1 Introduction

In the setting of secure multiparty computation (MPC) [8, 15, 21, 33], a set of mutually distrusting parties wish to jointly perform a computation, such that no coalition of cheating parties can learn more information than their outputs (privacy) or affect the outputs of the computation any more than by choosing their own inputs (correctness). Seminal results initiated in the 1980s [8, 15, 21, 33], showed feasibility of MPC for general functions in many settings. The original definitions—and most works in the rich field of research they gave rise to—assume the participants are connected via a complete graph: i.e., any pair of parties can communicate directly with each other. However, in many settings the communication graph is in fact partial (either by design or by necessity). Moreover, as we discuss below, the network topology itself may be sensitive information to be hidden.

Several lines of work have studied secure computation over incomplete networks, in different contexts, but without attempting to hide the communication graph. For example, beginning with classical results in Byzantine agreement [17, 20], a line of work studied the feasibility of reliable communication over (known) incomplete networks (cf. [4,5,6, 9, 13, 18, 19, 28]). More recent lines of work study secure computation with restricted interaction patterns, motivated by improving efficiency, latency, scalability, usability, or security, including [7, 10, 11, 14, 22,23,24]. Some of these works utilize a secret communication subgraph of the complete graph that is available to the parties as a tool to achieve their goal; e.g., [10, 11, 14] use this idea in order to achieve communication locality.

Topology-Hiding Computation. Moran et al. [31] initiated the study of Topology-Hiding Computation (THC), addressing the setting where the communication graph is incomplete and sensitive. Here, the goal is to allow parties who see only their immediate neighborhood (and possibly know that the graph belongs to some class), to securely compute arbitrary functions without revealing any other information about the graph topology. THC is of theoretical interest, but is also motivated by real-world settings where it is desired to keep the underlying communication graph private. These include social networks, ISP networks, vehicle-to-vehicle communications, wireless and ad-hoc sensor networks, and other Internet of Things networks.

THC protocols have been studied within two adversarial settings. In the semi-honest setting, the adversary follows the prescribed protocol but attempts to extrapolate disallowed information. In the fail-stop setting, the adversary may additionally abort the computation of parties at any point. Most existing THC protocols focus on the former, semi-honest setting, and this will also be our focus in this paper. We mention that in the fail-stop setting, Moran et al. [31] showed that THC is not possible except for extremely limited graphs/adversarial corruption patterns, and Ball et al. [3] and LaVigne et al. [29] showed how to achieve it with small leakage, assuming a secure hardware setup assumption, and assuming the hardness of decisional Diffie-Hellman (DDH), quadratic residuosity (QR), or learning with errors (LWE).

For the rest of this paper we assume the semi-honest setting (although some of our results could potentially be extended to fail-stop or malicious settings). In this regime, after several protocols achieving THC for various subclasses of graphs (log-diameter, cycles, trees, etc.) [1, 26, 31] from different cryptographic assumptions, Akavia et al. [2] showed how to achieve THC for all graphs from the DDH or QR assumptions, and LaVigne et al. [29] from LWE.

Our Question: Information-Theoretic THC. Existing topology-hiding computation protocols provide a strong notion of hiding all information about the graph against an adversary who can corrupt an arbitrary number of parties. On the other hand, these existing protocols use structured cryptographic assumptions such as DDH, oblivious transfer (OT), or public-key encryption (PKE) with special properties, or even stronger assumptions such as a secure hardware box [3] to achieve more practical efficiency.

In this paper, we ask whether we can hide topology information theoretically, against a computationally unbounded adversary (in the plain model, with no correlated randomness or other trusted setup). A similar question, albeit only for (non-private) communication, was considered by Hinkelmann and Jakoby [25]. They claim an impossibility result for the class of all graphs, as well as a positive result showing an information-theoretic all-to-all communication protocol that leaks specific information about the graph (routing tables) but no other information. In contrast, here we are interested in (positive and negative) results for subclasses of graphs, as it is typically the case in applications of THC that the graph belongs to a certain known class. Looking ahead, we will see that what graphs are allowed and how they are chosen plays a crucial role for the feasibility of information-theoretic THC.

Ball et al. [3] have also considered this question, and showed that in their setting—semi-honest, arbitrary number of corruptions—the answer is negative. Specifically, they prove that even semi-honest secure topology-hiding broadcast for four parties or more, implies OT. Note that standard information-theoretic MPC for broadcast (where topology can be revealed) is trivial in the semi-honest setting, since there is nothing to hide: simply “flooding”—i.e., forwarding received messages to all neighbors—for sufficiently many rounds, works. Their proof crucially depends on the adversary corrupting at least half of the parties, namely no honest majority. This brings up a natural question, which we study in this paper:

Can we take advantage of a low corruption threshold to achieve information-theoretic topology-hiding computation?

This question is particularly natural when we consider how fruitful this approach had been in the realm of standard (topology-revealing) secure computation. Indeed, classical results [8, 15, 32] show information-theoretic protocols for secure computation of general functions with an honest majority. However, in the topology-hiding realm, this question remained open (and explicitly mentioned in previous works such as [3]). In fact, the question was open even for the special case of topology-hiding broadcast (THB), where no privacy of inputs is required.

In this paper, we prove several results answering the above question, both negatively and positively, in different settings. All our positive results hold for general THC and all our negative results hold even for THB. Below we first describe our results for the standard definition of THC. We then discuss a new weaker definition of distributional-topology-hiding computation that we put forward, together with our results for this definition (as well as motivation and applications of this relaxation). Our results deepen our understanding of the nature of topology hiding, and point to a rich terrain of possibilities and applications of THC.

1.1 Our Results: Standard (Strong) Topology Hiding

We start by presenting both feasibility and infeasibility results of information-theoretic THC according to the standard definition from [30].

Broadcast on a Line Implies Key Agreement. We identify a large class of graphs for which information-theoretic THC is not possible, even when the semi-honest adversary can corrupt just a single party, and even without relying on input privacy.

Theorem (informal): Topology-hiding broadcast for a graph with four parties on a line, resilient to one semi-honest corruption, implies key agreement.

Note that this theorem is for THB. Information-theoretic THC is trivially not possible here because the graph is only 1-connected, hence no privacy is possible with one corruption [18] (recall that we do not have any setup or correlated randomness).

At a high level, our key-agreement protocol considers two permutations of the four nodes: \(G_0=(1-2-3-4)\) and \(G_1=(2-3-4-1)\) (see Fig. 1), with party 1 acting as the broadcaster. In this setting, a corrupted party 3 cannot distinguish which topology is being used: namely, whether 1 is a neighbor of 2 or of 4. This gap can be used to achieve a two-party key-agreement protocol. Consider an execution of the THB where Alice emulates parties 1, 2, and 3 while Bob emulates party 4, and another execution where Alice emulates parties 2 and 3 while Bob emulates parties 4 and 1. In both cases the messages that are exchanged by Alice and Bob—and so can be heard by an eavesdropper—consist of a partial view of party 3 in the THB protocol.

The key-agreement protocol now comprises of repeated phases, where in each phase Alice and Bob run two executions of the THB protocol. Each party tosses a private coin to decide whether to emulate the broadcaster party 1 in the first execution or the second. If Alice and Bob toss different coins, then either both emulate party 1 or nobody does. In this case they simply discard this phase and continue to the next one. However, if they toss the same coin, an eavesdropper will not be able to guess with more than negligible probability whether Alice emulated 1 in the first run and Bob in the second, or vice versa; hence, Alice and Bob can agree on this bit.

Fig. 1.
figure 1

Four-party THB implies two-party key agreement. At the top are two configurations of the line, where party 3 is connected to party 2 on the left and to party 4 on the right. Party 3 does not know the location of party 1. At the bottom is the induced KA protocol, where Alice and Bob simulate executions of the THB protocol. The transcript visible to Eve forms a partial view of party 3’s view in the THB; hence, Eve cannot distinguish between both scenarios.

Full size image

Extension to Broader Classes of Graphs. Clearly, this theorem holds for any class of graphs that includes all lines over \(n\ge 4\) parties (topology-hiding here means that the order of the parties on the line, other than the two neighbors of the corrupted party, is not known, and in particular, the location of the broadcaster is hidden).

Our theorem further extends by a standard player-partitioning argument to more general classes of graphs, namely, any graph that can be partitioned into 4 “subsets” on a line. An example for such a class, most relevant to our positive result (below), are cycles of seven parties or more and with two corruptions (see Fig. 2).

Information-Theoretic THC on a Cycle. Our negative result rules out information-theoretic THC on cycles with two corruptions. Does a similar result hold even when we have a single corruption? Our next result shows that the answer is no. We construct a perfectly secure THC protocol on cycles, resilient to a single corruption.

Theorem (informal): THC on a cycle with one corruption can be achieved information theoretically, with perfect correctness.

Note that this does not contradict the negative result claimed by Hinkelmann and Jakoby [25]. While that result precludes information-theoretic THC for the class of all graphs, here the parties know they are on a cycle (but do not know in which order the parties are arranged on the cycle).

The proof consists of two parts. Initially, we show how to realize anonymous and private pairwise communication. That is, each party can send a message to any other party on the cycle, but without knowing to whom he is sending, and from whom he is receiving messages. Instead, the sender can send the messages to the relative location on the cycle, i.e., he can send one message to a party that is 2 hops to his right, another message to a party that is 3 hops to his left, and so on. To send a message to a party that is j hops to his right (i.e., \(n-j\) hops to his left), the sender secret shares the message and sends one share to his right neighbor and the second to his left neighbor. A party that receives a message from one of his neighbors forwards the message to his other neighbor. As there are \(n-1\) hops in the cycle, sending a message takes \(n-1\) rounds, and the sender (that is sending to the party that is j hops to his right) starts sending the right share after \(n-j\) rounds and the left share after j rounds. This way, after \(n-1\) rounds, the receiver obtains both shares and can reconstruct the message.

Once establishing private pairwise channels, the parties can compute any function using the BGW protocol [8]. However, BGW cannot be executed immediately over an anonymous network, since to process input wires the real identities should be known, rather than the alias IDs (e.g., for computing \((x_1+x_2)\cdot x_3\)). To overcome this obstacle, we first observe that symmetric functions f can be implemented immediately via BGW over an anonymous communication network. Then, we generically reduce arbitrary f to the symmetric case, by having parties submit their real ID as part of their input \((i,x_i)\), and computing the modified symmetric function \(f'\) which acts equivalently on all input pairs via multiplexing.

Fig. 2.
figure 2

Reducing a seven-node cycle to a four-node line. Consider the partition of the seven nodes into \({\mathcal {P}} _1=\{1\}\), \({\mathcal {P}} _2=\{2,3\}\), \({\mathcal {P}} _3=\{4,5\}\), and \({\mathcal {P}} _4=\{6,7\}\). The cycle on the left yields \(({\mathcal {P}} _1-{\mathcal {P}} _2-{\mathcal {P}} _3-{\mathcal {P}} _4)\) and the cycle on the right yields \(({\mathcal {P}} _2-{\mathcal {P}} _3-{\mathcal {P}} _4-{\mathcal {P}} _1)\).

Full size image

1.2 Our Results: Distributional-Topology Hiding

Having shown that information-theoretic THC is impossible for a large class of graphs even in the honest-majority setting, a natural question is whether we can construct weaker—but still useful—variants of THC for such settings. In particular, suppose we do not aim to hide everything about the graph, but rather just hide something about the graph, which will allow us to use the protocol as a building block in other applications.

As a motivating example, consider the work of Boyle et al. [11], who showed a protocol achieving adaptively secure MPC, where the actual communication graph has a sublinear cut, and thus is not an expander. Their protocol is in the so-called hidden-channel model, introduced in [14], where the adversary is unaware of the communication between honest parties (otherwise a trivial attack would separate the graph).Footnote 1 Intuitively, the adaptive security of their protocol hinges on the fact that the adversary cannot find which parties are on the small cut; if it could corrupt those parties, the security would be compromised. Thus, although hiding information about the topology was not their goal, it seems that the main tool used by [11] to prove their result is that something about the topology (where the sublinear cut is) is hidden. Intuitively, their protocol captures some notion of topology hiding.

Trying to formalize this claim and prove it within the existing framework of THC quickly fails. Indeed, the standard definition of THC (considered in Sect. 1.1 and in all prior work) captures security in “worst-case” graphs; hence, the communication graph is chosen by the environment. Since the environment can choose which parties to corrupt in a correlated way, it can simply corrupt the parties on the cut and break security of the protocol (even with static corruptions). This motivates us to define a weaker notion:

We define distributional topology-hiding computation, where, informally, the environment only knows the distribution from which the graph is chosen, not the specific graph.

Defining Distributional-Topology Hiding. Formalizing this definition poses some subtleties. In its most intuitive form, this definition resembles the hidden-graph model from [14]. In this model, the graph is sampled according to some predefined distribution, and each party learns its local neighborhood. Chandran et al. [14] used this model to construct adaptively secure MPC with sublinear communication locality; however, their protocol was not meant to hide topology, and indeed each graph was only valid for a one-time use. In the distributional-topology-hiding case, we wish to construct protocols that do hide the topology, and so can reuse the same graph.

To support hidden topology during the computation along with strong composition capabilities, we allow the environment to receive the communication graph from the ideal functionality (either the communication-graph functionality in the real world, or the graph-information functionality in the ideal world), before announcing its decision-bit: real or ideal. Once the environment has learned the graph, we fall back to a similar state as in the classical THC setting, and we cannot base the security of the protocol on the graph’s entropy. For this reason, after the environment receives the graph, the ideal functionality will stop processing any further messages, and in a sense, the communication network enters an “out of order” state.

However, the environment might still attempt to misuse this additional power, and after receiving the communication graph, corrupt a set of parties in a way that will break security (e.g., corrupt the entire sublinear cut in the example above). This attack is quite subtle, since essentially, after learning the graph the environment has the capability to learn all of the inputs that were used in the protocol just from the messages received by a small set of parties (recall that we consider information-theoretic protocols in the plain model). Clearly, the simulator will not be able to simulate such an attack. One way to protect against this attack is to rely on secure data erasures and instruct every party to erase all of the received and sent messages as soon as the network goes out of order. However, since secure erasures form a strong assumption that cannot always be realized, and thus limit the model, we resort to an alternative, more general, solution. To overcome this subtlety, once the environment receives the graph the ideal functionality will provide the simulator with all of the input messages it received from honest parties. This new information will allow the simulator to simulate additional corruption requests that are issued as a function of the graph, and will balance the additional advantage the environment gained.

In a sense, the new definition guarantees privacy of the communication network as long as it is active; however, if the network enters an “out of order” state, it does not retain the privacy of the protocols that used it, unless secure data erasure are employed.

We note that since the new definition hides the communication graph from the environment while it is active, computation that depend on the communication graph itself (e.g., finding shortest paths) cannot be supported - this is another weakening of the original definition.

Relation to Classical THC. Having formalized distributional-THC, one may ask whether this definition can be used to achieve meaningful computations, and whether it implies standard THC. We show that this definition can capture the intuitive topology-hiding property of the protocol in [11], discussed above. In fact, we modify their protocol to show a strong separation between the definitions. We construct a distribution \(\mathcal{D} \) which, on the one hand, can be used for computing any function while hiding a sublinear cut between two cliques (tolerating a linear number of adaptive corruptions), and on the other hand, even broadcast cannot be computed in a topology-hiding manner (in the classical sense) using any graph in the support of \(\mathcal{D} \) (tolerating merely a sublinear number of static corruptions).

Theorem (informal): We show a distribution \(\mathcal{D} \) over graphs with n nodes such that:

  • Distributional-THC of every function can be achieved with respect to \(\mathcal{D} \), with information-theoretic security, against an adaptive semi-honest adversary.

  • For any class of graphs \(\mathcal {C}\) with \(\mathcal {C}\cap \mathsf{supp}(\mathcal{D}) \ne \emptyset \), even broadcast cannot be computed information theoretically in the strong THC setting, even with static semi-honest corruptions (as it implies key agreement).

Connection to Adaptively Secure Low-Locality MPC. Finally, we demonstrate the power of our new definition via a new connection to adaptively secure low-locality MPC, where distributional-THC enables parties to “reuse” a secret low-degree communication graph even in the face adaptive corruptions. Concretely, this will enable sequential composition of the adaptively secure MPC protocol from [14] while maintaining sublinear locality. The starting point of [14] was any adaptively secure MPC protocol over pairwise private channels. They used the hidden-graph model to sample an Erdős-Rényi graph G (with sublinear degree and polylog diameter) and showed how to emulate pairwise private communication over the graph G. In addition, an elegant distributed sampling algorithm for a Erdős-Rényi graph was given in [14] (based on [13, 27]).

However, as discussed above, their protocol does not hide the topology of G, and so a fresh graph is used for every communication round. For this reason, their protocol can be used for executing MPC protocols with sublinear many communication rounds, and maintains sequential composition of sublinear many computations (otherwise the locality will blow up).

We show that if the private pairwise communication can be instantiated in a distributional-THC manner, the adaptively secure MPC protocol from [14] will be able to reuse the same secret Erdős-Rényi communication graph for polynomially many rounds, and so will remain secure under arbitrary sequential composition.

Theorem (informal): If there exists an adaptively secure distributional-THC protocol for private pairwise communication with respect to the Erdős-Rényi distribution from [14] (tolerating a linear number of semi-honest corruptions), then there exists an honest-majority adaptively secure MPC protocol with sublinear locality (tolerating the same corruptions) that remains secure under polynomially many sequential executions.

We note that this theorem does not present a new feasibility result, as we do not yet know how to implement the required underlying adaptively secure distributional-THC protocol. We leave this as an interesting open problem. Instead, the theorem demonstrates the power and usefulness of our definition (despite its weakness compared to the original).

1.3 Open Problems

Our results from Sect. 1.1 characterize the feasibility of information-theoretic THC over lines and cycles. Ultimately, the desire is to provide a similar characterization for all graphs. An interesting starting point is to extend our understanding in broader classes of graph, e.g., wheel graphs or 3-regular graphs.

Another intriguing question to come up with more distributions over graphs that can be computed in a distributional-THC manner.

Finally, as mentioned above, it is not clear whether private pairwise communication can be realized with distributional-THC security with respect to the Erdős-Rényi distribution. Answering this question will have implications on low-locality adaptively secure MPC.

Additional Related Work. In an independent and concurrent work, Damgård et al. [16] investigate the feasibility of information-theoretic THC. Their setting is different from ours, as they consider a trusted setup phase to generate correlated randomness for the parties.

Organization of the Paper. The preliminaries can be found in Sect. 2. Initially, we consider the standard THC definition and present our lower bound in Sect. 3, followed by the positive results in Sect. 4. We proceed to define distributional-THC in Sect. 5, show a separation between the definitions in Sect. 6. Due to space limit, some of the proofs and the connection to low-locality MPC are deferred to the full version.

2 Preliminaries

Notations. For \(n\in \mathbb {N}\) let \([n]=\{1,\cdots ,n\}\). We denote by \({\kappa } \) the security parameter, by n the number of parties, and by t an upper bound on the number of corrupted parties. The empty string is denoted by \({\epsilon } \).

UC Framework. We consider the UC framework of Canetti [12]. Unless stated otherwise, we will consider computationally unbounded and semi-honest adversaries and environments. We will consider both static corruptions (where the corrupted parties are chosen before the protocol begins) and adaptive corruptions (where parties can get corrupted dynamically during the course of the computation), and explicitly mention which type of corruption is considered in every section.

We will consider the standard secure function evaluation (SFE) functionality, denoted \(\mathcal {F}_{\mathsf {sfe}} ^f\). Informally, the functionality is parametrized by an efficiently computable function \(f:({\{0,1\}^*})^n\rightarrow {\{0,1\}^*}\). Every honest party forwards its input received from the environment to the ideal functionality, and the simulator sends the corrupted parties’ inputs. The functionality computes \(y=f(x_1,\ldots ,x_n)\) and returns y to every party. Broadcast is a special case of SFE for the function that receives an input from a single party, named the broadcaster, (formally, every other party gives the empty string \({\epsilon } \) as input) and delivers this value to every party as the output. We denote the broadcast functionality by \(\mathcal {F}_{\mathsf {bc}} \).

Topology-Hiding Computation (THC). We recall the definition of topology-hiding computation from [31]. The real-world protocol is defined in a model where all communication is transmitted via the \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}} \) functionality (described in Fig. 3). The functionality \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}} \) is parametrized by a family of graphs \({\mathcal {G}} \). Initially, before the protocol begins, \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}} \) receives the network communication graph G from a special graph party \({{P} _\mathsf {graph}} \), makes sure that \(G\in {\mathcal {G}} \), and provides to each party his local neighbor-set. Next, during the protocol’s execution, the functionality receives a message to be delivered from a sender \({P} _v\) to a receiver \({P} _w\) and delivers the message if the edge (vw) appears in the graph.

An ideal-model computation of a functionality \(\mathcal {F}_{\mathsf {}} \) is augmented to provide the corrupted parties with the information that is leaked about the graph; namely, every ideal (dummy) party should learn his neighbor-set. To capture this, we define the wrapper-functionality \(\mathcal {W}_{\mathsf {graph\text {-}info}} ^{\mathcal {G}} (\mathcal {F}_{\mathsf {}})\), that runs internally a copy of the functionality \(\mathcal {F}_{\mathsf {}} \). The wrapper receives the graph \(G=(V,E)\) from \({{P} _\mathsf {graph}} \), makes sure that \(G\in {\mathcal {G}} \), and upon receiving an initialization message from a party \({P} _i\) responds with its neighbor set \({\mathcal {N}_G[i]} \) (just like \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}} \)). All other input messages are forwarded to \(\mathcal {F}_{\mathsf {}} \) and every message from \(\mathcal {F}_{\mathsf {}} \) is delivered to its recipient.

Fig. 3.
figure 3

The communication graph functionality

Full size image

Definition 1 (Topology-hiding computation)

We say that a protocol \(\pi \) securely realizes a functionality \(\mathcal {F}_{\mathsf {}} \) in a topology-hiding manner with respect to \({\mathcal {G}} \) tolerating semi-honest t-adversaries if \(\pi \) securely realizes \(\mathcal {W}_{\mathsf {graph\text {-}info}} ^{\mathcal {G}} (\mathcal {F}_{\mathsf {}})\) in the \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}} \)-hybrid model tolerating semi-honest t-adversaries.

We note a few technical changes in the definition above compared to [31]. First, we let the graph functionality \(\mathcal {F}_{\mathsf {graph}} \) and the wrapper \(\mathcal {W}_{\mathsf {graph\text {-}info}} \) be parametrized by a family of graphs \({\mathcal {G}} \). This captures the fact that certain properties of the graphs might be inherently leaked e.g., the diameter of the graph [31] or that the graph is a cycle or a tree [1]. This technical adjustment has also been considered in [26]. A second difference is that we define the graph-information as a wrapper functionality around \(\mathcal {F}_{\mathsf {}} \) rather than a separate functionality that is composed with \(\mathcal {F}_{\mathsf {}} \). Although this difference is only syntactic with respect to the definition above, it will enable a cleaner definition of distributional THC in Sect. 5.

3 TH-Broadcast on a Line Implies Key Agreement

In this section, we show that a topology-hiding broadcast protocol of four parties (or more) connected in a line that tolerates one semi-honest corruption, implies the existence of two-party key-agreement protocols.

We define the following class of graphs \({\mathcal {G}_{\mathsf {line}}} =\{G_0,G_1\}\), where each graph has four nodes on a line: \(G_0=(1-2-3-4)\) and \(G_1=(2-3-4-1)\) (see Fig. 1). Consider party 1 to be the broadcaster, then a corrupted party 3 will not know whether 1 is a neighbor of 2 or of 4. We next show how to utilize this property to achieve a two-party key-agreement protocol. The high-level idea is that either Alice will emulate parties 1, 2, and 3 and Bob will emulate party 4, or that Alice will emulate parties 2 and 3, and Bob will emulate parties 4 and 1. An eavesdropper listening to their communication will in fact hear all the messages exchanged between party 3 and party 4 in the THB protocol, and therefore will not be able to guess with more than negligible probability who emulates party 1.

Theorem 1

The existence of four-party topology-hiding broadcast with respect to class \({\mathcal {G}_{\mathsf {line}}} \) secure against semi-honest adversaries that may make a single corruption implies the existence of key agreement.

High-Level Idea. Our key-agreement protocol proceeds in phases. In a given phase, Alice and Bob will jointly simulate the topology-hiding broadcast protocol on a line graph of nodes 1, 2, 3, 4. Alice will always simulate nodes 2 and 3 and Bob will always simulate node 4. Alice and Bob will flip private coins to determine if they simulate 1. Note that it may be that neither or both of them simulate node 1. It will always be the case that node 2 has an edge to node 3 which is in turn has an edge to node 4. If Alice’s coin is heads she will simulate node 1 with a unique edge to node 2. Similarly, if Bob’s coin is heads, he will simulate node 1 with a unique edge to node 4. The node 1 will always be broadcaster, and will correspond to the bit agreed upon. The eavesdropper, Eve, will of course see the messages between 3 and 4 as Alice and Bob communicate to simulate the protocol execution. We will design our protocol so that Alice and Bob can identify when both or neither are controlling node 1 so they can throw them out, as the protocol will have no guarantees in this case. In the other cases, whether Alice or Bob controls 1 will indicate the bit agreed upon. This bit will be obvious to both Alice and Bob; however, it will be obscured from Eve. In particular, any advantage Eve has in guessing the bit can be used to break the topology hiding of the protocol. To increase the probability of successfully agreeing on a bit the protocol can simply be repeated. However, for simplicity we will specify and analyze the low-success version.

Proof

Let \(\pi \) be a topology-hiding broadcast protocol with respect to \({\mathcal {G}_{\mathsf {line}}} \), where node 1 is the broadcaster. Via sequential composition, we may assume \(\pi \) is a \({\kappa } \)-bit broadcast protocol without. We use \(\pi \) to construct the following key-agreement protocol.

Protocol 2

(Two-party key agreement)

  1. 1.

    Alice sends two random \({\kappa } \)-bit strings, \(r_1\) and \(r_2\), to Bob. These will be the strings broadcasted in the simulations of \(\pi \).

  2. 2.

    Alice and Bob each flips a coin: \(c_A,c_B\leftarrow \{0,1\}\), respectively. They will jointly simulate the protocol twice.

    • If \(c_A=1\), Alice will first simulate nodes 1 (broadcasting \(r_1\)), 2, and 3 in \(\pi \). The second time, Alice will just simulate nodes 2 and 3. If \(c_A=0\), Alice will just simulate nodes 2 and 3 the first time and additionally simulate node 1 (broadcasting \(r_2\)), the second time.

    • If \(c_B=1\), Bob will first simulate nodes 1 (broadcasting \(r_1\)) and 4 in \(\pi \). The second time, Bob will just simulate node 4. If \(c_B=0\), Bob will just simulate node 4 the first time, and additionally simulate node 1 (broadcasting \(r_2\)), the second time.

  3. 3.

    Alice and Bob jointly simulate \(\pi \) twice according to the roles designated above, communicating messages between 3 and 4 as needed.

    • If node 2 did not output either \(r_1\) in the first simulation of \(\pi \) or \(r_2\) in the second simulation of \(\pi \), Alice outputs \(\bot \). Otherwise, Alice outputs \(c_A\).

    • If node 4 did not output either \(r_1\) in the first simulation of \(\pi \) or \(r_2\) in the second simulation of \(\pi \), Bob outputs \(\bot \). Otherwise, Bob outputs \(1-c_B\).

There are 4 cases for how \((c_A,c_B)\) is chosen (each occurring with probability 1/4. We will divide them into two sets (each occurring with probability 1/2): \(c_A=c_B\) and \(c_A\ne c_B\). We claim that in the first case both Alice and Bob output \(\bot \) with probability \(\ge 1-2^{1-{\kappa }}\). In the second case, we claim that both Alice and Bob output \(c_A\) with overwhelming probability and that Eve’s output can be at most negligibly correlated with \(c_A\). Thus, conditioned on Alice and Bob not outputting \(\bot \) (which happens with probability negligibly close to 1/2), Alice and Bob will agree on a bit (with overwhelming probability) that is negligibly correlated with any bit outputted by an efficient eavesdropper. Therefore, it suffices to prove the claim for each case.

The case of \(c_A=c_B\). If both \(c_A=1\) and \(c_B=1\), then neither Alice nor Bob is simulating the broadcasting node 1 in the second simulation. In which case, all outputs of \(\pi \) in this simulation is independent of \(r_2\). Thus, the probability that either node 2 or node 4 outputs \(r_2\) in the simulation is at most \(2/2^{\kappa } \). Conversely, if both \(c_A=0\) and \(c_B=0\), then neither party is simulating node 1 in the first simulation and all outputs are independent of \(r_1\). And similarly the probability that either node 2 or node 4 outputs \(r_1\), in this case, is at most \(2/2^{\kappa } \).

In either case there is a simulation where both node 2 and node 4 fail to output the chosen string with probability at least \(1-2^{1-{\kappa }}\). Thus, both Alice and Bob will output \(\bot \) with probability at least \(1-2^{1-{\kappa }}\).

The case of \(c_A\ne c_B\). In this case, in each simulation exactly one of Alice and Bob is simulating node 1, the broadcaster. By correctness, all nodes (including nodes 2 and 4) will output the string \(r_1\) in the first simulation and \(r_2\) in the second simulation with overwhelming probability. Thus, both Alice and Bob will output \(c_A\) (note that \(c_A=1-c_B\), in this case) with overwhelming probability.

On the other hand, suppose Eve outputs a bit b such that \({\mathrm {Pr}}[b=c_A]=1/2+\alpha \). Note that Eve only sees the correspondence between nodes 3 and 4. We can use such an Eve to distinguish between running \(\pi \) on \(G_0\) or \(G_1\) with advantage at least \(\alpha /3\). Moreover, it will distinguish with respect to a specific distribution of broadcast messages and topology: the one where both message and topology are chosen uniformly and independently.

A semi-honest adversary that has corrupted node 3 will wait until the protocol has completed and the output r has been received before simulating Eve. The adversary will flip a bit \(b'\): effectively guessing the opposite topology of actual execution 1-2-3-4 (in the case that \(b'=0\)) or 2-3-4-1 (in the case that \(b'=1)\). After the protocol has completed, the adversary will sample a random string \(r'\) and run Eve on a transcript comprised of r, \(r'\), the actual communication between nodes 3 and 4, and a communication between nodes 3 and 4 in a simulated execution where \(r'\) is broadcasted over the guessed topology. The simulated Eve will output a bit b. If \(b=1\), the adversary will output the 1-2-3-4 topology, and the 2-3-4-1 topology otherwise.

In the case that the adversary guessed correctly (which happens with probability 1/2), the transcript Eve is given is identically distributed to the that of the key-agreement protocol. In this case, the simulated Eve’s bit will be \(\alpha \)-correlated with the actual topology. In the other case, when Eve is given two independent invocations of the protocol on the same graph, Eve’s output must be negligibly close to 1/2 and the security of \(\pi \). Therefore, the probability the adversary outputs the correct topology is at least

$$ 1/4-\textsf {negl}(\kappa )+1/4+\alpha /2>1/2+\alpha /3. $$

So, by the topology-hiding property, \(\alpha \) must be negligible.

This concludes the proof of Theorem 1.    \(\square \)

Next, we extend the lower bound to more classes of graphs using the player-partitioning technique.

Corollary 1

Let \({\mathcal {G}} \) be a class of (connected) graphs with n nodes such that there exists a partition of the nodes into four subsets \({\mathcal {P}} _1, {\mathcal {P}} _2, {\mathcal {P}} _3, {\mathcal {P}} _4\), and there exists graphs \(\tilde{G}_0,\tilde{G}_1\in {\mathcal {G}} \) such that:

  • In \(\tilde{G}_0\): there are no edges \((i,j)\in {\mathcal {P}} _1\times {\mathcal {P}} _3\), or \((i,j)\in {\mathcal {P}} _2\times {\mathcal {P}} _4\), or \((i,j)\in {\mathcal {P}} _1\times {\mathcal {P}} _4\),

  • In \(\tilde{G}_1\): there are no edges \((i,j)\in {\mathcal {P}} _1\times {\mathcal {P}} _3\), or \((i,j)\in {\mathcal {P}} _2\times {\mathcal {P}} _4\), or \((i,j)\in {\mathcal {P}} _1\times {\mathcal {P}} _2\).

Let \(t=|{\mathcal {P}} _3|\). Then, a THB protocol with respect to \({\mathcal {G}} \) tolerating semi-honest, static t-adversaries, implies the existence of key agreement.

Proof

Let \(\pi \) be such a THB protocol, and without loss of generality assume that the broadcaster is in \({\mathcal {P}} _1\). We will construct the following four-party broadcast protocol on a line with respect to the class of two graphs \({\mathcal {G}_{\mathsf {line}}} =(G_0,G_1)\), where

  • \(G_0=(1-2-3-4)\),

  • \(G_1=(2-3-4-1)\).

To define the protocol, every party i, for \(i\in [4]\), emulates in its head the parties in \({\mathcal {P}} _i\) executing protocol \(\pi \). Whenever a party \({P} _j\in {\mathcal {P}} _i\) wishes to send a message m to a party \({P} _{j'}\), proceed as follows: (1) If \({P} _{j'}\in {\mathcal {P}} _i\), party i simulates in its head party \({P} _{j'}\) receiving the message m from party \({P} _j\). (2) If \({P} _{j'}\in {\mathcal {P}} _{i'}\) for some \(i'\ne i\), send the message \((j,j',m)\) to party \(i'\); in this case, party \(i'\) simulates party \({P} _{j'}\) receiving the message m from party \({P} _j\).

Note that for \(b\in \{0,1\}\), an execution of the four-party THB over \(G_b\) corresponds to an execution of the protocol \(\pi \) over \(\tilde{G}_b\). Since \(|{\mathcal {P}} _3|=t\) and \(\pi \) is t-secure, it holds that the new protocol is secure tolerating a single corruption of party \({P} _3\). The proof now follows from Theorem 1.    \(\square \)

An example for a family of graphs that satisfies the above requirements are cycles of seven nodes tolerating two corruptions. Indeed, consider the partition

$$ {\mathcal {P}} _1=\{1\}, \quad {\mathcal {P}} _2=\{2,3\}, \quad {\mathcal {P}} _3=\{4,5\}, \quad {\mathcal {P}} _4=\{6,7\}. $$

Then, the two cycle-graphs \(\tilde{G}_0=(2-1-3-4-6-7-5)\) and \(\tilde{G}_1=(2-3-4-6-1-7-5)\) satisfy the properties of the corollary, as illustrated in Fig. 2.

4 Perfect THC on a Cycle

In this section, we show a perfectly secure topology-hiding computation protocol tolerating a single semi-honest corruption with respect to cycles. Note that in this setting we are only hiding a permutation of the nodes.

Theorem 3

Let \(n>2\), and let f be an efficiently computable n-party function. Then, \(\mathcal {F}_{\mathsf {sfe}} ^f\) can be securely realized in a topology-hiding manner with respect to the class of graphs that includes all cycles on n nodes, tolerating a single, semi-honest corruption. Moreover, the protocol is perfectly correct and perfectly secure.

To prove Theorem 3, we will first show how to realize anonymous secure channels without revealing the topology of the cycle. Given anonymous secure channels, it is not difficult to realize general THC on a cycle.

Private Anonymous Communication over a Cycle. We begin by defining the anonymous communication functionality. This randomized functionality initially assigns aliases to all parties based on their location, so that the parties can address each other by these aliases. Specifically, the functionality will choose a random party to be assigned with the alias ‘1’, and will choose a random orientation of “left” and “right” for its outgoing edges. This will define an alias for each other party, in an increasing order going to the left. Each party will receive its alias and orientation (hence allowing it to compute the alias of any party that is a certain number of hops away in each direction). Then, each party can privately send messages to any alias of their choice. The party associated with the alias will receive the message along with the alias of the sender. A full description is provided in Fig. 4.

Fig. 4.
figure 4

The anonymous communication functionality

Full size image

Let \(\mathcal {G}_{\mathsf {cycle}} (n)\) be the class of cycles over n nodes. Next, we show how to perfectly securely realize \(\mathcal {W}_{\mathsf {graph\text {-}info}} ^{\mathcal {G}_{\mathsf {cycle}} (n)}(\mathcal {F}_{\mathsf {anon}})\) in the \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}_{\mathsf {cycle}} (n)}\)-hybrid model.

High-Level Idea. At a high level, our protocol proceeds in two phases. In the first phase, a fixed designated party \({P} ^*\), will randomly assign an alias in [n] for itself, as well as an orientation of left and right. This defines aliases for the rest of the parties based on their distance from \({P} ^*\) and its randomly chosen alias. A protocol is then performed to securely provide all parties with their alias and orientation. In the communication phase, parties use their output from the initialization phase and the 2-connectedness of the cycle to securely communicate with other parties (specified via their aliases, indicating how many hops away they are). Before specifying the full protocol in Fig. 5, we give some intuition.

To begin, suppose that \(n=2k\) is even, and that a party \({P} _v\) wishes to send a message m to the party directly opposite it on the cycle (denote that party as \({P} _u\), although \({P} _v\) does not know \({P} _u\)’s identity, just location). This can be done easily by uniformly sampling r and forwarding \(m \oplus r\) to the right and r to the left (where right and left are from some arbitrary orientation). If other parties forward received messages in the same direction, after exactly k rounds, \({P} _u\) will receive \(m\oplus r\) and r simultaneously and can compute \((m\oplus r)\oplus r=m\). Because every other party sees either \(m\oplus r\) or r, but not both, this will be uniformly distributed ensuring privacy of the message. By delaying timing of messages to left and right appropriately, we can adjust the protocol to allow any party to deliver a message to any other party that is a given number of hops away.

Once aliases have been agreed upon by all parties, the above will in fact suffice for the communication phase, as there will be nothing more to hide. However, for the initialization phase, if the designated party \({P} ^*\) simply uses the above to deliver aliases to other parties, this will leak the distance from the sender \({P} ^*\). Hence, we will have all parties perform the above secure message sending protocol to all other parties, in parallel. The designated party \({P} ^*\) will send the actual aliases to each other party, while all other parties will perform the above as if sending 0 to all other parties. Note that message privacy here is only being used to hide the location of the designated party.

To perform the above in parallel, in each round parties will take the message received from the left in the previous round, XOR it with what they should send to the right themselves according to the secure message passing above, and then send the result to the right. They behave identically with respect to messages travelling in the other direction. In the final round, all parties simply XOR what they received from the left and right to receive their own alias. Moreover, because up to that point the view of any single party is simply a sequence of random messages, the location of \({P} ^*\) remains hidden. (The final messages of \({P} ^*\) will not be uniform, but XOR to 0.)

Lemma 1

Let \(n>2\). Protocol \(\pi _{\mathsf {anon\text {-}cycle}}\) perfectly securely realizes \(\mathcal {F}_{\mathsf {anon}} \) in a topology-hiding manner with respect to the class of graphs that includes all cycles on n nodes, tolerating a single semi-honest adversary.

Proof

(sketch). Let \(\pi :[n]\rightarrow [n]\) denote the map such that \(\text {id}_i \mapsto i\) for the \(\text {id}\)’s implicitly defined by \({P} ^*\). Let \(\alpha :[n]\rightarrow [n]\) denote the cyclic permutation such that \(i\mapsto i+1\) for \(i<n\) and \(n\mapsto 1\). Additionally, let \(\alpha ^{(k)}\) denote k sequential applications of \(\alpha \). We take left and right to denote the orientation selected by \({P} ^*\) in the initialization phase.

Fig. 5.
figure 5

Securely realizing \(\mathcal {F}_{\mathsf {anon}} \) in a topology-hiding manner, for cycles

Full size image

For correctness, consider the sequence of messages: the message sent left by the party left of \({P} _u\) in the first round, the message send left by the party two nodes left of \({P} _u\), and so on until the message that is delivered to \({P} _u\) from the right in final round. Each subsequent message is formed by XORing with the previous message in the sequence. Because all parties other than \({P} ^*\) behave identically with respect to each direction in this phase, we may assume they all chose an orientation consistent with \({P} ^*\). Then, we can observe that \({P} _{u}\) receives \(\pi ^{-1}(u) \oplus \bigoplus _{j=1}^{n-1} r^{\pi (\alpha ^{(j)}(\pi ^{-1}(u)))}_j\) on the right in the final round of the initialization phase. Via the same argument, we can see \({P} _u\) receives \(r^{\pi (\alpha ^{(j)}(\pi ^{-1}(u)))}_j\) on the left of the initialization phase.

For security, note that if we view the \(r_j^i\) values each party sends to the right and left as traveling around the cycle in either direction (having values XORed with them), the only other party that sees both is the one that they arrive at simultaneously in the last round. Thus, to all other parties, they are uniformly distributed.

Therefore, the view of the corrupted party \({P} _c\) is simply uniformly distributed messages in each round, until the last. In the last round, if \({P} _c\ne {P} ^*\), party \({P} _c\) receives two random messages (one from each side) that XOR to a random \(i\in [n]\). If \({P} _c={P} ^*\), party \({P} _c\) receives two random messages that XOR to zero. This can be simulated by simply sending random messages until the last round, where the messages XOR to a uniformly drawn \(i\leftarrow [n]\) if \({P} _c\ne {P} ^*\) and 0 otherwise. Because of this simulation the view of any party is clearly independent of the ordering of parties outside that party’s immediate neighborhood.

The correctness and security of the communication phase proceed similarly, except here we will use the fact that the relative positions of \(\text {id}_c\) and the \(\text {id}_i\) to start simulating via uniformly random values on a given side. The full simulator is described below.

  • Initialization Phase:

    • Let \({P} _u\) be the corrupted party. Get \({\mathcal {N}_G[u]} \) from \(\mathcal {W}_{\mathsf {graph\text {-}info}} ^{\mathcal {G}} (\mathcal {F}_{\mathsf {anon}})\).

    • Invoke \(\mathcal {W}_{\mathsf {graph\text {-}info}} ^{\mathcal {G}} (\mathcal {F}_{\mathsf {anon}})\) with \({\mathcal {N}_G[u]} \) (as the input to \(\mathcal {F}_{\mathsf {anon}} \)) and receive back \(\text {id}_u\) and the orientation.

    • If \({P} _u\ne {P} ^*\), deliver uniformly random messages from neighbors for first \(n-2\) rounds. In final round, deliver uniformly random messages conditioned on them XORing to \(\text {id}_u\).

      Otherwise, deliver uniformly random messages from neighbors to either side for the first \(n-2\) rounds. In the final round, deliver uniformly random messages that XOR to 0.

  • Communication Phase: In each communication “round,” get from the environment the tuples \(\{(\text {id}_u,i,m^i_{\text {id}_u})\}_{i\ne u}\) (as the input of \({P} _u\)).

    In the \(i\)’th sub-phase of each “round,”

    • From round \(\text {id}_u - i \pmod n\) of the sub-phase until the penultimate round, give \({P} _u\) uniformly random messages from the right.

    • From round \(i-\text {id}_u \pmod n\) of the sub-phase until the penultimate round, give \({P} _u\) uniformly random messages from the left.

    • In the final round if \(\text {id}_u\ne i\), give \({P} _u\) random messages conditioned on them XORing to \(m^i_{\text {id}_u}\).

      If \(\text {id}_u=i\), \({P} _u\) doesn’t receive anything throughout the phase.

   \(\square \)

THC from Secure Anonymous Channels. Equipped with secure anonymous point-to-point channels, we can now use standard honest-majority MPC techniques to achieve general THC.

Lemma 2

Let \(n\in {\mathbb {N}}\), let \(t\le n/2\), and let f be an efficiently computable n-party function. Then, \(\mathcal {F}_{\mathsf {sfe}} ^f\) can be UC-realized with perfect security in \(\mathcal {F}_{\mathsf {anon}} \)-hybrid model, tolerating t semi-honest corruptions.

Proof

(sketch). Without loss of generality, it suffices to consider functionalities that give the same output to all parties. Let \(f'\) denote the symmetric functionality that takes in n tuples of the form \((i,x_i)\in [n]\times \{0,1\}^n\) and outputs \(f(x_1,\ldots ,x_n)\) if all i are distinct, and \(\bot \) otherwise. Note that for any permutation \(\pi \) of [n] (describing \(i\mapsto \text {id}_i\), the alias of \({P} _i\)), it holds that

$$ f'\left( \left( \pi ^{-1}(1),x_{\pi ^{-1}(1)}\right) ,\ldots ,\left( \pi ^{-1}(n),x_{\pi ^{-1}(n)}\right) \right) \equiv f(x_1,\ldots ,x_n). $$

So, to complete the proof, parties simply securely evaluate \(f'\) under their aliases, where the input of \({P} _i\) with alias \(\text {id}_i\) is \((i,x_i)\), using the BGW protocol [8] over secure anonymous channels (between aliased identities) provided by \(\mathcal {F}_{\mathsf {anon}} \).    \(\square \)

Putting together Lemmas 1 and 2, and using UC-composition, completes the proof of Theorem 3, our positive result for cycles with one corruption.

5 Distributional-Topology-Hiding Computation

In this section, we present a relaxed notion of topology-hiding computation. Namely, it is not required that all of the topology of the graph will remain hidden, but only certain properties of the graph. The crucial difference to THC is that the functionality does not receive the graph from a graph party; rather, the communication-graph functionality is parametrized by a distribution over graphs and locally samples a graph from this distribution. As a result of this modification, the environment is ignorant of the actual graph that is used during the communication phase.

Fig. 6.
figure 6

The distributional-graph-communication functionality

Full size image

As discussed in Sect. 1.2, we require strong composition capabilities from this definition. Therefore, the environment is allowed to ask for the graph. This is done via a special graph party \({{P} _\mathsf {graph}} \). Unlike in classical THC, where \({{P} _\mathsf {graph}} \) is used to give the graph to the functionality, here \({{P} _\mathsf {graph}} \) is used to ask the graph from the functionality. Once the environment asks for the graph, the communication functionality enters an “out of order” state and stops processing other messages (Fig. 6).

Fig. 7.
figure 7

The distributional-graph-information wrapper functionality

Full size image

As before, the ideal-model computation of a functionality \(\mathcal {F}_{\mathsf {}} \) needs to be augmented to provide the simulator with the appropriate leakage on the graph, i.e., the neighbor-set of each corrupted party. Toward this purpose, we define a graph-information wrapper functionality around \(\mathcal {F}_{\mathsf {}} \), denoted \(\mathcal {W}_{\mathsf {dist\text {-}graph\text {-}info}} ^\mathcal{D} (\mathcal {F}_{\mathsf {}})\). Initially, the wrapper samples a graph from the distribution and provides every corrupted party with the neighbor-set. All subsequent input messages are forwarded to \(\mathcal {F}_{\mathsf {}} \) and all messages from \(\mathcal {F}_{\mathsf {}} \) are delivered to their recipients.

To keep the graph hidden from the environment during the computation phase, \(\mathcal {W}_{\mathsf {dist\text {-}graph\text {-}info}} ^\mathcal{D} (\mathcal {F}_{\mathsf {}})\) does not send the neighbor-set to honest parties. The environment can adaptively issue corruption requests, and upon any such adaptive corruption \(\mathcal {W}_{\mathsf {dist\text {-}graph\text {-}info}} ^\mathcal{D} (\mathcal {F}_{\mathsf {}})\) outputs the neighbor-set of the newly corrupted party.

As before, the environment can request the communication graph via a special graph party \({{P} _\mathsf {graph}} \). After receiving this request from \({{P} _\mathsf {graph}} \), the wrapper functionality stops processing further messages, other than corruption requests. As explained in Sect. 1.2, to balance the advantage given to the environment, that now can corrupt parties as a function of the graph, after giving the graph to \({{P} _\mathsf {graph}} \), the wrapper gives the simulator all of the input messages it received (Fig. 7).

Definition 2 (Distributional topology hiding)

Let \(\mathcal{D} \) be a distribution over graphs with n nodes. A protocol \(\pi \) securely realizes a functionality \(\mathcal {F}_{\mathsf {}} \) in a distributional-topology-hiding manner with respect to \(\mathcal{D} \) tolerating semi-honest t-adversaries, if \(\pi \) securely realizes \(\mathcal {W}_{\mathsf {dist\text {-}graph\text {-}info}} ^\mathcal{D} (\mathcal {F}_{\mathsf {}})\) in the \(\mathcal {F}_{\mathsf {dist\text {-}graph}} ^\mathcal{D} \)-hybrid model tolerating semi-honest t-adversaries.

The Relation Between the Definitions. We show that Definition 2 is indeed a relaxation of Definition 1. We start by showing that every protocol that satisfies Definition 1 will also satisfy Definition 2, at least as long as the functionality does not depend on the graph. Next, in Sect. 6, we will show a separation between the definitions.

Consider an environment \(\mathcal{Z} \) of the form \(\mathcal{Z} =(\mathcal{Z} _1,\mathcal{Z} _2)\), where \(\mathcal{Z} _1\) invokes \({{P} _\mathsf {graph}} \) with a graph \(G\in {\mathcal {G}} \) and receives back its output, and \(\mathcal{Z} _2\) interacts with the parties and the adversary (without knowing the output received by \(\mathcal{Z} _1\)) and outputs the decision bit. We say that an n-party functionality \(\mathcal {F}_{\mathsf {}} \) does not depend on the communication graph if for every family \({\mathcal {G}} \) of graphs with n nodes and every environment \(\mathcal{Z} =(\mathcal{Z} _1,\mathcal{Z} _2)\) as described above, the output of \(\mathcal{Z} \) (i.e., the output of \(\mathcal{Z} _2\)) in an ideal computation of \(\mathcal {W}_{\mathsf {graph\text {-}info}} ^{\mathcal {G}} (\mathcal {F}_{\mathsf {}})\) is identically distributed as the output of \(\mathcal{Z} \) in an ideal computation of \(\widetilde{\mathcal {W}}_{\mathsf {graph\text {-}info}} ^{\mathcal {G}} (\mathcal {F}_{\mathsf {}})\), where \(\widetilde{\mathcal {W}}_{\mathsf {graph\text {-}info}} ^{\mathcal {G}} \) acts like \(\mathcal {W}_{\mathsf {graph\text {-}info}} ^{\mathcal {G}} \) with the exception that it ignores the graph G it receives and chooses an arbitrary graph from \({\mathcal {G}} \) instead. In the modified functionality, the input provided by the environment is independent of the communication graph; hence, if the output of the functionality is identically distributed in both cases, it can’t be dependent on the graph structure.

Theorem 4

Let \(\mathcal {F}_{\mathsf {}} \) be functionality that does not depend on the communication graph and let \(\mathcal{D} \) be an efficiently sampleable distribution over graphs with n nodes. If \(\mathcal {F}_{\mathsf {}} \) can be securely realized in a topology-hiding manner with respect to \(\mathsf {supp} (\mathcal{D})\), then \(\mathcal {F}_{\mathsf {}} \) can be securely realized in a distributional-topology-hiding manner with respect to \(\mathcal{D} \).

Proof

Assume that \(\mathcal {F}_{\mathsf {}} \) cannot be securely realized in a distributional-topology-hiding manner with respect to \(\mathcal{D} \), i.e., for every protocol and every simulator for the dummy adversary, there exists an environment \(\mathcal{Z} \) that can create a non-negligible distinguishing advantage. Note that initially, \(\mathcal{Z} \) knows only the distribution \(\mathcal{D} \) but not the actual graph, but at any point can invoke \({{P} _\mathsf {graph}} \) to obtain the graph. We will show that \(\mathcal {F}_{\mathsf {}} \) cannot be securely realized in a topology-hiding manner with respect to \(\mathsf {supp} (\mathcal{D})\).

We use \(\mathcal{Z} \) to construct an environment \(\mathcal{Z} '\) as follows. Initially, \(\mathcal{Z} '\) samples a graph \(G\leftarrow \mathcal{D} \) and sends it to \({{P} _\mathsf {graph}} \) to initialize the communication graph functionality (or the graph-information functionality). Next, \(\mathcal{Z} '\) invokes \(\mathcal{Z} \) and forwards any message from \(\mathcal{Z} \) to the parties or the adversary, and vice versa. Once an honest party receives its neighbor-set from the functionality, \(\mathcal{Z} '\) does not forward the message to \(\mathcal{Z} \), but upon a corruption of a party \(\mathcal{Z} '\) provides its neighbor-set to \(\mathcal{Z} \). If \(\mathcal{Z} \) asks \({{P} _\mathsf {graph}} \) to get the graph, \(\mathcal{Z} '\) responds with the graph G and proceed to process only corruption requests from \(\mathcal{Z} \). Finally, \(\mathcal{Z} '\) outputs the output of \(\mathcal{Z} \) and halts. Clearly, \(\mathcal{Z} '\) has the same distinguishing probability as \(\mathcal{Z} \), and the proof follows.    \(\square \)

6 Distributional-THC with Hidden Sublinear Cuts

In this section, we show a distributional-THC protocol that hides sublinear cuts between two linear-size cliques in the communication graph, and tolerates a linear number of adaptive semi-honest corruptions. The protocol is based on a recent work by Boyle et al. [11], that constructed an adaptively secure MPC protocol in the dynamic-graph setting (where every party can talk to every other party, but dynamically decides on its neighbor-set).

In Sect. 6.1, we present the protocol in the distributional-THC setting that can hide sublinear cuts against adaptive corruptions, and in Sect. 6.2 we show that a similar result cannot be achieved in the classical THC setting.

6.1 Feasibility in the Distributional-THC Model

We start by defining the distribution of potential communication graphs in the n-party protocol.

Definition 3

Let \(n=4m+1\) for \(m\in {\mathbb {N}}\), and let \(n'=\log ^c{n}\) for a constant \(c>1\). Denote

$$ {\mathcal {P}} _1=\{1,\ldots ,m\},\quad {\mathcal {P}} _2=\{m+1,\ldots ,2m\}, \quad {\mathcal {P}} _3=\{2m+1,\ldots ,3m\}, \quad {\mathcal {P}} _4=\{3m+1,\ldots ,4m\}. $$

Given a bit \(b\in \{0,1\}\) and two vectors \({ \varvec{i}}=(i_1,\ldots ,i_{n'})\) and \({ \varvec{j}}=(j_1,\ldots ,j_{n'})\) in \([m]^{n'}\) with distinct coordinates, i.e., \(i_k\ne i_{k'}\) and \(j_k\ne j_{k'}\) for \(k\ne k'\), define the graph \(G_n(b;{ \varvec{i}};{ \varvec{j}})\) as follows:

  • Two cliques of size 2m, \({\mathcal {P}} _1\cup {\mathcal {P}} _2\) and \({\mathcal {P}} _3\cup {\mathcal {P}} _4\).

  • The edges \((m+i_k,2m+j_k)\) for every \(k\in [n']\) (i.e., a sublinear cut between \({\mathcal {P}} _2\) to \({\mathcal {P}} _3\)).

  • The edges \((4m+1,i)\), for every \(i\in {\mathcal {P}} _1\) if \(b=0\), or for every \(i\in {\mathcal {P}} _4\) if \(b=1\) (i.e., connecting \(4m+1\) to either \({\mathcal {P}} _1\) or \({\mathcal {P}} _4\)).

We define the distribution \({\mathcal{D} _{\mathsf {cut}}(n,c)} \) over graphs of n nodes by uniformly sampling a bit \(b\in \{0,1\}\) and \({ \varvec{i}},{ \varvec{j}}\leftarrow [m]^{n'}\) with distinct coordinates, and returning \(G_n(b;{ \varvec{i}};{ \varvec{j}})\) (Fig. 8).

Fig. 8.
figure 8

A graph \(G_n(b;{ \varvec{i}};{ \varvec{j}})\) with \(n=4m+1\) nodes in support of the distribution \({\mathcal{D} _{\mathsf {cut}}(n,c)} \).

Full size image

Theorem 5

Let \(n\in {\mathbb {N}}\), let \(\beta <1/4\) and \(c>1\) be constants, and let f be an efficiently computable n-party function. Then, \(\mathcal {F}_{\mathsf {sfe}} ^f\) can be securely realized in a distributional-topology-hiding manner with respect to \({\mathcal{D} _{\mathsf {cut}}(n,c)} \) with statistical security tolerating an adaptive, semi-honest, computationally unbounded \(\beta n\)-adversary.

To prove Theorem 5, we construct a protocol \(\pi _{\mathsf {hide \text {-}cuts}}\) in the \(\mathcal {F}_{\mathsf {dist\text {-}graph}} ^{{\mathcal{D} _{\mathsf {cut}}(n,c)}}\)-hybrid model that securely realizes \(\mathcal {W}_{\mathsf {dist\text {-}graph\text {-}info}} ^{\mathcal{D} _{\mathsf {cut}}(n,c)} (\mathcal {F}_{\mathsf {sfe}} ^f)\) (see Fig. 12). More specifically, the protocol is defined in a hybrid model with the additional ideal functionalities \(\mathcal {F}_{\mathsf {share\text {-}to\text {-}committee}} \), \(\mathcal {F}_{\mathsf {recon\text {-}compute}} \), and \(\mathcal {F}_{\mathsf {out\text {-}dist}} \) (all functionalities are explained and formally defined in Sect. 6.1). These functionalities need not be defined and realized in a topology-hiding manner, since each such functionality will be called by a pre-defined subsets of parties that forms a clique in the communication graph, and so they can be instantiated using a “standard” MPC protocol such as BGW.

In Lemma 3 (below) we prove that the protocol \(\pi _{\mathsf {hide \text {-}cuts}}\) securely realizes \(\mathcal {F}_{\mathsf {sfe}} ^f\) in a distributional-topology-hiding manner with respect to \({\mathcal{D} _{\mathsf {cut}}(n,c)} \). We start by defining the ideal functionalities that are used to define the protocol.

Ideal Functionalities Used in the Construction

The Share-to-Committee Functionality. In the share-to-committee m-party functionality, \(\mathcal {F}_{\mathsf {share\text {-}to\text {-}committee}} \), every party \({P} _i\in \{{P} _1,\ldots ,{P} _{2m}\}\) sends his input \(x_i\in {\{0,1\}^*}\), a share \(s_i\) (that can be the empty string), and a bit \(b_i\in \{0,1\}\) indicating whether \({P} _i\) has a neighbor in \(\{{P} _{2m+1},\ldots ,{P} _{3m}\}\). The functionality first tries to reconstruct the value \(x_{4m+1}\) from the shares \(s_1,\ldots , s_m\). Next, each party secret shares its input value \(x_i\) and sends the shares to the parties with \(b_i=1\). The formal description of the functionality can be found in Fig. 9.

Fig. 9.
figure 9

The share-to-committee functionality

Full size image
Fig. 10.
figure 10

The reconstruct-and-compute functionality

Full size image

The Reconstruct-and-Compute Functionality. The reconstruct-and-compute functionality, \(\mathcal {F}_{\mathsf {recon\text {-}compute}} \), is a 2m-party functionality. Denote the party-set by \(\{{P} _{2m+1}, \ldots , {P} _{4m}\}\). Every party \({P} _{2m+i}\) has an input value \(x_{2m+i}\in {\{0,1\}^*}\), and additional values consisting of shares of \((x_1,\ldots ,x_{2m},x_{4m+1})\). The functionality starts by using the additional inputs to reconstruct \((x_1,\ldots ,x_{2m},x_{4m+1})\). Next, the functionality computes \(y=f(x_1,\ldots ,x_{4m+1})\) and hands y as the output for every party. The formal description of the functionality can be found in Fig. 10.

The Output-Distribution Functionality. The 2m-party output-distribution functionality receives input values from (some) of the parties and sends one of them as output to all the parties (looking ahead, in the protocol there will be a single input value). The formal description of the functionality can be found in Fig. 11.

Fig. 11.
figure 11

The output-distribution functionality

Full size image

The Protocol. We now describe the protocol \(\pi _{\mathsf {hide \text {-}cuts}}\) and prove its security.

Lemma 3

Protocol \(\pi _{\mathsf {hide \text {-}cuts}}\) UC-realizes the wrapped functionality \(\mathcal {W}_{\mathsf {dist\text {-}graph\text {-}info}} ^{\mathcal{D} _{\mathsf {cut}}(n,c)} (\mathcal {F}_{\mathsf {sfe}} ^f)\) in the \((\mathcal {F}_{\mathsf {dist\text {-}graph}} ^{{\mathcal{D} _{\mathsf {cut}}(n,c)}}, \mathcal {F}_{\mathsf {share\text {-}to\text {-}committee}}, \mathcal {F}_{\mathsf {recon\text {-}compute}}, \mathcal {F}_{\mathsf {out\text {-}dist}})\)-hybrid model tolerating an adaptive, semi-honest, computationally unbounded \(\beta n\)-adversary, for any constant \(\beta <1/4\).

The proof of Lemma 3 can be found in the full version.

6.2 Impossibility in the Classical THC Model

The protocol \(\pi _{\mathsf {hide \text {-}cuts}}\) was defined in the weaker distributional-THC model. To justify the weaker model, we show that a similar result cannot be achieved in the stronger (classical) THC model. The reason is that according to this model (Definition 1) the environment, who chooses the communication graph, knows exactly which parties are on the cut and can corrupt them. This means that without relying on cryptographic assumptions or some correlated-randomness setup phase, two honest parties from opposite sides of the cut cannot communicate privately [18].

Fig. 12.
figure 12

Hiding low-weight cuts in the \((\mathcal {F}_{\mathsf {share\text {-}to\text {-}committee}},\mathcal {F}_{\mathsf {recon\text {-}compute}},\mathcal {F}_{\mathsf {out\text {-}dist}})\)-hybrid model

Full size image

We prove this intuition using our lower bound from Sect. 3.

Theorem 6

Let \(c>1\) be a constant and let \(t=\log ^c(n)\). Then, \(\mathcal {F}_{\mathsf {bc}} \) cannot be securely computed in a topology-hiding manner with respect to \(\mathsf {supp} ({\mathcal{D} _{\mathsf {cut}}(n,c)})\) tolerating computationally unbounded, semi-honest, static t-adversaries.

Proof

Let \(n=4m+1\) and let \(\pi \) be an n-party t-resilient broadcast protocol where party \({P} _{4m+1}\) is the broadcaster. Let \({ \varvec{i}}=(i_1,\ldots ,i_{n'})\) and \({ \varvec{j}}=(j_1,\ldots ,j_{n'})\) in \([m]^{n'}\) with distinct coordinates, and consider the following partition of the nodes:

figure a

For \(b\in \{0,1\}\), consider the graph \(\tilde{G}_b=G(b;{ \varvec{i}};{ \varvec{j}})\in \mathsf {supp} ({\mathcal{D} _{\mathsf {cut}}(n,c)})\). By definition, it holds that

  • In \(\tilde{G}_0\): there are no edges \((i,j)\in {\mathcal {P}} _1\times {\mathcal {P}} _3\), or \((i,j)\in {\mathcal {P}} _2\times {\mathcal {P}} _4\), or \((i,j)\in {\mathcal {P}} _1\times {\mathcal {P}} _4\),

  • In \(\tilde{G}_1\): there are no edges \((i,j)\in {\mathcal {P}} _1\times {\mathcal {P}} _3\), or \((i,j)\in {\mathcal {P}} _2\times {\mathcal {P}} _4\), or \((i,j)\in {\mathcal {P}} _1\times {\mathcal {P}} _2\).

Since \(t=|{\mathcal {P}} _3|\), by Corollary 1 there is no THB protocol with respect to \({\mathcal {G}} \) tolerating semi-honest, static t-adversaries with information-theoretic security.    \(\square \)