 Okay, so let's see So you all know MPC you have n parties and your goal is somewhat to construct such a trusted guy in the middle there The challenge of course is that certain guys are dishonest and now it's well known that many protocols You can use to to achieve this talk task. However now Let's look at this situation here. We have an incomplete network. Okay. We want to do the same We want to build a trusted party Okay, what can you do? Well It's well known what you do first you complete the network using secure message transmission And then in the second step you can do MPC on top Now if you look at classical secure message transmission protocols What they have in common is that the network graph of the incomplete network is assumed to be public knowledge Okay, and the protocol may depend on that Knowledge now if you consider certain networks like real-life applications the network might contain Confidential information for instance if your network is based on social a social network. Okay, so you know certain guys and you talk with those Well, maybe you want to hide that information. Okay, so Therefore it would be bad if you would use a classic secure message transmission protocol if you want to hide this information This led to the notion of topology hiding communication, which was introduced at last year's TCC And the goal there is okay. You still want to complete the network, but this time the graph is the secret Okay, so no one should learn it Now it's so if it's clear that Somehow parties need to know at least some information about the graph. Okay, for instance, you need to communicate with your neighbors You know your friends. Okay, so For instance, if you consider that guy here He knows Those his neighbors here, but he should not learn more about the graph, right? He should not learn that for instance Those two guys here know each other Okay, so more formally. Here's our communication model We have this those end parties up to T of them are dishonest we look at synchronous communications of protocols proceeding rounds This incomplete network. Okay, it consists of private secure channels Then we have the network graph, which is from some family of graphs. Okay They should be at least connected. Otherwise, it's hard to complete the network and It could be an arbitrary graph out of this family of graphs. Okay, and kind of this family That's all the information, you know about the graph As I said before you can communicate with your neighbors and this means that the adversary knows the neighborhood of all dishonest parties Okay, so The security we consider a simulation base. So the idea is in the real world. You have the incomplete network You you run your secure message transition protocol and here on the right in the ideal what you have is you have the complete network and Additionally have still given the incomplete network and you have to simulate whatever you see in the real Using this ideal world here The idea is that the incomplete network is completely independent of the graph of the graph of the network You have given and so the only information the adversary learns in the ideal world is actually kind of the neighborhood of dishonest parties Okay, so that's kind of the idea of this topology hiding communication So what is known well as I said it was introduced at last year's TCC by Moran et al And so they looked at the feasibility of this topology hiding communication in various models So here's bad news if you consider unbounded adversaries. It seems not to be possible. There will be some leakage In general The same is true if you look at fail stop adversaries Okay, so kind of an adversary who can just make its party stop at any time The issue here is that if you have a cut vertex in your graph for instance this guy here So the adversary can actually find out whether guys cut vertex or not Okay, just stop it and then see whether you can still communicate over the whole graph or not Okay, so these limits the possibilities we have So what they show is actually that if you have computationally bounded semi honest adversaries, so curious adversaries Then it's possible. Okay, you can achieve static security against an arbitrary amount of corruption The idea of their protocol is to use MPC in MPC in MPC in MPC. Okay to hide the network topology They use this recursive MPC approach like virtual parties However, this makes it a bit Involved and also inefficient. Okay, it gives you a huge blow up. For instance, what they they need is Public key encryption in a white box manner in an MPC. So you need to do Encryption and decryption of in the MPC. Okay, and then you do this recursively Okay, so the question is can you do this with less heavy tools? Okay, and for instance the natural question is can you do it just with encryption? Okay, we want to hide information. So let's encrypt and Our results are well, we have the same setting here. So computationally bounded semi honest adversaries and In this work here, we present a protocol which is just based on the DDH assumption We only use black box encryption Okay, so we do not have any MPC in MPC. It's just plain encryption and sending around messages And this leads to a simple protocol structure. Okay, and on top of such a protocol We then also describe applications. I mean classical application as before is MPC as was introduced in the TCC result Well, we especially focus on in our paper is topology hiding anonymous broadcast. So this is a broadcast way not only Hides the sender of the message, but you also hide any information about the network. So that's kind of complete anonymous communication Now in the rest of this talk, I want to focus on this protocol I want to give you some idea of how you can achieve topology hiding communication just using a threshold encryption Okay, but first let's start simple. Let's try to do this Communication so first of all as we are in the semi honest setting it's enough to actually construct binary broadcast Okay, once you have binary broadcast you can broadcast public keys and then you can complete the network Okay, so from now on we just want to focus on binary broadcast Okay, so here's the first attempt. How can we do this? Well, it's simple. Okay We have a sender here with its bit and we want to broadcast that value. So simply flood it Okay, it sends it to all its neighbors and so on and so on until you do this like a diameter many rounds You're done. Okay, then everyone in the network has actually learned this bit However, it's quite clear that this approach is not topology hiding at all Okay, for instance, if you consider that guy here, he can actually learn its distance to the sender by just Timing we have rounds. Okay timing the number of rounds until it gets the bit Okay, it's even worse. He can actually find the direction to the sender Okay, he now knows that those two guys sent him the bit So he knows the shortest path to the sender is actually over this or that note Okay, so this means the message pattern in this case leaks information about the network topology Okay, so can we do better? Yes, we can It's simply by using an ore flooding Okay, so in this case when you not only have this bit of the sender, but everyone has a bit Okay, sender has its bit B and the others have the input bit zero And so what we do now in this ore flooding is the following in each round You just send your current bit to all your neighbors Okay, and you compute the ore of the received bits. Okay, for instance, if you consider that guy here in the middle He receives all the bits of its neighbors and from the sender. He actually receives the real bit Okay, it computes the ore and this gives him the actual bit of the sender and you now repeat this process Enough rounds and then everyone has actually the bit of the sender So in the end what we do in this or flooding we compute the ore of all input bits However, it's quite clear that this is also not topology hiding because if say the sender has an input one Then you can do the same timing attack as before you just count the number of rounds until you see a first one And then you know the distance to the sender Okay, so not only message pattern, but also the message content leaks information about the topology And that's where we can now go and use encryption. Okay, so here's a third attempt Now assume that out of the nowhere suddenly parties have a public key Okay, everyone has the same public key and there is some trusted guy here at the bottom who has the secret key Okay, no one else knows the secret key. So what you can do now is you encrypt your message Okay, and now we do the same as before we just do this or flooding using encrypted values Okay, so you send around cipher text you compute the ore on the cipher text And if you do this in off rounds in the end what you have is a cipher text here Which contains the ore of all bits? Okay, and then you can send this cipher text to the trusted party the trusted party decrypt it for you and voila You have binary broadcasts Okay, there's there are some issues here. Okay first we have now assumed setup. This is bad We would like to do this without setup Second to compute the ore on us on cipher text. That's not so easy. Normally cipher texts are homomorphic with respect to addition So it's not so clear how we can do this or computation there and third obviously We do not have a trusted party which decrypts the values. Okay So how can we solve those problems? Well, the answer is our main tool is threshold encryption Okay, so here's the classical way of one looks at threshold encryption So you have a trusted party which computes you a public key and key secret key shares Okay secret key shares are given to the shareholders and the public key is given to some guy who wants to encrypt values Okay, but the guy has a message he can encrypt it and give it to someone else who has now the cipher text And now to decrypt what you need to do is you need to send the cipher text to the shareholders Okay, which then compute you what we call a decryption share and Using all those decryption shares you then can get back the message. Okay. Now in our case the threshold It's it's a full threshold. So n out of n threshold So you need all decryption shares in order to decrypt the message However, we cannot use directly this traditional threshold encryption because we do not have such a trusted guy who Distributes keys. So what we need is a decentralized way to generate the shared key So instead of having a trusted party what we need is we need a local key generation So part is the key the shareholders here. They can actually compute their own key keys Okay, public key and a secret key and what you can do then you can send around those public keys You can homomorphically add them up. Okay, and what you get is then this kind of composed public key Okay, and with this public key you can then do the same thing as before and We also assume same similar way that decryption shares are also homomorphically. Okay So now we no longer have a trusted party, but we can now decentralize generate the public keys And we can also decentralize do this decryption Okay, now, how can you achieve that? That's I mean, that's a nice property But how can you do that? Well, you can use do that using a DDH based encryption So Ilga Mol style threshold encryption will do the job Okay, this is a special property if you look at by encryption. It's not so clear if you have this property So that's quite cool that we have this type of encryption. So how can we now do the setup? Okay, so ideally as I said before ideally everyone has now this composed public key Okay, where shareholders all the parties have a key share. Okay, and then you could do this encryption stuff However, there's a problem. You need to be able to distribute that key. Okay, so that's kind of a circle So we have to weaken our goal. And so the idea is each party gets its own key. Okay Again, the key is still shared among everyone So in order to decrypt under that public key, you need actually all the key holders So all parties but Now every party has their own key and moreover, we do not distribute the key yet. So the key is just locally. Okay And how can you do that? Well, here's the idea If you have a graph of a diameter delta all parties are within my delta neighborhood. Okay So now you can recursively compute a public key which is shared among all parties Okay, so the idea is we do not compute one key We compute the whole series of keys. Okay, like pkk where this pkk is actually shared among my k neighborhood So k neighborhood means all parties within distance k of myself Okay, so this looks then like the following. So we have here pi in the middle who wants to have say a level k Public key. So what what do we do? Well, it's simple the part all its neighbors actually compute the level k minus one public key Okay, a public key, which is shared among their k minus one neighborhood And send it to the PI and PI and I can just Add them up and then you have a level k public key Okay, why is this topology hiding? Well, it turns out you cannot do it for one party Directly you have to do it in parallel for all parties. Okay, otherwise the message pattern will get you So here's the protocol idea So in the first round, okay, you do a level zero keys level zero keys That's just yourself you use this local key generation compute the public key and the secret key, which is now your key share How again, how do you get the level one key? Well simple send your level zero key to all your neighbors Okay, and now you receive the bunch of level zero keys You just add them up and now we have a level one key Okay So a key where the the secret keys are is shared among your immediate neighborhood and now you can continue this scheme As I said before here for level k You just need k minus one keys and if you do this long enough like diameter many rounds Eventually every party holds a public key which is shared among all the other parties Okay, so all we need to know here is let's say an upper bound on the diameter of the graph Okay, and that's how you actually compute the setup now here The next step was this or computation. Okay, so in the flooding protocol We had the ore computation during this flooding in each round you computed an ore. However, it's actually enough If you compute this or a right once, okay So the idea is each party has its own composed public key Okay, and it has an input bit the idea is the sender inputs his real message bit all the other parties input zero And so the ideal output would kind of be the ore which is encrypted of course under your own public key And the idea would be yeah, if it's zero if all bits of zero otherwise, it's one Okay, but you cannot have that. Okay, the issue is here Ciphertexts are homomorphic with respect to addition so you cannot directly get this So here we use a trick We encode the ore. Okay, so instead of saying zero one what we do is we just say, okay If all bits are zero we have zero and otherwise, it's just the random value inside the encryption And that you can get actually again in a recursive manner using this Neighborhood trick what you do is you actually compute Summs weight and sums of the bits where the weights are random Okay, so if your bits are all zero independent of the weight the whole sum is zero Otherwise, if you have at least one bit, which is non-zero you have a uniform random value in here So okay, and hopefully with The bit is non-zero. Okay, so you have a slight error probability in here, but if you have a large enough field, that's fine Okay, so this way you can now actually compute a ciphertext for each party which contains the ore Okay, you do this again in parallel for all parties to hide the message pattern Now all the remains is decryption and the idea of decryption is as follows the input is now this ciphertext containing your encoded ore and All the parties now have key shares. Okay for my public key And so we what we do is we want to decrypt this and we can do this similar to this or computation So the idea is I send out my ciphertext. Okay, which I want to do have to grip it Use when I send out this ciphertext actually you have to be careful. You cannot just send it out You have to blind it. Otherwise you leak information And what I get back are those Decryption shares which we can homomorphically add up so essentially ciphertext goes out and decryption shares come in Which allows me then to decrypt the ciphertext So in summary the protocol works as follows first you generate this setup so At the end of the setup every party has its composed public key Then we compute the ore Okay, the idea is that this ore Contains the actual bit of the sender if everyone else input zero. We are in the semi honest setting. That's fine And then we decrypt. Okay, so this way you can actually achieve binary broadcast just using threshold encryption Yeah That's it questions