Topology-Hiding Computation for Large Diameter Graphs Adi Akavia Tal Moran The Academic College of Tel-Aviv Jaffa IDC Herzliya MPC [Yao’86, GMW’87]: multiple parties can jointly compute a function of their private inputs, while revealing nothing beyond the output MPC [Yao’86, GMW’87]: multiple parties can jointly compute a function of their private inputs, while revealing nothing beyond the output Many applications MPC [Yao’86, GMW’87]: multiple parties can jointly compute a function of their private inputs, while revealing nothing beyond the output Many applications Today: protect also meta-data! Motivation: Private social network Today: Facebook = “trusted third party”. • Holds: • Computes: personal data & “social graph” functions on data & graph Motivation: Private social network Today: Facebook = “trusted third party”. • Holds: • Computes: Goal: personal data & “social graph” functions on data & graph Privacy preserving social network No trusted third party! Privacy for data & graph MPC does NOT Suffice MPC does NOT Suffice • MPC: Communication topology is public MPC does NOT Suffice • MPC: Communication topology is public – Typically: – Also: Complete graph General topologies (publicly known) [ …. Halevi-Ishai-Jain-Kushilevitz-Rabin’2016] MPC does NOT Suffice • MPC: Communication topology is public – Typically: – Also: Complete graph General topologies (publicly known) [ …. Halevi-Ishai-Jain-Kushilevitz-Rabin’2016] • Social network: Communication topology ≈ social graph MPC does NOT Suffice • MPC: Communication topology is public – Typically: – Also: Complete graph General topologies (publicly known) [ …. Halevi-Ishai-Jain-Kushilevitz-Rabin’2016] • Social network: Communication topology ≈ social graph topology is private MPC does NOT Suffice • MPC: Communication topology is public – Typically: – Also: Complete graph General topologies (publicly known) [ …. Halevi-Ishai-Jain-Kushilevitz-Rabin’2016] • Social network: Communication topology ≈ social graph topology is private Not protected by MPC! Want: Topology Hiding MPC [MOR’15] Topology hiding MPC is MPC that hides both inputs and communication graph. More Motivation: Private Topology • Mobile Networks • Vehicle-to-Vehicle communication • Mesh networks • Internet-of-things Topology Hiding MPC [MOR’15] a Settings: • Parties (=nodes) have private inputs, • Parties know their neighbors, communicate directly only with neighbors. g b d e c h f Topology Hiding MPC [MOR’15] a Settings: • Parties (=nodes) have private inputs, • Parties know their neighbors, communicate directly only with neighbors. g b d e c h The Goal: Compute any function of the inputs while revealing nothing beyond function’s output Reveal no info about the graph* f Topology Hiding MPC [MOR’15] a Settings: • Parties (=nodes) have private inputs, • Parties know their neighbors, communicate directly only with neighbors. g b d e c h The Goal: Compute any function of the inputs while revealing nothing beyond function’s output Reveal no info about the graph* *Need minimal info about the graph (e.g. bounds on diameter / #nodes) f Topology Hiding MPC [MOR’15] a Settings: • Parties (=nodes) have private inputs, • Parties know their neighbors, communicate directly only with neighbors. g b d e c h Broadcast suffices The Goal: Compute any function of the inputs while revealing nothing beyond function’s output Reveal no info about the graph* *Need minimal info about the graph (e.g. bounds on diameter / #nodes) f Is Topology Hiding MPC Possible? Some Challenges: • Consider Naïve protocol: “OR and forward” a g b d e c h f Is Topology Hiding MPC Possible? Some Challenges: • Consider Naïve protocol: “OR and forward” a g b d e c h f Is Topology Hiding MPC Possible? Some Challenges: • Consider Naïve protocol: “OR and forward” a g b d e c h f Is Topology Hiding MPC Possible? Some Challenges: • Consider Naïve protocol: “OR and forward” a g b d e c h f Is Topology Hiding MPC Possible? Some Challenges: • Consider Naïve protocol: “OR and forward” a g b d e c h • Not topology hiding – E.g. reveals distance to broadcaster f Is Topology Hiding MPC Possible? Some Challenges: • Consider Naïve protocol: “OR and forward” a g b d e c h • Not topology hiding – E.g. reveals distance to broadcaster f Is Topology Hiding MPC Possible? Some Challenges: • Consider Naïve protocol: “OR and forward” a g b d e c h • Not topology hiding – E.g. reveals distance to broadcaster f Is Topology Hiding MPC Possible? Some Challenges: • Consider Naïve protocol: “OR and forward” a g b d e c h • Not topology hiding – E.g. reveals distance to broadcaster f Is Topology Hiding MPC Possible? Some Challenges: • Consider Naïve protocol: “OR and forward” a g b d e c h • Not topology hiding – E.g. reveals distance to broadcaster – Not hiding even with encrypted messages f Is Topology Hiding MPC Possible? Some Challenges: • Consider Naïve protocol: “OR and forward” a g b d e c h • Not topology hiding – E.g. reveals distance to broadcaster – Not hiding even with encrypted messages • Who has the private key? f Impossible against Active Adversary Impossible against Active Adversary Active (=malicious) adversary: Can deviate from the protocol (e.g., abort). Theorem [MOR’15]: Against an active adversary, Topology-hiding broadcast is impossible Impossible against Active Adversary Active (=malicious) adversary: Can deviate from the protocol (e.g., abort). Theorem [MOR’15]: Against an active adversary, Topology-hiding broadcast is impossible Impossible already for simple graphs weak adversary (chains) (fail-stop) Feasible against Passive Adversary Feasible against Passive Adversary Passive (=honest-but-curious) adversary: Follows the protocol (but tries to learn secrets). Small diameter network graph: Distance between nodes at most logarithmic. Feasible against Passive Adversary Passive (=honest-but-curious) adversary: Follows the protocol (but tries to learn secrets). Small diameter network graph: Distance between nodes at most logarithmic. Theorem [MOR’15, HMTZ’16]: Topology-hiding broadcast exists on small-diameter network graphs against passive adversary (assuming trapdoor permutations exist / DDH) Feasible against Passive Adversary Passive (=honest-but-curious) adversary: Follows the protocol (but tries to learn secrets). Small diameter network graph: Distance between nodes at most logarithmic. Theorem [MOR’15, HMTZ’16]: Topology-hiding broadcast exists on small-diameter network graphs against passive adversary given bounds on (assuming trapdoor permutations exist / DDH) diameter & degree This Work Our question: Is small-diameter necessary? This Work Our question: Is small-diameter necessary? Our Main Result: Topology-hiding broadcast exists on large-diameter network graphs against passive adversary (under standard assumptions, e.g., DDH) This Work Our question: Is small-diameter necessary? given number of nodes* Our Main Result: Topology-hiding broadcast exists on large-diameter network graphs against passive adversary (under standard assumptions, e.g., DDH) This Work: Results Result 1: Topology-hiding broadcast is feasible for large-diameter graphs, including: This Work: Results c d e f Result 1: chains Topology-hiding broadcast is feasible for large-diameter graphs, including: This Work: Results Result 1: Topology-hiding broadcast is feasible for large-diameter graphs, including: f a g e b e c d d chains cycles This Work: Results Result 1: Topology-hiding broadcast is feasible for large-diameter graphs, including: a f a g e b d d g b d e e c c chains h cycles trees f This Work: Results Result 1: Topology-hiding broadcast is feasible for large-diameter graphs, including: a f a g e b d d g b d e a e c h cycles f d e f c c chains g b trees h Smallcircumference graphs This Work: Results Result 1: Topology-hiding broadcast is feasible for large-diameter graphs, including: a f a g e b d d g b d e a e c h cycles f d e f c c chains g b trees h Smallcircumference graphs This Work: Results Result 1: Topology-hiding broadcast is feasible for large-diameter graphs, including: a f a g e b d d g b d e a e c h cycles f d e f c c chains g b trees h Smallcircumference graphs This Work: Results Result 2: Topology hiding broadcast on cycles Topology hiding broadcast on trees This Work: Results Result 3: Topology hiding broadcast for 1) cycles and 2) small-diameter graphs Topology hiding broadcast for small-circumference graphs This Work: Results Result 3: Topology hiding broadcast for 1) cycles and 2) small-diameter graphs Topology hiding broadcast for small-circumference graphs Extensions: We define: We show: A distributed algorithm is “info-local” if output of each party depends only on k-local neighborhood Our reductions hold for arbitrary graph with “info-local” algorithm for spanning-tree neighbors Remarks • Even with known overall topology, topology-hiding is still non-trivial – Example – Cycles: nodes order may be sensitive. Remarks • Even with known overall topology, topology-hiding is still non-trivial – Example – Cycles: nodes order may be sensitive. • Voting parallel broadcast: – voting & mix-networks inspiration Tool: PKCR-encryption Public key encryption, which is: 1. Rerandomizable: Given pk and c [m]k Can produce fresh ciphertext c’ [m]k. 2. Privately key-commutative: Tool: PKCR-encryption Public key encryption, which is: 1. Rerandomizable: Given pk and c [m]k Can produce fresh ciphertext c’ [m]k. 2. Privately key-commutative: PKCR-enc exists under DDH assumption. Tool: PKCR-encryption Public key encryption, which is: Notation: [m]k = Enck(m). 1. Rerandomizable: Given pk and c [m]k Can produce fresh ciphertext c’ [m]k. 2. Privately key-commutative: PKCR-enc exists under DDH assumption. Tool: PKCR-encryption Public key encryption, which is: Notation: [m]k = Enck(m). 1. Rerandomizable: Given pk and c [m]k Can produce fresh ciphertext c’ [m]k. 2. Privately key-commutative: – Public keys are a group with efficiently computable k1*k2, k–1 PKCR-enc exists under DDH assumption. Tool: PKCR-encryption Public key encryption, which is: Notation: [m]k = Enck(m). 1. Rerandomizable: Given pk and c [m]k Can produce fresh ciphertext c’ [m]k. 2. Privately key-commutative: – Public keys are a group with efficiently computable k1*k2, k–1 – Given secret key sk can efficiently: PKCR-enc exists under DDH assumption. Tool: PKCR-encryption Public key encryption, which is: Notation: [m]k = Enck(m). 1. Rerandomizable: Given pk and c [m]k Can produce fresh ciphertext c’ [m]k. 2. Privately key-commutative: – Public keys are a group with efficiently computable k1*k2, k–1 – Given secret key sk can efficiently: a) Computed corresponding public-key pk(sk). b) PKCR-enc exists under DDH assumption. Tool: PKCR-encryption Public key encryption, which is: Notation: [m]k = Enck(m). 1. Rerandomizable: Given pk and c [m]k Can produce fresh ciphertext c’ [m]k. 2. Privately key-commutative: – Public keys are a group with efficiently computable k1*k2, k–1 – Given secret key sk can efficiently: a) Computed corresponding public-key pk(sk). b) AddLayer( [m]k , sk ) = [m]k*pk(sk) PKCR-enc exists under DDH assumption. Tool: PKCR-encryption Public key encryption, which is: Notation: [m]k = Enck(m). 1. Rerandomizable: Given pk and c [m]k Can produce fresh ciphertext c’ [m]k. 2. Privately key-commutative: – Public keys are a group with efficiently computable k1*k2, k–1 – Given secret key sk can efficiently: a) Computed corresponding public-key pk(sk). b) AddLayer( [m]k , sk ) = [m]k*pk(sk) c) DelLayer ( [m]k , sk ) = [m]k*pk(sk)-1 PKCR-enc exists under DDH assumption. Our Techniques: 5 Topology-Hiding Voting on Cycles 4 Phase 1. Aggregate Encrypted Votes: Phase 2. Mix & Decrypt: 1 2 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: 1 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: v1 1 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: k1 , v1 1 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: k1 , [v1]k1 1 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: 1 k1 , [v1]k1 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: 1 k1*k2, [v1]k1 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: 1 k1*k2, [v1]k1*k2 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: 1 k1*k2, [v1]k1*k2 [v2]k1*k2 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: 1 2 5 k1*k2, [v1]k1*k2 [v2]k1*k2 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: 1 2 5 k=k1*k2*k3, [v1]k [v2]k [v3]k 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: 1 k=k1*…*k4*k5, [v1]k … [v5]k 2 5 … 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 1. Aggregate Encrypted Votes: 1 k=k1*…*k4*k5, [v1]k … [v5]k 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 2. Mix & Decrypt: 1 k=k1*…*k4*k5, [v1]k … [v5]k 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 2. Mix & Decrypt: 1 k=k1*…*k4*k5, [v(1) [v[v 1]k ]… 5]k(5)]k k… 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 2. Mix & Decrypt: 1 k’=k1*…*k4, [v(1)]k’ … [v (5)]k’ 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 2. Mix & Decrypt: 1 2 5 k’=k1*…*k4, [v(1)]k’ … [v (5)]k’ 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 2. Mix & Decrypt: 1 2 5 k‘=k1*…*k4, … [v(1)]k’ … [v (5)]k’ 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 2. Mix & Decrypt: 1 k1, [v’(1)]k1 … [v’(5)]k1 2 5 k‘=k1*…*k4, 4 3 …[v (1)]k’ … [v (5)]k’ Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 2. Mix & Decrypt: 1 k1, [v’(1)]k1 … [v’(5)]k1 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 2. Mix & Decrypt: k1, [v’(1)]k1 … [v’(5)]k1 1 2 5 4 3 Our Techniques: Topology-Hiding Voting on Cycles Protocol Phase 2. Mix & Decrypt: v’’(1) … v’’(5) 1 2 5 4 3 Our Techniques: Reductions Toy Problem: Our Techniques: Reductions 1 Toy Problem: Settings: Arbitrary graph, 2 5 4 3 Our Techniques: Reductions 1 Toy Problem: 5 Settings: Arbitrary graph, with cycle traversing the nodes. 2 4 3 Our Techniques: Reductions 1 Toy Problem: 5 Settings: Arbitrary graph, with cycle traversing the nodes. 4 Nodes know their local-view on cycle. 2 3 Our Techniques: Reductions 1 Toy Problem: 5 Settings: Arbitrary graph, with cycle traversing the nodes. 4 Nodes know their local-view on cycle. Observe: Topology-hiding voting on cycle-traversal Topology-hiding voting on underlying graph. 2 3 Our Techniques: Reductions 1 Toy Problem: 5 Settings: Arbitrary graph, with cycle traversing the nodes. 4 Nodes know their local-view on cycle. 2 3 Observe: Topology-hiding voting on cycle-traversal Topology-hiding voting on underlying graph. Reductions Outline (simplified): 1. Find cycle-traversal (local views) while hiding topology 2. Run topology-hiding voting on this cycle-traversal Finding Cycle-Traversal Questions: Does a cycle-traversal always exist? Finding Cycle-Traversal Questions: Does a cycle-traversal always exist? Can it be found efficiently? Finding Cycle-Traversal Questions: Does a cycle-traversal always exist? Can it be found efficiently? Can it be found topology-hiding? Finding Cycle-Traversal Questions: Does a cycle-traversal always exist? Yes, in every (connected) graph. Can it be found efficiently? Can it be found topology-hiding? Finding Cycle-Traversal Questions: Does a cycle-traversal always exist? Yes, in every (connected) graph. Can it be found efficiently? Can it be found topology-hiding? Yes, in every (connected) graph. Finding Cycle-Traversal Questions: Does a cycle-traversal always exist? Yes, in every (connected) graph. Can it be found efficiently? Can it be found topology-hiding? Yes, in every (connected) graph. Yes, in trees. Finding Cycle-Traversal Questions: Does a cycle-traversal always exist? Yes, in every (connected) graph. Can it be found efficiently? Yes, in every (connected) graph. Can it be found topology-hiding? Yes, in trees. Roughly, in small-circ. Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a g b d e c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d g 1 2 e 4 3 c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d g 1 2 e 4 3 c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d g 1 2 e 4 3 c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d g 1 2 e 4 3 c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d g 1 2 e 4 3 c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d g 1 2 e 4 3 c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d g 1 2 e 4 3 c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d g 1 2 e 4 3 c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d g 1 2 e 4 3 c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d g 1 2 e 4 3 c h f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a a a b d g 1 2 e 4 3 b f d d c h g e e e e c h g f Finding Cycle-Traversal in Trees Convert-to-Cycle(N(v)=(u1,…,ud)) Forward messages arriving from ui to ui+1 a b d a b g 1 2 e 4 3 a f d g g e e f c h c d e h e Finding Cycle-Traversal in Trees What’s the cycle’s length? a b d a b g 1 2 e 4 3 a f d g g e e f c h c d e h e Finding Cycle-Traversal in Trees What’s the cycle’s length? • #(copies of v) = deg(v) a b d a b g 1 2 e 4 3 a f d g g e e f c h c d e h e Finding Cycle-Traversal in Trees What’s the cycle’s length? • #(copies of v) = deg(v) • Cycle’s length = sum of degrees a b d a b g 1 2 e 4 3 a f d g g e e f c h c d e h e Finding Cycle-Traversal in Trees What’s the cycle’s length? • #(copies of v) = deg(v) • Cycle’s length = sum of degrees = 2|E| a a b d b g 1 2 e 4 3 a f d g g e e f c h c d e h e Finding Cycle-Traversal in Trees What’s the cycle’s length? • #(copies of v) = deg(v) • Cycle’s length = sum of degrees = 2|E| a a = 2(n-1) b (for trees) b d g 1 2 e 4 3 a f d g e g e f c h c d e h e Finding Cycle-Traversal in k-Circumference Graphs Main Steps: I. Devise info-local algorithm for finding cycle-traversal. Finding Cycle-Traversal in k-Circumference Graphs Main Steps: I. Devise info-local algorithm for finding cycle-traversal. 1. Find spanning-tree T, info-locally 2. Find cycle-traversal on T. Finding Cycle-Traversal in k-Circumference Graphs Main Steps: I. Devise info-local algorithm for finding cycle-traversal. 1. Find spanning-tree T, info-locally 2. Find cycle-traversal on T. II. Hide-topology: Finding Cycle-Traversal in k-Circumference Graphs Main Steps: I. Devise info-local algorithm for finding cycle-traversal. 1. Find spanning-tree T, info-locally 2. Find cycle-traversal on T. II. Hide-topology: Run “under-the-hood” using topology-hiding MPC: “find cycle-traversal & topology-hiding voting on it” Finding Cycle-Traversal in k-Circumference Graphs Main Steps: I. Devise info-local algorithm for finding cycle-traversal. 1. Find spanning-tree T, info-locally 2. Find cycle-traversal on T. On k-neighborhood k-diameter graph II. Hide-topology: Run “under-the-hood” using topology-hiding MPC: “find cycle-traversal & topology-hiding voting on it” Conclusions & Subsequent Works This work: Topology-hiding broadcast is feasible for large-diameter graphs, including: cycles, trees, low-circumference graphs. Conclusions & Subsequent Works This work: Topology-hiding broadcast is feasible for large-diameter graphs, including: cycles, trees, low-circumference graphs. Open Questions (summer 2016): – Fail-stop / Active Adversary? – Other large-diameter graphs? Peek Preview: Subsequent Works • Ball-Boyle-Malkin-Moran (to appear): Topology-hiding computation against fail-stop adversary for all graphs* using secure hardware *with (unavoidable) bounded leakage • Akavia-LaVigne-Moran (to appear): Topology-hiding computation against passive adversary for all graphs without secure hardware! Open Questions Spring 2017 • Fail-stop / Active Adversary without secure hardware? • Dynamic graphs? (work in progress) T a n k h u Y o ! u
© Copyright 2026 Paperzz