Network-Hiding Communication and Applications to Multi-Party Protocols

Transcription

1 Network-Hdng Communcaton and Applcatons to Mult-Party Protocols Martn Hrt 1, Uel Maurer 1, Danel Tschud 1, and Vassls Zkas 2 1 ETH Zurch {hrt, maurer, tschudd}@nf.ethz.ch 2 RPI vzkas@cs.rp.edu Abstract. As dstrbuted networks are heavly used n modern applcatons, new securty challenges emerge. In a mult-party computaton (n short, MPC) protocol over an ncomplete network, such a challenge s to hde, to the extent possble, the topology of the underlyng communcaton network. Such a topology-hdng (aka network hdng) property s n fact very relevant n applcatons where anonymty s needed. To our knowledge, wth the excepton of two recent works by Chandran et al. [ITCS 2015] and by Moran et al. [TCC 2015], exstng MPC protocols do not hde the topology of the underlyng communcaton network. Moreover, the above two solutons are ether not applcable to arbtrary networks (as s [ITCS 2015]) or, as n [TCC 2015], they make non-blackbox and recursve use of cryptographc prmtves resultng n an unrealstc communcaton and computaton complexty even for smple,.e., low degree and dameter, networks. Our work suggests the frst topology-hdng communcaton protocol for ncomplete networks whch makes black-box use of the underlyng cryptographc assumpton n partcular, a publc-key encrypton scheme and tolerates any adversary who passvely corrupts arbtrarly many network nodes. Our solutons are based on a new, enhanced varant of threshold homomorphc encrypton, n short, TH-PKE, that requres no a- pror setup and allows to crculate an encrypted message over any (unknown) ncomplete network and then decrypt t wthout revealng any network nformaton to ntermedate nodes. We show how to realze ths enhanced TH-PKE from the DDH assumpton. The black-box nature of our scheme, along wth some optmzaton trcks that we employ, makes our communcaton protocol more effcent than exstng solutons. We then use our communcaton protocol to make any sem-honest secure MPC protocol topology-hdng wth a reasonable.e., for smple Research was supported by the Swss Natonal Scence Foundaton (SNF), project no Work done n part whle the author was at ETH Zurch supported by the Swss NSF Ambzone grant PZ00P , and whle the author was vstng the Smons Insttute for the Theory of Computng, supported by the Smons Foundaton and by the DIMACS/Smons Collaboraton n Cryptography through NSF grant #CNS

2 networks, polynomal wth small constants communcaton and computaton overhead. We further show how to construct anonymous broadcast wthout usng expensve MPCs to setup the orgnal pseudonyms. 1 Introducton Secure communcaton s perhaps the central goal of cryptography. It allows a sender, Alce, to securely transmt a message to a recever, Bob so that even f some eavesdropper, Eve, s nterceptng ther communcaton she can not fgure out anythng about the transmtted message. When Alce and Bob share a physcal (but potentally tappable) communcaton channel, ths task can be easly carred out by use of standard publc-key cryptography technques, e.g., Bob sends Alce hs publc key who uses t to encrypt her message and send t over the physcal communcaton channel to Bob. But ths dealzed scenaro occurs rarely n modern networks, such as the Internet, where Alce and Bob would most lkely not share a physcal channel and would, nstead, have to communcate over some (potentally ncomplete) network of routers. Wthout further restrctons, the above modfcaton margnally complcates the problem as t can be drectly solved by means of a prvate floodng scheme. In such a scheme, Alce encrypts her message, as before, and sends t to all her mmedate neghbors,.e., network routers wth whch she shares physcal lnks, who then forward t to ther mmedate neghbors, and so on, untl t reaches Bob. Clearly, f Alce has a path to Bob and the forwardng step s repeated as many tmes as the length of ths path, the message wll reach Bob. And the fact that the ntermedate routers only see encryptons of the transmtted message means that they do not learn anythng about the message. But modern dstrbuted protocols often requre much more than just prvacy of the transmtted message. For example, ensurng anonymty n communcaton s a major goal of securty as t, for example, protects aganst censorshp or coercon. Smlarly, as prvacy awareness n socal networks ncreases, users mght not be wllng to reveal nformaton about the structure of ther peer graph (.e., ther Facebook frends graph) to outsders. Other applcatons mght requre to hde a communcatng agent s locaton, as s the case n esponage or when usng moble agents to propagate nformaton through some ad-hoc network, e.g., n vehcleto-vehcle communcaton. All these applcatons requre a routng scheme, that hdes the topology of the underlyng communcaton network. Evdently, usng the smple prvate floodng strategy does not hde the topology of the underlyng communcaton network as, for example, an eavesdroppng router can easly determne ts dstance (and drecton) to the sender by observng n whch round (and from whom) t receves the frst encrypton. 1.1 Related Lterature The problem of routng through an ncomplete network has receved a lot of attenton n communcaton networks wth a vast amount of works amng at 2

3 optmzng communcaton complexty n varous network types. In the followng, however, we focus on the cryptographc lterature whch s more relevant to our goals namely network hdng communcaton and treatment. Perhaps the man venue of work n whch keepng the network hdden s a concern s the lterature on anonymous communcaton, e.g., [Cha03, RR98, SR97]. These works am to hde the dentty of the sender and recever n a message transmsson, n a way that protects these denttes even aganst traffc analyss. In a dfferent lne of work ntated by Chaum [Cha81], so called mx servers are used as proxes whch shuffle messages sent between varous peers to dsable an eavesdropper from followng a message s path. Ths technque has been extensvely studed and s the bass of several practcal anonymzaton tools. An nstance of the mx technque s the so called onon routng [SR97, RR98], whch s perhaps the most wde-spread anonymzaton technque. Roughly, t conssts of the sender applyng multple encryptons n layers on hs message, whch are then peeled-off as the cpher-text travels through a network of onon routers towards ts destnaton. An alternatve anonymty technque by Chaum [Cha88] and mplemented n varous nstances (e.g.,[bd90, J04, OR14]) s known as Dnng Cryptographers networks, n short DC-nets. Here the partes themselves are responsble for ensurng anonymty. The queston of hdng the communcaton network was also recently addressed n the context of secure mult-party computaton by Chandran et al. [CC + 15]. Ths work ams to allow n partes to compute an arbtrary gven functon n the presence of an adaptve adversary, where each party communcates wth a small (sublnear n the total number of partes) number of ts neghbors. Towards ths goal, [CC + 15] assumes that partes are secretly gven a set of neghbors that they can communcate wth. Because the adversary s adaptve, t s crucal n ther protocol that the communcaton does not reveal much nformaton about the network topology, as such nformaton would allow the adversary to potentally dscover the neghbors of some honest party, corrupt them, and solate ths party, thereby breakng ts securty. 3 Another work whch consders such an adaptve corrupton settng s the work of Kng and Saa [KS10], whch s talored to the Byzantne agreement problem. We note n passng that the result of [CC + 15, KS10] was preceded by several works whch consdered the problem of MPC over ncomplete networks. However, these works do not am to keep the network hdden as they ether only consder a statc adversary, 4 e.g., [BT13], and/or they only acheve so called almost everywhere computaton [O08, KSSV06a, KSSV06b, CO15] where the adversary s allowed to solate a small number of honest partes. 3 In fact, by a factor n ncrease on the number of neghbors of each party, [CC + 15] can avod the assumpton of a trusted setup prvately dstrbutng the neghborhoods and acheve the same level of securty whle havng the partes generate these neghborhoods themselves. 4 A statc adversary chooses all the partes to corrupt at the begnnng of the protocol executon and therefore learnng the network topology through the communcaton cannot help hm solate any honest party. 3

4 Most related to the goals of our work s the recent work of Moran, Orlov, and Rchelson [MOR15], whch consders the problem of topology-hdng secure mult-party computaton over an ncomplete network n the computatonal settng (.e., assumng secure publc-key encrypton) toleratng a sem-honest (passve) and statc adversary. At a very hgh level, [MOR15] uses publc-key encrypton and (sem-honest) mult-party computaton to mplement a proof-of-concept network-hdng communcaton protocol, whch emulates a complete network of secure channels. Ths emulated network s then used to execute an arbtrary mult-party protocol n whch partes communcate over a complete communcaton network, e.g., [MW87, Pas04]. In fact, as noted n [MOR15], relyng on a computatonal assumpton seems nevtable, as n the nformaton-theoretc settng the work of Hnkelmann and Jakoby [HJ07] excludes fully topology-hdng communcaton. 5 Due to the smlarty to our goal we nclude a detaled comparson of our results wth [MOR15] n Secton Our Contrbutons In ths work we present the frst network-hdng communcaton protocol whch makes black-box use of publc-key encrypton and, for networks wth moderate degree and dameter, has a moderate communcaton and computaton complexty. Our protocol allows the partes to communcate over an ncomplete network of pont-to-pont channels n a way whch computatonally hdes both the transmtted message and the neghborhood of honest partes from an adversary passvely corruptng arbtrary many partes. We remark that as ponted out n [CC + 15], when the communcaton graph s to be kept hdden, the adversary cannot be eavesdroppng on communcaton channels, and n partcular cannot be nformed when a message s transmtted over some channel. We resolve ths ssue by assumng, along the lnes of [MOR15], a specal network functonalty (cf. Secton 2). A bt more concretely, the hgh-level dea of our constructon s to enhance the naïve prvate floodng-protocol by usng homomorphc publc-key encrypton (n short, PKE). The startng pont of our approach s the observaton underlyng also the constructon from [MOR15] that the floodng protocol would be topology-hdng f the partes could not read ntermedate messages. But nstead of usng, as n [MOR15], expensve nested MPCs for ensurng ths fact (see below for a hgh-level descrpton of [MOR15]) we use a verson of threshold PKE wth addtonal network hdng propertes. We also show how to mplement our enhanced threshold PKE defnton assumng hardness of the Decsonal Dffe-Hellmann (DDH) problem. To demonstrate our deas, magne there was a world n whch partes (correspondng to all ntermedate routers) could encrypt wth a homomorphc publckey encrypton scheme where the prvate (decrypton) key s known to nobody, 5 To our understandng the result of [HJ07] does not apply to the case where a strong nformaton-theoretc setup, e.g., suffcently long correlated randomness, s avalable to the partes. Extendng ths results to that settng s an nterestng open problem. 4

5 but nstead partes have access to a decrypton oracle. Provded that the assocated PKE-scheme s semantcally secure, partes can enhance the floodng protocol as follows: Alce encrypts ts message and starts the floodng; n each step of the floodng protocol, the ntermedate party whch, recall, s supposed to forward the receved cphertext frst re-randomzes the cphertext and then forwards t. Once the message arrves to Bob, he nvokes the decrypton oracle to open ts fnal cphertext. We observe that n ths case the adversary does no longer learn anythng from ntermedate messages, the protocol s thus topologyhdng. There are two major challenges wth the above approach. Frst, f ntermedate partes are slent untl a message reaches them durng the floodng, then the adversary observng ths fact can use t to deduce nformaton about the network. E.g., f a neghbor p of a corrupted party has not sent anythng by the second round of the floodng protocol, then the adversary can deduce that p s not a neghbor of Alce. Secondly, we need a way to mplement the decrypton oracle. Observe that usng a off-the-shelf threshold decrypton scheme and have decrypton shares exchanged by means of floodng would trvally destroy the topology-hdng property; and the same s the case f we would use an MPC protocol for ths purpose, unless the MPC were tself topology-hdng. In the followng we dscuss how we solve each of the protocols, separately. The frst ssue nformaton leakage from slent partes can be solved by havng every party send messages n every round. As smple as ths dea mght seem, t has several dffcultes. For starters, the messages that are njected by ntermedary partes should be ndstngushable from encryptons, as otherwse addng ths nose makes no dfference. But now, there s a new ssue that the ntermedate partes cannot tell whch of the ndstngushable messages they receve contans the ntal message sent by Alce. The nave soluton to ths would be to have partes re-randomze everythng they receve and add ther own nose-message. But ths would mpose an exponental, n the graph dameter, factor both n the message and communcaton complexty. Our soluton, nstead, s to use the homomorphc propertes of the encrypton scheme and buld an effcent process whch allows every party to compute an encrypton of the OR of the messages t receves from ts neghbors. Thus, to transfer a bt b, Alce encrypts b and starts floodng, whereas every party encrypts a zero-bt and starts floodng smultaneously. In each followng round of the floodng scheme, every party homomorphcally computes the OR of the messages t receves and contnues floodng wth only ths encrypton. Bob keeps computng the OR of the encryptons he receves, and once suffcently many rounds have passed, the decrypton s nvoked to have hm obtan Alce s bt. Note that we only treat the case of sem-honest partes here, thus no party wll nput an encrypton of a one-bt nto ths smart floodng scheme whch would destroy ts correctness. To solve the second ssue.e., mplement the decrypton oracle n a topology hdng manner we ntroduce a new varant of threshold homomorphc publc-key encrypton (TH-PKE) wth enhanced functonalty, whch we call mult-homomorphc threshold encrypton wth reversble randomzaton. Roughly 5

6 speakng, our new TH-PKE assumes a strongly correlated setup, n whch secret (sub)keys are nested n a way whch s consstent wth the network topology and whch allows partes to decrypt messages n a topology hdng manner. We provde a securty defnton for the new prmtve and descrbe a topology-hdng protocol for establshng the necessary setup usng no setup-assumpton whatsoever. And we also descrbe how to nstantate our schemes under the DDH assumptons. We beleve that both the general defnton of ths augmented TH- PKE and the concrete nstantaton could be of ndependent nterest and can be used for anonymzng communcaton. Applcatons Buldng on our topology hdng network and utlzng the functonalty of our topology hdng homomorphc OR protocol we present the followng applcatons: Anonymous broadcast: We consder a varant of anonymous broadcast where partes can broadcast messages under a pseudonym. The presented protocol allows to realze anonymous broadcast drectly from the topology hdng homomorphc OR protocol wthout usng expensve MPC to setup the pseudonyms. Topology hdng MPC: Havng a topology-hdng network, we can execute on top of t any MPC protocol from the lterature that s desgned for pontto-pont channels whch wll render t topology hdng. 1.3 Comparson wth [MOR15] The work by Moran et al. [MOR15] provdes the frst, to the best of our knowledge, work that solves ths problem for general graphs n the computatonal settng. Our goals are closely related to thers. In fact, our securty defnton of topology-hdng communcaton and, more general, computaton s a refnement of ther smulaton-based defnton of topology-hdng MPC. But our technques are very dfferent. In lght of ths smlarty n goals, n the followng we nclude a more detaled comparson to our work. More concretely, the soluton of [MOR15] also follows the approach of enhancng the naïve floodng protocol to make t topology hdng. The key dea s to use nested MPCs, recursvely, to protect senstve nformaton durng the executon of the floodng protocol. Roughly, n the basc topology-hdng communcaton protocol of [MOR15], each party P s replaced by a vrtual-party ˆP, whch s emulated by ts mmedate neghbors by nvokng locally (.e., n the neghborhood) an off-the-shelf MPC protocol. The complete network of pont-to-pont channels requred by the MPC protocol s emulated by use of a PKE-scheme over the star network centered around P,.e., by naïve floodng where P s used as the routng node. The above ensures that P cannot analyze the messages that are routed through hm, as they are actually handled by ts correspondng vrtual party ˆP. However, there s now a new problem to be solved, namely, how do vrtual partes use the underlyng (ncomplete) communcaton network to flood messages n a topology hdng manner? Ths s solved as follows: To enable secure 6

7 communcaton between adjacent vrtual-partes a PKE-scheme s used (once more). Here each vrtual-party generates a key-par and sends the encrypton key to the adjacent vrtual-partes usng real partes as ntermedates. Ths basc protocol s topology-hdngly secure as long as the adversary does not corrupt an entre neghborhood. But ths s of course not enough for arbtrarly many corruptons to be tolerated. Thus, to ensure that the overall floodng protocol s also topology hdng, each vrtual party s replaced, agan by means of MPC, by a doubly vrtual party ˆP. Ths wll ensure that only adversares corruptng all the partes that emulate ˆP can break the topology hdng property. To extend the set of tolerable adversares, the doubly vrtual partes are agan emulated, and ths process s contnued untl we reach an emulated party that s emulated by all partes n the network. Ths requres n the worst case a number of nested MPCs n the order of the network dameter. In the followng we provde a comparson of the soluton of [MOR15] wth ours demonstratng the advantages of our soluton both n terms of smplcty and effcency. In all farness, we should remark that the soluton of [MOR15] was explctly proposed as a proof-of-concept soluton. The major advantage of our work over [MOR15] s that our communcaton protocol makes no use of generc MPC, and makes black-box use of the underlyng PKE. Ths not only yelds a substantal effcency mprovement, n terms of both communcaton and computaton, but t also yelds a more ntutve soluton to the problem, as t uses the natural prmtve to make communcaton prvate, namely encrypton, nstead of MPC. More concretely, the player-vrtualzaton protocol from [MOR15] makes nonblack-box use of publc-key encrypton,.e., the crcut whch s computed va MPC s a publc-key encrypton/decrypton crcut. Ths s typcally a huge crcut whch mposes an unrealstc slowdown both on the computaton complexty and on the round and/or communcaton complexty. 6 And ths s just at the frst level of recurson; the computaton of the second level, computes a crcut, whch computes the crcut, whch computes PK encryptons/decryptons, and so on. Due to the lack of concrete suggestons of nstantaton of the PKE and MPC used n [MOR15] we were unable to compute exact estmates on the runnng tme and communcaton complexty of the suggested protocols. Notwthstandng t should be clear that even for the smple case n whch the network has constant degree and logarthmc dameter for whch ther communcaton protocol n [MOR15] acheves a polynomal complexty and even for the best MPC nstantaton the actual constants are huge. Instead, our solutons make black-box use of the underlyng PKE scheme and are, therefore, not only more communcaton and computaton effcent, but also easer to analyze. In fact, n our results we nclude concrete upper bounds on the communcaton complexty 7 of all our protocols. Indcatvely, for a network 6 Of course the latter can be traded off by choosng to use ether a communcaton heavy or a round heavy protocol. 7 We note that the computaton complexty of our protocols s smlar to ther communcaton complexty. 7

8 wth dameter D and maxmum degree d our network-hdng broadcast protocol communcates at most (d + 1) D n λ bts wthn just 5 D rounds, where λ s lnear (wth small constant, less than 5) 8 n the securty parameter κ of the underlyng PKE scheme. We note that many natural network graphs, such as socal networks or the nternet have a small dameter Prelmnares and Notaton We consder an MPC-lke settng where n partes P = {P 1,..., P n } wsh to communcate n a synchronous manner over some ncomplete network of secure channels. When the communcaton s ntended to be from P, the sender, to P j, the recever, we wll refer to the partes n P \ {P, P j } as the ntermedate partes. We wll assume a passve and non-adaptve (aka statc) computatonally bounded adversary who corrupts an arbtrary subset H P of partes. Partes n H are called dshonest or corrupted whle partes n H = P \ H are called honest. We use smulaton based securty to prove our results. For smplcty our proofs are n Canett s modular composton framework [Can98] but all our results translate mmedately to the unversal composton UC framework [Can00]. (Recall that we consder sem-honest statc securty.) In fact, to make ths transton smoother, we descrbe our hybrds n the form of UC functonaltes. For compactness, for any functonaltes F and, we wll denote by {F, } the composte functonalty that gves parallel access to F and. Throughout ths work, we assume an, at tmes mplct, securty parameter κ and wrte neg(κ) to refer to a neglgble functon of κ. (See [ol01] for a formal defnton of neglgble functons.) For an algorthm A we wrte (y 1,..., y k ) A(x 1,..., x k ) to denote that (y 1,..., y k ) are outputs of A gven nputs (x 1,..., x k ). For a probablstc algorthm B we wrte (y 1,..., y k ) B(x 1,..., x k ; r) where r s the chosen randomness. If we wrte (y 1,..., y k ) B(x 1,..., x k ) nstead, we assume that the randomness has been chosen unformly. 1.5 Organzaton of the Paper The remander of the paper s organzed as follows. In Secton 2 we gve our defnton of topology-hdng securty. In Secton 3 we present a constructon whch allows to realze topology-hdng communcaton. The constructon s based on mult-homomorphc threshold encrypton wth reversble randomzaton (RR- MHT-PKE) whch s ntroduced n Secton 3.1. Next, n Secton 3.2 we descrbe a topology-hdng threshold encrypton protocol based on RR-MHT-PKE. Ths protocol s used n Secton 3.3 to topology-hdngly realze the Boolean-OR functonalty. Ths allows to gve a toplogy-hdng constructon of broadcast and secure channels n Secton 3.4. Fnally, n Secton 4 we present topology-hdng 8 Ths can be contrasted wth the complexty O(d) D n λ obtaned by [MOR15]. 9 Backstrom et al. [UKBM11] showed that a sub-graph of the Facebook socal network consstng of 99.6% of all users had a dameter of 6. In ths partcular case the broadcast protocol would communcate at most n 7 λ bts wthn 30 rounds. 8

9 MPC and topology-hdng anonymous broadcast as applcatons of the protocols from the prevous secton. 2 Topology Hdng Securty Defnton In ths secton we provde the formal smulaton-based defnton of topologyhdng computaton. Our defnton s an adaptaton of the orgnal smulatonbased defnton of Moran et al. [MOR15]. More concretely, the topology-hdng property requres that partes learn no nformaton on the underlyng communcaton network other than the descrpton of ther local neghborhood,.e., the denttes of ther neghbors. To capture ths property, we assume that the partes (n the real world) have access to a network functonalty N whch has knowledge of every party P s neghborhood (.e., the set of pont-to-pont channels connected to P ) and allows P to communcate (only) to ts neghbors. Clearly, a protocol executon over such a network N allows an adversary usng t knowledge of the neghborhood of corrupted partes; thus the smulator needs to also be able to provde ths nformaton to ts envronment. To gve ths power to the smulator, [MOR15] augments the deal functonalty wth an extra component whch allows the smulator access to ths nformaton. In ths work we use N tself n the deal world to provde ths nformaton to the smulator. Note that ths does not affect the securty statements, as the trval N -dummy protocol φ N securely realzes N. 10 A conceptual pont n whch our model of topology-hdng computaton devates from the formulaton of Moran et al. has to do wth respect to how the communcaton graph s chosen. At frst thought, one mght thnk that parameterzng the network functonalty wth the communcaton graph does the trck. Ths s, however, not the case because the parameters of hybrd-functonaltes are known to the protocol whch nvokes them and are therefore also known to the adversary. The only nformaton whch s not known to the adversary are nputs of corrupted partes and nternal randomness of the functonalty; thus, as a second attempt, one mght try to have the network functonalty sample the communcaton graph from a gven dstrbuton. 11 Unfortunately ths also fals to capture the topology-hdng property n full, as we would lke to make sure that the adversary (or smulator) gets no nformaton on any gven (hdden) graph. Motvated by the above, [MOR15] defnes topology-hdng computaton usng the followng trck: they assume an extra ncorruptble party, whose only role s to provde the network graph as nput to the network functonalty. Because ths network-choosng party s (by assumpton) honest, the smulator cannot see ts nput and needs to work havng only the knowledge that N allows hm to obtan,.e., the neghborhood of corrupted partes. 10 In any case, our protocol wll not output anythng other than the output of the functonalty, hence the smulator wll only use N to learn the corrupted partes neghborhood. 11 Intutvely, ths would correspond to the hdden graph model of [CC + 15]. 9

10 In ths work we take a slghtly dfferent, but equvalent n ts effect, approach to avod the above hack of ncludng a specal purpose honest party. We assume that each party provdes ts desred neghborhood to N as (a specal part of) ts nput. Snce the nputs are explctly chosen by the envronment, we are effectvely achevng the same topology-hdng property as [MOR15] but wthout the extra specal-purpose honest party. In the remander of ths secton we provde a formal specfcaton of our network functonalty (also referred to as network resource) and our formal securty defnton of topology-hdng computaton. The Network The network topology s captured by means of an undrected graph = (V, E) wth vertex-set V = P and edge-set E P P. An edge (P v, P u ) E ndcates that P u s n the neghborhood of P v, whch, ntutvely, means that P u and P v can communcate over a blateral secure channel. For a party P v denote by N (v) ts neghborhood n. We wll refer to N [v] = {P v } N (v) as P v s closed neghborhood. Furthermore let N [v] k be all nodes n whch have dstance k or less to P v. (Clearly P v N [v] k.) The network functonalty allows two types of access: (1) any party P v P can submt ts neghbors N [v], and (2) every party can submt a vector m of messages, one for each of ts neghbors, whch are then delvered n a batch form to ther ntended recpents. In order to be able to make statements for restrcted classes of graphs, e.g., expanders, we parameterze the network functonalty by a famly of setups and requre that N only allows (the envronment on behalf of) the honest partes to chose ther neghborhood from ths class. Note, that the adversary s not bound to choose a neghborhood from a graph n,.e., any vald neghborhood s accepted for corrupted partes. Ths s not an ssue n the sem-honest settng consdered n ths work as a sem-honest adversary wll submt whatever nput the envronment hands t. Thus, for the sem-honest case t suffces that the functonalty becomes unavalable (halts) upon recevng an nvald neghborhood from the adversary (or from some honest party). 12 In the full verson of ths paperwe also descrbe a network functonalty that adequately captures the guarantees needed to prevent a malcous adversary from usng the check of whether or not the neghborhood he submts results n an nvald-graph message from N to obtan nformaton on the neghborhood of honest partes. In the descrpton of N we use the followng notaton: For a graph wth vertex set V, and for any V V, we denote by V the restrcton of to the vertces n V,.e., the graph that results by removng from all vertces n V \ V and ther assocated edges. Functonalty N The network ntalzes a topology graph = (V, E) := (P, ). 12 Note that the envronment knows/chooses all the nputs and therefore knows whether or not the submtted neghborhoods are allowed by the graph class. 10

11 Info Step: 1. Every party P P (and the adversary on behalf of corrupted partes) sends (nput) (MyNegborhood, N []) to N ; f N [] s a vald neghborhood for P,.e., N [] {(P, P j) P j P}, then N updates E := E N []. 2. If there exst no such that = then N sets E := and halts. (Every future nput s answered by outputtng a specal symbol (BadNetwork) to the sender of ths nput.) Communcaton Step: 1. For each P P let N () = {P 1,..., P ν }. 2. Every P P sends N nput (send, m ), where m = (m,1,..., m,ν ); f P does not submt a vector m of the rght sze or format, then N adopts m = (,..., ). 3. Every P receves (output) m = (m 1,,..., m ν,) from N. An mportant feature of the above functonalty s that the communcaton pattern (.e., whch partes send or receve messages) does not reveal to the adversary any nformaton other than the neghborhood of corrupted partes. Thus, the smulator cannot use ths functonalty n the deal world to extract nformaton about the network. However, when usng ths network-functonalty (n the real-world protocol) to emulate, e.g., a complete communcaton network, the adversary mght use the messages exchanged n the protocol to extract nformaton that the smulator cannot. In fact, the challenge of a topology-hdng protocol s exactly to ensure that the exchanged messages cannot be used by the adversary n such a way. Defnton 1. Let be a famly of graphs wth vertex set P. Let also F be a functonalty and N denote the network functonalty (as specfed above) and π be a N -hybrd protocol. We say that π N securely realzes the functonalty F n a topology-hdng manner wth respect to network class f and only f π securely realzes the composte functonalty {F, N }. 3 Topology-Hdng Communcaton In ths secton we present a constructon whch allows to securely and topologyhdngly realze dfferent types of communcaton channels usng black-box PKE. The secton conssts of the followng four steps, each treated n a separate subsecton. RR-MHT-PKE: In Secton 3.1 we ntroduce mult-homomorphc threshold encrypton wth reversble randomzaton (RR-MHT-PKE), a specal type of threshold publc-key encrypton. In addton to the (common) homomorphc property of cphertexts RR-MHT-PKE features homomorphc publc-keys and decryptonshares. Ths allows for a decentralzed generaton of shared keys whch enables 11

12 partes to generate securely and topology-hdngly a publc-key setup where the prvate-key s shared among all partes. Its reversble randomzaton property allows partes to transmt publc-keys and/or cphertexts through the network such that the adversary can not track them. We also gve a practcal mplementaton of RR-MHT-PKE based on the DDH assumpton (see Appendx B). Topology-Hdng Encrypton: In Secton 3.2, we present a topology-hdng threshold encrypton protocol based on black-box RR-MHT-PKE. More precsely, we provde (1) a dstrbuted setup protocol, (2) an nformaton-transmsson protocol, and (3) a dstrbuted decrypton protocol. Topology-hdng Boolean-OR: In Secton 3.3 we present a protocol whch, for networks wth moderate degree and dameter, securely and topology-hdngly realzes the multparty Boolean-OR functonalty usng the topology-hdng threshold encrypton protocol from the prevous secton. Topology-hdng Broadcast and Secure Channels: Fnally, n Secton 3.4 we use the Boolean-OR functonalty to securely and topology-hdngly realze secure channels and broadcast. The man result of ths secton s the followng theorem. Theorem 1. ven a network N wth dameter D and maxmum degree d where d D = poly(κ) there exsts a protocol whch securely and topology-hdngly realzes broadcast usng black-box RR-MHT-PKE. The protocol communcates at most (d+1) D n λ bts wthn 5 D rounds, where λ s lnear (wth small constant, less than 5) n κ. 3.1 Mult-Homomorphc Threshold Encrypton wth Reversble Randomzaton In ths secton we ntroduce mult-homomorphc threshold encrypton wth reversble randomzaton, a specal type of threshold publc-key encrypton, whch wll allow us to securely and topology-hdngly realze a dstrbuted encrypton scheme. We frst start by recallng some standard defntons. A publc-key encrypton (PKE) scheme conssts of three algorthms, Keyen for key generaton, Enc for encrypton and Dec for decrypton. Snce n ths work we consder sem-honest adversares, we wll only need encrypton satsfyng the standard IND-CPA securty defnton. For completeness ths defnton s provded n Appendx A. Threshold publc-key encrypton (T-PKE) s PKE n whch the prvate key SK s dstrbuted among l partes p 1,..., p l, such that each party p holds a share (aka sub-key) sk of SK wth the property that any l 1 sub-keys have no nformaton on SK. Importantly, such a scheme allows for dstrbuted decrypton of any gven cphertext: any party p can locally compute, usng ts own sub-key sk of the prvate key SK, a decrypton share x, so that f someone gets a hold of decrypton shares (for the same c) from all partes (.e., wth each of the shares of the prvate key) he can combne them 12

13 and recover the plantext. For the classcal defnton of T-PKE we refer to Appendx A. Homomorphc (threshold) PKE allows to add up encrypted messages. Here, the message space M, + and the cphertext space C, are groups such that m 1 + m 2 = Dec(SK, Enc(PK, m 1 ; r 1 ) Enc(PK, m 2 ; r 2 )). for any key par (PK, SK) Keyen and any messages m 1, m 2 M. Mult-Homomorphc Threshold Encrypton We frst present mult-homomorphc threshold encrypton whch s n essence HT-PKE wth two addtonal propertes. The frst property s a decentralzed key-generaton. The dea s that partes locally generate publc/prvate-key pars. By combnng those local publc keys they can then generate a publc key wth shared prvate-key where the local prvate keys act as key shares. More formally, ts requred that the publc-key space PK, and the prvate-key space SK, + are groups. Moreover ts s requred (1) that there exsts a key-generaton algorthm Keyen, whch outputs a publc/prvate-key par (pk, sk ) PK SK, and (2) that for any key pars (pk 1, sk 1 ), (pk 2, sk 2 ) PK SK t holds that pk 1 pk 2 s the publc key correspondng to prvate key sk 1 + sk 2. In other words a multhomomorphc threshold encrypton scheme s homomorphc wth respect to publc/prvate keys. We pont out ths s not a standard property of threshold PKE schemes. For nstance, the scheme of [Pa99], does not satsfy ths property. Secondly, a versatle homomorphc threshold encrypton scheme s requred to be homomorphc wth respect to decrypton shares and prvate keys. That s, for any key pars (pk 1, sk 1 ), (pk 2, sk 2 ) and any cphertext c t must hold that ShareDecrypt(sk 1, c) ShareDecrypt(sk 2, c) = ShareDecrypt(sk 1 + sk 2, c). Defnton 2. A mult-homomorphc threshold encrypton (MHT-PKE) scheme wth securty parameter κ conssts of four spaces M, C, SK, and PK and four algorthms Keyen,Enc,ShareDecrypt, and Combne whch are parametrzed by κ where: 1. The message space M; +, the cphertext space C;, the publc-key space PK;, the prvate-key space SK; +, and the decrypton-share space DS; are cyclc groups of prme order. 2. The (probablstc) key-generaton algorthm Keyen outputs a publc key pk PK and a prvate key sk SK where for any key pars (pk 1, sk 1 ), (pk 2, sk 2 ) PK SK t holds that pk 1 pk 2 s the publc key correspondng to prvate key sk 1 + sk The (probablstc) encrypton algorthm Enc takes a publc key pk PK and a message m M and outputs a cphertext c Enc(PK, m; r). 4. The decrypton share algorthm ShareDecrypt takes a prvate key sk SK and a cphertext c C as nputs and outputs a decrypton share x ShareDecrypt(sk, c). For any cphertext c C and prvate keys sk 1, sk 2 SK where x 1 ShareDecrypt(sk 1, c) and x 2 ShareDecrypt(sk 2, c) t holds that x 1 x 2 = ShareDecrypt(sk 1 + sk 2, c). 5. The combnng algorthm Combne takes a decrypton share x DS and a cphertext c C and outputs a message m Combne(x, c). 13

14 A MHT-PKE scheme satsfes the followng correctness property: For any key pars (pk 1, sk 1 ),..., (pk l, sk l ) Keyen and any message m M t holds that m = Combne(x 1... x l, c) where x = ShareDecrypt(sk, c), c = Enc(pk, m; r) and pk = pk 1... pk l. Moreover, gven a message m and a cphertext c one can effcently nvert Combne,.e., compute a decrypton share x wth m = Combne(x, c). We defne the securty of MHT-PKE wth respect to a threshold varant of the IND-CPA securty defnton. Defnton 3. A MHT-PKE scheme s IND-TCPA secure f the adversary s advantage n wnnng the followng game s neglgble n κ. 1. The game generates key pars (pk 1, sk 1 ),... (pk l, sk l ) Keyen and chooses a random bt b. Then the adversary gets pk = pk 1... pk l, pk 1,..., pk l and sk 2,..., sk l. Ths allows hm to generate encryptons of arbtrary messages and to generate decrypton shares for all key pars except (pk 1, sk 1 ). 2. The adversary specfes two messages m 0 and m 1 and the game returns c = Enc(PK, m b ). 3. The adversary specfes a bt b. If b = b the adversary has won the game. Furthermore for any chosen publc-key pk PK, t should be hard to dstngush between (pk, pk pk 1 ) and (pk, pk 2 ) where pk 1, pk 2 are dstrbuted accordng to Keyen. More formally, we requre that the scheme has the ndstngushablty under chosen publc-key attack (IND-CKA) property. Defnton 4. A MHT-PKE scheme s IND-CKA secure f the adversary s advantage n wnnng the followng game s neglgble n κ. 1. The adversary specfes a publc key pk PK. 2. The game generates a key par (pk 1, sk 1 ) Keyen and chooses a unform random bt b. Then the adversary gets publc key pk 2 where { pk pk 2 = 1 f b = 0 pk 1 pk f b = 1 3. The adversary specfes a bt b. If b = b the adversary has won the game. Reversble Randomzaton We can now ntroduce mult-homomorphc threshold encrypton wth reversble randomzaton whch s MHT-PKE wth addtonal randomzaton propertes. Randomzaton of Publc Keys The frst property requred s the randomzaton of publc keys. More concretely, a MHT-PKE wth reversble randomzaton allows a party P wth publc key pk to randomze pk,.e., compute a new masked publc-key pk so that anyone seeng pk s unable to tell whether t s a freshly generated publc-key or a randomzed verson of pk. Importantly, we requre the randomzaton algorthm to be reversble n the followng sense. 14

15 The randomzaton algorthm must provde P wth nformaton rk, the derandomzer, whch allows t to map any encrypton wth pk back to an encrypton wth ts orgnal key pk. Lookng ahead, the randomzaton of publckeys property wll ensure that the adversary can not trace publc keys whle they travel the network. Ths allows us to buld a topology-hdng nformatontransmsson protocol. Randomzaton of Cphertexts The second property requred s the randomzaton of cphertexts. More concretely, a MHT-PKE wth reversble randomzaton allows a party P wth cphertext c to randomze c,.e., compute a new masked cphertext ĉ so that anyone seeng ĉ s unable to tell whether t s a freshly generated cphertext (usng an arbtrary publc-key) or an randomzed verson of c. Importantly, we requre the randomzaton algorthm to be reversble. Ths means t must provde P wth nformaton rk, the de-randomzer, whch allows t to map any decrypton share of ĉ and decrypton key sk back to a decrypton share of the orgnal cphertext c and sk. Lookng ahead, the randomzaton of cphertexts wll ensure that the adversary can not trace cphertexts and decrypton-shares whle they travel the network. Ths wll allow us to buld a topology-hdng decrypton protocol. We remark that ths property dffers from the usual cphertext re-randomzaton n homomorphc PKE schemes where one randomzes a cphertext by addng up an encrypton of 0. MHT-PKE wth Reversble Randomzaton We can now gve the formal defnton of a MHT-PKE wth reversble-randomzaton scheme. Defnton 5. A MHT-PKE wth reversble-randomzaton (RR-MHT-PKE) scheme s a MHT-PKE scheme wth extra algorthms RandKey, DerandCpher, RandCpher, DerandShare where: 1. The (probablstc) (key) randomzaton algorthm RandKey takes a publc key pk PK and outputs a new publc key pk PK and a de-randomzer rk RK P. 2. The (cphertext) de-randomzaton algorthm DerandCpher takes a derandomzer rk RK P and a cphertext c C and outputs a new cphertext c C such that the followng property holds. For any key par (pk, sk), ( pk, rk) RandKey(pk; r ), any message m M, and any cphertext c Enc( pk, m; r) there exsts an r such that Enc(pk, m; r) = DerandCpher(rk, c). Moreover, gven a cphertext c and a de-randomzer rk one can effcently nvert DerandCpher,.e., compute a cphertext c such that c = DerandCpher(rk, c). 3. The (probablstc) (cphertext) randomzaton algorthm RandCpher takes a cphertext c C and outputs a new cphertext ĉ C and a de-randomzer rk RK C. 4. The (share) de-randomzaton algorthm DerandShare takes a de-randomzer rk RK C and a decrypton share ˆx DS and outputs a share x DS such that the followng property holds. For any key par (pk, sk), any cphertext 15

16 c C, (rk, ĉ) RandCpher(c; r), and ˆx ShareDecrypt(sk, ĉ) we have DerandShare(rk, ˆx) = ShareDecrypt(sk, c). More over gven a decrypton share x and a de-randomzer rk one can effcently nvert DerandShare,.e., compute a decrypton shares ˆx such that x = DerandShare(rk, ˆx). For any publc key pk t should be hard (for the adversary) to dstngush between (pk, RandKey(pk)) and (pk, pk ) where pk s freshly generated usng Keyen. Smlar, for any cphertext c t should be hard to dstngush between (c, RandCpher(c)) and (c, c ) where c s a randomly chosen cphertext. More formally, the scheme should have the ndstngushablty under chosen publckey and chosen cphertext attack (IND-CKCA) property. Defnton 6. A RR-MHT-PKE scheme s IND-CKCA secure f the adversary s advantage n wnnng the followng game s neglgble n κ. 1. The adversary specfes a publc key pk PK and a cphertext c C. 2. The game generates key pars (pk 1, sk 1 ), (pk 2, sk 2 ) Keyen and a unform random message m M. The game then chooses unform random bts b 1 and b 2. The adversary gets publc key pk and cphertext ĉ where { RandKey(pk) f b 1 = 0 pk = pk 1 f b 1 = 1 and ĉ = { RandCpher(c) f b 2 = 0 Enc(pk 2, m) f b 2 = The adversary specfes bts b 1 and b 2. If b 1 = b 1 or b 2 = b 2 the adversary has won the game. The securty of a RR-MHT-PKE scheme s defned wth respect to the above securty propertes. Defnton 7. A RR-MHT-PKE scheme s secure f t s IND-TCPA, IND- CKA, and IND-CKCA secure. DDH based RR-MHT-PKE One can practcally mplement secure RR- MHT-PKE usng an extended varant of the Elamal cryptosystem [El84] over a group of prme order q(κ) where the DDH assumpton holds. We refer to Appendx B for more detals. Lemma 1. ven a DDH group one can securely mplement RR-MHT-PKE. 3.2 Topology-Hdng Threshold Encrypton In ths secton we buld a topology-hdng threshold encrypton protocol usng a secure RR-MHT-PKE scheme. More precsely, we provde (1) a dstrbuted setup protocol, (2) an nformaton-transmsson protocol, and (3) a dstrbuted decrypton protocol. Lookng ahead, those protocols wll allow us to topologyhdngly realze the Boolean-OR functonalty. 16

17 The RR-MHT-PKE Scheme: We assume that the partes have access to a secure RR-MHT-PKE scheme wth securty parameter κ, where n = poly(κ). In partcular, each party has local (black-box) access to the algorthms of the RR- MHT-PKE scheme. The Network raph: A prerequste for our protocols to work s that the network graph of N s connected. Otherwse (global) nformaton transmsson s not possble. The partes also need to know upper bounds on the maxmum degree and the dameter of the network graph. We therefore assume that the partes have access to an ntalzed network N d,d where the graphs n the famly are connected, have a maxmum degree of d n, and a dameter of at most D n where d and D are publcly known. For smplcty we restrct ourselves to present protocols for d-regular network graphs. We pont out that one can extend the presented protocols to the general case where partes may have less than d neghbors. The dea s that a party whch lacks d neghbors pretends to have d neghbors by emulatng (messages from) vrtual neghbors (cf. [MOR15]). Setup Protocol In ths secton we present a protocol whch allows to topologyhdngly generate a threshold-setup where each party P holds a publc key PK such that the correspondng prvate-key s shared among all partes. The hghlevel dea of our protocol s as follows. We frst observe that the D-neghborhood of P conssts of all partes. The setup thus provdes party P wth a publc key where the correspondng prvate-key s shared among the partes n the D-neghborhood N [] D of P. Ths mples that one can generate the setup recursvely. In order to generate a k-neghborhood publc-key PK (k), P asks each of ts neghbors to generate a publc key where the prvate key s shared n the neghbors (k 1)-neghborhood. It can then compute PK (k) by combnng the receved publc-keys. Defnton 8. A setup for topology-hdng threshold encrypton over a network conssts of the followng parts. N d,d Prvate-Key Shares: Each party P holds a vector (SK (0),..., SK (D) ) of D +1 prvate keys whch we call ts prvate-key shares. For any 0 k D we denote by PK (k) the publc key correspondng to SK (r). Publc-Keys: Each party P holds a vector (PK (0) keys where PK (0) = PK (0) and PK (k) = PK (k),..., PK (D) ) of D + 1 publc. We call P j N () PK(k 1) j PK (k) the level-k publc-key of P and denote by SK (r) the correspondng (shared) prvate key. The publc-key of P s PK := PK (D) and the shared prvate-key s SK := SK (D). Local Pseudonyms: Each party P prvately holds a njectve random functon ν ( ) : N () {1,..., d} whch assgns each neghbor P j N () a unque local dentty ν (j) {1,..., d}. W.l.o.g. we wll assume that ν () = 0. 17

18 We remark that the condton on the publc-keys ensures that any 0 k D (and for reasonably large PK) the prvate key SK (k) s properly shared among the k neghborhood of P,.e., each party n the k-neghborhood holds a non-trval share. Defnton 9. A protocol s a secure (topology-hdng) setup protocol over a network N d,d f t has the followng propertes. Correctness: The protocol generates wth overwhelmng probablty a setup for topology-hdng threshold encrypton over the network N d,d. Topology-Hdng Smulaton: The adversaral vew n an actual protocolexecuton can be smulated wth overwhelmng probablty gven the neghborhood of dshonest partes n N d,d and the output of dshonest partes,.e., gven the values { N (), ν ( ), SK (0),..., SK (D), PK (0),..., PK (D) } P H The smulaton property ensures n partcular that (a) the adversary does not learn more about the network topology and that (b) the adversary does not learn the prvate key correspondng to the publc key PK of party P unless t corrupts the entre k-neghborhood of P. Protocol eneratesetup Requre: Partes have access to an ntalzed N d,d. 1: Each P generates the local denttes ν ( ) and sub-key par (PK (0), SK (0) ) Keyen. Then t sets PK (0) = PK (0). 2: for k = 1,..., D do 3: Each P sends PK (k 1) 4: Each P generates sub-key par (PK (k) 5: Each P computes PK (k) 6: end for Output: P outputs ν ( ), (SK (0) to each P j N () usng N., SK (k) ) Keyen. = PK (k) P j N () PK(k 1) j.,..., SK (D) ), and (PK (0),..., PK (D) ). Lemma 2. ven a secure RR-MHT-PKE scheme the protocol eneratesetup s a secure setup protocol. The protocol communcates D d n log PK bts wthn D rounds. Proof. (sketch) Correctness: It follows drectly from protocol nspecton that the setup generated by eneratesetup s vald for N d,d. Topology-Hdng Smulaton: The vew of the adversary durng an actual protocol executon s { N (), ν ( ), {PK (k), PK (k) } {, SK (k), 0 r D 18 PK (k) j } P j N (),0 r D 1 } P H.

19 { Now consder the vew where the publc keys PK (k) j replaced by freshly generated publc keys usng Keyen,.e., { N (), ν ( ), {PK (k), PK (k) } {, SK (k), 0 r D } P j N () H,0 r D 1 are } PK (k) } j P. H P j N () H,0 r D 1 Note that the second vew can be easly computed by a smulator gven the outputs of dshonest partes. It remans to show that those vews are computatonally ndstngushable. Note that for any P j N (H) H the publc-key PK (k) j has the form pk 1 pk where pk 1 = PK (k) j and pk = P N (j) PK(k 1). The ndstngushablty therefore follows from the IND-CKA securty of the RR- MHT-PKE scheme. Communcaton Complexty: The protocol runs for D rounds and n each round n d publc-keys are sent. Informaton-Transmsson Protocol In ths secton we present a topologyhdng nformaton-transmsson protocol. Here, each party has a message m and a publc-key pk 13 as nput. The output of party P s a cphertext c under the publc key pk. If all partes nput the 0-message, c s an encrypton of 0. Otherwse, c s an encrypton of a random, non-zero message. The nformatontransmsson protocol has a recursve structure and s thus parametrzed by a level k. The protocol requres that partes have generated local pseudonyms. We therefore assume that the partes have access to a setup for topology-hdng threshold encrypton over N d,d. Defnton 10. A protocol s a level-k (topology-hdng) secure nformatontransmsson protocol over a network N d,d f t has the followng propertes. Setup, Inputs, and Outputs: The partes ntally hold a setup for topologyhdng threshold encrypton over N d,d (cf. Defnton 8). Each party holds as nput a message m M and a publc key pk PK (not necessarly part of ts setup).the output of each party P s a cphertext c C. Correctness: Wth overwhelmng probablty the output c s the encrypton of message s under pk and randomness ρ (.e. c = Enc(pk, s ; ρ )) wth { 0 f mj = 0 for all P s = j N [] k x f m j 0 for at least one P j N [] k where x M \ {0} unform at random. Topology-Hdng Smulaton: The adversaral vew n a real protocol-executon can be smulated wth overwhelmng probablty gven the followng values { N (), m, pk, c, ν ( ) } P H { s, ρ } N [] k H. 13 For notatonal smplcty we use uppercase letters for publc-/prvate-keys whch are part of the setup for N d,d and lowercase letters for arbtrary publc-/prvate-keys. 19