Topology-Hiding Computation on All Graphs

Abstract

A distributed computation in which nodes are connected by a partial communication graph is called topology hiding if it does not reveal information about the graph beyond what is revealed by the output of the function. Previous results have shown that topology-hiding computation protocols exist for graphs of constant degree and logarithmic diameter in the number of nodes (Moran–Orlov–Richelson, TCC’15; Hirt et al., Crypto’16) as well as for other graph families, such as cycles, trees, and low circumference graphs (Akavia–Moran, Eurocrypt’17), but the feasibility question for general graphs was open. In this work, we positively resolve the above open problem: we prove that topology-hiding computation is feasible for all graphs under either the decisional Diffie–Hellman or quadratic residuosity assumption. Our techniques employ random or deterministic walks to generate paths covering the graph, upon which we apply the Akavia–Moran topology-hiding broadcast for chain graphs (paths). To prevent topology information revealed by the random walk, we design multiple graph-covering sequences that, together, are locally identical to receiving at each round a message from each neighbor and sending back a processed message from some neighbor (in a randomly permuted order).

Appendices

Appendix A. Quadratic Residue-Based PKCR  Encryption

To keep this paper self-contained, in this section we will go over the results from [26]. Specifically, we will be proving that the algorithms we referenced in Sect. 3.1.5, re-randomization, and proxy re-encryption are correct and sound. This will finish the proofs in Sect. 3.1.5, showing that Cocks’ public-key encryption scheme is a PKCR  encryption scheme.

1.1 A.1. The QR Assumption, Jacobi Symbol, and Other Preliminaries

Before going into the re-randomization and re-encryption algorithms, we will first explain some notation and the assumption used in Cocks’ scheme. First, let \(\mathbf {QR}_N\) be the set of quadratic residues mod N, so

$$\begin{aligned} \mathbf {QR}_N := \{ a \in {\mathbb {Z}} _N^* : \exists b \text{ s.t. } b^2 \equiv a \mod N \}. \end{aligned}$$

Next, we use the standard notation for the Jacobi symbol: \(\left( \frac{a}{N} \right) \in \{\pm 1\}\), which is polynomial time computable via the law of quadratic reciprocity and has the property that is multiplicative. So, for \(N = pq\) (primes p and q),

$$\begin{aligned} \left( \frac{a}{N} \right) = \left( \frac{a}{p} \right) \cdot \left( \frac{a}{q} \right) \text{ and } \left( \frac{ab}{N} \right) = \left( \frac{a}{N} \right) \cdot \left( \frac{b}{N} \right) . \end{aligned}$$

where \(\left( \frac{a}{p} \right) = 1\) (called the Legendre symbol because p is prime) if and only if \(a \in \mathbf {QR}_p\) (same for q).

The QR assumption states that it is hard to tell whether an element in \({\mathbb {Z}} _N\) with Jacobi symbol 1 is a square or not. That is, we cannot tell whether \(a \in {\mathbb {Z}} _N\) is both a square mod p and mod q or is neither a square mod p or q.

Definition A.1

The quadratic residuosity assumption states that for all PPT adversaries \({{\mathcal {A}}}\), if \({{\mathcal {A}}}\) is given a composite RSA modulus \(N = pq\), and an element \(a \in {\mathbb {Z}} _N^*\) such that \(\left( \frac{a}{N} \right) = 1\), then

$$\begin{aligned} \left| \textit{Pr}\left[ {{\mathcal {A}}}(N, a) = 1 : a \in \mathbf {QR}_N \right] - \textit{Pr}\left[ {{\mathcal {A}}}(N, a) = 1 : a \not \in \mathbf {QR}_N \right] \right| < \text {negl}(|N|). \end{aligned}$$

1.1.1 A.1.1. More Notation and the Ring of Ciphertexts

Linear-function ciphertexts will be critical in proving that we can re-randomize Cocks’ ciphertexts as well as get \(\textsf {AddLayer}\) and \(\textsf {DelLayer}\) functionality.

Within \({\mathbb {Z}} _N\), we let \({\mathbb {J}}_1\) denote elements with Jacobi symbol 1 and \({\mathbb {J}}_{-1}\) denote the elements with Jacobi symbol \(-1\). Squares mod N are \(\mathbf {QR}_N\), and squares mod p are \(\mathbf {QR}_p\).

1.1.2 A.1.2. Linear-Function Ciphertexts

Recall from Sect. 3.1.5 given a modulus N and public key \(R \in \mathbf {QR}_N\), an encryption of a message \(m \in \{0,1\}\) is choosing a random \(t \in {\mathbb {Z}} _N\) such that \(\left( \frac{t}{N}\right) = (-1)^m\) and setting the ciphertext \(c = t + Rt^{-1}\). Decryption is computing \(\left( \frac{2r + c}{N} \right) = (-1)^{m'}\). Recall that the reason this worked was because \(2r + t + Rt^{-1} \equiv t^{-1}(t + r)^2 \pmod {x^2 - R}\).

So, instead of having our ciphertext be represented by \(2x + c\) (where we only need c to be the ciphertext since 2x is assumed), we can actually have a ciphertext be any linear function \(ax + b\) such that the decryption \(\left( \frac{ar + b}{N}\right) = (-1)^m\), which was done in the work of Clear et al. [10]. The downside is that the ciphertexts have doubled in length, but the plus side is that we get an easy way to compute homomorphisms. For two ciphertexts \(a_1 x + b_1\) and \(a_2x + b_2\) encrypting \(m_1\) and \(m_2\), respectively, \(a_3 x + b_3 = (a_1x + b_1) \cdot (a_2 x + b_2) \pmod {x^2 - R}\) is the homomorphic addition of the two ciphertexts because when we decrypt, we have

$$\begin{aligned} \left( \frac{a_3 r + b_3}{N} \right)= & {} \left( \frac{(a_1r + b_1)(a_2r + b_2) + h(r)(r^2 - R)}{N} \right) \\= & {} \left( \frac{a_1 r + b_1}{N} \right) \cdot \left( \frac{a_2 r + b_2}{N}\right) = (-1)^{m_1 \oplus m_2}. \end{aligned}$$

What we have just done is multiplying two elements in the ring \({\mathbb {Z}} _N[x]/(x^2 - R)\), and we have shown that our decryption algorithm respects this multiplication as homomorphic addition.

Rings of Ciphertexts As just shown, we will be working heavily in the ring \({\mathbb {Z}} _N[x]/(x^2 - R)\). We will introduce some notation for this ring and its counterparts. Let \({{\mathcal {R}}}_N = {\mathbb {Z}} _N[x]/(x^2 - R)\), \({{\mathcal {R}}}_p = {\mathbb {Z}} _p[x]/(x^2 - R)\), and \({{\mathcal {R}}}_q = {\mathbb {Z}} _q[x]/(x^2 - R)\). To denote the multiplicative groups of these rings, we write \({{\mathcal {R}}}_N^*\), \({{\mathcal {R}}}_p^*\), and \({{\mathcal {R}}}_q^*\). Note that \(|{{\mathcal {R}}}_N^*| = |{{\mathcal {R}}}_p^*| \cdot |{{\mathcal {R}}}_q^*| = (p^2 - 2p + 1)(q^2 - 2q + 1)\). So \({{\mathcal {R}}}_N^*\) is the overwhelmingly large fraction or \({{\mathcal {R}}}_N\), which has order \(p^2q^2\); almost all elements in \({{\mathcal {R}}}_N\) have multiplicative inverses, and we can show that if \(ax + b\) does not have an inverse, then either \(a/b = r\) or \(a^2R + b\) has a common factor with N (so, either we violate the QR assumption, or we factor N).

A ciphertext \(ax + b\) decrypts to 1 if \(\left( \frac{ar + b}{N} \right) = 1\) and to \(-1\) if \(\left( \frac{ar + b}{N} \right) = -1\). We denote the set of ciphertexts in \({{\mathcal {R}}}_N^*\) that decrypt to 1 as \({{\mathcal {C}}}_1\) and those that decrypt to \(-1\) to be \({{\mathcal {C}}}_{-1}\). Note that when using \({{\mathcal {C}}}_{1}\) and \({{\mathcal {C}}}_{-1}\), we are only referring to ciphertexts in the multiplicative group \({{\mathcal {R}}}_N^*\) (since getting anything without an inverse would imply breaking the QR assumption or factoring N).

1.1.3 A.1.3. Working Modulo a Prime p

In proving that we properly re-randomize a ciphertext, we will be relying on the Chinese remainder theorem (CRT), and so understanding how \({{\mathcal {R}}}_p\) (and also \({{\mathcal {R}}}_q\)) behave is important.

Lemma A.2

If \(ar + b\) is a square mod a prime p, then we can write \(ax + b\) as \((cx + d)^2\) in \({{\mathcal {R}}}_p^*\). If \(ar + b\) is a non-square mod a prime p, then we can take any \(u \not \in \mathbf {QR}_p\) and write \(ax + b\) as \(u(cx + d)^2 \pmod {x^2 - R}\).

Proof

Let \(u \in {\mathbb {Z}} _p^*\), but \(u \not \in \mathbf {QR}_p\).

All squares in \({{\mathcal {R}}}_p^*\) can be written as \((cx + d)^2\). Notice that \(u(cx + d)^2\) cannot be a square in \({{\mathcal {R}}}_p^*\). Since squares account for exactly half of \({{\mathcal {R}}}_p^*\), we can write all non-squares as \(u(cx + d)^2\) – u as a member of the group is a bijection as a multiplicative map from \({{\mathcal {R}}}_p\) to itself, and thus \(u(cx + d)^2\) maps to a different non-square for each square \((cx + d)^2\).

For a contradiction, assume \(ar + b \in \mathbf {QR}_p\), but \(ax + b\) is not a square. This means \(ax + b = u(cx + d)^2 \pmod {x^2 - R}\) for some \(cx + d\). But, when we evaluate at r, \((ar + b) = u (cr + b)^2\),

$$\begin{aligned} \left( \frac{u(cr + b)^2}{p} \right) = \left( \frac{u}{p} \right) \cdot \left( \frac{cr + b}{p} \right) ^2 = -1 \ne \left( \frac{ar + b}{p} \right) . \end{aligned}$$

This is a contradiction, and so \(ar + b\) being a quadratic residue mod p implies \(ax + b\) is a square in \({{\mathcal {R}}}_p^*\).

If we let \(ar + b \not \in \mathbf {QR}_p\). We get that \(ax + b = u(cx + d)^2\) for the same reason: if \(ax + b = (cx + d)^2\), then evaluation at r results in a contradiction. \(\square \)

1.1.4 A.1.4. Working in \({{\mathcal {R}}}_N\)

Lemma A.3

All \(ax + b \in {{\mathcal {C}}}_1\) are of the form \((a'x + b')^2/t\) where \(\left( \frac{t}{N} \right) = 1\). Similarly, all linear-function encryptions \(ax + b \in {{\mathcal {C}}}_{-1}\) are of the form \((a'x + b')^2/t\) where \(\left( \frac{t}{N} \right) = -1\).

Proof

First, assume \(ax + b \in {{\mathcal {C}}}_1\). We have two cases of decryption to deal with: one where \(ar + b\) is a square in both \({\mathbb {Z}} _p\) and \({\mathbb {Z}} _q\) and the other where it is a square in neither.

• \(ar + b \in \mathbf {QR}_p\) and \(\mathbf {QR}_q\). From Lemma A.2, we know that \(ax + b\) is a square in both \({{\mathcal {R}}}_p^*\) and \({{\mathcal {R}}}_q^*\). This means that mod p, we can write \(ax + b = (c_p x + d_p)^2\) and mod q, \(ax + b = (c_q x + d_q)^2\). By the Chinese remainder theorem (CRT) , we can thus write \(ax + b = (cx + d)^2\). Now let \(\gamma \in {\mathbb {Z}} _N^*\),

  $$\begin{aligned} ax + b = \frac{(\gamma cx + \gamma d)^2}{\gamma ^2} = \frac{(a'x + b')^2}{\gamma ^2}, \end{aligned}$$

  and \(\gamma ^2\) is guaranteed to have Jacobi symbol 1 because it is a square.

• \(ar + b \not \in \mathbf {QR}_p\) or \(\mathbf {QR}_q\). Again from Lemma A.2, \(ax + b\) is neither a square in \({{\mathcal {R}}}_p^*\) or \({{\mathcal {R}}}_q^*\). Again by CRT and Lemma A.2, \(ax + b = u(cx + d)^2\) where \(u \in {\mathbb {J}}_1\) and \(u \not \in \mathbf {QR}_N\). Now, we can do the same trick as before, to get

  $$\begin{aligned} ax + b = \frac{(\gamma cx + \gamma d)^2}{\gamma ^2/u} = \frac{(a'x + b')^2}{\gamma ^2/u}. \end{aligned}$$

  Notice that \(\gamma ^2/u\) is neither a square mod p or mod q and thus has Jacobi symbol 1 mod N.

The case where \(ax + b \in {{\mathcal {C}}}_{-1}\) is similar. Now, without loss of generality, we can assume \(ar + b \in \mathbf {QR}_p\) and \(ar + b \not \in \mathbf {QR}_q\). Lemma 3 tells us that mod p, \(ax + b = 1 \cdot (c_p x + d_p)^2 \mod p\) and \(ax + b = u_q(c_q x + d_q)^2 \mod q\). By the Chinese remainder theorem, we can find a \(t \in {\mathbb {Z}} _N\) so that \(t \equiv 1 \mod p\) and \(t \equiv 1/u_q \mod q\), as well as \(a' \equiv c_p \mod p\) and \(c_q \mod q\) and \(b' \equiv d_p \mod p\) and \(d_q \mod q\). We can rewrite

$$\begin{aligned} ax + b \equiv _N (a'x+ b')^2/t \pmod {x^2 - R}. \end{aligned}$$

Now we have \(\left( \frac{t}{N} \right) = \left( \frac{1}{p} \right) \cdot \left( \frac{u_q}{q} \right) = -1\) as desired. \(\square \)

1.2 A.2. Re-randomization of Cocks’ Ciphertexts

We now have a method for getting the correct decryption of homomorphically added linear-function ciphertexts using the linear-function representation (as in Clear et al. [10]). Now we need to convert a linear-function ciphertext into a proper Cocks’ ciphertext.

1.2.1 A.2.1. Converting a Linear-Function Ciphertext to a Cocks’ Ciphertext

We define the following helper function, \(\mathsf {Convert}\), which takes in two elements a and b of \({\mathbb {Z}} _N^*\), a public key R, and returns a proper Cocks ciphertext that will decrypt to the same message as \(\left( \frac{ar + b}{N}\right) \).

Claim A.4

[26] \(\mathsf {QR}.\mathsf {Convert}(a, b, R)\) outputs c such that \(\left( \frac{ar + b}{N}\right) = \left( \frac{2r + c}{N}\right) \) in polynomial time.

Proof

There are two things to prove: first that \(\mathsf {Convert}\) is correct and second that it terminates in polynomial time.

Correctness of\(\mathsf {QR}.\mathsf {Convert}\) Correctness is easy. Notice from our computation in the previous section, \(ax + b\) decrypts to the same element after each loop. Now, once \(\left( \frac{2/a}{N} \right) = 1\), then when we return \(c = 2a/b\), we are really computing \((2/a)(ax + b) = 2x + 2b/a\) and returning the constant term. So, when we decrypt c like a Cocks ciphertext, we get

$$\begin{aligned} \left( \frac{2r + c}{N} \right) = \left( \frac{2r + 2a/b}{N} \right) = \left( \frac{2/a}{N} \right) \cdot \left( \frac{ar + b}{N} \right) = \left( \frac{ar + b}{N} \right) , \end{aligned}$$

which is exactly the decryption of the linear-function ciphertext.

Runtime of\(\mathsf {QR}.\mathsf {Convert}\) Time is a bit less straightforward, but as long as \(ax + b\) has an inverse in the \({{\mathcal {R}}}_N\), we can prove that with constant probability, we will find d, e such that the resulting a has \(\left( \frac{2/a}{N}\right) = 1\). Recall that only a negligible fraction of elements \(ax + b \in {{\mathcal {R}}}_N\) do not have inverses (and finding non-invertible elements breaks the cryptosystem), and so we can expect \(\mathsf {Convert}\) never to deal with that case. We will show that if \(ax + b \in {{\mathcal {R}}}_N\) has a multiplicative inverse, then

$$\begin{aligned} \textit{Pr}_{c,d {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {Z}} _N^*, t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_1}\left[ \left( \frac{a'}{N} \right) = 1 \text{ where } a'x + b' = (ax + b)(dx + e)^2t^{-1} \right] = \frac{1}{2}. \end{aligned}$$

And therefore \(\textit{Pr}[\left( \frac{a/2}{N} \right) = 1] = \frac{1}{2}\) after each loop. So, we are only expected to loop two times.

We will be using the machinery and notation from Sect. 6, rewriting \(ax + b\) in terms of being a square in \({{\mathcal {R}}}_p\) and \({{\mathcal {R}}}_q\) or not, and then going through the cases.

First, we know that we can rewrite \(ax + b = (a'x + b')^2t'^{-1}\) where \(\left( \frac{t'}{N} \right) = \left( \frac{ar + b}{N} \right) \) by Lemma A.3. Now, the term in our probability \((ax + b)\left( (cx + d)^2t^{-1}\right) \) becomes \(((a'x + b')(dx + e))^2(tt')^{-1}\). Since \(a'x + b'\) will also have an inverse in \({{\mathcal {R}}}_N\), and we are choosing \(dx + e\) at random, we are just as likely to choose c, d as we are to choose \(c', d'\) where \((c' x + d') = (a'x + b')(dx + e) \pmod {x^2 - R}\). The term we are trying to bound the probability on is \(\frac{(dx + e)}{t}\) where \(\left( \frac{t'}{N} \right) = \left( \frac{ar + b}{N} \right) \).

Let \(m = \left( \frac{ar + b}{N} \right) \), the decryption of our ciphertext. We now have that the probability we are looking at is

$$\begin{aligned}&\textit{Pr}_{c,d {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {Z}} _N^*, t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_1}\left[ \left( \frac{e}{N} \right) = 1 \text{ where } ex + f = (ax + b)\frac{(dx + e)^2}{t} \right] \\&\quad =\textit{Pr}_{c,d {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {Z}} _N^*, t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_{m}} \left[ \left( \frac{e}{N} \right) = 1 \text{ where } ex + f = \frac{(dx + e)^2}{t}\right] . \end{aligned}$$

Now, we expand \(\frac{1}{t} \cdot (dx + e)^2 \pmod {x^2 - R}\), our linear term is just \(\frac{2}{t} cd\). We can analyze

$$\begin{aligned}&\textit{Pr}_{c,d {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {Z}} _N^*, t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_m}\left[ \left( \frac{2cd/t}{N} \right) = 1\right] = \sum \limits _{\gamma \in {\mathbb {J}}_1} \textit{Pr}_{c,d {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {Z}} _N^*, t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_m} \left[ \frac{2cd}{t} = \gamma \right] \\&\quad = \sum \limits _{\gamma \in {\mathbb {J}}_1} \sum \limits _{T \in {\mathbb {J}}_m}\textit{Pr}_{t \in {\mathbb {J}}_m}[t = T] \sum \limits _{C \in {\mathbb {Z}} _N^*}\textit{Pr}_{c \in {\mathbb {Z}} _N^*}[c = C] \cdot \textit{Pr}_{d \in {\mathbb {Z}} _N^*}\left[ d = \frac{T\gamma }{2C}\right] \\&\quad = \sum \limits _{\gamma \in {\mathbb {J}}_1} \sum \limits _{T \in {\mathbb {J}}_m} \frac{2}{\phi (N)} \sum \limits _{A \in {\mathbb {Z}} _N^*}\frac{1}{\phi (N)} \cdot \frac{1}{\phi (N)}\\&\quad = \frac{\phi (N)}{2} \cdot \left( \frac{\phi (N)}{2} \frac{2}{\phi (N)}\right) \left( \phi (N) \cdot \frac{1}{\phi (N)}\right) \cdot \frac{1}{\phi (N)} = \frac{1}{2}. \end{aligned}$$

\(\square \)

1.2.2 A.2.2. Using \(\mathsf {Convert}\) to Re-randomize

Now that we have \(\mathsf {QR}.\mathsf {Convert}\), we can define the three algorithms for \(\text {PKCR} \): randomization, adding a layer, and removing a layer. First, given any ciphertext and public key, the re-randomizing algorithm will produce a ciphertext computationally indistinguishable from a randomly generated fresh ciphertext of the same message.

Lemma A.5

[26] \(\mathsf {QR}.\textsf {Rand}(c, R)\) for an encryption c of a message m outputs a \(c'\) statistically (and therefore computationally) indistinguishable from a fresh encryption of m.

Proof

We will show that choosing d, e,  and t statistically randomizes \(2x + c\) as a ciphertext \(ax + b\) in \({{\mathcal {C}}}_m\). Once we have this, \(\mathsf {QR}.\mathsf {Convert}\) turns \(ax + b\) into a random ciphertext in \({{\mathcal {C}}}_m\) where \(\left( \frac{a/2}{N}\right) = 1\), meaning the resulting Cocks ciphertext will be random in the space of \({{\mathcal {C}}}_m\) of the form \(2x + c'\).

So, let’s show that choosing d, e, t results in statistically randomizing \(2x + c \)in \({{\mathcal {C}}}_m\). First, let’s define the distribution \({{\mathcal {D}}}_{ax + b}\) for an element \(ax + b\) in \({{\mathcal {R}}}_N\),

$$\begin{aligned} {{\mathcal {D}}}_{ax + b} := \left\{ (ax + b)\frac{(dx + e)^2}{t} : dx + e {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{{\mathcal {R}}}_N^*, t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_1 \right\} , \end{aligned}$$

which is statistically close to the output from the third line in \(\mathsf {QR}.\textsf {Rand}\) (when we compute \(a'x + b'\)). We say statistically close because d and e are chosen randomly from \({\mathbb {Z}} _N\). When it is obvious what \(ax + b\) is (it will be \(2x + c\), the linear function version of the Cocks’ ciphertext we start with unless otherwise specified), we will drop the subscript, writing \({{\mathcal {D}}}\).

With overwhelming probability, \(dx + e\) will have a multiplicative inverse in \({{\mathcal {R}}}_N^*\). So, we will prove that \({{\mathcal {D}}}\) randomizes ciphertexts that have inverses, and because the distribution from \({{\mathcal {D}}}\) is statistically close to the actual output of \(\textsf {Rand}\) and the set of ciphertexts that have inverses is statistically close to the set of all ciphertexts, \(\textsf {Rand}\) statistically re-randomizes a ciphertext.

Recall that our goal is to show that if \(2x + c \in {{\mathcal {C}}}_1\), then

$$\begin{aligned} {{\mathcal {D}}}\equiv \left\{ fx + g \text{ where } fx + g {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{{\mathcal {C}}}_1\right\} , \end{aligned}$$

and if \(2x + c \in {{\mathcal {C}}}_{-1}\), then

$$\begin{aligned} {{\mathcal {D}}}\equiv \left\{ fx + g \text{ where } fx + g {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{{\mathcal {C}}}_{-1}\right\} . \end{aligned}$$

We will define an alternative distribution. Let \(m = \left( \frac{ar + b}{N} \right) \), and let \({{\mathcal {D}}}'\) be

$$\begin{aligned} {{\mathcal {D}}}' := \left\{ (dx + e)^2/t : dx + e {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{{\mathcal {C}}}_1, t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_m \right\} . \end{aligned}$$

We will first show that \({{\mathcal {D}}}\equiv {{\mathcal {D}}}'\). We can rewrite \(2x + c = (a'x + b')^2t'^{-1}\) for some t with Jacobi symbol 1 using Lemma A.3. So, expanding our output from \({{\mathcal {D}}}\), \((2x + c) =(({\hat{a}}x + {\hat{b}})(dx + e))^2(tt')^{-1}\). Since we are choosing \((dx + e)\) from the multiplicative group \({{\mathcal {R}}}_N^*\) at random and \({\hat{a}}x + {\hat{b}}\) is also in \({{\mathcal {R}}}_N^*\), the probability of \({{\mathcal {D}}}\) choosing \((dx + e)\) for its output is the same as the probability of \({{\mathcal {D}}}\) choosing \(({\hat{a}}x + {\hat{b}}) (dx + e) \pmod {x^2 - R}\). Since \(\left( \frac{tt'}{N} \right) = \left( \frac{t}{N} \right) \), the probability \({{\mathcal {D}}}\) outputs a specific \(\frac{(dx + e)^2}{t}\) with \(\left( \frac{t}{N} \right) = m\) being equivalent to the probability \({{\mathcal {D}}}'\) outputs that element in \({{\mathcal {R}}}_N^*\).

Our goal now is to show that \({{\mathcal {D}}}'\) outputs, uniformly, a ciphertext that decrypts to m. Note that, by counting, \(|{{\mathcal {C}}}_1| = |{{\mathcal {R}}}_N^*|/2\), since exactly half of the elements in \({{\mathcal {R}}}_N^*\) are squares divided by elements of Jacobi symbol 1 and the other half are squares divided by elements of Jacobi symbol \(-1\). This means the probability that a uniform distribution on \({{\mathcal {C}}}_1\) outputs \(fx + g\) is \(\frac{2}{|{{\mathcal {R}}}_N^*|}\).

Let \(fx + g \in {{\mathcal {C}}}_1\). We will analyze the probability \({{\mathcal {D}}}'\) outputs \(fx + g\). By Lemma A.3, \(fx + g = \frac{(e'x + f')^2}{\gamma }\) where \(\gamma \in {\mathbb {J}}_1\). We have two cases, \(\gamma \in \mathbf {QR}_N\) and \(\gamma \not \in \mathbf {QR}_N\):

• \(\gamma \in \mathbf {QR}_N\). The probability that \({{\mathcal {D}}}'\) outputs \(fx + g\) is the probability that \(\frac{(dx + e)^2}{t} = \frac{(f'x + g')^2}{\gamma }\) when we randomly choose \(dx + e \in {{\mathcal {R}}}_N^*\) and \(t \in {\mathbb {J}}_1\):

  $$\begin{aligned}&\textit{Pr}_{dx + e {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{{\mathcal {R}}}_N^*, t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_1}\left[ \frac{(dx + e)^2}{t} = \frac{(f'x + g')^2}{\gamma }\right] \\&= \sum \limits _{T \in {\mathbb {J}}_1} \textit{Pr}_{t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_1}[t = T] \cdot \textit{Pr}_{dx + e {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{{\mathcal {R}}}_N^*}\left[ (dx + e)^2 = \frac{T}{\gamma }(f'x + g')^2 \right] . \end{aligned}$$

  Notice that this equation only has a solution in \(dx + e\) if \(t \in \mathbf {QR}_N\). Otherwise, we are trying to solve \((dx + e)^2 = \frac{t}{\gamma } (e'x + f')^2 \pmod {x^2 - R}\) when \((dx + e)^2\) is a square, but \(\frac{t}{\gamma }(f'x + g')^2\) is not.

  Now, assuming that \(T/\gamma \in \mathbf {QR}_N\), we can let \(k^2 = T/\gamma \) and rewrite \(k^2(f'x + g'^2) = (kf'x + kg')^2 = ({\hat{f}} x + {\hat{g}})^2\). We are looking for the probability that a random \(dx + e\) is a solution to \((dx + e)^2 = ({\hat{f}}x + {\hat{g}})^2 \pmod {x^2 - R}\). We need to know how many solutions there are to this. We will use CRT.

  Mod p, there are exactly two solutions \(dx + e \in {{\mathcal {R}}}_p^*\) to \(({\hat{f}}x + {\hat{g}})^2\): at least two because \(\pm ({\hat{f}}x + {\hat{g}})\) are both solutions, and no more than two because the size of squares is exactly half of \({{\mathcal {R}}}_p^*\). Mod q there are also exactly two solutions. This means, mod N, there are four total solutions. Now, when we continue to analyze this probability, we have

  $$\begin{aligned}&\sum \limits _{T \in {\mathbb {J}}_1} \textit{Pr}_{t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_1}[t = T] \cdot \textit{Pr}_{dx + e {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{{\mathcal {R}}}_N^*}\left[ (dx + e)^2 = (T/\gamma )(f'x + g')^2 \right] \\&\quad = \sum \limits _{T \in \mathbf {QR}_N} \frac{2}{\phi (N)} \cdot \frac{4}{|{{\mathcal {R}}}_N^*|}\\&\quad = \left( \frac{\phi (N)}{4} \cdot \frac{2}{\phi (N)}\right) \cdot \frac{4}{|{{\mathcal {R}}}_N^*|}\\&\quad =\frac{2}{|{{\mathcal {R}}}_N^*|}. \end{aligned}$$

  So, in this case, the distribution \({{\mathcal {D}}}'\) is the same as uniform.

• \(\gamma \not \in \mathbf {QR}_N\). We can use the same analysis tricks, except T must also not be in \(\mathbf {QR}_N\), but still must have Jacobi symbol 1. So,

  $$\begin{aligned}&\textit{Pr}_{dx + e {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{{\mathcal {R}}}_N^*, t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}{\mathbb {J}}_{-1}}\left[ (dx + e)^2/t = (f'x + g')^2/\gamma \right] \\&\quad = \sum \limits _{T \not \in \mathbf {QR}_N} \frac{2}{\phi (N)} \cdot \frac{4}{|{{\mathcal {R}}}_N^*|}\\&\quad = \left( \frac{\phi (N)}{4} \cdot \frac{2}{\phi (N)}\right) \cdot \frac{4}{|{{\mathcal {R}}}_N^*|}\\&\quad =\frac{2}{|{{\mathcal {R}}}_N^*|}. \end{aligned}$$

The case where \(2x + c, fx + g \in {{\mathcal {C}}}_{-1}\) is proved in exactly the same manner. \(\square \)

1.3 A.3. Adding and Deleting Layers from a Cocks’ Ciphertext

The strategy here is taken from LaVigne’s work in proxy re-encryption [26]. At a high level, c is a valid ciphertext for a message m encrypted under a public key \(\mathsf {pk}\) if \(\left( \frac{c \mathsf {sk}+ 2}{N}\right) = (-1)^m\). So, if we want to decrypt c (encryption of m under \(\mathsf {pk}\)) with a combined secret key \(\mathsf {sk}\cdot \mathsf {sk}'\) (corresponding to public key \((\mathsf {sk}\cdot \mathsf {sk}')^2\)) instead of \(\mathsf {sk}\), we let \(c' = c/\mathsf {sk}'\), and then decryption is guaranteed to produce the same output. Of course, \(c'\) is not a random-looking ciphertext, so then we apply \(\mathsf {QR}.\textsf {Rand}\) to get our output.

Lemma A.6

For any public key \(\varvec{{\mathsf {k}}}'\) and \((\mathsf {pk}, \mathsf {sk})\) in Cocks, and \(c = \mathsf {QR}.\mathsf {Enc}(\varvec{{\mathsf {k}}}, m)\), the following are equivalent distributions:

$$\begin{aligned} \{ \mathsf {QR}.\textsf {AddLayer}(c, \mathsf {sk}) \} \equiv _s \{ \mathsf {QR}.\mathsf {Enc}(\varvec{{\mathsf {k}}}'\cdot \mathsf {pk}, m) \} \end{aligned}$$

and for \(c' = \mathsf {Enc}(\varvec{{\mathsf {k}}}' \cdot \mathsf {pk}, m)\),

$$\begin{aligned} \{ \mathsf {QR}.\textsf {DelLayer}(c', \mathsf {sk}) \} \equiv _s \{ \mathsf {QR}.\mathsf {Enc}(\varvec{{\mathsf {k}}}', m) \} \end{aligned}$$

Proof

First, we will analyze \(\mathsf {QR}.\textsf {AddLayer}\). The combined public key for adding a layer is \(\varvec{{\mathsf {k}}}' \cdot \mathsf {pk}= (\mathsf {sk}' \cdot \mathsf {sk})^2\), with corresponding combined secret key \(\mathsf {sk}' \cdot \mathsf {sk}\), and we define a ciphertext c as a valid encryption of m under public key \(\mathsf {pk}\) if decryption results in \((-1)^m\), i.e., \(\left( \frac{c\mathsf {sk}+ 2}{N} \right) = (-1)^m\).

The input to \(\mathsf {QR}.\textsf {Rand}\) is the ciphertext \(c'\) under public key \(R' = \varvec{{\mathsf {k}}}' \cdot (\mathsf {sk})^2 \in \mathbf {QR}_N\). Let the secret key for \(\varvec{{\mathsf {k}}}'\) be \(\mathsf {sk}'\) (the square root of \(\varvec{{\mathsf {k}}}'\)). Notice that decryption of the ciphertext c is just taking the symbol of \(c \mathsf {sk}' + 2\). Now, if we plug in the combined secret key \(\mathsf {sk}' \cdot \mathsf {sk}\), we get that \(c'\mathsf {sk}' \cdot \mathsf {sk}+ 2 = c \mathsf {sk}' + 2\), and so the decryption is the same: \(\left( \frac{c' \mathsf {sk}'\cdot \mathsf {sk}+ 2}{N} \right) = \left( \frac{c \mathsf {sk}' + 2}{N} \right) \). Thus, \(c'\) is a valid ciphertext encrypting the same message as c under the combined public key \(\varvec{{\mathsf {k}}}' \cdot (\mathsf {sk})^2 = \varvec{{\mathsf {k}}}' \cdot \mathsf {pk}= R'\). Then, when we apply \(\mathsf {QR}.\textsf {Rand}\) to \(c'\), the output is a ciphertext statistically indistinguishable from a fresh encryption of that message under the key \(R'\).

We can go through the same logic for \(\mathsf {QR}.\textsf {DelLayer}\). The un-combined public and secret keys are \(\varvec{{\mathsf {k}}}\) and \(\mathsf {sk}\). The input to \(\mathsf {QR}.\textsf {Rand}\) is the ciphertext \(c' = c \cdot \mathsf {sk}_2\), and so the decryption of \(c'\) under the un-combined key is \(\left( \frac{c' \mathsf {sk}' + 2}{N} \right) = \left( \frac{c \mathsf {sk}' \cdot \mathsf {sk}+ 2}{N} \right) \). This makes \(c'\) a valid encryption of the same message of c under public key \(\varvec{{\mathsf {k}}}'\). Since \(\mathsf {QR}.\textsf {Rand}\) produces a ciphertext that is statistically indistinguishable from a fresh encryption of the same message, the output from \(\textsf {DelLayer}\) is a ciphertext indistinguishable from a fresh encryption of the message under the public key \(\varvec{{\mathsf {k}}}'\). \(\square \)

Appendix B. Compiling Broadcast to Secure Multiparty Computation

Our method for proving that topology-hiding computation (THC) possibly involves compiling general MPC protocols using UC-secure topology-hiding broadcast (THB) and public-key cryptography. In this section, we will go into detail about the model of MPC we realize (semi-honest adversaries statically corrupting any subset of nodes with synchronous communication). Then, we will formally prove that UC-secure THB along with public-key cryptography can compile any MPC protocol in this model into a topology-hiding MPC using our security definition, detailed in Sect. 4.

1.1 B.1. The MPC and THB Models

In this section, we go over our exact security models of what we need to achieve THC. First, we will describe the standard MPC model which is synchronous and secure against semi-honest adversaries. Then, we will adapt our definition for what UC-secure THB is, mainly so that it works well with the proof that our compilation of THB to THC works. Finally, we note that we need CPA-secure public-key encryption (secure against only chosen plaintext attacks) and provide a definition for it.

1.1.1 B.1.1. MPC Model: Semi-honest Adversaries

The material in this section is referenced one of the MPC models described by Goldreich [14].

First, we will explain some of our notation. The goal will be to compute an n-ary function \(f:(\{0,1\}^*)^n \rightarrow (\{0,1\}^*)^n\), where each of the n inputs corresponds to an input from one of the parties taking part in the computation, and the outputs will correspond to the output a party receives.

Let \(\Pi \) denote some protocol for n parties. \(\Pi \) assumes synchronous communication and point-to-point channels between each party. Every round, parties send and receive messages from each other along these channels and then perform some computations on them. For a function f with inputs \(\mathbf x = (x_1, \dots , x_n)\), respectively, from parties \(P_1, \dots , P_n\), \(\Pi \)realizes the functionality of f if by the end of the protocol, each party i gets the output \(f(\mathbf x)_i\).

Definition B.1

For a protocol \(\Pi \) for n parties, the view of a party is

$$\begin{aligned} {\textsc {view}}_i^\Pi (\mathbf x) = (x_i, r, m_1, m_T) \end{aligned}$$

and the view of any subsets of parties \(I \subset [n]\) is

$$\begin{aligned} {\textsc {view}}_I^\Pi (\mathbf x) = (I, ({\textsc {view}}_i^\Pi (\mathbf x))_{i \in I}). \end{aligned}$$

The outputs are defined similarly:

$$\begin{aligned} \textsc {output}_i^\Pi (\mathbf x) = f_i(x)\text{, } \text{ and } \textsc {output}_I^\Pi (\mathbf x) = (f_i(x))_{i \in I} \end{aligned}$$

Definition B.2

For a protocol \(\Pi \) realizing a functionality f, we say \(\Pi \)privately computesf if there exists a PPT algorithm \({{\mathcal {S}}}\) (a simulator), such that for all subsets \(I \subset [n]\),

$$\begin{aligned} \{{{\mathcal {S}}}(I, (x_i)_{i \in I}, f_I(\mathbf x)), f(\mathbf x)\} {\mathop {\approx }\limits ^{c}} \{{\textsc {view}}_I^\Pi (\mathbf x), \textsc {output}^\Pi \} \end{aligned}$$

This notion of being private computatable states exactly that if a PPT adversary corrupts some subset I of the parties, but follows the protocol \(\Pi \) (is semi-honest), then she has a negligible chance of distinguishing between the world where she is interacting with other parties and in the world where she interacts with the simulator \({{\mathcal {S}}}\). This is equivalent to our notion of secure MPC throughout this work.

1.1.2 B.1.2. Topology-Hiding Computation Model

Here, we will review what it takes for a protocol to be topology hiding. The formal definition, from Definition 4.1, states that we need a protocol that UC-realizes \(({\mathcal {F}}_{\text {graphInfo}}|| {\mathcal {F}})\) in the \({\mathcal {F}}_{\text {graph}}\)-hybrid model. Let \({\mathcal {F}}_{\text {graphInfo}}(I)\) represent the local graph information of parties in I in accordance with the functionality of \({\mathcal {F}}_{\text {graph}}\). So, we say that for a protocol to be a topology-hiding realization of a function f, there exists a PPT simulator \({{\mathcal {S}}}\) that only has access to the local graph information and local computation information to produce views computationally indistinguishable from views in the real protocol. That is, against a static, semi-honest adversary, we just need the following distributions to be computationally indistinguishable in order for a protocol to be topology hiding: for any subset of parties \(I \subset [n]\),

$$\begin{aligned} \{{{\mathcal {S}}}(I, {\mathcal {F}}_{\text {graphInfo}}(I), (x_i)_{i \in I}, f_(\mathbf x)), f(\mathbf x)\}_{\mathbf x \in (\{0,1\}^*)^n} {\mathop {\approx }\limits ^{c}} \{{\textsc {view}}_I^\Pi (\mathbf x), \textsc {output}^\Pi (\mathbf x)\}_{\mathbf x \in (\{0,1\}^*)^n} \end{aligned}$$

For an in-depth description of the UC model and for why this definition is UC, we refer the reader to Canettti’s work on universal composability [7].

1.1.3 B.1.3. CPA-Secure Public-Key Encryption

We will need one more element to go from THB to THC: a public-key encryption scheme secure against plaintext attacks (CPA-secure PKE). For completeness, we have included a definition here.

Definition B.3

A public-key encryption scheme (\(\textsf {KeyGen} \), \(\mathsf {Enc}\), \(\mathsf {Dec}\)) is CPA secure if any PPT adversary \({{\mathcal {A}}}\) cannot win the IND-CPA security game with probability greater than \(1/2 + \text {negl}(\kappa )\).

Now we define this security game:

Definition B.4

The IND-CPA security game works as follows:

1. 1.

   Setup. The challenger \({{\mathcal {C}}}\) gets public and secret keys \((pk, sk) \leftarrow \textsf {KeyGen} (\kappa )\) and sends pk to \({{\mathcal {A}}}\).

2. 2.

   Challenge phase. The adversary performs as many encryptions as she wants using pk and then sends challenge messages \(M_0\) and \(M_1\). \({{\mathcal {C}}}\) chooses a random bit b and sends the ciphertext \(\mathsf {Enc}(pk, M_b)\) to \({{\mathcal {A}}}\).

3. 3.

   Output phase. \({{\mathcal {A}}}\) outputs \(b'\) and wins if \(b = b'\).

1.2 B.2. Compiling MPC to Topology-Hiding MPC with Broadcast and Public-Key Encryption

In this section we will prove that with THB and CPA-secure PKE, we get a topology-hiding realization of any MPC protocol \(\Pi \). Since there exist MPC protocols against static, semi-honest adversaries for all efficiently computable functions, it follows that we get topology-hiding computation for all efficiently computable functions.

Theorem B.5

(Compiling THC from THB and PKE) Assume UC-secure THB and CPA-secure PKE exist. Then, for any PPT protocol \(\Pi \) that privately computes a function \(f:(\{0,1\}^*)^n \rightarrow (\{0,1\}^*)^n\), there exists a PPT protocol \(\Pi '\) that is a topology-hiding realization of the functionality of f.

Proof

\(\Pi \) is a PPT multiparty protocol: instructions are either to run a local computation or, at each round, to send some messages from one party to another along a point-to-point channel. \(\Pi '\) will operate as \(\Pi \) except there will be a setup phase and point-to-point communication will be handled with broadcast and public-key encryption.

Let \(\phi \) be the topology-hiding broadcast protocol. \(\Pi '\) works as follows:

• Setup phase. Every party creates a public–secret-key pair \((pk_i, sk_i)\). Then, every party broadcasts their public key \(pk_i\) via \(\phi \).

• Point-to-point communication. If party i needs to send a message m to party j in protocol \(\Pi \), \(\Pi '\) dictates the following. First, party i computes \(c_i \leftarrow \mathsf {Enc}(pk_j, m)\). Then, party i broadcasts \(c_i\) using \(\phi \) under a session ID corresponding to that channel. Finally, party j, upon receiving \(c_i\), decrypts \(m_i \leftarrow \mathsf {Dec}(sk_i, c_i)\).

• Internal computation. Any internal computation run on information gathered from other parties or from randomness is carried out exactly as in \(\Pi \).

Now we have to prove that \(\Pi '\) realizes the ideal, topology-hiding functionality of \(\Pi \). First, \(\Pi '\) is correct. This follows from correctness of \(\Pi \) in computing the functionality and from the correctness of encryption and decryption.

Proving that this is topology hiding is more involved. Since \(\Pi \) privately computes f, there exists a simulator \({{\mathcal {S}}}\) so that for any adversary controlling \(I \subset [n]\) parties, \({{\mathcal {S}}}\) can simulate the views of the adversary without any knowledge of the other parties’ inputs. We will show that there exists a simulator \({{\mathcal {S}}}'\) simulating an adversary’s view of \(\Pi '\) and furthermore that \({{\mathcal {S}}}'\) requires no knowledge of other parties’ inputs or the structure of the graph beyond the adversary’s local neighborhood. This will prove that \(\Pi '\) is a topology-hiding MPC.

First, let’s examine the view of any subset I of parties, comparing the view of \(\Pi \) and the view of \(\Pi '\):

$$\begin{aligned} {\textsc {view}}_I^\Pi (\mathbf x)&= ((x_i)_{i \in I}, r, m_1, \dots , m_T) \\ {\textsc {view}}_I^{\Pi '}(\mathbf x)&= ((x)_{i \in I}, r, r', R_1, \dots R_T) \end{aligned}$$

where each \(R_i\) is actually a collection of messages representing the communication at round i in the original protocol \(\Pi \). So, we can split \(R_i\) into the communication for each point-to-point channel using the session ID’s. We will show, with a series of hybrids, that we can create a simulated view computationally indistinguishable from the actual view of \(\Pi '\).

• Hybrid 0. The simulator \({{\mathcal {S}}}'\) emulates the real-world view exactly. \({{\mathcal {S}}}\) requires all party inputs and the structure of the graph G. Here, we will write \({{\mathcal {S}}}'_0\) as the simulator that emulates the real-world view exactly, so

  $$\begin{aligned} \{({{\mathcal {S}}}'_0(I, {\mathcal {F}}_{\text {graphInfo}}([n]), \mathbf x, f(\mathbf x), f(\mathbf x)\} \equiv \{{\textsc {view}}_I^\Pi (\mathbf x), \textsc {output}_I^\Pi (\mathbf x)\} \end{aligned}$$

• Hybrid 1.1 to 1.n. In these hybrids, we examine the setup phase and, instead of having our simulator use G to compute the topology-hiding broadcast for each key \(pk_i\) for party \(i \in [n]\) and we replace it with a simulated broadcast from \({{\mathcal {S}}}_\mathrm{THB}(I, {\mathcal {F}}_{\text {graphInfo}}(I), (x_i)_{i \in I}, f(\mathbf x) = pk_j)\), which does not require knowing the graph structure beyond \({\mathcal {F}}_{\text {graphInfo}}(I)\). Formally, the simulator in hybrid 1.j is identical to the simulator in hybrid \(1.(j-1)\) except that it simulates communication in the topology-hiding broadcast for broadcasting key \(pk_j\) with \({{\mathcal {S}}}_\mathrm{THB}\).

• Hybrids 2.1 to 2.n. We still need to account for the keys broadcast during the setup phase: \({{\mathcal {S}}}'\) still needs to know what public and secret keys each party has. \({{\mathcal {S}}}'\) now replaces the public keys generated by other parties with public keys that \({{\mathcal {S}}}'\) generates with \(\textsf {KeyGen} \) and ignores the secret keys of all parties \(j \not \in [I]\). More explicitly, for each \(j \in [n]\), \(j \not \in I\), \({{\mathcal {S}}}'\) replaces the input \(pk_j\) to the setup phase key broadcast with a key from \(\textsf {KeyGen} \). Each hybrid in this part corresponds to \(j \in [n]\) (notice if \(j \in I\), hybrid 2.\((j-1)\), is equivalent to hybrid 2.j).

  Notice now that for the setup phase of our compiled algorithm, \({{\mathcal {S}}}'\) does not need any information outside of \({\mathcal {F}}_{\text {graphInfo}}(I)\) and the inputs from parties in I.

• Hybrids 3.1 to 3.\(n^2\). In these hybrids, \({{\mathcal {S}}}'\) replaces the real-world communication dictated by the topology-hiding broadcast protocol \(\phi \) with simulated messages using the topology-hiding broadcast simulator \({{\mathcal {S}}}_\mathrm{THB}\). That is, for each of the \(n^2\) possible channels representing communication between i and j, we replace the perfectly simulated broadcast with messages from \({{\mathcal {S}}}_\mathrm{THB}(I,{\mathcal {F}}_{\text {graphInfo}}(I), (x_i)_{i \in I}, f_{i\rightarrow j}(\mathbf x) = m_{i \rightarrow j})\).

  So, \({{\mathcal {S}}}'\) no longer requires knowing any of the topological information of the graph (all information was communicated via broadcast, and now all broadcasts have been replaced with messages from a simulator that does not need extra topological information). So, \({{\mathcal {S}}}'\) takes as input \(I, {\mathcal {F}}_{\text {graphInfo}}(I), \mathbf x\), and \(f(\mathbf x)\) (notice that \({{\mathcal {S}}}'\) still depends on inputs from parties not in I).

• Hybrids 4.1 to 4.T. Notice that our simulator in hybrid 3.\(n^2\) still requires knowing each of the messages that every party sends to every other party, so that it can give the correct input to the broadcast subroutines. For each \(t \in [T]\), hybrid 4.t will look exactly like \(4.(t-1)\) except if \(m_t\) is encrypted under \(pk_j\) for some \(j \not \in I\), we replace it with an encryption of 0.

• Hybrid 5. In hybrid 4.T, we require knowing all parties’ messages so that we can compute the correct messages for parties in I. In this hybrid, we change all messages received by parties in I to simulated messages using the simulator \({{\mathcal {S}}}\) for the multiparty protocol \(\Pi \), which takes as input \({{\mathcal {S}}}(I, (x_i)_{i \in I}, (f_i(\mathbf x))_{i \in I})\)). This completes the task of eliminating the simulator’s need to see real messages or inputs from parties not in I. Now, the simulator only needs to take as input \({{\mathcal {S}}}(I, {\mathcal {F}}_{\text {graphInfo}}(I), (x_i)_{i \in I}, (f_i(\mathbf x))_{i \in I})\).

So, by the end of these hybrids, our simulator only needs local information about the corrupted parties I. Now we will prove that each hybrid is indistinguishable from its neighboring hybrids, which will finish the proof that \(\Pi '\) is topology hiding.

• Hybrid 0 is computationally indistinguishable from hybrid 1. For any subset of parties I, \({{\mathcal {S}}}_\mathrm{THB}\) produces a set of messages simulating the broadcast of \(pk_1\). The set of simulated messages will be computationally indistinguishable from the parties of I interacting with the real world from the definition of topology hiding.

• Hybrid 1.i is computationally indistinguishable from hybrid \(1.(i+1)\). This is for the same reason as before. Replacing the broadcast of public key \(pk_{i+1}\) with simulated messages from \({{\mathcal {S}}}_\mathrm{THB}\) is computationally indistinguishable from the real-world communication for any subset of parties I.

• Hybrid 1.n is indistinguishable from hybrid 2.1. We are just replacing a public key generated by a party’s own randomness with the simulator’s randomness. The distribution of public keys will be identical.

• Hybrid 2.i is indistinguishable from hybrid 2.\((i+1)\). This is true for the same reason as above.

• Hybrid 2.n is computationally indistinguishable from hybrid 3.1. Here, we replace one message channel with simulated messages from \({{\mathcal {S}}}_\mathrm{THB}\). Since the message channel was represented by a broadcast, we get the same functionality, and the output from simulator \({{\mathcal {S}}}_\mathrm{THB}\) will be computationally indistinguishable from the real-world views by the definition of topology hiding. It is important to note that we are running many of these broadcasts, one after another, but since we have a broadcast secure in the UC model against a passive adversary, running multiple of them simultaneously keeps the topology-hiding and privacy properties.

• Hybrid 3.i is indistinguishable from hybrid \(3.(i+1)\). This is true for the same reason as above: changing a channel from real-world communication to the simulated communication from \({{\mathcal {S}}}_\mathrm{THB}\) is computationally indistinguishable to any PPT adversary controlling parties in I.

• Hybrid 3.\(n^2\) is computationally indistinguishable from hybrid 4.1. Here, we may replace an encryption of an actual message with an encryption of 0. If \(m_1\) in the original protocol \(\Pi \) is sent to \(j \in I\), then there is no change between the hybrids, so they will be indistinguishable to an adversary controlling parties in I. However, if \(m_1\) is sent to \(j \not \in I\), then \(c_1\) becomes an encryption of 0. The broadcast means that \({\textsc {view}}_I\) includes \(c_1\). However, because no parties in I have a secret key associated with \(c_1\), even an adversary controlling all parties in I could not distinguish between the two hybrids without breaking the IND-CPA security of the encryption.

• Hybrid 4.i is computationally indistinguishable from hybrid \(4.(i+1)\). This is true for the same reason as above. Either \(m_{i+1}\) is sent to a party in I, so there is no change between these hybrids, or \(m_{i+1}\) is sent to a party not in I, and the IND-CPA security of the encryption allows us to get away with encrypting 0 instead of the actual message.

• Hybrid 4.T is computationally indistinguishable from hybrid 5. This is because \(\Pi \) privately computes f, so there exists a simulator \({{\mathcal {S}}}\) for \(\Pi \). The purpose of \({{\mathcal {S}}}\) is to simulate views for every party in I during the computation so that the corrupted parties in I cannot distinguish if they are interacting with a simulator or with other parties. So, when we change the perfectly simulated messages for parties to messages from the simulated views for I using \({{\mathcal {S}}}\), we still get that no PPT adversary can distinguish these two worlds without breaking the privacy-preserving property of \(\Pi \).

So, our simulator \({{\mathcal {S}}}'(I, {\mathcal {F}}_{\text {graphInfo}}(I), (x_i)_{i\in I}, f_I(\mathbf x))\), only requires local knowledge for any subset of parties and is indistinguishable from the 0 hybrid, where \({{\mathcal {S}}}'\) was identical to the real world:

$$\begin{aligned} \{{{\mathcal {S}}}'(I, {\mathcal {F}}_{\text {graph}}(I), (x_i)_{i \in I}, f_I(\mathbf x)), f(\mathbf x)\}&{\mathop {\approx }\limits ^{c}} \{({{\mathcal {S}}}'_0(I, {\mathcal {F}}_{\text {graphInfo}}([n]), \mathbf x, f(\mathbf x), f(\mathbf x)\}\\&\equiv \{{\textsc {view}}_I^\Pi (\mathbf x), \textsc {output}^\Pi (\mathbf x)\} \end{aligned}$$

Therefore, \(\Pi '\) is a topology-hiding realization of f. \(\square \)

The following corollary is just a formal statement that we can get topology-hiding computation for all efficiently computable functions from THB and CPA-secure PKE.

Corollary B.6

Assume UC-secure THB and CPA-secure PKE exist. Then, for any efficiently computable function \(f:(\{0,1\}^*)^n \rightarrow (\{0,1\}^*)^n\), there exists a PPT protocol \(\Pi '\) that is a topology-hiding realization of the functionality of f.

Proof

For every efficiently computable function f, there exists an MPC protocol \(\Pi \) [15, 16, 35]. From Theorem B.5, this means there exists a protocol \(\Pi '\) which is the topology-hiding realization of \(\Pi \). \(\square \)