 Hello, thank you for listening to this talk about topology-hiding communication from minimal assumptions. This is joint work with these lovely people, Marshall Ball, Iled Boyle, Rhan Cohen, Lizzacolle, and Zitalz Malkin, and Moran. Our weak cryptographers are naturally distrusting people. If we run some joint computation, we'll want to keep our inputs private, if at all possible. And we can do this by running a secure multiparty computation protocol, or MPC. This is possible in this case because everyone is both willing and able, thankfully, to communicate with everyone else. As you can see, the communication graph where each edge represents a secure point-to-point channel is a complete one. However, in most real-world peer-to-peer networks, it won't be the case. It will actually be an incomplete network. To make matters worse, the structure of the network will often reveal sensitive information the parties would rather keep private. For instance, if I get to know who's talking to who, I may learn such things as geographic proximity between participants, friendship relations, absence of friendship, or I could learn about some back-channeling I wasn't supposed to know about. So in this case, the parties will want to run, instead, a topology-hiding computation protocol, or THC. I'll define it in a minute, but it essentially means that at the start, each player only gets to know his local view of the network, and the computation running it should not leak any information about the structure of the graph at all. So what do I mean by a local view? Considering this example from the point of view of party number four, here in red, four only gets to see who his direct neighbors in the graph are, not who else may be participating in the computation, nor how the other players may or may not be communicating. Now that we have this, we can define roughly what topology-hiding computation is. Parties know their local view, but that's it. They should not learn anything else when running the topology-hiding computation protocol. Now, what makes this notion harder to achieve than normal MPC? Well, we have a restricted communication model, restricted information available to the players about the network, and an extra privacy requirement that the topology should not leak. All of this makes it harder. So much harder, in fact, that if you look at the history of THC, the entirety of the first era, so for the antiquities of the latest, if you will, was all about trying to achieve THC against semi-honest adversaries. Now, the approach they used of incrementally starting with achieving THC for small graphs, extending to large but very structured graphs, such as paths and cycles, to finally achieve the topology-hiding computation on all graphs, is insightful, and it's an approach that's kept in later words, this idea that if you want to understand the topology-hiding computation, it's always a good idea to start with simpler graph classes to develop an intuition about what's going on for more complex ones, and even that simple graph classes are interesting on their own. So in the second phase, the remissance, if you want, the question was to try and go even beyond semi-honest adversaries and tolerate even stronger corruption models, and skipping ahead, a recent work tackles the problem of dealing with asynchronous networks. And if I summarise one way of summarising all these works, red, blue and green, is to say that they all roughly tried to establish protocols for topology-hiding computation in the hardest possible conditions, the hardest possible settings, adversarial settings. And they did so using strong tools, such as public cryptography or secure hardware. In contrast, there was a trend, what we call modern THC, which emerged, and which was all about revisiting simpler settings. Indeed, works predating the term topology-hiding computation itself suggested that it would be impossible to achieve the notion of information theoretically, if you wanted to do it on all graphs. But that left a bit of leeway of considering simple graph classes and very few corruptions. And there was a push to investigate this last year, and they raised the question of trying to understand when is information theoretically topology-hiding computation possible. This work, in many ways, laid the foundation for our own. So what we're doing, in a sense post-modern THC, is all about trying to deconstruct it and understand the core difficulty of it by stripping it down to the very minimalistic setting. We'll consider only the simplest functionalities of the broadcast type, and only the simplest kind of add series, a single semi-honest corruption, which honestly is almost, it's almost not adversarial at all. And in this minimal setting, we would like to understand what are the minimal tools that are required to hide the topology. So I'll be using the abbreviation 1thb and 1thab to use a secret to denote topology-hiding broadcast and the nominal broadcast against one semi-honest corruption. The setting is so minimal that it's actually could be essentially trivial if we didn't care about hiding the topology. But concretely, the problem we prefer to solve is the following. You give me a graph class, and I'll tell you what kind of assumption, what kind of tools you'll need in order to do the topology-hiding broadcast and the nominal broadcast against one corruption. Now perhaps surprisingly, you might think that since there are so many graph classes, it might be that there's a whole zoo of assumptions. As it turns out, there are only three of them that we've found. So what kind of results do we get? I'll start by presenting a simplified version, when instead of showing you our results for all graph classes, I'll focus on the maximal classes, so for instance, all two connected graphs, all graphs, that sort of thing. And already for topology-hiding broadcast, we have this nice dichotomy between the what is possible information theoretically and what is equivalent to key-agreement. What's nice is that there's a nice correspondence between the purely cryptographic notion of what kind of tools you'll need and the purely graph-theoretic property of true connectivity. And if you look at what happens for anonymous broadcast, it's essentially the same thing, except you now have a second dichotomy, this time between key-agreement and oblivious transfer. So the separation in this case is about having a guaranteed on its majority or not. Having the path of length two somewhat complicates things, and makes it so that you sometimes have to require OT. So for the remainder of this talk, I'll focus on showing you two of our results. The first is why introducing this path of length two implies OT sometimes, and the second result I'd like to show is our main feasibility result. How can you achieve information theoretically polytyping broadcast on the class of all two connected graphs? Let's now show our first result, the oblivious transfer low-round. This is our setting. We'd like to show you that topology and not hiding anonymous broadcasts on this class of paths of length two and three requires OT. And we'll actually start by showing something simpler, that if you can do such an anonymous broadcast in two rounds only, then you get OT. And we'll show it by taking such a protocol and explicitly constructing a two-party semi-honest AND functionality from it, which in turn implies OT. This is the setting for the two-party AND. Two players, Alice and Bob, hold inputs x and y, and they'd like to compute the AND of their inputs. In the first step, Alice samples a long random string and sends it to Bob. Then she's going to emulate virtual parties depending on her input, either one of them or two of them. And Bob does something similar. They're now going to collect their virtual parties on the line, with Alice's notes on the left and Bob's notes on the right, and they're going to run the topology-hiding anonymous broadcast protocol on this path, having Alice's left-most party always broadcast the long random string R. Now Bob looks at the result of this anonymous broadcast. If all of his notes output the long random string R, he sets his output to 0. If they don't, he'll set it to 1. And Alice learns from Bob what this is. So why is this protocol correct? Well, there are four cases for what may be going on. Four different paths. In the first three cases, your notes at the paths obtained are perfectly within the graph class. Therefore, by correctness guarantee of the anonymous broadcast protocol, all of the players, in particular all of Bob's players, are going to output the long random string R. However, in the last case, I claim that one prime cannot possibly output the long random string. Why is that? Well, the protocol runs in two rounds, and one prime is three steps away from the broadcaster. So he can't get the message in time. This means that Bob, who is simulating party one prime, gets to identify this case. This is the case where x and y are both equal to 1, which is exactly the case where the AND of x and y is equal to 1. This means that Bob, by just looking at whether all of his parties output the long random string or not, can determine what the AND of Alice's and Bob's inputs are. Therefore the scheme I described is correct. Let's now argue why it's secure. Well, recall that the key observation is that in a two-party AND functionality, if a player holds input 1, he knows everything. Why? Because if he holds input 1, then he knows that the other player's input is exactly the output. So the only case in which we have to hide something from a player is if he holds input 0. So for instance, what happens if Alice holds input 0? Well by design, she's only simulated one player. That means that since the topology-hiding and randoms broadcast protocol is secure against one corruption, that means that Alice has no hope in distinguishing between the two paths 2-3 and 2-3-1 prime. But knowing that topology is exactly the same thing as knowing what Bob's input is, that's why. Therefore, she knows absolutely nothing about Bob's input. And something completely similar is going on for when Bob holds input 0, which means that when one of them, whoever holds input 0, knows nothing about the other player's input, which guarantees security of the scheme I described. So recall, the scheme is, they simulate passes according to their input bit, they put them on a line, they run the topology-hiding and randoms broadcast protocol on it, and depending on whether all of Bob's nodes output a long random shape or not, they output 0 or 1. So I showed that if you had a two-round anonymous broadcast, then you had OT. Can we do better? So where did we use the fact that the protocol ran in two rounds? It was so Bob could identifiably know when the case was that X and Y were both 1. So the protocol would break when we run it on two longer paths. Now what happens if I just run this protocol to the exact same thing, but now using a topology-hiding anonymous broadcast protocol, on which you gave me no guarantees on the round complexity? Well in that case, there are two options, either the protocol still breaks when I run it on this path 1, 2, 3, 1 prime, or it doesn't. If it breaks, we're good, we can just, as before, the frame works exactly as before, but if it doesn't break, it means that the protocol you gave me is actually topology-hiding against a stronger class than just path 2 and 3. It's the path 2 and 3 plus you can add in this new path 1, 2, 3, 1 prime. And what we could show, and we do it in the full version of the paper, is that if you take this new class and basically bootstrap the protocol on itself, having Alice and Bob now simulate longer and longer half-paths than rather than this half-paths of length 1 or 2, then you can try again and see if the protocol breaks, and so on and so on, and bootstrap it again and again until you've constructed half-paths so long that the paths will have to be longer than the round complexity can make secure. So what this means is that if you have a constant round protocol for topology-hiding broadcast, you'll be able to get a previous transfer from it, but that's just the vague idea and I refer you to the full version of the paper for the details. Let's now show our second result, that topology-hiding anonymous broadcast against one passive corruption is possible information theory. So this is our setting, but for simplicity I'll restrict the graph class to only those graphs with exactly n vertices that all the players. And instead of showing you how to achieve anonymous broadcasts, I'll instead show how any two players here, s and t, can emulate a secure channel between them. So this is in fact sufficient in this case to achieve anonymous broadcasts, but I won't show it, just trust me. So what are the requirements for this functionality? s wants to send a message securely to t, meaning t should get the message, none of the other players should learn it, and we still want to hide the topology. And I'll put it to protocol in three steps. First, I'll show how to achieve the secure message transmission functionality if the network is public. Then, I'll show how this can still be done if knowledge of the graph is now distributed and the players only each only knows their local views, but in this case we won't mind if t learns topology. And finally, in the last step, I'll show how this can be tweaked so that no one learns the topology, so that it's in fact topology hiding. So starting with the case when the graph is public, since it's public we can canonically fix a bipolar orientation from s to t, otherwise known as an s-t orientation. So what this does is it fixes an origin from 1 to n, where s has rank 1 and t, to sync, has rank n. And the protocol works as follows. In the first round, s additively secretures the message for t in two parts and sends them to a descendants, so 1 part for 2, 1 part for 3. In the second round, the player with rank 2 in the ordering takes the share she received from s and secretures it between 3, 4 and 5. 3, 4 and 5. In the third round, player with rank 3 adds the share he received from s in the first round and the share he received from 2 in the second round, takes the sum, additively secretures it in two parts and sends 1 share to 4, 1 share to 6. When it's the turn of a neighbor t, 4, they do the same, but for now they hold on to the share they prepared for t. This isn't strictly necessary now, but will be very useful in later protocols. So after all is said and done, I claim that the message that t intended for s, sorry s intended for t, is additively secretured in the neighborhood of t, here between 4, 5 and 6, or rather the parties with ranks 4, 5 and 6 in the ordering. So these parties can just send their shares t and t can reconstruct the message. This scheme terminates and is correct because the orientation of the graph is a cyclic and by properties of additively secretaring and resharing of shares. And I claim that the intermediate parties, ranked 2 to 6, don't turn to bit because the graph is too connected. That means that a single corruption cannot intercept all the shares, as they'll always be around from s to t, which avoids this corruption and which passes part of the message from s to t. But this was the case where you had a single graph and the topology was known. Now what to do when the topology is not known? Parties now only know their local views and t is the only one who is allowed to learn the topology from that. So we'll fix an orientation for each graph in the class. So here h i is the orientation we assigned to g i, still s t orientations from s to t, all of them. And from the point of view of parties, so a single party, here's the red note, might have very different ancestors, the x i's, what are possibly your crimes, ranks, so here 3, 4, 3, 5 and 7, and very different descendants, here's a y's, in different orientations corresponding to different networks. And the protocol works by running in parallel modified iterations of the primitives I detailed before for a single graph, and running in parallel one per possible topology. And we'll show you how to combine them just in a minute. So the modified protocol is as follows. The one corresponding to topology g i will be, you do as exactly as before, except now, when it's the red party's turn, there are two options. Either what he sees of the network corresponds to his neighborhood in g i, in which case he does exactly the same thing, he sums the messages he receives from the x's and secretures it and splits it for the y's, or the neighborhoods don't match. In which case, the red note completely disregards whatever the x's try to send him and sends random noise to those of the y's to which he's actually connected, because recalls that since the neighborhoods are different, it might be that the red is not even connected to party y1, in which case he doesn't send anything. It's for those to which he is connected, he just sends random noise. Now, I claim that what this does is that once you reach the stage where all of these protocols reach the step where the message is secretured in the neighborhood of t, is that the neighbors now hold vectors of shares and that the shares corresponding to the real topology, so here m2, m2 prime and m2 second, will still sum up to the real message. Why is that? It's because since basically every party had recognized their local view on the topology, therefore they just ran the same protocol as before. But in all other cases, at least one party, noticed that the neighborhood in the real graph in the network was different than that in the GI. And by doing the modification we presented, like completely ignoring the shares you received and replacing them with random noise, they completely mocked up the computation for everyone else. Now it's a random message. Okay, but we're not quite done because what would happen if the neighbors x1, x2, x3 just sends these vectors t for reconstruction, t with sum up term by term and obtain the real bit, that's true, but lost in a vector of random noise and wouldn't be able to know which was the correct message. This is a music fix. Simply make the messages along the vectors and make sure that you add the real message with a lot of zeros. That makes it distinguishable from a random message, a random vector. And in this case, t learns the topology because of course, once you reconstructed the message, so if you recognize the one starting with a lot of zeros, you realize it was m2 plus m2 prime plus m2 second, which means he knows the real graph is t2. So how do we prevent t from learning this real topology? Simply, just before sending these vectors to t, the neighbors will permute them independently and randomly. What this does is that if t now wants to reconstruct the message, he'll have to try all possible combination of summing one chair from x1, one chair from x2 plus one chair from x3. So with good probability, a bit lower, you'll still find only one combination which sums up to a message starting with a lot of zeros, but now he won't be able to tell what the real graph is from because the shares have been terminated. Therefore, this protocol is now completely topology hiding because before, the other place didn't learn the topology because they were just passing on chance and now even t doesn't know it. So this concludes our claim that topology hiding among the broadcasts is possible against one production on the class of all two connected graphs. Today, we saw two of our main results, one lower bound and one first bound. So going back to the picture very quickly, I said we had clean results for maximum graph classes, to form all graphs of that. However, we also know the minimal assumption for a great many more classes. All of them, in fact, except for this gray area for which we only know that T-equipment is necessary and that OTA is sufficient, leaving open the interesting question of completely categorizing the minimal requirements for TAC. And with that, thank you again for listening and goodbye.