Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Secure communication is perhaps the central goal of cryptography. It allows a sender, Alice, to securely transmit a message to a receiver, Bob so that even if some eavesdropper, Eve, is intercepting their communication she can not figure out anything about the transmitted message. When Alice and Bob share a physical (but potentially tappable) communication channel, this task can be easily carried out by use of standard public-key cryptography techniques, e.g., Bob sends Alice his public key who uses it to encrypt her message and send it over the physical communication channel to Bob. But this idealized scenario occurs rarely in modern networks, such as the Internet, where Alice and Bob would most likely not share a physical channel and would, instead, have to communicate over some (potentially incomplete) network of routers. Without further restrictions, the above modification marginally complicates the problem as it can be directly solved by means of a private flooding scheme. In such a scheme, Alice encrypts her message, as before, and sends it to all her immediate neighbors, i.e., network routers with which she shares physical links, who then forward it to their immediate neighbors, and so on, until it reaches Bob. Clearly, if Alice has a path to Bob and the forwarding step is repeated as many times as the length of this path, the message will reach Bob. And the fact that the intermediate routers only see encryptions of the transmitted message means that they do not learn anything about the message.

But modern distributed protocols often require much more than just privacy of the transmitted message. For example, ensuring anonymity in communication is a major goal of security as it, for example, protects against censorship or coercion. Similarly, as privacy awareness in social networks increases, users might not be willing to reveal information about the structure of their peer graph (i.e., their Facebook friends graph) to outsiders. Other applications might require to hide a communicating agent’s location, as is the case in espionage or when using mobile agents to propagate information through some ad-hoc network, e.g., in vehicle-to-vehicle communication. All these applications require a routing scheme, that hides the topology of the underlying communication network. Evidently, using the simple private flooding strategy does not hide the topology of the underlying communication network as, for example, an eavesdropping router can easily determine its distance (and direction) to the sender by observing in which round (and from whom) it receives the first encryption.

1.1 Related Literature

The problem of routing through an incomplete network has received a lot of attention in communication networks with a vast amount of works aiming at optimizing communication complexity in various network types. In the following, however, we focus on the cryptographic literature which is more relevant to our goals—namely network hiding communication—and treatment.

Perhaps the main venue of work in which keeping the network hidden is a concern is the literature on anonymous communication, e.g., [Cha03, RR98, SGR97]. These works aim to hide the identity of the sender and receiver in a message transmission, in a way that protects these identities even against traffic analysis. In a different line of work initiated by Chaum [Cha81], so called mix servers are used as proxies which shuffle messages sent between various peers to disable an eavesdropper from following a message’s path. This technique has been extensively studied and is the basis of several practical anonymization tools. An instance of the mix technique is the so called onion routing [SGR97, RR98], which is perhaps the most wide-spread anonymization technique. Roughly, it consists of the sender applying multiple encryptions in layers on his message, which are then “peeled-off” as the cipher-text travels through a network of onion routers towards its destination. An alternative anonymity technique by Chaum [Cha88] and implemented in various instances (e.g., [Bd90, GJ04, GGOR14]) is known as Dining Cryptographers networks, in short DC-nets. Here the parties themselves are responsible for ensuring anonymity. The question of hiding the communication network was also recently addressed in the context of secure multi-party computation by Chandran et al. [CCG+15]. This work aims to allow n parties to compute an arbitrary given function in the presence of an adaptive adversary, where each party communicates with a small (sublinear in the total number of parties) number of its neighbors. Towards this goal, [CCG+15] assumes that parties are secretly given a set of neighbors that they can communicate with. Because the adversary is adaptive, it is crucial in their protocol that the communication does not reveal much information about the network topology, as such information would allow the adversary to potentially discover the neighbors of some honest party, corrupt them, and isolate this party, thereby breaking its securityFootnote 1. Another work which considers such an adaptive corruption setting is the work of King and Saia [KS10], which is tailored to the Byzantine agreement problem. We note in passing that the result of [CCG+15, KS10] was preceded by several works which considered the problem of MPC over incomplete networks. However, these works do not aim to keep the network hidden as they either only consider a static adversaryFootnote 2, e.g., [BGT13], and/or they only achieve so called almost everywhere computation [GO08, KSSV06a, KSSV06b, CGO15] where the adversary is allowed to isolate a small number of honest parties.

Most related to the goals of our work is the recent work of Moran et al. [MOR15], which considers the problem of topology-hiding secure multi-party computation over an incomplete network in the computational setting (i.e., assuming secure public-key encryption) tolerating a semi-honest (passive) and static adversary. At a very high level, [MOR15] uses public-key encryption and (semi-honest) multi-party computation to implement a proof-of-concept network-hiding communication protocol, which emulates a complete network of secure channels. This emulated network is then used to execute an arbitrary multi-party protocol in which parties communicate over a complete communication network, e.g., [GMW87, Pas04]. In fact, as noted in [MOR15], relying on a computational assumption seems inevitable, as in the information-theoretic setting the work of Hinkelmann and Jakoby [HJ07] excludes fully topology-hiding communicationFootnote 3. Due to the similarity to our goal we include a detailed comparison of our results with [MOR15] in Sect. 1.3.

1.2 Our Contributions

In this work we present the first network-hiding communication protocol which makes black-box use of public-key encryption and, for networks with moderate degree and diameter, has a moderate communication and computation complexity. Our protocol allows the parties to communicate over an incomplete network of point-to-point channels in a way which computationally hides both the transmitted message and the neighborhood of honest parties from an adversary passively corrupting arbitrary many parties. We remark that as pointed out in [CCG+15], when the communication graph is to be kept hidden, the adversary cannot be eavesdropping on communication channels, and in particular cannot be informed when a message is transmitted over some channel. We resolve this issue by assuming, along the lines of [MOR15], a special network functionality (cf. Sect. 2).

A bit more concretely, the high-level idea of our construction is to enhance the naïve private flooding-protocol by using homomorphic public-key encryption (in short, PKE). The starting point of our approach is the observation—underlying also the construction from [MOR15]—that the flooding protocol would be topology-hiding if the parties could not read intermediate messages. But instead of using, as in [MOR15], expensive nested MPCs for ensuring this fact (see below for a high-level description of [MOR15]) we use a version of threshold PKE with additional network hiding properties. We also show how to implement our enhanced threshold PKE definition assuming hardness of the Decisional Diffie-Hellmann (DDH) problem.

To demonstrate our ideas, imagine there was a world in which parties (corresponding to all intermediate routers) could encrypt with a homomorphic public-key encryption scheme where the private (decryption) key is known to nobody, but instead parties have access to a decryption oracle. Provided that the associated PKE-scheme is semantically secure, parties can enhance the flooding protocol as follows: Alice encrypts its message and starts the flooding; in each step of the flooding protocol, the intermediate party—which, recall, is supposed to forward the received ciphertext—first re-randomizes the ciphertext and then forwards it. Once the message arrives to Bob, he invokes the decryption oracle to open its final ciphertext. We observe that in this case the adversary does no longer learn anything from intermediate messages, the protocol is thus topology-hiding.

There are two major challenges with the above approach. First, if intermediate parties are silent until a message reaches them during the flooding, then the adversary observing this fact can use it to deduce information about the network. E.g., if a neighbor \(p_i\) of a corrupted party has not sent anything by the second round of the flooding protocol, then the adversary can deduce that \(p_i\) is not a neighbor of Alice. Secondly, we need a way to implement the decryption oracle. Observe that using a off-the-shelf threshold decryption scheme and have decryption shares exchanged by means of flooding would trivially destroy the topology-hiding property; and the same is the case if we would use an MPC protocol for this purpose, unless the MPC were itself topology-hiding. In the following we discuss how we solve each of the protocols, separately.

The first issue—information leakage from silent parties—can be solved by having every party send messages in every round. As simple as this idea might seem, it has several difficulties. For starters, the messages that are injected by intermediary parties should be indistinguishable from encryptions, as otherwise adding this noise makes no difference. But now, there is a new issue that the intermediate parties cannot tell which of the indistinguishable messages they receive contains the initial message sent by Alice. The naive solution to this would be to have parties re-randomize everything they receive and add their own noise-message. But this would impose an exponential, in the graph diameter, factor both in the message and communication complexity. Our solution, instead, is to use the homomorphic properties of the encryption scheme and build an efficient process which allows every party to compute an encryption of the OR of the messages it receives from its neighbors. Thus, to transfer a bit b, Alice encrypts b and starts flooding, whereas every party encrypts a zero-bit and starts flooding simultaneously. In each following round of the flooding scheme, every party homomorphically computes the OR of the messages it receives and continues flooding with only this encryption. Bob keeps computing the OR of the encryptions he receives, and once sufficiently many rounds have passed, the decryption is invoked to have him obtain Alice’s bit. Note that we only treat the case of semi-honest parties here, thus no party will input an encryption of a one-bit into this smart flooding scheme which would destroy its correctness.

To solve the second issue—i.e., implement the decryption oracle in a topology hiding manner—we introduce a new variant of threshold homomorphic public-key encryption (TH-PKE) with enhanced functionality, which we call multi-homomorphic threshold encryption with reversible randomization. Roughly speaking, our new TH-PKE assumes a strongly correlated setup, in which secret (sub)keys are nested in a way which is consistent with the network topology and which allows parties to decrypt messages in a topology hiding manner. We provide a security definition for the new primitive and describe a topology-hiding protocol for establishing the necessary setup using no setup-assumption whatsoever. And we also describe how to instantiate our schemes under the DDH assumptions. We believe that both the general definition of this augmented TH-PKE and the concrete instantiation could be of independent interest and can be used for anonymizing communication.

Applications. Building on our topology hiding network and utilizing the functionality of our topology hiding homomorphic OR protocol we present the following applications:

  • Anonymous broadcast: We consider a variant of anonymous broadcast where parties can broadcast messages under a pseudonym. The presented protocol allows to realize anonymous broadcast directly from the topology hiding homomorphic OR protocol without using expensive MPC to setup the pseudonyms.

  • Topology hiding MPC: Having a topology-hiding network, we can execute on top of it any MPC protocol from the literature that is designed for point-to-point channels which will render it topology hiding.

1.3 Comparison with  [MOR15]

The work by Moran et al. [MOR15] provides the first, to the best of our knowledge, work that solves this problem for general graphs in the computational setting. Our goals are closely related to theirs. In fact, our security definition of topology-hiding communication and, more general, computation is a refinement of their simulation-based definition of topology-hiding MPC. But our techniques are very different. In light of this similarity in goals, in the following we include a more detailed comparison to our work.

More concretely, the solution of [MOR15] also follows the approach of enhancing the naïve flooding protocol to make it topology hiding. The key idea is to use nested MPCs, recursively, to protect sensitive information during the execution of the flooding protocol. Roughly, in the basic topology-hiding communication protocol of [MOR15], each party \(P_i\) is replaced by a virtual-party \(\hat{P}_i\), which is emulated by its immediate neighbors by invoking locally (i.e., in the neighborhood) an off-the-shelf MPC protocol. The complete network of point-to-point channels required by the MPC protocol is emulated by use of a PKE-scheme over the star network centered around \(P_i\), i.e., by naïve flooding where \(P_i\) is used as the routing node. The above ensures that \(P_i\) cannot analyze the messages that are routed through him, as they are actually handled by its corresponding virtual party \(\hat{P}_i\). However, there is now a new problem to be solved, namely, how do virtual parties use the underlying (incomplete) communication network to flood messages in a topology hiding manner? This is solved as follows: To enable secure communication between adjacent virtual-parties a PKE-scheme is used (once more). Here each virtual-party generates a key-pair and sends the encryption key to the adjacent virtual-parties using real parties as intermediates. This basic protocol is topology-hidingly secure as long as the adversary does not corrupt an entire neighborhood. But this is of course not enough for arbitrarily many corruptions to be tolerated. Thus, to ensure that the overall flooding protocol is also topology hiding, each virtual party is replaced, again by means of MPC, by a “doubly virtual” party \(\hat{\hat{P}}\). This will ensure that only adversaries corrupting all the parties that emulate \(\hat{\hat{P}}\) can break the topology hiding property. To extend the set of tolerable adversaries, the doubly virtual parties are again emulated, and this process is continued until we reach an emulated party that is emulated by all parties in the network. This requires in the worst case a number of nested MPCs in the order of the network diameter.

In the following we provide a comparison of the solution of [MOR15] with ours demonstrating the advantages of our solution both in terms of simplicity and efficiency. In all fairness, we should remark that the solution of [MOR15] was explicitly proposed as a proof-of-concept solution. The major advantage of our work over [MOR15] is that our communication protocol makes no use of generic MPC, and makes black-box use of the underlying PKE. This not only yields a substantial efficiency improvement, in terms of both communication and computation, but it also yields a more intuitive solution to the problem, as it uses the natural primitive to make communication private, namely encryption, instead of MPC.

More concretely, the player-virtualization protocol from [MOR15] makes non-black-box use of public-key encryption, i.e., the circuit which is computed via MPC is a public-key encryption/decryption circuit. This is typically a huge circuit which imposes an unrealistic slowdown both on the computation complexity and on the round and/or communication complexityFootnote 4. And this is just at the first level of recursion; the computation of the second level, computes a circuit, which computes the circuit, which computes PK encryptions/decryptions, and so on. Due to the lack of concrete suggestions of instantiation of the PKE and MPC used in [MOR15] we were unable to compute exact estimates on the running time and communication complexity of the suggested protocols. Notwithstanding it should be clear that even for the simple case in which the network has constant degree and logarithmic diameter—for which their communication protocol in [MOR15] achieves a polynomial complexity—and even for the best MPC instantiation the actual constants are huge.

Instead, our solutions make black-box use of the underlying PKE scheme and are, therefore, not only more communication and computation efficient, but also easier to analyze. In fact, in our results we include concrete upper bounds on the communication complexityFootnote 5 of all our protocols. Indicatively, for a network with diameter D and maximum degree d our network-hiding broadcast protocol communicates at most \((d+1)^{D} \cdot n \cdot \lambda \) bits within just \(5 \cdot D\) rounds, where \(\lambda \) is linear (with small constant, less than 5)Footnote 6 in the security parameter \(\kappa \) of the underlying PKE scheme. We note that many natural network graphs, such as social networks or the internet have a small diameterFootnote 7.

1.4 Preliminaries and Notation

We consider an MPC-like setting where n parties \(\mathcal {P}= \left\{ { P_1,\dots ,P_n }\right\} \) wish to communicate in a synchronous manner over some incomplete network of secure channels. When the communication is intended to be from \(P_i\), the sender, to \(P_j\), the receiver, we will refer to the parties in \(\mathcal {P}\setminus \{P_i,P_j\}\) as the intermediate parties. We will assume a passive and non-adaptive (aka static) computationally bounded adversary who corrupts an arbitrary subset \(\overline{H}\subseteq \mathcal {P}\) of parties. Parties in \(\overline{H}\) are called dishonest or corrupted while parties in \(H= \mathcal {P}\setminus \overline{H}\) are called honest. We use simulation based security to prove our results. For simplicity our proofs are in Canetti’s modular composition framework [Can98] but all our results translate immediately to the universal composition UC framework [Can00]. (Recall that we consider semi-honest static security.) In fact, to make this transition smoother, we describe our hybrids in the form of UC functionalities. For compactness, for any functionalities \(\mathcal {F}\) and \(\mathcal {G}\), we will denote by \(\{\mathcal {F},\mathcal {G}\}\) the composite functionality that gives parallel access to \(\mathcal {F}\) and \(\mathcal {G}\).

Throughout this work, we assume an, at times implicit, security parameter \(\kappa \) and write \(\text {neg}(\kappa )\) to refer to a negligible function of \(\kappa \). (See [Gol01] for a formal definition of negligible functions.) For an algorithm A we write \((y_1,\dots ,y_k) \leftarrow A(x_1,\dots ,x_k)\) to denote that \((y_1,\dots ,y_k)\) are outputs of A given inputs \((x_1,\dots ,x_k)\). For a probabilistic algorithm B we write \((y_1,\dots ,y_k) \leftarrow B(x_1,\dots ,x_k; r)\) where r is the chosen randomness. If we write \((y_1,\dots ,y_k) \twoheadleftarrow B(x_1,\dots ,x_k)\) instead, we assume that the randomness has been chosen uniformly.

1.5 Organization of the Paper

The remainder of the paper is organized as follows. In Sect. 2 we give our definition of topology-hiding security. In Sect. 3 we present a construction which allows to realize topology-hiding communication. The construction is based on multi-homomorphic threshold encryption with reversible randomization (RR-MHT-PKE) which is introduced in Sect. 3.1. Next, in Sect. 3.2 we describe a topology-hiding threshold encryption protocol based on RR-MHT-PKE. This protocol is used in Sect. 3.3 to topology-hidingly realize the Boolean-OR functionality. This allows to give a topology-hiding construction of broadcast and secure channels in Sect. 3.4. Finally, in Sect. 4 we present topology-hiding MPC and topology-hiding anonymous broadcast as applications of the protocols from the previous section.

2 Topology Hiding Security Definition

In this section we provide the formal simulation-based definition of topology-hiding computation. Our definition is an adaptation of the original simulation-based definition of Moran et al. [MOR15]. More concretely, the topology-hiding property requires that parties learn no information on the underlying communication network other than the description of their local neighborhood, i.e., the identities of their neighbors. To capture this property, we assume that the parties (in the real world) have access to a network functionality \(\mathcal N\) which has knowledge of every party \(P_i\)’s neighborhood (i.e., the set of point-to-point channels connected to \(P_i\)) and allows \(P_i\) to communicate (only) to its neighbors.

Clearly, a protocol execution over such a network \(\mathcal N\) allows an adversary using it knowledge of the neighborhood of corrupted parties; thus the simulator needs to also be able to provide this information to its environment. To give this power to the simulator, [MOR15] augments the ideal functionality with an extra component which allows the simulator access to this information. In this work we use \(\mathcal N\) itself in the ideal world to provide this information to the simulator. Note that this does not affect the security statements, as the trivial \(\mathcal N\)-dummy protocol \(\phi ^\mathcal N\) securely realizes \(\mathcal N\) Footnote 8.

A conceptual point in which our model of topology-hiding computation deviates from the formulation of Moran et al. has to do with respect to how the communication graph is chosen. At first thought, one might think that parameterizing the network functionality with the communication graph does the trick. This is, however, not the case because the parameters of hybrid-functionalities are known to the protocol which invokes them and are therefore also known to the adversary. The only information which is not known to the adversary are inputs of corrupted parties and internal randomness of the functionality; thus, as a second attempt, one might try to have the network functionality sample the communication graph from a given distributionFootnote 9. Unfortunately this also fails to capture the topology-hiding property in full, as we would like to make sure that the adversary (or simulator) gets no information on any given (hidden) graph.

Motivated by the above, [MOR15] defines topology-hiding computation using the following trick: they assume an extra incorruptible party, whose only role is to provide the network graph as input to the network functionality. Because this network-choosing party is (by assumption) honest, the simulator cannot see its input and needs to work having only the knowledge that \(\mathcal N\) allows him to obtain, i.e., the neighborhood of corrupted parties.

In this work we take a slightly different, but equivalent in its effect, approach to avoid the above hack of including a special purpose honest party. We assume that each party provides its desired neighborhood to \(\mathcal N\) as (a special part of) its input. Since the inputs are explicitly chosen by the environment, we are effectively achieving the same topology-hiding property as [MOR15] but without the extra special-purpose honest party.

In the remainder of this section we provide a formal specification of our network functionality (also referred to as network resource) and our formal security definition of topology-hiding computation.

The Network. The network topology is captured by means of an undirected graph \(G=(V,E)\) with vertex-set \(V=\mathcal {P}\) and edge-set \(E\subseteq \mathcal {P}\times \mathcal {P}\). An edge \((P_v,P_u)\in E\) indicates that \(P_u\) is in the neighborhood of \(P_v\), which, intuitively, means that \(P_u\) and \(P_v\) can communicate over a bilateral secure channel. For a party \(P_v\) denote by \(\mathbf {N}_G(v)\) its neighborhood in G. We will refer to \(\mathbf {N}_G[v] = \left\{ { P_v }\right\} \cup \mathbf {N}_G(v)\) as \(P_v\)’s closed neighborhood. Furthermore let \(\mathbf {N}_G[v]^k\) be all nodes in G which have distance k or less to \(P_v\). (Clearly \(P_v\in \mathbf {N}_G[v]^k\).)

The network functionality allows two types of access: (1) any party \(P_v\in \mathcal {P}\) can submit its neighbors \(\mathbf {N}_G[v]\), and (2) every party can submit a vector \(\vec {m}\) of messages, one for each of its neighbors, which are then delivered in a batch form to their intended recipients. In order to be able to make statements for restricted classes of graphs, e.g., expanders, we parameterize the network functionality by a family \(\mathcal {G}\) of setups and require that \(\mathcal N_\mathcal {G}\) only allows (the environment on behalf of) the honest parties to chose their neighborhood from this class. Note, that the adversary is not bound to choose a neighborhood from a graph in \(\mathcal {G}\), i.e., any valid neighborhood is accepted for corrupted parties. This is not an issue in the semi-honest setting considered in this work as a semi-honest adversary will submit whatever input the environment hands it. Thus, for the semi-honest case it suffices that the functionality becomes unavailable (halts) upon receiving an invalid neighborhood from the adversary (or from some honest party)Footnote 10. In the full version of this paper [HMTZ16] we also describe a network functionality that adequately captures the guarantees needed to prevent a malicious adversary from using the check of whether or not the neighborhood he submits results in an invalid-graph message from \(\mathcal N_\mathcal {G}\) to obtain information on the neighborhood of honest parties.

In the description of \(\mathcal N_\mathcal {G}\) we use the following notation: For a graph G with vertex set V, and for any \(V'\subseteq V\), we denote by \(G|_{V'}\) the restriction of G to the vertices in \(V'\), i.e., the graph that results by removing from G all vertices in \(V\setminus V'\) and their associated edges.

figure a

An important feature of the above functionality is that the communication pattern (i.e., which parties send or receive messages) does not reveal to the adversary any information other than the neighborhood of corrupted parties. Thus, the simulator cannot use this functionality in the ideal world to extract information about the network. However, when using this network-functionality (in the real-world protocol) to emulate, e.g., a complete communication network, the adversary might use the messages exchanged in the protocol to extract information that the simulator cannot. In fact, the challenge of a topology-hiding protocol is exactly to ensure that the exchanged messages cannot be used by the adversary in such a way.

Definition 1

Let \(\mathcal {G}\) be a family of graphs with vertex set \(\mathcal {P}\). Let also \(\mathcal {F}_{} \) be a functionality and \(\mathcal N_\mathcal {G}\) denote the network functionality (as specified above) and \(\pi \) be a \(\mathcal N_\mathcal {G}\)-hybrid protocol. We say that \(\pi ^{\mathcal N_\mathcal {G}}\) securely realizes the functionality \(\mathcal {F}_{} \) in a topology-hiding manner with respect to network class \(\mathcal {G}\) if and only if \(\pi \) securely realizes the composite functionality \(\{\mathcal {F}_{},\mathcal N_\mathcal {G}\}\).

3 Topology-Hiding Communication

In this section we present a construction which allows to securely and topology-hidingly realize different types of communication channels using black-box PKE. The section consists of the following four steps, each treated in a separate sub-section.

RR-MHT-PKE: In Sect. 3.1 we introduce multi-homomorphic threshold encryption with reversible randomization (RR-MHT-PKE), which is a special type of threshold public-key encryption. In addition to the (common) homomorphic property of ciphertexts RR-MHT-PKE features homomorphic public-keys and decryption-shares. This allows for a decentralized generation of shared keys which enables parties to generate securely and topology-hidingly a public-key setup where the private-key is shared among all parties. Its reversible randomization property allows parties to transmit public-keys and/or ciphertexts through the network such that the adversary can not track them. We give a practical implementation of RR-MHT-PKE based on the DDH assumption in the full version [HMTZ16].

Topology-Hiding Encryption: In Sect. 3.2, we present a topology-hiding threshold encryption protocol based on black-box RR-MHT-PKE. More precisely, we provide (1) a distributed setup protocol, (2) an information-transmission protocol, and (3) a distributed decryption protocol.

Topology-hiding Boolean-OR: In Sect. 3.3 we present a protocol which, for networks with moderate degree and diameter, securely and topology-hidingly realizes the multiparty Boolean-OR functionality using the topology-hiding threshold encryption protocol from the previous section.

Topology-hiding Broadcast and Secure Channels: Finally, in Sect. 3.4 we use the Boolean-OR functionality to securely and topology-hidingly realize secure channels and broadcast. The main result of this section is the following theorem.

Theorem 1

Given a network \(\mathcal N_{\mathcal {G}}\) with diameter D and maximum degree d where \(d^D = {poly}(\kappa )\) there exists a protocol which securely and topology-hidingly realizes broadcast using black-box RR-MHT-PKE. The protocol communicates at most \((d+1)^D \cdot n \cdot \lambda \) bits within \(5\cdot D\) rounds, where \(\lambda \) is linear (with small constant, less than 5) in \(\kappa \).

3.1 Multi-homomorphic Threshold Encryption with Reversible Randomization

In this section we introduce multi-homomorphic threshold encryption with reversible randomization, a special type of threshold public-key encryption, which will allow us to securely and topology-hidingly realize a distributed encryption scheme. We first start by recalling some standard definitions. A public-key encryption (PKE) scheme consists of three algorithms, \(\texttt {Keygen}\) for key generation, \(\texttt {Enc}\) for encryption and \(\mathtt{Dec}\) for decryption. Since in this work we consider semi-honest adversaries, we will only need encryption satisfying the standard IND-CPA security definition. Threshold public-key encryption (T-PKE) is PKE in which the private key \(\mathsf {SK}\) is distributed among l parties \(p_1,\ldots ,p_l\), such that each party \(p_i\) holds a share (aka sub-key) \(\mathsf {sk}_i\) of \(\mathsf {SK}\) with the property that any \(l-1\) sub-keys have no information on \(\mathsf {SK}\). Importantly, such a scheme allows for distributed decryption of any given ciphertext: any party \(p_i\) can locally compute, using its own sub-key \(\mathsf {sk}_i\) of the private key \(\mathsf {SK}\), a decryption share \(\mathsf {x}_i\), so that if someone gets a hold of decryption shares (for the same c) from all parties (i.e., with each of the shares of the private key) he can combine them and recover the plaintext. Homomorphic (threshold) PKE allows to add up encrypted messages. Here, the message space \(\langle \mathcal {M},+\rangle \) and the ciphertext space \(\langle \mathcal {C},\cdot \rangle \) are groups such that \( m_1+m_2 = \mathtt{Dec}(\mathsf {SK},\texttt {Enc}(\mathsf {PK},m_1;r_1)\cdot \texttt {Enc}(\mathsf {PK},m_2;r_2)) \). for any key pair \((\mathsf {PK},\mathsf {SK}) \leftarrow \mathtt{KeyGen}\) and any messages \(m_1,m_2 \in \mathcal {M}\).

Multi-homomorphic Threshold Encryption. We first present multi-homomorphic threshold encryption which is in essence HT-PKE with two additional properties. The first property is a decentralized key-generation. The idea is that parties locally generate public/private-key pairs. By combining those local public keys they can then generate a public key with shared private-key where the local private keys act as key shares. More formally, its required that the public-key space \(\langle \mathcal {PK},\cdot \rangle \) and the private-key space \(\langle \mathcal {SK},+ \rangle \) are groups. Moreover its is required (1) that there exists a key-generation algorithm \(\mathtt{KeyGen}\), which outputs a public/private-key pair \((\mathsf {pk}_i,\mathsf {sk}_i)\in \mathcal {PK}\times \mathcal {SK}\), and (2) that for any key pairs \((\mathsf {pk}_1,\mathsf {sk}_1),(\mathsf {pk}_2,\mathsf {sk}_2) \in \mathcal {PK}\times \mathcal {SK}\) it holds that \(\mathsf {pk}_1 \cdot \mathsf {pk}_2\) is the public key corresponding to private key \(\mathsf {sk}_1 + \mathsf {sk}_2\). In other words a multi-homomorphic threshold encryption scheme is homomorphic with respect to public/private keys. We point out this is not a standard property of threshold PKE schemes. For instance, the scheme of  [Pai99], does not satisfy this property. Secondly, a versatile homomorphic threshold encryption scheme is required to be homomorphic with respect to decryption shares and private keys. That is, for any key pairs \((\mathsf {pk}_1,\mathsf {sk}_1),(\mathsf {pk}_2,\mathsf {sk}_2)\) and any ciphertext c it must hold that \( \mathtt{ShareDecrypt}(\mathsf {sk}_1,c)\cdot \mathtt{ShareDecrypt}(\mathsf {sk}_2,c) = \mathtt{ShareDecrypt}(\mathsf {sk}_1+\mathsf {sk}_2,c) \).

Definition 2

A multi-homomorphic threshold encryption (\(MHT-PKE\)) scheme with security parameter \(\kappa \) consists of four spaces \(\mathcal {M}\), \(\mathcal {C}\), \(\mathcal {SK}\), and \(\mathcal {PK}\) and four algorithms \(\mathtt{KeyGen}\), \(\mathtt{Enc}\), \(\mathtt{ShareDecrypt}\), and \(\mathtt{Combine}\) which are parametrized by \(\kappa \) where:

  • 1. The message space \(\langle \mathcal {M}; +\rangle \), the public-key space \(\langle \mathcal {PK}; \cdot \rangle \), the private-key space \(\langle \mathcal {SK}; +\rangle \), the ciphertext space \(\langle \mathcal {C}; \cdot \rangle \), and the decryption-share space \(\langle \mathcal {DS}; \cdot \rangle \) are cyclic groups of prime order.

  • 2. The (probabilistic) key-generation algorithm \(\mathtt{KeyGen}\) outputs a public key \(\mathsf {pk}\in \mathcal {PK}\) and a private key \(\mathsf {sk}\in \mathcal {SK}\) where for any key pairs \((\mathsf {pk}_1,\mathsf {sk}_1)\), \((\mathsf {pk}_2,\mathsf {sk}_2) \in \mathcal {PK}\times \mathcal {SK}\) it holds that \(\mathsf {pk}_1 \cdot \mathsf {pk}_2\) is the public key corresponding to private key \(\mathsf {sk}_1 + \mathsf {sk}_2\).

  • 3. The (probabilistic) encryption algorithm \(\mathtt{Enc}\) takes a public key \(\mathsf {pk}\in \mathcal {PK}\) and a message \(m \in \mathcal {M}\) and outputs a ciphertext \(c \leftarrow \mathtt{Enc}(\mathsf {PK},m;r)\).

  • 4. The decryption share algorithm \(\mathtt{ShareDecrypt}\) takes a private key \(\mathsf {sk}_i \in \mathcal {SK}\) and a ciphertext \(c \in \mathcal {C}\) as inputs and outputs a decryption share \(\mathsf {x}_i \leftarrow \mathtt{ShareDecrypt}(\mathsf {sk}_i,c)\). For any ciphertext \(c \in \mathcal {C}\) and private keys \(\mathsf {sk}_1,\mathsf {sk}_2 \in \mathcal {SK}\) where \(\mathsf {x}_1 \leftarrow \mathtt{ShareDecrypt}(\mathsf {sk}_1,c)\) and \(\mathsf {x}_2 \leftarrow \mathtt{ShareDecrypt}(\mathsf {sk}_2,c)\) it holds that \( \mathsf {x}_1 \cdot \mathsf {x}_2 = \mathtt{ShareDecrypt}(\mathsf {sk}_1+\mathsf {sk}_2,c) \).

  • 5. The combining algorithm \(\mathtt{Combine}\) takes a decryption share \(\mathsf {x}\in \mathcal {DS}\) and a ciphertext \(c \in \mathcal {C}\) and outputs a message \(m \leftarrow \mathtt{Combine}(\mathsf {x},c)\).

A MHT-PKE scheme satisfies the following correctness property: For any key pairs \((\mathsf {pk}_1,\mathsf {sk}_1), \dots , (\mathsf {pk}_l,\mathsf {sk}_l) \leftarrow \mathtt{KeyGen}\) and any message \(m \in \mathcal {M}\) it holds that \(m = \mathtt{Combine}(\mathsf {x}_1 \cdot \; \dots \; \cdot \mathsf {x}_l,c)\) where \(\mathsf {x}_i = \mathtt{ShareDecrypt}(\mathsf {sk}_i,c)\), \(c = \mathtt{Enc}(\mathsf {pk},m;r)\) and \(\mathsf {pk}=\mathsf {pk}_1 \cdot \; \dots \; \cdot \mathsf {pk}_l\). Moreover, given a message m and a ciphertext c one can efficiently invert \(\mathtt{Combine}\), i.e., compute a decryption share \(\mathsf {x}\) with \(m = \mathtt{Combine}(\mathsf {x},c)\).

We define the security of MHT-PKE with respect to a threshold variant of the IND-CPA security definition.

Definition 3

A MHT-PKE scheme is IND-TCPA secure if the adversary’s advantage in winning the following game is negligible in \(\kappa \).

  • 1. The game generates key pairs \((\mathsf {pk}_1,\mathsf {sk}_1),\dots (\mathsf {pk}_l,\mathsf {sk}_l) \twoheadleftarrow \mathtt{KeyGen}\) and chooses a random bit b. Then the adversary gets \(\mathsf {pk}=\mathsf {pk}_1 \cdot \; \dots \; \cdot \mathsf {pk}_l\), \(\mathsf {pk}_1,\dots ,\mathsf {pk}_l\) and \(\mathsf {sk}_2,\dots ,\mathsf {sk}_l\). This allows him to generate encryptions of arbitrary messages and to generate decryption shares for all key pairs except \((\mathsf {pk}_1,\mathsf {sk}_1)\).

  • 2. The adversary specifies two messages \(m_0\) and \(m_1\) and the game returns \(c = \mathtt{Enc}(\mathsf {PK},m_b)\).

  • 3. The adversary specifies a bit \(b'\). If \(b=b'\) the adversary has won the game.

Furthermore for any chosen public-key \(\mathsf {pk}\in \mathcal {PK}\), it should be hard to distinguish between \((\mathsf {pk},\mathsf {pk}\cdot \mathsf {pk}_1)\) and \((\mathsf {pk},\mathsf {pk}_2)\) where \(\mathsf {pk}_1,\mathsf {pk}_2\) are distributed according to \(\mathtt{KeyGen}\). More formally, we require that the scheme has the indistinguishability under chosen public-key attack (IND-CKA) property.

Definition 4

A MHT-PKE scheme is IND-CKA secure if the adversary’s advantage in winning the following game is negligible in \(\kappa \).

  • 1. The adversary specifies a public key \(\mathsf {pk}\in \mathcal {PK}\).

  • 2. The game generates a key pair \((\mathsf {pk}_1,\mathsf {sk}_1) \twoheadleftarrow \mathtt{KeyGen}\) and chooses a uniform random bit b. Then the adversary gets public key \(\mathsf {pk}_2\) where

    $$ \mathsf {pk}_2 = {\left\{ \begin{array}{ll} \mathsf {pk}_1 &{} {if }\ b = 0 \\ \mathsf {pk}_1 \cdot \mathsf {pk}&{} {if }\ b = 1 \\ \end{array}\right. } $$

  • 3. The adversary specifies a bit \(b'\). If \(b=b'\) the adversary has won the game.

Reversible Randomization. Next, we introduce multi-homomorphic threshold encryption with reversible randomization which is MHT-PKE with additional randomization properties.

Randomization of Public Keys. The first property required is the randomization of public keys. More concretely, a MHT-PKE with reversible randomization allows a party \(P_i\) with public key \(\mathsf {pk}_i\) to “randomize” \(\mathsf {pk}_i\), i.e., compute a new masked public-key \(\widetilde{\mathsf {pk}}_i\) so that anyone seeing \(\widetilde{\mathsf {pk}}_i\) is unable to tell whether it is a freshly generated public-key or a randomized version of \(\mathsf {pk}_i\). Importantly, we require the randomization algorithm to be reversible in the following sense. The randomization algorithm must provide \(P_i\) with information \(\mathsf {rk}_i\), the de-randomizer, which allows it to map any encryption with \(\widetilde{\mathsf {pk}}_i\) back to an encryption with its original key \(\mathsf {pk}_i\). Looking ahead, the randomization of public-keys property will ensure that the adversary can not trace public keys while they travel the network. This allows us to build a topology-hiding information-transmission protocol.

Randomization of Ciphertexts. The second property required is the randomization of ciphertexts. More concretely, a MHT-PKE with reversible randomization allows a party \(P_i\) with ciphertext \(c_i\) to “randomize” \(c_i\), i.e., compute a new masked ciphertext \(\widehat{c}_i\) so that anyone seeing \(\widehat{c}_i\) is unable to tell whether it is a freshly generated ciphertext (using an arbitrary public-key) or an randomized version of \(c_i\). Importantly, we require the randomization algorithm to be reversible. This means it must provide \(P_i\) with information \(\mathsf {rk}_i\), the de-randomizer, which allows it to map any decryption share of \(\widehat{c}_i\) and decryption key \(\mathsf {sk}\) back to a decryption share of the original ciphertext \(c_i\) and \(\mathsf {sk}\). Looking ahead, the randomization of ciphertexts will ensure that the adversary can not trace ciphertexts and decryption-shares while they travel the network. This will allow us to build a topology-hiding decryption protocol. We remark that this property differs from the usual ciphertext re-randomization in homomorphic PKE schemes where one randomizes a ciphertext by adding up an encryption of 0.

MHT-PKE with Reversible Randomization. We can now give the formal definition of a MHT-PKE with reversible-randomization scheme.

Definition 5

A MHT-PKE with reversible-randomization (RR-MHT-PKE) scheme is a MHT-PKE scheme with extra algorithms \(\mathtt{RandKey}\), \(\mathtt{DerandCipher}\), \(\mathtt{RandCipher}\), \(\mathtt{DerandShare}\) where:

  • 1. The (probabilistic) (key) randomization algorithm \(\mathtt{RandKey}\) takes a public key \(\mathsf {pk}\in \mathcal {PK}\) and outputs a new public key \(\widetilde{\mathsf {pk}} \in \mathcal {PK}\) and a de-randomizer \(\mathsf {rk}\in \mathcal {RK}_P\).

  • 2. The (ciphertext) de-randomization algorithm \(\mathtt{DerandCipher}\) takes a de-randomizer \(\mathsf {rk}\in \mathcal {RK}_P\) and a ciphertext \(\widetilde{c} \in \mathcal {C}\) and outputs a new ciphertext \(c \in \mathcal {C}\) such that the following property holds. For any key pair \((\mathsf {pk},\mathsf {sk})\), \((\widetilde{\mathsf {pk}},\mathsf {rk}) \leftarrow \mathtt{RandKey}(\mathsf {pk};r')\), any message \(m \in \mathcal {M}\), and any ciphertext \(\widetilde{c} \leftarrow \mathtt{Enc}(\widetilde{\mathsf {pk}},m;\tilde{r})\) there exists an r such that \(\mathtt{Enc}(\mathsf {pk},m;r) = \mathtt{DerandCipher}(\mathsf {rk},\widetilde{c})\). Moreover, given a ciphertext c and a de-randomizer \(\mathsf {rk}\) one can efficiently invert \(\mathtt{DerandCipher}\), i.e., compute a ciphertext \(\widetilde{c}\) such that \(c = \mathtt{DerandCipher}(\mathsf {rk},\widetilde{c})\).

  • 3. The (probabilistic) (ciphertext) randomization algorithm \(\mathtt{RandCipher}\) takes a ciphertext \(c \in \mathcal {C}\) and outputs a new ciphertext \(\hat{c} \in \mathcal {C}\) and a de-randomizer \(\mathsf {rk}\in \mathcal {RK}_C\).

  • 4. The (share) de-randomization algorithm \(\mathtt{DerandShare}\) takes a de-randomizer \(\mathsf {rk}\in \mathcal {RK}_C\) and a decryption share \(\hat{\mathsf {x}} \in \mathcal {DS}\) and outputs a decryption share \(\mathsf {x}\in \mathcal {DS}\) such that the following property holds. For any key pair \((\mathsf {pk},\mathsf {sk})\), any ciphertext \(c \in \mathcal {C}\), \((\mathsf {rk},\hat{c}) \leftarrow \mathtt{RandCipher}(c;r)\), and \(\hat{\mathsf {x}} \leftarrow \mathtt{ShareDecrypt}(\mathsf {sk}_i,\hat{c})\) we have \(\mathtt{DerandShare}(\mathsf {rk},\hat{\mathsf {x}}) = \mathtt{ShareDecrypt}(\mathsf {sk}_i,c)\). More over given a decryption share \(\mathsf {x}\) and a de-randomizer \(\mathsf {rk}\) one can efficiently invert \(\mathtt{DerandShare}\), i.e., compute a decryption shares \(\hat{\mathsf {x}}\) such that \(\mathsf {x}= \mathtt{DerandShare}(\mathsf {rk},\hat{\mathsf {x}})\).

For any public key \(\mathsf {pk}\) it should be hard (for the adversary) to distinguish between \((\mathsf {pk},\mathtt{RandKey}(\mathsf {pk}))\) and \((\mathsf {pk},\mathsf {pk}')\) where \(\mathsf {pk}'\) is freshly generated using \(\mathtt{KeyGen}\). Similar, for any ciphertext c it should be hard to distinguish between \((c, \mathtt{RandCipher}(c))\) and \((c,c')\) where \(c'\) is a randomly chosen ciphertext. More formally, the scheme should have the indistinguishability under chosen public-key and chosen ciphertext attack (IND-CKCA) property.

Definition 6

A RR-MHT-PKE scheme is IND-CKCA secure if the adversary’s advantage in winning the following game is negligible in \(\kappa \).

  • 1. The adversary specifies a public key \(\mathsf {pk}\in \mathcal {PK}\) and a ciphertext \(c \in \mathcal {C}\).

  • 2. The game generates key pairs \((\mathsf {pk}_1,\mathsf {sk}_1),(\mathsf {pk}_2,\mathsf {sk}_2) \twoheadleftarrow \mathtt{KeyGen}\) and a uniform random message \(m \in \mathcal {M}\). The game then chooses uniform random bits \(b_1\) and \(b_2\). The adversary gets public key \(\widetilde{\mathsf {pk}}\) and ciphertext \(\widehat{c}\) where

    $$ \widetilde{\mathsf {pk}} = {\left\{ \begin{array}{ll} \mathtt{RandKey}(\mathsf {pk}) &{} {if }\ b_1 = 0 \\ \mathsf {pk}_1 &{} {if }\ b_1 = 1 \\ \end{array}\right. } $$

    and

    $$ \widehat{c} = {\left\{ \begin{array}{ll} \mathtt{RandCipher}(c) &{} {if }\ b_2 = 0 \\ \mathtt{Enc}(\mathsf {pk}_2,m) &{} {if }\ b_2 = 1 \\ \end{array}\right. }. $$

  • 3. The adversary specifies bits \(b_1'\) and \(b_2'\). If \(b_1=b_1'\) or \(b_2=b_2'\) the adversary has won the game.

The security of a RR-MHT-PKE scheme is defined with respect to the above security properties.

Definition 7

A RR-MHT-PKE scheme is secure if it is IND-TCPA, IND-CKA, and IND-CKCA secure.

DDH Based RR-MHT-PKE. One can practically implement secure RR-MHT-PKE using an extended variant of the ElGamal cryptosystem [ElG84] over a group G of prime order \(q(\kappa )\) where the DDH assumption holds. We refer to the full version [HMTZ16] for more details.

Lemma 1

Given a DDH group one can securely implement RR-MHT-PKE.

3.2 Topology-Hiding Threshold Encryption

In this section we build a topology-hiding threshold encryption protocol using a secure RR-MHT-PKE scheme. More precisely, we provide (1) a distributed setup protocol, (2) an information-transmission protocol, and (3) a distributed decryption protocol. Looking ahead, those protocols will allow us to topology-hidingly realize the Boolean-OR functionality.

The RR-MHT-PKE Scheme: We assume that the parties have access to a secure RR-MHT-PKE scheme with security parameter \(\kappa \), where \(n = {poly}(\kappa )\). In particular, each party has local (black-box) access to the algorithms of the RR-MHT-PKE scheme.

The Network Graph: A prerequisite for our protocols to work is that the network graph G of \(\mathcal N_\mathcal {G}\) is connected. Otherwise (global) information transmission is not possible. The parties also need to know upper bounds on the maximum degree and the diameter of the network graph. We therefore assume that the parties have access to an initialized network \(\mathcal N_\mathcal {G}^{d,D}\) where the graphs in the family \(\mathcal {G}\) are connected, have a maximum degree of \(d \le n\), and a diameter of at most \(D \le n\) where d and D are publicly known. For simplicity we restrict ourselves to present protocols for d-regular network graphs. We point out that one can extend the presented protocols to the general case where parties may have less than d neighbors. The idea is that a party which lacks d neighbors pretends to have d neighbors by emulating (messages from) virtual neighbors (cf. [MOR15]).

Setup Protocol. In this section we present a protocol which allows to topology-hidingly generate a threshold-setup where each party \(P_i\) holds a public key \(\mathsf {PK}_i\) such that the corresponding private-key is shared among all parties. The high-level idea of our protocol is as follows. We first observe that the D-neighborhood of \(P_i\) consists of all parties. The setup thus provides party \(P_i\) with a public key where the corresponding private-key is shared among the parties in the D-neighborhood \(\mathbf {N}_G[i]^D\) of \(P_i\). This implies that one can generate the setup recursively. In order to generate a k-neighborhood public-key \(\mathsf {PK}_i^{(k)}\), \(P_i\) asks each of its neighbors to generate a public key where the private key is shared in the neighbors \((k-1)\)-neighborhood. It can then compute \(\mathsf {PK}_i^{(k)}\) by combining the received public-keys.

Definition 8

A setup for topology-hiding threshold encryption over a network \(\mathcal N_\mathcal {G}^{d,D}\) consists of the following parts.

  • Private-Key Shares: Each party \(P_i\) holds a vector \((\overline{\mathsf {SK}}^{(0)}_{i}, \dots , \overline{\mathsf {SK}}^{(D)}_{i})\) of \(D+1\) private keys which we call its private-key shares. For any \(0 \le k \le D\) we denote by \(\overline{\mathsf {PK}}^{(k)}_{i}\) the public key corresponding to \(\overline{\mathsf {SK}}^{(r)}_{i}\).

  • Public-Keys: Each party \(P_i\) holds a vector \((\mathsf {PK}_i^{(0)},\dots ,\mathsf {PK}_i^{(D)})\) of \(D+1\) public keys where \(\mathsf {PK}_i^{(0)} = \overline{\mathsf {PK}}^{(0)}_{i}\) and \(\mathsf {PK}^{(k)}_{i} = \overline{\mathsf {PK}}^{(k)}_{i} \cdot \prod _{P_j \in \mathbf {N}_G(i)} \mathsf {PK}^{(k-1)}_{j}\). We call \(\mathsf {PK}_i^{(k)}\) the level-k public-key of \(P_i\) and denote by \(\mathsf {SK}_i^{(r)}\) the corresponding (shared) private key. The public-key of \(P_i\) is \(\mathsf {PK}_i := \mathsf {PK}_i^{(D)}\) and the shared private-key is \(\mathsf {SK}_i := \mathsf {SK}_i^{(D)}\).

  • Local Pseudonyms: Each party \(P_i\) privately holds a injective random function \(\nu _{i}(\cdot ): \mathbf {N}_G(i) \rightarrow \{1,\ldots , d\}\) which assigns each neighbor \(P_j \in \mathbf {N}_G(i)\) a unique local identity \(\nu _{i}(j) \in \left\{ { 1,\dots ,d }\right\} \). W.l.o.g. we will assume that \(\nu _{i}(i) = 0\).

We remark that the condition on the public-keys ensures that any \(0 \le k \le D\) (and for reasonably large \(\mathcal {PK}\)) the private key \(\mathsf {SK}_i^{(k)}\) is properly shared among the k neighborhood of \(P_i\), i.e., each party in the k-neighborhood holds a non-trivial share.

Definition 9

A protocol is a secure (topology-hiding) setup protocol over a network \(\mathcal N_\mathcal {G}^{d,D}\) if it has the following properties.

  • Correctness: The protocol generates with overwhelming probability a setup for topology-hiding threshold encryption over the network \(\mathcal N_\mathcal {G}^{d,D}\).

  • Topology-Hiding Simulation: The adversarial view in an actual protocol-execution can be simulated with overwhelming probability given the neighborhood of dishonest parties in \(\mathcal N_\mathcal {G}^{d,D}\) and the output of dishonest parties, i.e., given the values

    $$ \big \{\mathbf {N}_G(i),\nu _{i}(\cdot ), \overline{\mathsf {SK}}^{(0)}_{i}, \dots , \overline{\mathsf {SK}}^{(D)}_{i}, \mathsf {PK}_i^{(0)},\dots ,\mathsf {PK}_i^{(D)} \big \}_{P_i \in \overline{H}} $$

The simulation property ensures in particular that (a) the adversary does not learn more about the network topology and that (b) the adversary does not learn the private key corresponding to the public key \(\mathsf {PK}_i\) of party \(P_i\) unless it corrupts the entire k-neighborhood of \(P_i\).

figure b

Lemma 2

Given a secure RR-MHT-PKE scheme the protocol \(\mathtt{GenerateSetup}\) is a secure setup protocol. The protocol communicates \(D \cdot d \cdot n \cdot \log {|}{\mathcal {PK}}{|}\) bits within D rounds.

Proof

(sketch) Correctness: It follows directly from protocol inspection that the setup generated by \(\mathtt{GenerateSetup}\) is valid for \(\mathcal N_\mathcal {G}^{d,D}\). Topology-Hiding Simulation: The view of the adversary during an actual protocol execution is

$$ \big \{\mathbf {N}_G(i), \nu _{i}(\cdot ), \left\{ { \mathsf {PK}^{(k)}_{i},\overline{\mathsf {PK}}^{(k)}_{i},\overline{\mathsf {SK}}^{(k)}_{i} }\right\} _{0 \le r \le D}, \left\{ { \mathsf {PK}^{(k)}_{j} }\right\} _{P_j \in \mathbf {N}_G(i), 0 \le r \le D-1} \big \}_{P_i \in \overline{H}}. $$

Now consider the view where the public keys \(\left\{ { \mathsf {PK}^{(k)}_{j} }\right\} _{P_j \in \mathbf {N}_G(i)\cap H, 0 \le r \le D-1}\) are replaced by freshly generated public keys using \(\mathtt{KeyGen}\), i.e.,

$$ \big \{\mathbf {N}_G(i), \nu _{i}(\cdot ), \left\{ { \mathsf {PK}^{(k)}_{i},\overline{\mathsf {PK}}^{(k)}_{i},\overline{\mathsf {SK}}^{(k)}_{i} }\right\} _{0 \le r \le D},\left\{ { \widetilde{\mathsf {PK}}^{(k)}_{j} }\right\} _{P_j \in \mathbf {N}_G(i)\cap H, 0 \le r \le D-1} \big \}_{P_i \in \overline{H}}. $$

Note that the second view can be easily computed by a simulator given the outputs of dishonest parties. It remains to show that those views are computationally indistinguishable. Note that for any \(P_j \in \mathbf {N}_G(\overline{H})\cap H\) the public-key \(\mathsf {PK}^{(k)}_{j}\) has the form \(\mathsf {pk}_1 \cdot \mathsf {pk}\) where \(\mathsf {pk}_1 = \overline{\mathsf {PK}}^{(k)}_{j}\) and \(\mathsf {pk}= \prod _{P_i \in \mathbf {N}_G(j)} \mathsf {PK}^{(k-1)}_{i}\). The indistinguishability therefore follows from the IND-CKA security of the RR-MHT-PKE scheme. Communication Complexity: The protocol runs for D rounds and in each round \(n\cdot d\) public-keys are sent.

Information-Transmission Protocol. In this section we present a topology-hiding information-transmission protocol. Here, each party has a message \(m_i\) and a public-key \(\mathsf {pk}_i\) Footnote 11 as input. The output of party \(P_i\) is a ciphertext \(c_i\) under the public key \(\mathsf {pk}_i\). If all parties input the 0-message, \(c_i\) is an encryption of 0. Otherwise, \(c_i\) is an encryption of a random, non-zero message. The information-transmission protocol has a recursive structure and is thus parametrized by a level k. The protocol requires that parties have generated local pseudonyms. We therefore assume that the parties have access to a setup for topology-hiding threshold encryption over \(\mathcal N_\mathcal {G}^{d,D}\).

Definition 10

A protocol is a level-k (topology-hiding) secure information-transmission protocol over a network \(\mathcal N_\mathcal {G}^{d,D}\) if it has the following properties.

  • Setup, Inputs, and Outputs: The parties initially hold a setup for topology-hiding threshold encryption over \(\mathcal N_\mathcal {G}^{d,D}\) (cf. Definition 8). Each party holds as input a message \(m_i \in \mathcal {M}\) and a public key \(\mathsf {pk}_i \in \mathcal {PK}\) (not necessarily part of its setup).

    The output of each party \(P_i\) is a ciphertext \(c_i \in \mathcal {C}\).

  • Correctness: With overwhelming probability the output \(c_i\) is the encryption of message \(s_i\) under \(\mathsf {pk}_i\) and randomness \(\rho _i\) (i.e. \(c_i = \mathtt{Enc}(\mathsf {pk}_i,s_i;\rho _i) \)) with

    $$ s_i = \left\{ \begin{array}{ll} 0 &{} {if }\ m_j = 0\ { for\ all }\ P_j \in \mathbf {N}_G[i]^k \\ x_i &{} {if } m_j \ne 0\ { for\ at\ least\ one }\ P_j \in \mathbf {N}_G[i]^k \end{array} \right. $$

    where \(x_i \in \mathcal {M}\setminus \left\{ { 0 }\right\} \) uniform at random.

  • Topology-Hiding Simulation: The adversarial view in a real protocol-execution can be simulated with overwhelming probability given the following values

    $$ \big \{\mathbf {N}_G(i),m_i,\mathsf {pk}_i, c_i, \nu _{i}(\cdot ) \big \}_{P_i \in \overline{H}} \cup \big \{ s_i, \rho _i \big \}_{\mathbf {N}_G[i]^k \subseteq \overline{H}}. $$

    In other words the simulator gets the neighborhood of dishonest parties (in \(\mathcal N_\mathcal {G}^{d,D}\)), their protocol in- and outputs, and their local pseudonyms from the setup. For any party \(P_i\) where the whole k-neighborhood is dishonest the simulator is additionally given the content \(s_i\) and the randomness \(\rho _i\) of output \(c_i\).

The simulation property ensures in particular that (a) the adversary does not learn more about the network topology and that (b) the adversary does not learn the content of ciphertext \(c_i\) of party \(P_i\) unless it corrupts the entire k-neighborhood of \(P_i\).

figure c

Lemma 3

Given a secure RR-MHT-PKE scheme and for any parameter \(0 \le k \le D\) with \(d^k = {poly}(\kappa )\), \(\mathtt{InfoTransmisson}\big (k,(m_1,\mathsf {pk}_1),\dots ,(m_n,\mathsf {pk}_n)\big )\) is a secure level-k information-transmission protocol. The protocol communicates at most \((d+1)^k \cdot n \cdot (\log {|}{\mathcal {PK}}{|} + \log {|}{\mathcal {C}}{|})\) bits within 2k rounds.

Proof

(sketch) Correctness: For \(k = 0\) each party locally computes \(c_i\) as specified by the correctness property. The protocol thus achieves correctness perfectly. For \(k>0\) assume that the protocol achieves correctness for \((k-1)\). More precisely, the output of a party \(P_j\) for parameter \((k-1)\) is computed perfectly correct if all \((k-1)\)-neighbors have input 0. Otherwise, the output of \(P_j\) for parameter \((k-1)\) is computed correctly except with error probability \({\varepsilon }_{k-1}\). First, we consider the case where all parties in the k-neighborhood of \(P_i\) have input 0. The assumption for \((k-1)\) implies that all \(\widetilde{c}_{i,\nu _{i}(j)}\) contain 0. The properties of the RR-MHT-PKE scheme imply that \(s_i = r_i \cdot 0 = 0\). In the second case at least one party in the k-neighborhood of \(P_i\) has a non-zero input. This implies that at least one \(\widetilde{c}_{i,\nu _{i}(j)}\) contains a uniform random, non-zero message (with error probability of at most \({\varepsilon }_{k-1}\)). The properties of the RR-MHT-PKE thus ensure that \(c_i\) contains a uniform random, non-zero message (except with error probability \({\varepsilon }_{k} := {\varepsilon }_{k-1}+\frac{1}{{|}{\mathcal {M}}{|}}\)). This implies an overall success probability of at least \(1-(\frac{k \cdot n}{{|}{\mathcal {M}}{|}})\). Topology-Hiding Simulation: To simulate the view of the adversary the simulator is given

$$ \big \{\mathbf {N}_G(i),m_i,\mathsf {pk}_i, c_i, \nu _{i}(\cdot ) \big \}_{P_i \in \overline{H}} \cup \big \{ s_i, \rho _i \big \}_{\mathbf {N}_G[i]^k \subseteq \overline{H}}. $$

For \(k = 0\) those values correspond exactly to the view of the adversary during an actual protocol execution. Simulation is thus easy. For the case \(k >0\) assume that the view of the adversary can be simulated for \(k'<k\). The view of the adversary can now be simulated as follows. At the beginning, the simulator generates all public keys and de-randomizers seen by the adversary. For each dishonest \(P_i\) the simulator computes \(\mathsf {rk}_{i},\widetilde{\mathsf {pk}}_{i}\) using \(\mathtt{RandKey}\). For each honest \(P_j\) in the neighborhood of \(\overline{H}\) the simulator sets \(\widetilde{\mathsf {pk}}_{j}\) to a random public-key using \(\mathtt{KeyGen}\). Due to the IND-CKCA property of the RR-MHT-PKE scheme these public keys are indistinguishable from the corresponding public-keys seen by the adversary in an actual protocol-execution. The above values also determine all keys \(\mathsf {pk}_{i,\nu _{i}(j)}\) for \(P_i \in \overline{H}\) and \(P_j \in \mathbf {N}_G(i)\). Now, we consider the ciphertexts seen by the adversary in the second part of the protocol. In essence the simulator must generate all \(\widetilde{c}_{j,\nu _{j}(i)}\) where \(P_i\) and/or \(P_j\) are dishonest. If the whole \((k-1)\)-neighborhood of \(P_j\) is dishonest the simulator must also provide the content and the randomness of \(\widetilde{c}_{j,\nu _{j}(i)}\) which are required for the sub-simulation of the recursive protocol invocations. We recall that \(\mathtt{DerandCipher}\) is efficiently invertible if the de-randomizer is known. First, simulator generates a random \(r_i \in \left\{ { 1,\dots ,{|}{\mathcal {M}}{|}-1 }\right\} \) for each dishonest \(P_i\). If the whole k-neighborhood of \(P_i\) is dishonest (i.e., \(\mathbf {N}_G[i]^k \subseteq \overline{H}\)) the simulator is additionally given \(s_i\) and \(\rho _i\). This allows the simulator to compute for each neighbor \(P_j \in \mathbf {N}_G[i]\) a valid \(s_{j,\nu _{j}(i)}\), randomness \(\rho _{j,\nu _{j}(i)}\), and an encryption \(\widetilde{c}_{j,\nu _{j}(i)} = \mathtt{Enc}(\widetilde{\mathsf {pk}}_{i}, s_{j,\nu _{j}(i)}; \rho _{j,\nu _{j}(i)})\) such that . If there exists a honest party in the k-neighborhood of \(P_i\), the simulator is not given \(s_i\) and \(\rho _i\). However, in this case there is at least one \(P_j\) in \(\mathbf {N}_G[i]\) such that \(\mathbf {N}_G[j]^{k-1} \not \subseteq \overline{H}\). This allows the simulator to first generates all \(s_{j,\nu _{j}(i)},\rho _{j,\nu _{j}(i)}\) and \(\widetilde{c}_{j,\nu _{j}(i)} = \mathtt{Enc}(\widetilde{\mathsf {pk}}_{i}, s_{j,\nu _{j}(i)}; \rho _{j,\nu _{j}(i)})\) where \(\mathbf {N}_G[j]^{k-1} \subseteq \overline{H}\). Then it chooses the remaining \(\widetilde{c}_{j,\nu _{j}(i)}\) randomly under the constraint that . In a final step the adversary generates for any honest \(P_j \in \mathbf {N}_G[i]\) the values \(s_{i,\nu _{i}(j)},\rho _{i,\nu _{i}(j)}\) and \(\widetilde{c}_{i,\nu _{i}(j)} = \mathtt{Enc}(\widetilde{\mathsf {pk}}_{j}, s_{i,\nu _{i}(j)};\rho _{i,\nu _{i}(j)})\). The \(IND-TCPA{}\) property of the RR-MHT-PKE scheme and the correctness property of the protocol ensure that the generated ciphertexts are indistinguishable from the ones seen by the adversary in an actual protocol execution. Now all values required for the simulation of the \(d+1\) invocations of \(\mathtt{InfoTransmisson}\) with parameter \((k-1)\) are given. The simulator can thus use the sub-simulator to generate the view of the adversary in the middle part of the protocol. Communication Complexity: Let f(k) be the communication complexity of \(\mathtt{InfoTransmisson}\big (k,\dots \big )\). Then we have \(f(0) = 0\) and \(f(k) = d \cdot n \cdot (\log {|}{\mathcal {PK}}{|} + \log {|}{\mathcal {C}}{|}) + (d+1) \cdot f(k-1)\). This results in a communication complexity of at most \((d+1)^k \cdot n \cdot (\log {|}{\mathcal {PK}}{|} + \log {|}{\mathcal {C}}{|})\) bits. The round complexity follows from the observation that one can invoke the subprotocols \(\mathtt{InfoTransmisson}(k-1,\dots )\) in parallel.

Decryption Protocol. In this section we describe a distributed decryption protocol which allows each party \(P_i\) to decrypt a ciphertext \(c_i\) under its shared private-key \(\mathsf {SK}_i\) which has been generated by the setup protocol. The decryption protocol consists of two parts. First the parties jointly compute for each ciphertext \(c_i\) a decryption-share \(\mathsf {x}_i\) under the shared private-key of \(P_i\). In a second phase each party \(P_i\) can locally decrypt \(c_i\) using the decryption share \(\mathsf {x}_i\). First, we present a subprotocol which allows to compute the required decryption shares. The key-idea is to use the homomorphic property of decryption-shares which allows a recursive computation. The subprotocol is therefore parametrized by k.

Definition 11

A protocol is a secure level-k (topology-hiding) decryption-share protocol over a network \(\mathcal N_\mathcal {G}^{d,D}\) if it has the following properties.

  • Setup, Inputs, and Outputs: The parties initially hold a setup for topology-hiding threshold encryption over \(\mathcal N_\mathcal {G}^{d,D}\) (cf. Definition 8). Each party \(P_i\) inputs a ciphertext \(c_i \in \mathcal {C}\). The output of party \(P_i\) is a decryption share \(\mathsf {x}_i \in \mathcal {DS}\).

  • Correctness: With overwhelming probability \(\mathsf {x}_i = \mathtt{ShareDecrypt}(\mathsf {SK}_i^{(k)},c_i)\) for \(\mathsf {SK}_i^{(k)}\) the level-k shared private-key of \(P_i\) from the setup.

  • Topology-Hiding Simulation: The adversarial view in a real protocol-execution can be simulated with overwhelming probability given the following values

    $$ \big \{\mathbf {N}_G(i),c_i,\mathsf {x}_i, \nu _{i}(\cdot ), \overline{\mathsf {SK}}^{(0)}_{i}, \dots , \overline{\mathsf {SK}}^{(k)}_{i} \big \}_{P_i \in \overline{H}} $$

    In other words the simulator gets the neighborhood of dishonest parties (in \(\mathcal N_\mathcal {G}^{d,D}\)), their protocol in- and outputs, their local pseudonyms, and their private-key shares (up to level-k) of the assumed setup.

The simulation property ensures in particular that the adversary does not learn more about the network topology.

figure d

Lemma 4

Given a secure RR-MHT-PKE scheme and for any parameter \(0 \le k \le D\) with \(d^k = {poly}(\kappa )\) the above protocol \(\mathtt{DecShares}(k,c_1,\dots ,c_n)\) is a secure level-k decryption-share protocol. The protocol communicates \(d^k \cdot n \cdot (\log {|}{\mathcal {DS}}{|} + \log {|}{\mathcal {C}}{|})\) bits within 2k rounds.

Proof

(sketch) Correctness: The correctness essentially follows from the structure of the assumed setup and from the properties of the RVHT-PKE scheme. In the case \(k = 0\) we have \(\mathsf {SK}^{(0)}_{i} = \overline{\mathsf {SK}}^{0}_{i}\) which implies \(\mathsf {x}_i = \mathtt{ShareDecrypt}(\mathsf {SK}^{(0)}_{i},c_i)\). For \(k > 0\) we have \(\mathsf {SK}^{(k)}_{i} = \overline{\mathsf {SK}}^{(k)}_{i} + \sum _{P_j \in \mathbf {N}_G(i)} \mathsf {SK}^{(k-1)}_{j}\). The properties of the RVHT-PKE scheme thus imply that \(\mathsf {x}_i = \mathtt{ShareDecrypt}(\mathsf {SK}^{(k)}_{i},c_i)\) (c.f. protocol line 9). Simulation: In the case \(k = 0\) the view of the adversary is directly determined by values given to the simulator. Simulation is therefore easy to achieve. In the case \(k > 0\) the simulation of the adversarial view works similar as for the information-transmission protocol (we recall that \(\mathtt{DerandShare}\) is efficiently invertible if the de-randomizer is known). The simulator essentially emulates the protocol run. The IND-CKCA property of the RVHT-PKE scheme allows the simulator to choose random ciphertexts for \(c_{i,\nu _{i}(j)}\) of honest \(P_j\). Moreover, the decryption shares \(\mathsf {x}_{j,\nu _{j}(i)}\) for honest \(P_j\) can also be chosen randomly (where the distribution is conditioned on the outputs of dishonest parties). The view during the executions of \(\mathtt{DecShares}\) with parameter \(k-1\) can be generated using the \((k-1)\)-subsimulator guaranteed by the induction hypothesis. Communication Complexity: Denote by f(k) be the communication complexity of \(\mathtt{DecShares}(k,\dots )\). Then we have \(f(0) = 0\) and \(f(k) = n\cdot d \cdot (\log {|}{\mathcal {DS}}{|} + \log {|}{\mathcal {C}}{|}) + d\cdot f(k-1)\). This results in a communication complexity of \(f(k) = d^k \cdot n \cdot (\log {|}{\mathcal {DS}}{|} + \log {|}{\mathcal {C}}{|})\). The round complexity follows from the observation that one can invoke the subprotocols \(\mathtt{DecShares}(k-1,\dots )\) in parallel.

Definition 12

A protocol is a secure (topology-hiding) threshold decryption protocol for network \(\mathcal N_\mathcal {G}^{d,D}\) if it has the following properties.

  • Setup, Inputs and Outputs: The parties initially hold a setup for topology-hiding threshold encryption over \(\mathcal N_\mathcal {G}^{d,D}\) (cf. Definition 8). Each party \(P_i\) inputs a ciphertext \(c_i \in \mathcal {C}\). The output of party \(P_i\) is a message \(m_i\).

  • Correctness: With overwhelming probability it holds for each party \(P_i\) that \(m_i = \mathtt{Combine}(\mathtt{ShareDecrypt}(\mathsf {SK}_i,c_i))\) where \(\mathsf {SK}_i\) is the shared private-key of \(P_i\).

  • Topology-Hiding Simulation: The adversarial view in a real-protocol execution can be simulated with overwhelming probability given the following values

    $$ \big \{\mathbf {N}_G(i),c_i,m_i, \nu _{i}(\cdot ), \overline{\mathsf {SK}}^{(0)}_{i}, \dots , \overline{\mathsf {SK}}^{(D)}_{i} \big \}_{P_i \in \overline{H}} $$

    In other words the simulator gets the neighborhood of dishonest parties (in \(\mathcal N_\mathcal {G}^{d,D}\)), their protocol in- and outputs, their local pseudonyms, and their private-key shares of the assumed setup.

figure e

Lemma 5

Given a secure RR-MHT-PKE scheme, \(\mathtt{Decryption}(k,c_1,\dots ,c_n)\) is a secure threshold decryption protocol. The protocol communicates \(d^D \cdot n \cdot (\log {|}{\mathcal {DS}}{|} + \log {|}{\mathcal {C}}{|})\) bits within 2D rounds.

Proof

(sketch) The correctness follows directly from Lemma 4 and the properties of the RVHT-PKE scheme. The adversarial view in a real protocol execution can be simulated as follows (recall that \(\mathtt{Combine}\) is efficiently invertible). First the simulator computes for each pair \((c_i,m_i)\) a decryption share \(\mathsf {x}_i\) such that \(m_i = \mathtt{Combine}(\mathsf {x}_{i},c_i)\). The rest of the view can then be generated using the sub-simulator for \(\mathtt{DecShares}(D,\dots )\). The communication complexity and the number of rounds follows directly from the invocation of \(\mathtt{DecShares}\) with parameter D.

3.3 Multi-party Boolean OR

In this section we present a protocol which securely and topology-hidingly realizes the multi-party Boolean-OR functionality \(\mathcal {F}_\mathtt{OR}\) using the topology-hiding threshold encryption protocol from the previous section. The functionality \(\mathcal {F}_\mathtt{OR}\) takes from each party \(P_i\) an input bit \(b_i\) and computes the OR of those bit, i.e., \(b = b_1 \vee \dots \vee b_n\).

figure f

Assumptions. We assume in the following that the parties have access to a secure RR-MHT-PKE scheme with security parameter \(\kappa \), where \(n = {poly}(\kappa )\). Moreover, parties are given the network \(\mathcal N_\mathcal {G}^{d,D}\) where the graphs in the family \(\mathcal {G}\) are connected, have a maximum degree of \(d \le n\), and a diameter of at most \(D \le n\) where d and D are publicly known.

figure g

Lemma 6

Given a secure RR-MHT-PKE scheme and for dD with \(d^D = {poly}(\kappa )\) the protocol \(\mathtt{Boolean-OR}(b_1,\dots ,b_n)\) securely and topology-hidingly realizes \(\mathcal {F}_\mathtt{OR}\) (in the \(\mathcal N_\mathcal {G}^{d,D}\)-hybrid model). In the initialization phase the protocol \(\mathtt{Boolean-OR}(b_1,\dots ,b_n)\) communicates \(D \cdot d \cdot n \cdot \log {|}{\mathcal {PK}}{|}\) bits within D rounds. In the computation phase the protocol communicates at most \((d+1)^D \cdot n \cdot (\log {|}{\mathcal {DS}}{|} +\log {|}{\mathcal {PK}}{|} + 2\log {|}{\mathcal {C}}{|})\) bits within \(4\cdot D\) rounds.

Proof

Correctness: We assume the condition \(d^D = {poly}(\kappa )\). The correctness thus follows directly from the properties of Lemmas 2, 3, and 5 as the information-transmission protocol essentially allows to compute Boolean-ORs.

Topology-Hiding Simulation: Given the values \( \big \{\mathbf {N}_G(i),b_i,b \big \}_{P_i \in \overline{H}}. \) the view of the adversary can be simulated as follows. First the simulator generates a setup for \(\mathcal N_\mathcal {G}^{d,D}\). Next, for each dishonest \(P_i\) the simulator computes the messages \(m_i\) and \(m_i'\). It generates the corresponding ciphertext \(c_i\) (including the randomness). With those values the simulator now runs the the sub-simulators for \(\mathtt{GenerateSetup}\), \(\mathtt{InfoTransmisson}(D,\dots )\), and \(\mathtt{Decryption}(\dots )\). The properties of Lemmas 2, 3, and 5 ensure that the generated view is indistinguishable (for the adversary) from a real protocol execution.

Communication Complexity: The claimed communication complexity follows directly from the used subprotocols.

Remark 1

If the RR-MHT-PKE is instantiated using the DDH based construction, the computation complexity of the Boolean-OR protocol is similar to its communication complexity.

3.4 Topology-Hiding Broadcast and Secure Channels

In this section we describe a protocol which securely realizes the (bit) broadcast functionality \(\mathcal {F}_\mathtt{BC}^{s}\), while making-black box use of the \(\mathcal {F}_\mathtt{OR}\) functionality from the previous section. The functionality \(\mathcal {F}_\mathtt{BC}^{s}\) allows sender \(P_s\) to input a bit \(b_s\) which is output to all parties. This result directly implies that one can securely and topology-hidingly realize secure channels and broadcast using black-box RR-MHT-PKE.

figure h

Lemma 7

The protocol \(\mathtt{Broadcast}(P_s,b_s)\) securely realizes the \(\mathcal {F}_\mathtt{BC}^{s}\) functionality in the \(\mathcal {F}_\mathtt{OR}\)-hybrid model.

Proof

We have that \(b = 0 \vee \dots \vee b_s \vee \dots \vee 0 = b_s\) which implies correctness. The view of the adversary in an actual protocol execution consists of inputs and outputs of dishonest parties and is therefore easy to simulate.

Corollary 1

For dD with \(d^D = {poly}(\kappa )\) one can securely and topology-hidingly realize \(\mathcal {F}_\mathtt{BC}^{s}\) (in the \(\mathcal N_\mathcal {G}^{d,D}\)-hybrid model) using black-box RR-MHT-PKE while communicating at most \((d+1)^D \cdot n \cdot (\log {|}{\mathcal {DS}}{|} +\log {|}{\mathcal {PK}}{|} + 2\log {|}{\mathcal {C}}{|}) + D \cdot d \cdot n \cdot \log {|}{\mathcal {PK}}{|}\) bits within \(5\cdot D\) rounds per invocation.

Moreover, parties can simply realize secure channels given broadcast. First the receiver generates a key pair and broadcasts the public-key. The sender then broadcasts his message encrypted under this public-key.

Corollary 2

For dD with \(d^D = {poly}(\kappa )\) one can securely and topology-hidingly realize secure channels (in the \(\mathcal N_\mathcal {G}^{d,D}\)-hybrid model) using black-box RR-MHT-PKE. The communication complexity is twice the one of the broadcast protocol.

4 Applications

In this section we provide two applications of our network-hiding communication protocols. Namely, one can securely and topology-hidingly realize MPC and anonymous brodcast.

4.1 Topology-Hiding Secure Multi-Party Computation

The protocols from the previous section allow parties to topology-hidingly realize a complete network of secure channels (including broadcast channels). They can then use this network to execute a multi-party protocol of their choice, e.g., [GMW87, Pas04]. This easily proves the following result.

Theorem 2

For dD with \(d^D = {poly}(\kappa )\) one can securely and topology-hidingly realize any given multiparty functionality (in the \(\mathcal N_\mathcal {G}^{d,D}\)-hybrid model) using black-box RR-MHT-PKE.

4.2 Anonymous Broadcast

Theorem 2 implies that one can topology-hidingly realize anonymous channels given black-box access to a RR-MHT-PKE scheme. But using generic MPC to achieve an anonymous channel is expensive in terms of communication complexity. We therefore provide a protocol in the \(\mathcal {F}_\mathtt{OR}\)-hybrid model which directly realizes anonymous broadcast \(\mathcal {F}_\mathtt{ABC}\).

The functionality \(\mathcal {F}_\mathtt{ABC}\) generates for each party a unique but random pseudonym. In the subsequent communication rounds each party can publish messages under its pseudonym. Message are linkable which means that parties can relate messages to pseudonyms. Parties can prevent this by generating fresh pseudonyms (e.g., after each communication round).

figure i

Anonymous Broadcast Protocol. The high-level idea of our construction is as follows. In a scheduling phase each party gets a random (but unique) communication slot \(\sigma (i)\) assigned. In a communication round for each slot \(\sigma (i)\) the \(\mathcal {F}_\mathtt{OR}\) functionality is invoked which allows \(P_i\) to broadcast its bit.

The major challenge is to compute the slot assignment. We solve this issue with a scheduling loopFootnote 12. At the beginning each party selects a random slot. Then over several scheduling rounds the parties resolve colliding selections by computing a reservation matrix. The size of this matrix (parametrized by m) determines the collision detection probability. A larger m means a faster expected run time at the cost of increased communication costs per round.

figure j

Lemma 8

The protocol \(\mathtt{AssignSlots}(m)\) for the \(\mathcal {F}_\mathtt{OR}\)-hybrid model securely computes a random permutation \(\sigma \) of n elements where each party \(P_i\) learns \(\sigma (i)\). The expected number of rounds the protocol requires to compute the permutation is bounded by \(\frac{m}{m-1} \cdot n\) where \(\mathcal {F}_\mathtt{OR}\) is invoked \(n\cdot m\) times per round.

Proof

The protocol terminates if each row of A contains exactly one non-zero entry. Thus each slot in \(\left\{ { 1,\dots ,n }\right\} \) has been chosen at least by one party. As there are n parties this also means that no slot was chosen twice. The output is therefore a valid permutation. Inspection of the protocol also reveals that the permutation is chosen uniform at random (we consider semi-honest security).

Next, we show that the protocol eventually terminates. Each slot is in one of three states. Either its empty, or its selected by multiple parties, or it is assigned to a single party. We observe that the state transition function for slots is monotone. A selected slot cannot become empty and an assigned slot stays assigned to the same party. In each round where a collision is detected at least one empty slot becomes assigned. After at most n such rounds there are no empty slots left. But this also means that each slot is selected by at least one party and the protocol terminates. This also leads to a crude upper bound on the number of expected rounds. We observe that a collision between two parties is detected with a probability of at least \(p = (1-\frac{1}{m})\). The expected number of rounds required to detect a collision is therefore at most \(\frac{1}{p} = \frac{m}{m-1}\) (geometric distribution). The number of expected rounds is thus bounded by \(\frac{m}{m-1}\cdot n\). It remains to consider the simulation of the adversarial view. We observe that the (current) slot selection of dishonest parties is enough to simulate the view of the adversary in a scheduling round. The simulator can therefore essentially emulate the protocol (conditioned on the final slots of dishonest parties).

figure k

Lemma 9

The protocol \(\mathtt{Anonymous Broadcast}(m)\) securely realizes the functionality \(\mathcal {F}_\mathtt{ABC}\) in the \(\mathcal {F}_\mathtt{OR}\)-hybrid model.

Proof

The statement follows directly from Lemmas 7 and 8.

Corollary 3

For dD with \(d^D = {poly}(\kappa )\) one can securely and topology-hidingly realize \(\mathcal {F}_\mathtt{ABC}\) (in the \(\mathcal N_\mathcal {G}^{d,D}\)-hybrid model) using black-box RR-MHT-PKE.