leakage functions to query next. Most leakage models also support revealing some full shares along with the partial leakage on shares obtained through the leakage functions. Independent of this categorization, another leakage model that was considered in the literature is the affine leakage model, where the leakage function can act on all shares collectively in an affine manner.

Other parameters of interest to LRSS are the rate, which is the ratio of the secret size to the share size, and the per-query limit, which is the maximum number of shares a joint query can depend on. Note that this limit can be at most t, as otherwise the leakage function could reconstruct the secret. Observe that a higher rate, a stronger leakage model and a higher per-query limit are usually desirable.

The literature on LRSS has seen a long line of interesting results. For the purpose of this talk, we do a comparison of prior works in the information-theoretic setting that are relevant to our result.
In the information-theoretic setting, the distinguisher that's trying to distinguish between the leakage of two distinct messages is allowed to have unbounded computational power. We compare prior works based on the leakage models they support and their rate. From the perspective of rate, the result due to Srinivasan and Vasudevan has an impressive rate of one-third, supporting the basic leakage model, namely the independent and non-adaptive leakage model. From the perspective of leakage models, Chattopadhyay et al. and Kumar et al. support the strong leakage model, namely the joint and adaptive leakage model. They also let the joint queries be overlapping, letting the adversary ask leakage on a share multiple times. But observe that even for any restricted setting of n and t, there is not even a constant-rate LRSS for any model other than the independent and adaptive leakage model.

Before presenting our construction, let me quickly summarize our leakage model. We divide the leakage into two phases, the leakage phase and the reveal phase. In the leakage phase, the adversary can first ask for partial leakage on shares and get back the leakage responses. After the leakage phase, in the reveal phase, he can ask for full shares and get them. All these queries can be made in a joint and adaptive manner on all n shares, such that each query set is of size at most t, which is a necessary requirement. The second requirement is that all query sets have to be non-overlapping across the phases.

Our construction has two simple building blocks, which are an (n, t) secret sharing scheme and an output adaptive extractor Ext. Recall that an output adaptive extractor guarantees that the extractor output looks uniform even given short arbitrary leakage on the source and the challenge. Let's look at a simple construction that serves as the base for our main construction, which supports leakage from t shares and the reveal of t more shares.
We would like to mention here that the following construction can be thought of as a clever adaptation of adaptive extractors to SV19's construction, which supports only individual and non-adaptive leakage. We denote the sharing algorithm as BaseShare. The message M is first secret shared into shares M_1 through M_n. Each M_i is masked with an extractor output on a fresh source W_i and a seed S chosen uniformly. The masked M_i, appended with a seed share S_i and the source W_i, forms the i-th base share, denoted as BSh_i. Think of the construction as follows: the message M is first shielded by a secret sharing scheme, and then each share of the scheme is further protected by the extractor outputs in the base share scheme.

To quickly see the security, any form of leakage on at most t shares is independent of the seed S except for the extractor outputs. This is by the privacy of the scheme sharing the seed S, which further implies independence of the leakage from the M_i's and M. This follows by output adaptivity of the extractor, which guarantees that leakage on the sources and the masked M_i's is indistinguishable from leakage on the sources and uniform strings. Now that the responses in the leakage phase are independent of the M_i's, the construction can afford to leak t new M_i's and hence BSh_i's.

Why doesn't the construction extend to support more than t leakage queries? Note that leakage on more than t shares can possibly depend on the seed S, as the privacy provided by its shares is lost. This will further imply dependence on the M_i's, as we no longer have the guarantee that the extractor outputs look uniform given this adaptive leakage dependent on the seed, which may finally lead to dependence on the secret M. To stop this avalanche of dependence, the seed that is used in masking the M_i's should be protected against a larger number of leakage queries. How to do that is what we'll see next. Now, we extend the base construction to support 2t leakage queries and t reveal queries as follows.
Let's denote the sharing as NextShare. Note that the i-th base share can be parsed as two chunks Y_i and W_i, where Y_i consists of the masked M_i and a seed share S_i. In the NextShare procedure, each Y_i is further masked with an extractor output on a fresh source W'_i and a seed S'. Note that the source and seed are independent of the sources and seed used in generating the base shares. The masked Y_i, appended with a seed share S'_i, the source W'_i used in this procedure and the source W_i used at the base level, forms the i-th share in the NextShare procedure, denoted by NSh_i.

To see why this extra layer of masking with fresh extractor outputs works, observe that the first set of t leakage responses are independent of all Y_i's by the security of the extractor on the seed S'. The reasoning is similar to the security of the base share and hence won't be repeated. The second set of t leakage responses may possibly depend on the Y_i's, but we show that this leakage on next shares can be reduced to leakage on the base shares, which we have already discussed to be independent of the M_i's while discussing the security of base shares. Finally, as in the base construction, since any leakage in the leakage phase is independent of all M_i's, t many shares can be revealed in the clear in the reveal phase by privacy of the seed sharing.

To summarize, we support any required number of leakage queries by increasing the number of layers of masking. For the sake of completeness, I quickly go over the final h-level construction that supports h·t queries in the leakage phase and t queries in the reveal phase, for a tunable parameter h. Firstly, the secret M is (n, t)-shared into shares M_1 through M_n. Then, for every layer j from 1 through h, we sample the sources W_{j,1} through W_{j,n} and the seed S_j uniformly. Further, each seed is secret shared to generate each party's share.
The share M_i is masked with an extractor output to get Y_{1,i}, which is then appended with the seed share S_{1,i} and the source W_{1,i} to form the first-level share. Y_{1,i} and S_{1,i} together are then masked with a fresh extractor output to get Y_{2,i}, which is then appended with the seed share S_{2,i} and the sources used up to this level, which are W_{2,i} and W_{1,i}. All these together form the second-level share, and this process continues up to h levels to derive the final share i.

With this, we conclude the discussion on our construction and security, and briefly tell you how we instantiate the building blocks in our construction. We instantiate the secret sharing schemes with the Shamir secret sharing scheme and instantiate the output adaptive extractor with the GUV extractor.

I now conclude the talk with a brief mention of applications of LRSS, which are leakage resilient secure message transmission, where a message has to be transferred from one place to another via leaky channels, and leakage resilient non-malleable secret sharing schemes, where non-malleable secret sharing schemes guarantee that even if some shares are tampered with, the reconstructed secret is either unrelated to or the same as the original secret. Using our LRSS construction, we show how to construct an LRNMSS in the joint leakage and independent tampering model. We refer the audience to our paper for any further details. Thank you.