 All right. Good morning. Thanks for coming. So today I'm going to tell you how to get topology hiding computation on all graphs But first, let's talk a little bit about Facebook. Facebook is great It connects millions of people all over the world with their friends and families and co-authors Allows you to exchange messages Tell them how you're doing what you're doing your likes your dislikes as long as all of that information goes through Facebook in this model Facebook is a trusted third party and Using Facebook it can compute functions on your personal data and the the social graph of friends that you have at the price of Facebook knowing all of your personal data and all of your friends and this is for example why one of our co-authors doesn't use Facebook so What if we wanted to get a decentralized social network that way I could talk to one of my co-authors over Facebook now So in this model we no longer have a trusted third party and your friends can talk to you can talk to your friends your friends can Talk back to you and you get privacy both for your personal information and For the social graph so you don't need to reveal Who all your friends are to anyone else? Now you might be thinking wait we already have something that does this we get privacy for your data with Multi-party computations set it in the 80s and the setting is you have multiple parties each with their own private inputs Who jointly want to compute a function without revealing anything beyond the output of that function? however The setting for MPC has the communication top topology being public Meaning you're either dealing with a complete graph where every party can talk to every other party Or if you have an incomplete communication graph It's public and everyone knows who's talking to whom So MPC does nothing to hide any of the metadata of the computation that goes on and unfortunately Metadata is a very powerful tool as the former director of the NSA once said you can kill people based on metadata The idea is you can infer a lot from who's talking to whom And that leads us to our goal. We want to get topology hiding computation Topology hiding computation is a kind of multi-party computation that hides both the input and the communication graph It is good for this social network example There are many applications and another application is Maybe you have a vehicular network where when cars are close to each other they can communicate and Disperse information about traffic patterns hazards weather On the highway, but maybe you don't want to reveal where you are relative to other cars in this network So more formally the setting for topology hiding computation Yeah, each party has their own input for a function and parties can communicate directly only with their neighbors Our goal will be given minimal information about the graph maybe a bound on the diameter of the graph or the number of nodes We want to be able to compute any function on the inputs while revealing nothing beyond the output and this includes revealing no more information about the graph to formally define this like the security of this Model we say that an adversary who statically corrupt some set of nodes Can't tell if he's interacting with a real graph or if he's interacting with a simulated graph That so the simulator knows the output of the function and it knows the local topology of The adversarily corrupted nodes notice the simulator doesn't have an edge between nodes one and two Because he doesn't know that exists and node six isn't in the simulated graph because the adversary can't tell that that note exists Okay, this seems difficult is this even possible Well, it turns out instead of having to prove that we can get any function at all in this model It's enough to prove that we can get topology hiding broadcast So our goal is going to be to get broadcast So the setting is let's consider a naive broadcast to demonstrate this we have a broadcast node node two Here who's got a broadcast bit and wants to let everyone in the graph know the broadcast bit So in the first round nodes one and three get the broadcast bit in the next round One and three send the bit to their neighbors who get the broadcast bit and then finally Node six gets the broadcast bit from from her neighbors This is not topology hiding For the reason that it reveals the distance to the broadcaster as soon as One and three get their message in the first round They know their distance one from the broadcaster these guys know their distance two and node six knows She's distance three away So it turns out that this is even harder than we Than than that it's impossible to get topology hiding computation against any kind of the almost any kind of active adversary like Say your adversary just has the power to abort to stop communicating communication from through his node in 2015 Michelson showed that Against a fail stop adversary topology hiding broadcast is impossible and they did this just by showing that if you have an adversary like this middle adversary here who can Stop working and disconnect the graph then this reveals something about the topology of the graph However, the good news is we can get some results. We already have some results on against passive adversaries So in 2015 and 2016 There were results on getting topology hiding broadcast on small diameter graphs and then earlier this year a caveat Moran showed That you could get topology hiding broadcast on some large diameter graphs including chains cycles and trees But the question remained open is topology hiding computation possible for all graphs Well, I wouldn't be standing here If the answer wasn't yes It is and that brings us to our formal results So assuming that Decisional Diffie helmet is hard topology hiding broadcast is feasible for all graphs Explicitly our contribution. So the a Kevian Moran protocol showed that given DDH We can can get this thing called or homomorphic privately key commutative Optimizable encryption and then we show that this gets us topology hiding broadcast for all graphs Now let's focus in on this or part here so Or implies broadcasts. So we're instead of just going straight for broadcast. We're going to show actually how to compute The or of a bunch of bits on a graph So this works because the output bit is actually equal to the or of the output bit with a bunch of zeros Great. So the source node is going to have his output bit All other nodes are going to have zeros and if at the end of the computation everyone gets the or of the output bit You will have broadcasted that bit So our goal will be to compute that however Note that naive oring is not topology hiding that is if you you know Just try broadcasting your bit to your neighbors and then oring the bits you get in return You run into the same problem that you did with naive broadcast if the output bit is one you know exactly when you receive that output bit So we're going to need these these tools the first tool is we need our encryption scheme to be or homomorphic so you have Two encrypted bits and you need to be able to Homomorphically or them to get there to get the encryption of two of the or of those bits Moreover, we need to hide the number of times. We've ordered a one or a zero Even if you can decrypt the message you shouldn't be able to tell that is an encryption of a one Needs to look just like an encryption of a one or with a zero homomorphic Lee needs to look just like an encryption of a one Or with a one homomorphic Lee Turns out you can get this just using Algamol All right, this brings to mind the following construction What if we just tried the naive oring protocol, but now we encrypted our bits first and then Ored them as we went along well We run into the problem that this doesn't quite work because how do you decrypt at the end? You you run into the problem of who has the secret key? How do you get the secret key to everyone else in the graph? So we need one more Property for our encryption scheme And that is where this privately key commutative randomizable encryption comes in Notice I have a picture of an onion on the screen That is because we will be able to add layers of public keys and delete layers of public keys Okay, how do you add layers to an onion? Maybe it's more of a parfait. I Digress So when we add a layer, what do we what are we what are we doing? We have an encrypted message Under one public key and then we have a secret key that is unrelated So we have a message encrypted under the blue public key and a yellow secret key And using this we can add a yellow public key layer to our message this image might be a little bit misleading We're not re-encrypting in an already encrypted message We're actually multiplying the two public keys together So what this actually is doing is producing a message that looks like it's encrypted or actually is encrypted under the product of the two public keys Now when you delete a layer You're just doing this process in reverse you have your encrypted message that's Got this layered property and you have a secret key corresponding to one of those public keys and then you can just remove that layer Great, this is also possible using El Gamal So now that we have both of these two tools We're ready to go through a warm-up protocol before getting to our actual protocol for all graphs So I'm going to discuss the Akivia Moran protocol on getting or on cycle graphs So they're going to be two phases The first phase is a forward phase where we're going to add layers going one way around the graph The next phase is a backwards phase where we're going to remove layers Going back around the other way on the graph Let's focus on How node one is going to get the correct output bit so in round one node one is going to encrypt his bid and Then send it to node two No, too round two is going to generate a new public secret key pair add a layer homomorphic homomorphically or her own bit and then send this resulting message to node three No, three does the same thing a new public secret key pair Adds a layer or is his own bit homomorphically sends this to node four. All right. We get the idea. Hopefully No, four adds a layer or is this bit sends it to node five node five doesn't need to add another layer It just needs to homomorphically or his own bit And now we have encrypted up here the output bit And now we can begin the backwards phase and start going back around the graph Hopefully you see where this is going so node five sends this entire message back to node four node four uses the red secret key to remove the red layer Sends this back to node three node three uses a light blue secret key to remove that layer Sends it back to node two who removes a layer Sends it back to node one now node one has the corresponding secret key here. So node one decrypts the message and now has in plaintext the aura of all bits in the graph great Well, node one has the output, but we now need to make sure that every other node in the graph also gets the output bit This isn't too hard. We'll just run the same protocol Simultaneously for each node So Correctness of the protocol and run one everyone, you know sends their bit to their neighbors Run the protocol for every node every node is going to get the output bit at the end To argue topology hiding of this protocol First we have to know it that you know, everyone knows they're in a cycle So what are you hiding? You're hiding the order of the nodes in the cycle And you can see this Intuitively because of the semantic security of the encryption means you can't tell when you get a one or a zero and the Rewanimization the adding of the new public keys mean that each node's view is indistinguishable from any other nodes view Great. So our work is going to essentially extend this whole like adding layers and oaring protocol The Kevian Moran protocol had this observation that if you had a path that covered the graph Your protocol would be correct So instead of taking a prescribed path around the graph We're just going to take a random walk and as long as a random walk covers the graph will be fine We can hit the same node more than once This won't matter because oaring a bit twice is it isn't going to change the output at all and And as long as every node runs a random walk every node will get the output bit at the end So this brings the following protocol to mind every node is just going to start a random walk and By as long as it runs long enough every random walk will cover the graph and every node will get the output bit This will not be enough For the following reason so let's say let's focus on node three So let's say every one of nodes three's neighbors decides to start the random walk by sending a message to node three Node three being a diligent node is randomly independently going to decide where those walks are going to go next Well now we have a problem nodes two and seven have now learned that node three has another neighbor other than themselves Node four has learned that node three has two other neighbors and Node five has even learned something probabilistically about the number of neighbors node three has So this is also not topology hiding So to fix this if you look at the title of the slide we're going to use correlated random walks and we're going to Make sure that the graph topology doesn't affect how many messages go along each edge So we're going to have one walk per direction on each edge. This will be clear hopefully in a moment So to correlate the walks node three is going to get messages from all his neighbors walks from all of his neighbors And then he's going to generate a fresh random permutation and Then of his edges is going to permute those messages around to decide where to send them next and then he's going to send those out He gets one message in on each edge one message out and sends one message out on each of his edges and As long as you invert the permutations on the way back The protocol is still going to be correct Speaking of correctness. We have to make sure that the random walks don't actually take too long to do that We're going to talk about the cover time of a graph G The cover time of a graph is the maximum expected time it takes to visit all nodes in a graph using a random walk And we have this convenient upper bound 4n cubed on the cover time of any graph on end nodes So this means if we take about end of the four steps We will cover the any random walk will cover the graph with overwhelming probability And so we prove correctness for all of the random walks in our graph just with a union bound and So we have correctness of our algorithm. Let's finish with some security so Let's focus again on node 3 node 3 gets encrypted messages from its neighbors every round He can't tell if he's getting a 0 or 1 because of semantic security Because he's doing all of this permuting of the messages everyone else is doing permuting Rerandomization adding a public key He can't tell where any of those messages have been for example He can't tell if the message he got from node 7 came from 8 or from node 6 And this means node 3 can't tell if he's interacting with a real graph Or if a sim or with a simulator who only knows the output bit and the local information of node 3's neighbors so in the forward phase of the walks the simulator just Sends encryptions of 0 through 3 and in the backwards phase the simulator just sends encryptions of the output bit by the end of Protocol node 3 gets the output bit as expected Now to One one more fun little note here is that we can de-randomize the walks This is interesting because it brings us one step closer to getting a perfectly correct topology hiding algorithm I say one step because unfortunately We have negligible error both in the walks and in the homomorphically Secure encryption scheme the Algamol is has a negligible probability of failing so We have our universal explorer up here And we're going to be using something called a universal exploration sequence to de-randomize these walks a Universal exploration sequence is just a set for for graphs of size n is just a set of instructions Such that if you follow them for a walk you're guaranteed to hit every node in the graph Any graph of size n and the best part about these walks is that they're all relative to position and locally computable So every node in the graph can compute the same set of Instructions the same universal exploration sequence All right, I'm going to conclude with a couple of open questions So it is impossible to get topology hiding computation if the adversary can disconnect the graph But what if we don't allow the adversary to disconnect the graph But we still will let him deviate from the protocol in some way then there's also the question of Dynamic graphs in the example where you have cars on a highway communicating locally with each other You always have cars entering the highway and leaving the highway So the graph is going to be changing but not adversarial II And finally here is a slide reviewing the algorithm Thank you