1 Introduction

Reliable communication between a set of mutually distrustful parties lies at the core of virtually any distributed protocol, ranging from consensus tasks [15, 19] to secure multiparty computation [5, 9, 11, 21]. Classical protocols from the ’80s considered complete communication graphs between the parties, where each pair of parties is connected by a communication channel. However, in many real-life scenarios the parties are not pairwise connected; this raises the need for distributed interactive computations, and in particular communication protocols, over an incomplete graph. Often, the network topology itself may be sensitive information that should not be revealed by the protocol.

Topology–Hiding Broadcast. With this motivation, Moran et al. [18] formalized the concept of topology–hiding computation (THC). Here, the goal is to allow parties who see only their immediate neighborhood (and possibly know that the graph belongs to some class), to securely compute arbitrary functions without revealing any additional information about the graph topology other than the output (computations on the graphs, e.g., establishing routing tables, are also supported). THC is of theoretical interest, but is also motivated by real-world settings where it is desired to keep the underlying communication graph private. These include social networks, ISP networks, ad hoc (or mesh) networks, vehicle-to-vehicle communications, and possible approaches for contact tracing.

Given the existence of general MPC protocols, achieving THC for arbitrary functions hinges on communicating in a topology–hiding way, rather than on keeping inputs private. In particular, a core bottleneck for achieving general THC is the special case of topology–hiding broadcast (THB), where a designated party (the broadcaster) reliably sends its message to all other parties. Indeed, given an MPC protocol for a function f defined in the broadcast model (where all communication is sent via a broadcast channel, possibly encrypted),Footnote 1 the parties can replace the broadcast channel by a THB protocol to obtain a THC protocol for the function f.

Although broadcast is a privacy-free task, realizing THB turns out to be challenging, even in the semi-honest setting where all parties follow the protocol. This is in stark contrast to standard (topology-revealing) broadcast, which is trivially achievable in the semi-honest setting, e.g., simply “flooding” the network, forwarding received messages. For general semi-honest corruptions, the best THB constructions follow from a series of works [1, 2, 12, 16, 18], culminating in THB (as well as THC) protocols for all graphs. However, even for THB, all known protocols require structured public-key cryptographic assumptions, such as QR, DDH, or LWE.Footnote 2 The use of strong assumptions was justified by Ball et al. [3] who showed that without an honest majority, even THB implies oblivious transfer (OT).Footnote 3

A central paradigm in standard (topology–revealing) secure computation is to exchange cryptographic assumptions with an honest-majority assumption [5, 9, 20]. A recent work of Ball et al. [4] asked whether such a paradigm can be applied in the topology-hiding realm. The results of [4] demonstrated that answering this question is more subtle than meets the eye, even when considering the basic case of one semi-honest corruption. On the one hand, they showed that information-theoretic THB (IT-THB) can be achieved for the graph class of cycles, where the protocol hides the ordering of parties within the cycle. On the other hand, they identified that THB for paths of \(n\ge 4\) nodes (again hiding ordering) implies key agreement.

This Work. In a sense, [4] unveiled the tip of the iceberg, revealing a range of questions: Which aspects of the topology can be hidden information theoretically, and which require cryptographic hardness? Is key agreement sufficient for 1-corruption THB, or are there graph classes that require stronger assumptions?

In this paper we study the cryptographic power of THB. The main question that we ask is:

What are the minimal cryptographic assumptions required for THB for a given class of graphs?

We focus on a minimal setting, with a small number of parties and a single, or few, semi-honest corruptions, which we denote by t-THB for t corruptions. This makes our lower bounds stronger; and, as we demonstrate, even this simple setting offers a rich multi-layered terrain, and provides insights and implications for more general settings (including THC).

Before proceeding to state our results, we note that prior THB protocols actually achieved the stronger property of topology-hiding anonymous broadcast (THAB), where the identity of the broadcaster remains hidden [7, 8]. From the definitions of these primitives, we have that

$$ \text {\textsf {THC}} \quad \Longrightarrow \quad \text {\textsf {THAB}} \quad \Longrightarrow \quad \text {\textsf {THB}}. $$

Thus, all lower bounds for THB (such as the one from [4] and our own results) apply also for THAB and THC. As we will show, there are classes of graphs where THB is possible information theoretically, but THAB, and thus THC, require strong cryptographic assumptions. Understanding for which topologies the reverse implications hold is addressed here in part, but the full answer remains an interesting open question.

1.1 Our Results

This work makes significant strides in mapping the landscape of THB, THAB, and THC in minimal settings, in the process developing new techniques that may be useful to achieve a full understanding of its complexities. As standard in the THC literature, we consider a synchronous setting, where the protocol proceeds in rounds.Footnote 4

New Lower Bounds and Techniques

  • THB . We explore which properties of graph topology are “hard” to hide, in the sense of requiring cryptographic assumptions to do so. We show that hiding any one of the properties of direction, distance, and/or distance-of-neighbors to the broadcaster is hard—while revealing all three but nothing else (in fact, only revealing distance-of-neighbors) can always be achieved information theocratically, using the trivial flooding protocol.

  • THAB . We observe that t-THAB for any graph class containing a graph that is not \((t+1)\)-connectedFootnote 5 implies key agreement. We further show that hiding the number of participants in certain graph classes implies infinitely often oblivious transfer, even for 1-THAB.

Unconditional & KA-Based Upper Bounds.

  • Unconditional. We provide a construction of 1-THAB for all 2-connected graphs, whose complexity grows with the number of potential graphs in the class (in particular, it is efficient for constant-size graphs), which achieves statistical information-theoretic security.

  • Key Agreement. Assuming the existence of key agreement, we achieve 1-THB for all graphs, and 1-THAB for all graphs of \({\ge }3\) nodes.

Corollaries and Conclusions

  • Dichotomy for 1-THC with \({\ge }3\) parties. An interesting corollary of our results is a dichotomy for 1-THC with a fixed and known set of at least three partiesFootnote 6 (i.e., where all graphs share the same vertex set): if all graphs in a class are 2-connected, the class supports information-theoretic 1-THC; otherwise, key agreement is necessary and sufficient for 1-THC.

  • Dichotomy for 1-THAB with \({\ge }3\) parties. A similar result holds for 1-THAB for a dynamic set of parties (i.e., the vertex set of every graph is a subset of [n]) as long as each graph contains at least three nodes: if all graphs in a class are 2-connected, the class supports information-theoretic 1-THAB; otherwise, key agreement is necessary and sufficient for 1-THAB.

  • Characterization of 1-THB for small graphs. Our results introduce several new constructions and analysis techniques; as a demonstration of their wider applicability, we provide a characterization of the more complex case of 1-THB for all graph classes on four nodes or fewer. Note that the feasibility boundaries of 1-THB are more complex than 1-THAB since, as we show, certain lower bounds for 1-THAB do not apply to 1-THB.

  • THB without OT. Our upper bounds constitute the first protocols using machinery “below” oblivious transfer,Footnote 7 aside from the specific graph class of cycles of fixed length (that was shown in [4]).

We next describe these results in more detail.

Lower Bounds. We begin by investigating the conditions under which THB and THAB for a graph class \(\mathcal {G}\) necessitate cryptographic assumptions.

THB : Hiding direction, distance, or distance-of-neighbors. Recall that restricting attention to a class of graphs \(\mathcal {G}\) captures that a THB protocol hides partial information about a graph topology. For example, if all graphs in \(\mathcal {G}\) have property P, then the THB protocol need not hide whether P is satisfied when providing indistinguishability within this class. Our question thus becomes: for which properties of a graph topology is it the case that hiding necessitates cryptography?

Consider as a baseline the trivial “flooding” protocol, which in general is not topology hiding. Parties flood the network: on receiving the broadcast message, a party forwards it to all neighbors from which it was not previously received. Indeed, this protocol reveals information; e.g., the round number in which a party first receives the message corresponds directly to its distance from the broadcaster. However, even for this simple protocol, the amount of information revealed is limited. The leakage can be quantified precisely: each party learns exactly the distance from the broadcaster of each of its neighbors,Footnote 8 or “distance-of-neighbors.” In particular, this includes the information of (a) direction of the broadcaster (i.e., which neighbors are on a shortest path to the broadcaster), and (b) distance to the broadcaster. Since the flooding protocol can be executed unconditionally for any graph class \(\mathcal {G}\), it can only be some combination of this leaked distance-of-neighbors information for which hiding requires cryptography.

Examining the lower bound of [4], we observe that it constitutes an example where hiding the direction of the broadcaster from a given party necessitates key agreement (KA). This is embodied via the class of two graphs \({\mathcal {G}_{\mathsf {4-path}}}= \{ (A-B-\mathbf {C}-D), (B-\mathbf {C}-D-A)\}\) on a path, where party C is unaware whether the broadcasting party A lies to its left or right. Indeed, broadcaster direction is central to their lower bound, where KA agents Alice and Bob emulate the THB parties B and D, respectively, and jointly emulate C. Each flips a (private) coin to decide whether to also emulate A on their corresponding side. The two parties can detect cases where both (or neither) party decided to emulate A. In the remaining cases both parties agree on which side the broadcaster appears: this will serve as the secret common key bit.

At a high level, the security of this KA protocol relies on the fact that the eavesdropper’s view is essentially that of party C—who, by topology hiding, cannot distinguish the relative direction of A. Thus, one may naturally ask whether hiding the direction to the broadcaster captures the essence of the cryptographic power of THB.

Our first result shows that the direction to the broadcaster is not the complete answer. We present a class of graphs \({\mathcal {G}_{\mathsf {oriented- 5- path}}}\) for which any constant-round 1-secure THB implies infinitely often key agreement,Footnote 9 but for which the direction to the broadcaster is always known. Specifically, we consider the class of 5-path graphs where the broadcaster A is always on the left,Footnote 10 i.e.,

$$ {\mathcal {G}_{\mathsf {oriented- 5- path}}}= \Big \{ (A- B- C- D- E), (A- E- B- C- D), (A- D- E- B- C), (A- C- D- E- B) \Big \}. $$

Because of this structure, the lower-bound techniques of Ball et al. [4] do not apply. Proving a key-agreement implication for \({\mathcal {G}_{\mathsf {oriented- 5- path}}}\) requires a new, more subtle approach, which we discuss in Sect. 2. In particular, unlike [4], we must leverage the fact that topology hiding holds for any choice of corrupted party. For example, party C cannot distinguish between \((A- B- C- D- E)\) and \((A- E- B- C- D)\), and party B cannot distinguish between \((A- E- B- C- D)\) and \((A- D- E- B- C)\).

Taking a broader view of this example, we observe that while the direction of the broadcaster is public for \({\mathcal {G}_{\mathsf {oriented- 5- path}}}\), the information to be hidden corresponds directly to the distance of the given parties to the broadcaster. One may thus once again wonder whether revealing both the direction and distance to the broadcaster dictates unconditional THB feasibility.

Our second result reveals that the answer is even more intricate. We demonstrate a class of graphs for which each party publicly knows both its direction and distance to the broadcaster, but for which 1-THB still implies key agreement.

Specifically, we consider the class \({\mathcal {G}_{\mathsf {triangle}}}\) consisting of a triangle, with possibly one of its edges missing (see Fig. 1). Interestingly, this is a very basic communication pattern: if a party has two neighbors it does not know if its neighbors are directly connected or not, but a party with one neighbor knows the entire topology. Notably, direction and distance from the broadcaster are both clearly identifiable to each party given just its neighbor set; the only information hidden from a party is its neighbor’s distance to the broadcaster. We show that this is enough to imply KA (see Sect. 2 for details).

Fig. 1.
figure 1

The class \({\mathcal {G}_{\mathsf {triangle}}}\).

Full size image

To summarize, for each strict subset of the properties that are leaked by the flooding protocol (namely, direction and/or distance to the broadcaster), we demonstrate a graph class for which hiding only these properties implies public-key cryptographic assumptions. Complementarily, if all three properties (essentially, just the distance-of-neighbors) are known then one can use the flooding protocol to obtain THB information theoretically.

Theorem 1

(\({\mathsf {THB}}\) lower bounds, informal). We consider THB with 1 semi-honest corruption.

  • 1-secure THB for the graph class \({\mathcal {G}_{\mathsf {oriented- 5- path}}}\) of 5-path graphs for which the broadcasting party is always in the leftmost direction (see above) implies infinitely often key agreement.

  • 1-secure THB for the graph class \({\mathcal {G}_{\mathsf {triangle}}}\) (Fig. 1), for which the broadcasting party is always at a known distance and direction, implies key agreement.

In contrast, for any class \(\mathcal {G}\) such that for every party the distance of each of its neighbors to the broadcaster is fixed and known across all graphs, there exists an unconditionally 1-secure THB protocol.

THAB: Key Agreement and Beyond. We next turn to topology-hiding anonymous broadcast (THAB). As mentioned above, any lower bound for THB is also a lower bound for THAB; however, we show even stronger results for THAB.

The connection between anonymous communication and cryptographic hardness was previously studied by Ishai et al. [13]. They showed that in a communication network that provides sender-anonymity (under relatively strong adversarial observation), key agreement exists unconditionally; i.e., each pair of parties within the system can agree on a secret key. Our setting is slightly different, however, using the lower-bound technique from [4] a similar observation can be made: sender-anonymous communication over a path of three nodes implies the existence of standard Alice-Bob key agreement, where the eavesdropper can see which party sends which message.

This clear-cut impossibility of information-theoretic 1-THAB (in fact, 1-secure anonymous broadcast) on arbitrary incomplete networks stands in contrast to 1-THB, where the determination of when a graph class yields an implication to key agreement was demonstrably complex. Concretely, consider the following (singleton) class \({\mathcal {G}_{\mathsf {\{a- b- c\}}}}\):

$$ {\mathcal {G}_{\mathsf {\{a- b- c\}}}}= \left\{ (A-B-C) \right\} . $$

THB for this class is glaringly trivial (indeed, there is no information to hide because the topology is fixed); however, as discussed, 1-THAB on this class implies key agreement. For completeness, in Sect. 5.1 we prove this implication as a direct corollary of the key-agreement lower bound of Ball et al. [4], where the “direction” of the broadcaster (either A or C) in this case is hidden from the intermediate party B by anonymity.

At this moment, the reader may pause, ensnared in the underwhelming nature of the above class \({\mathcal {G}_{\mathsf {\{a- b- c\}}}}\). However, by a standard player-partitioning argument (“projecting” a larger graph down onto the 3-path), the above result yields a much broader statement.

Proposition 1

(THAB lower bound 1, informal, [4,13]). Let \({\mathcal {G}} \) be a class of graphs that contains a graph with at least \((t+2)\) nodes that is not \((t+1)\)-connected. Then t-secure THAB for \({\mathcal {G}} \) implies KA.

In our final lower-bound result, we demonstrate an even more extreme form of separation between THB and THAB. We consider the graph class \({\mathcal {G}_{\mathsf {2-vs-3}}}\) that consists of all possible 2-path and 3-path graphs over three parties, i.e.,

$$ {\mathcal {G}_{\mathsf {2-vs-3}}}= \left\{ (A- B), (A- C), (B- C), (A- B- C), (B- C- A), (C- A- B)\right\} . $$

In this class, for example, if A is only connected to B, it does not know whether B has a second neighbor or not. It is easy to see that 1-secure THB exists unconditionally (by the flooding protocol); however, we show that 1-secure THAB implies infinitely often oblivious transfer.Footnote 11 We emphasize that as opposed to other classes of graphs discussed thus far, the “hardness” of the class \({\mathcal {G}_{\mathsf {2-vs-3}}}\) is based on hiding the number of nodes participating in the protocol. We refer the reader to Sect. 2 and 5.2 for further details on the lower bound.

Overall, we obtain the following theorem.

Theorem 2

(\(\mathsf {THAB}\) lower bound 2, informal). 1-secure THAB for \({\mathcal {G}_{\mathsf {2-vs-3}}}\) implies infinitely often OT.

We remark that these results separate THB from THAB for very simple graph classes, where THAB requires computational assumptions whereas unconditional THB exists via the trivial flooding protocol. Later, in Section 1.1 we will show a more interesting separation via the “butterfly” graph, where the existence of information-theoretic THB itself is non-trivial.

Upper Bounds.

Before stating our results, we recall the state-of-the-art for semi-honest THB and THAB with one corruption. Assuming oblivious transfer (OT), 1-THAB can be obtained for all graphs following the construction approach of Moran et al. [18].Footnote 12 Without assuming OT, the only previously known nontrivialFootnote 13 construction of THB or THAB is the information-theoretic 1-THAB for the specific graph class of cycles on a known number of nodes in [4].

We consider three settings of upper bounds: (1) with information-theoretic security, (2) assuming only key agreement, and (3) converting generically from THB to THAB.

Information-Theoretic Security. First, we consider protocols for achieving 1-THAB (and THB) in the information-theoretic setting, without cryptographic assumptions. Recall that the lower bound in Proposition 1 above rules out the possibility of 1-THAB for any graph class containing a graph that is not 2-connected. We show that conversely, if a class of graphs \(\mathcal {G}\) contains only 2-connected graphs, then 1-THAB for \(\mathcal {G}\) is feasible.

The protocol’s communication grows polynomially in the size of the class \(\mathcal {G}\) and its computation grows polynomially in the size of \(\mathcal {G}\) and exponentially in the maximal degree of any \(G\in {\mathcal {G}} \). However, our results are meaningful despite this caveat: First, the protocol is efficient when considering a constant number of parties (or appropriate graph classes of polynomial size). Second, since the protocol remains secure against computationally unbounded adversaries, it is still meaningful to consider protocols that are inefficient in the class.

Theorem 3

(1-\(\mathsf {IT}\)-\(\mathsf {THAB}\) for 2-connected, informal). Let \({\mathcal {G}} \) be a class containing only 2-connected graphs. Then, there exists a statistical information-theoretic 1-THAB for \({\mathcal {G}} \) whose communication complexity is polynomial in the size of \({\mathcal {G}} \), and whose computation complexity is polynomial in the size of \({\mathcal {G}} \) and exponential in the maximal degree of \({\mathcal {G}} \).

Combining Proposition 1 and Theorem 3 gives a characterization for information-theoretic 1-THAB: Namely, a protocol exists if and only if all graphs in the class are 2-connected (with the exception of the trivial class containing only the 2-path). For the case of 1-THB such dichotomy does not hold and, as we show, there exist graph classes with 1-connected graphs that still admit information-theoretic 1-THB protocols.

Remark 1

(1-IT-THB for \(\mathcal {G}_\mathrm{butterfly}\)). Consider the 5-node, 1-connected butterfly graph (Fig. 2) and let \({\mathcal {G}_{\mathsf {butterfly}}}\) contain all permutations of the nodes on the graph (where parties’ positions are permuted). In Sect. 6.2, we show that although the simple flooding protocol does not directly hide topology, there exists a (perfectly secure) information-theoretic 1-THB protocol for \({\mathcal {G}_{\mathsf {butterfly}}}\).

Fig. 2.
figure 2

The butterfly graph.

Full size image

Upper bounds from KA. Recall that from the lower bounds presented above (see Sect. 1.1), key agreement is a necessary assumption for 1-THB and 1-THAB for many classes of graphs. This begs the question of when key agreement is also a sufficient assumption for 1-THB and 1-THAB. We show that assuming key agreement there exist 1-secure THB for all graphs, and 1-secure THAB for all graphs containing at least 3 nodes.

Theorem 4

(1-\(\mathsf {THAB}\) and 1-\(\mathsf {THB}\) from KA, informal). 

  • Let \({\mathcal {G}} \) be a class consisting of graphs with at least three nodes. Assuming key agreement, there exist 1-THAB for \({\mathcal {G}} \).

  • Let \({\mathcal {G}} \) be a class of graphs. Assuming key agreement, there exist 1-THB for \({\mathcal {G}} \).

We note that in the first item of Theorem 4, removing the restriction of at least three nodes would require bypassing black-box separation results, due to Theorem 2 that asserts the necessity of (infinitely often) OT for the class \({\mathcal {G}_{\mathsf {2-vs-3}}}\). On the other hand, by [18], assuming OT there exists 1-THAB for all graphs, essentially closing the gap in this regime.

THC Dichotomy. Upon closer inspection, we observe that our upper bounds—both the information-theoretic protocols for 2-connected graphs, as well as the results from KA above—give something even stronger than 1-THAB: they give topology-hiding secure message transmission, i.e., emulating pairwise secure point-to-point channels. In this case, assuming that the number of parties is fixed and known across all graphs, we can run the semi-honest “BGW” protocol [5], which only requires pairwise secure channels and works for an honest majority. Thus, together with our lower bounds, we arrive at the following dichotomy for 1-THC:

Corollary 1

(1-secure THC dichotomy, informal). Consider a class of graphs \(\mathcal {G}\) on \(n\ge 3\) nodes. Then, the following hold regarding existence of THC for \(\mathcal {G}\) secure against 1 semi-honest corruption:

  • If all graphs \(G \in \mathcal {G}\) are 2-connected, then there exists a statistically information-theocratically secure, 1-THC protocol for \(\mathcal {G}\), whose communication is polynomial in the size of \(\mathcal {G}\) and whose computation is polynomial in the size of \(\mathcal {G}\) and exponential in the maximal degree of \(\mathcal {G}\).

  • If there exists \(G \in \mathcal {G}\) that is not 2-connected, then KA is necessary and sufficient for 1-secure THC for \(\mathcal {G}\).

Generically converting THB to THAB. Our results have demonstrated a number of nontrivial separations between THB and THAB, identifying classes of t-connected graphs and computational assumptions which admit t-THB protocols but provably cannot obtain t-THAB. This includes, for example, \({\mathcal {G}_{\mathsf {\{a- b- c\}}}}\) and \({\mathcal {G}_{\mathsf {butterfly}}}\) for information theoretic vs. key agreement, as well as \({\mathcal {G}_{\mathsf {2-vs-3}}}\) for information theoretic vs. oblivious transfer.

Finally, we show that graph connectivity is, indeed, a critical property for determining the relation between THB and THAB on a class of graphs. Specifically, we show that \((t+1)\)-connectivity is a sufficient condition for equivalence of the two notions against t corruptions.

Theorem 5

(t-THB\(\Rightarrow \) t-THAB given (t+1)-connectivity, informal). Let \(n\in {\mathbb {N}}\) and let \({\mathcal {G}} \) be a class consisting of \((t+1)\)-connected graphs over n nodes. If there exists t-THB for \({\mathcal {G}} \) then there exists t-THAB for \({\mathcal {G}} \).

Our reduction builds upon the “Dining Cryptographers” approach for anonymous broadcast due to Chaum [8]. Recall in THAB there exists a unique broadcaster who wishes to convey its input bit \(x \in \{0,1\}\) to all parties without revealing its identity (or the topology). To do so, each party first additively secret shares its input—defined to be 0 for any non-broadcaster—across its neighbors, locally sums all received shares to \(s_i \in \{0,1\}\), and then acts as broadcaster within the underlying (non-anonymous) THB with input value \(s_i\). After this phase, all parties receive the vector of shares \((s_1,\ldots ,s_n)\), which can be summed to yield the original input x. It was shown by [8] that if the graph is \((t+1)\)-vertex connected (so as to ensure that the adversary cannot corrupt a vertex cut), then the protocol is anonymous. We observe that the protocol further preserves the topology hiding of the underlying THB protocol. Indeed, given \((t+1)\)-connectivity, the vector of broadcasted shares \((s_1,\ldots ,s_n)\) will be uniform conditioned on the necessary sum, independent of the graph structure.

Summary and Characterization of Graphs with up to Four Nodes.

We summarize our combined contributions in Table 1, together with relevant prior results.

Table 1. Summary of Upper and Lower Bound Results. Read as “[row label] is necessary/sufficient for [column label].” E.g. the IT setting suffices to construct 1-THAB for any 2-connected family of graphs, whereas KA is needed to construct 1-THB for \({\mathcal {G}_{\mathsf {triangle}}}\).
Full size table

In addition, and as a demonstration of the power and applicability of the techniques developed, in the full version of this work we provide a characterization of the feasibility of 1-THB and 1-THAB for all graph classes on up to 4 parties. The characterization uses a partition of the 4-node graphs into multiple classes, each of which can be handled by a separate technique.

Organization of the Paper. We proceed in Sect. 2 to provide an overview of the core new techniques toward proving our main results. In Sect. 3 we provide the necessary definitions and preliminaries. In Sect. 4 and Sect. 5 we present an abbreviated version of our THB and THAB lower bounds, respectively. And, in Sect. 6 and Sect. 7 we include a short version of our information-theoretic and KA-based upper bounds. We refer the reader to the full version of this paper for detailed treatment of these results, as well as corollaries and implications to characterization of 1-THB, 1-THAB, and 1-THC.

2 Technical Overview

We next highlight a selection of our new analysis and protocol-construction techniques, described in Sects. 2.1 and 2.4. We will describe two analysis techniques that are used in our lower bounds: “phantom jump” and “artificial over-extension.” In addition, we will describe two protocol-design techniques that are used in our upper bounds: “censored brute force” and “dead-end channels.”

2.1 Analysis Technique: “Phantom Jump”

The “phantom jump” technique is a means for proving indistinguishability of the transcript of messages sent across a given edge \(A - B\) in THB executions on two different graphs, via a sequence of intermediate indistinguishability steps, each appealing to THB security for a different graph pair. In applications, the initial and final graphs will have a party “jump” from one side of the graph to the other, which will be used within the key-agreement implication analysis.

This technique is used within some of our key-agreement lower bounds. We focus here on a specific example for the class \({\mathcal {G}_{\mathsf {triangle}}}\) (of a triangle graph with a potential edge missing). We point the reader to more elaborate examples on 4-node graph classes in the full version.

We start by recalling how a 1-THB protocol \(\pi \) for \({\mathcal {G}_{\mathsf {4-path}}}=\{(A- B- C- D), (B- C- D- A)\}\) was used to construct key agreement in [4]. The idea is for Alice to choose two long random strings \(r_1\) and \(r_2\) and send them to Bob in the clear. Next, Alice and Bob continue in phases as follows:

  • In each phase Alice and Bob locally toss coins \(x_\textsf {Alice}\) and \(x_\textsf {Bob}\), respectively.

  • They proceed to run two executions of \(\pi \) in which Alice always emulates B and C and Bob emulates D. In addition, if \(x_\textsf {Alice}=0\) then Alice emulates A (as a neighbor of B) broadcasting \(r_1\) in the first run; otherwise she emulates A broadcasting \(r_2\) in the second run. Similarly, if \(x_\textsf {Bob}=1\) then Bob emulates A (as a neighbor of D) broadcasting \(r_1\) in the first run; otherwise he emulates A broadcasting \(r_2\) in the second run.

  • If parties B and D output \(r_1\) in the first run and \(r_2\) in the second, Alice and Bob output their bits \(x_\textsf {Alice}\) and \(x_\textsf {Bob}\), respectively; otherwise, they execute another phase.

Clearly, if \(x_\textsf {Alice}=x_\textsf {Bob}\) in some iteration then Alice and Bob will output the same coin, and by the assumed security of \(\pi \), the eavesdropper Eve will not be able to learn who emulated A in the first run and who in the second. If \(x_\textsf {Alice}\ne x_\textsf {Bob}\), then in at least one of the runs nobody emulates the broadcaster A, so with overwhelming probability Alice and Bob will detect this case.

We now show how to adjust this argument to \({\mathcal {G}_{\mathsf {triangle}}}\). Constructing the KA protocol is rather similar, where Alice always emulates B and Bob always emulates C, and each party emulates the broadcaster A based on their local coins \(x_\textsf {Alice}\) and \(x_\textsf {Bob}\) (see Fig. 3). Proving correctness follows exactly as in the argument from [4]; however, proving security is more involved. Indeed, in \({\mathcal {G}_{\mathsf {4-path}}}\) the view of Eve corresponds to a partial view of the intermediate node C who is never a neighbor of A, and so by the security of \(\pi \), never learns its direction to A. When considering \({\mathcal {G}_{\mathsf {triangle}}}\), the view of Eve consists of the communication between B and C, and one of them must be a neighbor of A.

This is where the new phantom-jump technique comes into play. As opposed to [4], we do not construct a reduction from Eve to the security of the THB protocol; rather, we use a direct indistinguishability argument. Notice that the KA construction required the use of only two graphs \((A- B- C)\) and \((B- C- A)\). The third graph (the triangle) is needed for the proof.

Fig. 3.
figure 3

1-THB on \({\mathcal {G}_{\mathsf {triangle}}}\) implies KA.

Full size image

As depicted in Fig. 3, the view of Eve consists of the communication between B and C. By THB security B cannot distinguish between the 3-path \((A- B- C)\) and the complete triangle; in particular, the distribution of the messages on the channel between B and C is indistinguishable in both cases. Similarly, by THB security C cannot distinguish between the 3-path \((B- C- A)\) and the complete triangle; in particular, the distribution of the messages on the channel between B and C is indistinguishable in both cases. By a simple hybrid argument it follows that the messages between B and C are indistinguishable when communicating in \((A- B- C)\) and when communicating in \((B- C- A)\). It follows that the distinguishing advantage of Eve is negligible.

2.2 Analysis Technique: “Artificial Over-Extension”

The artificial over-extension technique is used for proving two of our lower bounds. First, Theorem 1 where 1-THB for \({\mathcal {G}_{\mathsf {oriented- 5- path}}}\) is used to construct infinitely often KA (see also Sect. 4.1); and second, Theorem 2 where 1-THAB for \({\mathcal {G}_{\mathsf {2-vs-3}}}\) is used to construct infinitely often OT (see Sect. 5.2). In the following, we focus on the latter.

Recall that in the class \({\mathcal {G}_{\mathsf {2-vs-3}}}\) a party (say \(\mathsf {A}\)) that has a single neighbor (say \(\mathsf {B}\)) does not know whether \(\mathsf {B}\) has another neighbor \(\mathsf {C}\) or not. This uncertainty is the source of the cryptographic hardness we present; indeed, if the parties know that an honest majority cannot be assumed (i.e., there are only two parties) then 1-THAB is trivial, whereas if an honest majority can be assumed (i.e., there are three parties) then 1-THAB exists assuming KA (by Theorem 4). We also note that without anonymity, 1-THB trivially exists in \({\mathcal {G}_{\mathsf {2-vs-3}}}\) (via the flooding protocol).

We start with an intermediate goal, that of constructing oblivious transfer from a two-round 1-THAB protocol \(\pi \) for the graph class \(\mathcal {G}_{\mathsf {2-vs-3}}\),Footnote 14 and later explain how the novel “artificial over-extension” technique allows us to extend this construction to arbitrary constant-round protocols. Note that using this technique we can only construct infinitely often OT, and extending the implication to a full-blown OT is left as an interesting open question.

OT from two-round 1-THAB. Given a two-round 1-THAB protocol \(\pi \) we construct a secure two-party protocol for Boolean AND (which in turn implies OT [14]).

In the protocol, Alice and Bob will emulate an execution of the 1-THAB protocol on a path, where each extends the length of the path (by emulating an extra party) if their input is 1. More concretely, Alice simulates a single node \(\mathsf {B}\) if her input is 0, and two nodes \(\mathsf {A}-\mathsf {B}\) if her input is 1. Similarly, Bob simulates a single node \(\mathsf {\mathsf {C}}\) if his input is 0 and two nodes \(\mathsf {\mathsf {C}}-\mathsf {A}\) if his input is 1 (see Fig. 4). Next, Alice chooses a message \(m{{\mathop {\leftarrow }\limits ^{R}}}\{0,1\}^\lambda \) at random, sends it to Bob in the clear, and initiates an execution of \(\pi \) on message m on the graph with her left-most node (either \(\mathsf {B}\) or \(\mathsf {A}\)) as broadcaster. At the conclusion of \(\pi \), Bob identifies whether his right-most emulated party (either \(\mathsf {C}\) or \(\mathsf {A}\)) correctly outputs m. If so, then Bob outputs 0; if not, he outputs 1.

Fig. 4.
figure 4

Boolean AND from two-round 1-THAB for \(\{\mathsf {B}-\mathsf {C}, \mathsf {A}-\mathsf {B}-\mathsf {C}, \mathsf {B}-\mathsf {C}-\mathsf {A}\}\)

Full size image

We show that this protocol securely computes AND of Alice and Bob’s inputs.

  • For security, we exploit the fact that the only case where there is something to hide (namely, if a party holds input 0) is where the respective party has control over just a single node in \(\pi \). Security therefore follows from the fact that \(\pi \) is a THAB protocol with security against one corruption. For example, the views of a corrupt Alice emulating \(\mathsf {B}\) within executions over graphs \(\mathsf {B}-\mathsf {C}\) (Bob has input 0) and \(\mathsf {B}-\mathsf {C}-\mathsf {A}\) (Bob has input 1) are indistinguishable. Note here that for security it is crucial that \(\pi \) is an anonymous broadcast protocol, because in case \(x=0\), Alice broadcasts from node \(\mathsf {B}\) and in case \(x=1\) from node \(\mathsf {A}\). (In fact, as noted above, 1-THB can be achieved trivially on \({\mathcal {G}_{\mathsf {2-vs-3}}}\).)

  • For correctness, first note that when at least one party has input 0, the corresponding graph is an element of \(\{\mathsf {B}-\mathsf {C}, \mathsf {A}-\mathsf {B}-\mathsf {C}, \mathsf {B}-\mathsf {C}-\mathsf {A}\}\subset {\mathcal {G}_{\mathsf {2-vs-3}}}\), in which case proper delivery of m to Bob’s right-most node is guaranteed by correctness of \(\pi \). On the other hand, when \(x\wedge y=1\) (i.e., both Alice and Bob emulate node \(\mathsf {A}\)) the parties effectively emulate \(\pi \) over an “invalid” length-4 path \(\mathsf {A}-\mathsf {B}-\mathsf {C}-\mathsf {A}\). While behavior of \(\pi \) within such execution is unclear, since \(\pi \) runs in only 2 rounds, the message m simply cannot reach the right-most node emulated by Bob at distance 3. Thus, Bob will correctly output 1.

Infinitely often OT from constant-round 1-THAB. Note that correctness of the construction above crucially relies on efficiently detecting an execution of \(\pi \) on the graph \(\mathsf {A}-\mathsf {B}-\mathsf {C}-\mathsf {A}\), leveraging its insufficient round complexity. However, this argument is no longer guaranteed when \(\pi \) completes in more than two rounds. This is where the “artificial over-extension” technique comes into play.

The insight is that either an execution of \(\pi \) on graph \(\mathsf {A}-\mathsf {B}-\mathsf {C}-\mathsf {A}\) can indeed be efficiently detected, in which case the protocol above extends (and we are done), or \(\pi \) actually provides a stronger form of topology hiding that we can further leverage. Namely, if neither Alice nor Bob can identify when \(\pi \) is executed on \(\mathsf {A}-\mathsf {B}-\mathsf {C}-\mathsf {A}\) as opposed to a legal graph, then in particular \(\pi \) provides 1-THAB for the larger graph class \({\mathcal {G}_{\mathsf {2-vs-3}}}^{\prime } := {\mathcal {G}_{\mathsf {2-vs-3}}}\cup \{\mathsf {A}-\mathsf {B}-\mathsf {C}-\mathsf {A}\}\).

In this case, we can take a similar approach to above, but with the graphs \(\{\mathsf {A}-\mathsf {B}, \mathsf {C}-\mathsf {A}-\mathsf {B},\mathsf {A}-\mathsf {B}-\mathsf {C}-\mathsf {A}\} \subset {\mathcal {G}_{\mathsf {2-vs-3}}}'\), with Alice emulating \(\mathsf {A}\) or \(\mathsf {C}-\mathsf {A}\), and Bob emulating \(\mathsf {B}\) or \(\mathsf {B}-\mathsf {C}-\mathsf {A}\), and hope that \(\pi \) identifiably breaks down on the “over-extended” path \(\mathsf {C}-\mathsf {A}-\mathsf {B}-\mathsf {C}-\mathsf {A}\) of length 5. If not, this argument repeats, until—via this artificial over-extension technique—ultimately we reach a graph class \(\mathcal {G}\) for which:

  • \(\pi \) is 1-THAB on \({\mathcal {G}} \), including \(\{\mathsf {Y}-\mathsf {Z}, \mathsf {X}-\mathsf {Y}-\mathsf {Z}, \mathsf {Y}-\mathsf {Z}-{{ \varvec{P}}}\} \subset {\mathcal {G}} \)

  • \(\pi \) is not 1-THAB on \({\mathcal {G}} \cup \{ \mathsf {X}-\mathsf {Y}-\mathsf {Z}-{{ \varvec{P}}}\}\),

where \(\mathsf {X},\mathsf {Y},\mathsf {Z}\in \{\mathsf {A},\mathsf {B},\mathsf {C}\}\), and \({{ \varvec{P}}}\) is a path of length upper-bounded by the round complexity of \(\pi \). Once we do, then the original secure-AND protocol approach will succeed, modulo some differences described below, with Alice emulating \(\mathsf {Y}\) or \(\mathsf {X}-\mathsf {Y}\), and Bob emulating \(\mathsf {Z}\) or \(\mathsf {Z}-{{ \varvec{P}}}\).

To argue that eventually we find a path \(\mathsf {X}-\mathsf {Y}-\mathsf {Z}-{{ \varvec{P}}}\) for which \(\pi \) identifiably breaks down, we again appeal to its bounded round complexity, i.e., \(\pi \) must fail identifiably (with probability 1) once the length of the path exceeds the round complexity. The limitation of constant rounds is a subtle side effect of the corresponding hybrid argument, to argue that there must be some step where we jump sufficiently from indistinguishable to efficiently identifiable.

Consider the resulting secure-AND protocol, once an appropriate \(\mathsf {X},\mathsf {Y},\mathsf {Z},{{ \varvec{P}}}\) are found. The only modification from the simpler two-round version is how to detect the (over-extended) case \(x\wedge y=1\). When \(\pi \) was two rounds, identifying this event was immediate: Bob’s right-most party simply will not receive the delivered message. Here, this is not necessarily the case, as the identifiable “breakdown” of \(\pi \) may occur before the length of \(\mathsf {X}-\mathsf {Y}-\mathsf {Z}-{{ \varvec{P}}}\) exceeds \(\pi \)’s round complexity. Thus, instead, the parties will run the distinguisher that—roughly speaking—exists from the fact that \(\pi \) is not 1-THAB on \({\mathcal {G}} \cup \{\mathsf {X}-\mathsf {Y}-\mathsf {Z}-{{ \varvec{P}}}\}\). This is the reason why our final protocol guarantees correctness only for infinitely many \(\lambda \in {\mathbb {N}}\): All we can say is that either the protocol \(\pi \) is 1-THAB on \({\mathcal {G}} \cup \{ \mathsf {X}-\mathsf {Y}-\mathsf {Z}-{{ \varvec{P}}}\}\) and we can continue with the extension argument, or \(\pi \) is not 1-THAB, i.e., there exists a distinguisher that efficiently detects the “too-long” path \(\mathsf {X}-\mathsf {Y}-\mathsf {Z}-{{ \varvec{P}}}\) with noticeable advantage for infinitely many \(\lambda \in {\mathbb {N}}\). Finally, in order to boost correctness towards negligible correctness error (for infinitely many \(\lambda \)), Alice and Bob simply run the protocol \(\pi \) and the distinguisher sufficiently many times, each time on input of a fresh message m, and take a corresponding majority vote.

2.3 Protocol Design: “Censored Brute Force”

This technique enables constructing unconditionally secure pairwise channels between each pair of parties which further guarantees sender anonymity. Such anonymous and private channels are used for proving Theorem 3 and Corollary 1, by constructing 1-THAB and 1-THC with information-theoretic security for any class \({\mathcal {G}} \) for which all graphs are 2-connected (see Sect. 6.1 for more details). Recall that the communication complexity of the resulting protocols is polynomial in the size of \({\mathcal {G}} \) (which could be superpolynomial) and the computation complexity is polynomial in the size of \({\mathcal {G}} \) and exponential in the maximal degree of \({\mathcal {G}} \).

The high-level idea is twofold: For any single 2-connected graph G, we show how to unconditionally perform sender-anonymous point-to-point communication on G with an ability for any party to (anonymously) “censor” the communication, i.e., yielding delivery of random garbage instead of the intended message. Then, for a given class of 2-connected graphs \({\mathcal {G}} \), the parties will simultaneously execute (in parallel) a separate anonymous-communication protocol for every graph \(G \in {\mathcal {G}} \); for each such G-execution, a party will censor the execution if its true neighborhood is inconsistent with its neighborhood in G. As such, the only protocol execution that remains uncensored will be the one corresponding to the correct execution graph G (and the identity of which G this corresponds to can be made hidden to the receiving party). We elaborate on these two aims below.

Communicating Anonymously in a 2-Connected Graph. More concretely, suppose we have a single 2-connected graph G on vertex set [n], and fix some designated source and target nodes \(\sigma \ne \tau \in [n]\). Let \(H_{\sigma \tau }\) denote an arbitrary \(\sigma \tau \)-orientation of G,Footnote 15 i.e., a directed acyclic graph with unique sink \(\tau \) and unique source \(\sigma \) formed by assigning a direction to each edge in G. Moreover, label all nodes \(1,2,\dots ,n\) according to a topologically consistent ordering of \(H_{\sigma \tau }\) (beginning with \(\sigma \) and ending at \(\tau \)). We consider the numbering/orientation of any graph G to be a public parameter, computed according to some deterministic procedure (see full version).

Now suppose node u wishes to send a message m to the target node \(\tau \) anonymously and securely on the graph G. In the first round, the source \(\sigma \) (i.e., the node labeled 1) prepares additive shares of 0 (or of m if \(\sigma =u\)) for each of its outgoing edges in \(H_{\sigma \tau }\). In round 2, the source \(\sigma \) sends the corresponding share to its neighbor node labeled 2, who then prepares secret shares of what it received (\(+m\) if it is u) for each outgoing edge. More generally, in round \(i<n\) all nodes with an edge to the \(i\)th node send their shares to the \(i\)th node. The \(i\)th node, having received shares on all incoming edges, then sums up what it receives (adds m if it is u) and prepares additive shares of the result for each of its outgoing edges. In round n, all nodes with edges to \(\tau \) (the target node) send their shares to \(\tau \) and \(\tau \) outputs their summation.

Correctness follows from the homomorphic properties of additive secret sharing. To see why this protocol is secure (namely, that it hides u and m), note that the 2-connectivity of G implies that there are at least 2 vertex-disjoint \(\sigma \tau \)-paths in \(H_{\sigma \tau }\). Thus, the messages any intermediate party (corresponding to \(2,\ldots ,n-1\)) receives are uniformly random because that node is in some sense always missing at least one share (corresponding to a disjoint \(\sigma \tau \)-path); the source \(\sigma \) does not receive anything at all, and the view of the target \(\tau \) is simply a random sharing of its output m.

This protocol enjoys some other useful properties. Most notably, any non-sink node can covertly “censor” communication by simply preparing (and sending) shares of a uniformly random message, instead of preparing shares corresponding to what they received (as per the protocol). The view of every other party is identically distributed, with the exception of \(\tau \) who now receives secret shares of a uniformly random message in the final round.

Compiling to Hide Topology. Now, let \({\mathcal {G}} \) be a class of 2-connected graphs on vertex set [n]. Loosely speaking, the parties will simulate the above protocol for every possible graph in \({\mathcal {G}} \) simultaneously. Each node will covertly censor every protocol corresponding to a graph that is not locally consistent with their local neighborhood (sending random messages at the appropriate times). As a result, exactly one protocol (corresponding to the “real” graph) will give the correct output message and all others will give uniformly random output.

To be slightly more concrete, all nodes will execute the protocol above for each graph in the class in parallel. To keep track of which message is which, for every node but \(\tau \) we will label the messages with the graph/protocol that the message corresponds to. If an edge is missing from the real graph, but present in a graph corresponding to one of the simulated protocols, the corresponding message cannot be sent. However, the receiving node knows not to expect a message either. From this and the uniformly random nature of non-terminal messages in the above protocol, nothing is leaked locally by labeling the simulations. However, sending labeled messages to \(\tau \) would clearly identify the “real” topology. So instead, all parties will send all final protocol messages in randomly permuted order. To enable \(\tau \) identifying the real output, the sender will append a long checksum to the message. The target \(\tau \) will try all message combinations (this is the reason for the exponential dependency in the maximal degree) and output the unique one with a correct checksum (or abort if more than one message has a valid checksum).

2.4 Protocol Design Technique: “Dead-End Channels”

The Dead-End Channels technique is used to obtain 1-THAB for all graphs of at least 3 nodes (and 1-THB for all graphs), assuming existence of key agreement. Recall that before the present work, such results were only known assuming oblivious transfer [18].

The high-level idea of our 1-THAB protocol, as in Moran et al. [18], is to broadcast the message via flooding, but in a way that hides from the parties at which round they received the broadcast message. This can be achieved by passing the message between virtual parties, each consisting of two real parties that hold additive secret shares of the message (depicted, e.g., as purple bars for each neighboring pair of parties below). Only in the final round will the parties exchange their secret shares and recover the message.

figure a

The challenge thus becomes passing the messages between virtual parties. In [18] this is solved by using oblivious transfer (OT) to run an MPC protocol realizing the virtual party, and allowing every adjacent pair of virtual parties to securely compute the OR of their messages.

In our setting, we do not have the ability to perform secure computations pairwise between parties without OT. Instead, we leverage the fact that given at least three nodes we are guaranteed an honest majority, and can therefore (once the parties establish secure channels using the key agreement protocol) build on techniques from information-theoretic secure computation to appropriately pass along the message.

However, this itself is not so straightforward. For example, in the image above, the neighboring parties \(2 - 3 - 4\) would wish to jointly emulate a three-party secure computation to perform the secure transfer from \(2- 3\) to \(3 - 4\). But, the issue is that parties cannot reveal whether they truly have neighbors with which to jointly compute: for example, party 2 above must then emulate a nonexistent neighbor 1 to hide its true degree. Thus grouping parties in three, including possibly a simulated neighbor, would allow the adversary to gain control over a majority. (On the other hand, building on secure computation including four our more neighbored parties, the same party could appear several times in the protocol and therefore potentially learn about the connectivity of its neighbors.)

Our approach builds on the following idea: We will give one party within each group of three the role of a dealer to deal OT correlations, which can be used to establish a secure OT channel between two other parties. This alone is not sufficient, as one of the parties could be simulated by the dealer (in the case that the dealer has degree one), and therefore allows the dealer to gain full control over the OT channel, and in particular learn the honest parties’ inputs. To prevent this, we observe that—again using OT correlations—one can establish dead-end channels (i.e., information sent via such a channel cannot be read by anyone apart from the sender) if and only if the receiver is a simulated party. Therefore, even if the dealer simulates one of the parties, it does not learn anything about the honest parties’ inputs. Note that it is crucial that dead-end channels are indistinguishable from secure channels from the view of the sender. Further, a key observation is that using OT correlations to establish dead-end channels does not leak anything about the topology, even if the dealer of the OT correlations has degree one. This is the case, because the only thing the dealer could potentially learn from the other party is whether its degree is one—but if the dealer has degree one it already knows that the degree of its neighbor must be at least two (as we are guaranteed a connected graph with a strict honest majority).

3 Preliminaries

Notations. For \(n\in \mathbb {N}\) let \([n]=\{1,\cdots ,n\}\). In our protocols we sometimes denote by \(B\) an upper bound on the number of participating parties, by n the number of actually participating parties, and by t an upper bound on the number of corrupted parties. The security parameter is denoted by \(\lambda \).

Graph Notations and Properties. A graph \(G=(V,E)\) is a set V of vertices and a set E of edges, each of which is an unordered pair \(\{v,w\}\) of distinct vertices. A graph is directed if its edges are instead ordered pairs (vw) of distinct vertices. An oriented graph is a directed graph having no symmetric pair of directed edges, and an orientation of an undirected graph is an assignation of a direction to each of its edges so as to make it oriented. A graph is k-connected if it has more than k vertices and remains connected whenever fewer than k vertices are removed. A graph class \({\mathcal {G}} \) is k-connected if every graph \(G\in {\mathcal {G}} \) is k-connected. Throughout this paper we only consider connected graphs, even if we do not systematically make this explicit. The (open) neighborhood of a vertex v in an undirected graph G, denoted \(\mathcal {N}_{G}(v) \), is the set of vertices sharing an edge with v in G. The closed neighborhood of v in G is in turn defined by \(\mathcal {N}_G[v] := \mathcal {N}_{G}(v) \cup \{v\}\).

UC Framework. We work in the UC framework of Canetti [6]. Unless stated otherwise, we will consider computationally unbounded, static, and semi-honest adversaries and environments.

Topology-Hiding Computation (THC). We recall the definition of topology-hiding computation from [4, 18]. The real-world protocol is defined in a model where all communication is transmitted via the functionality \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}} \) (described in Fig. 5). The functionality is parametrized by a family of graphs \({\mathcal {G}} \), representing all possible network topologies (aka communication graphs) that the protocol supports. We implicitly assume that every node in a graph is associated with a specific party identifier, \(\mathsf {pid}\). To simplify the notation, we will consider that \({P} _v\) in the protocol is associated with node v in the graph.

Initially, before the protocol begins, \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}} \) receives the network communication graph G from a special graph party \({{P} _\mathsf {graph}} \), makes sure that \(G\in {\mathcal {G}} \), and provides to each party \({P} _v\) with \(v\in V\) its local neighbor-set. Next, during the protocol’s execution, whenever party \({P} _v\) wishes to send a message m to party \({P} _w\), it sends (vwm) to the functionality; the functionality verifies that the edge (vw) is indeed in the graph, and if so delivers (vwm) to \({P} _w\).

Note that if all the graphs in \({\mathcal {G}} \) have exactly n nodes, then the exact number of participants is known to all and need not be kept hidden. In this case, defining the ideal functionality and constructing protocols becomes a simpler task. However, if there exist graphs in \({\mathcal {G}} \) that contain a different number of nodes, then the model must support functionalities and protocols that only know an upper bound \(B\) on the number of participants. In the latter case, the actual number of participating parties n must be kept hidden.

Given a class of graphs \({\mathcal {G}} \) with an upper bound \(B\) on the number of parties, we define a protocol \(\pi \) with respect to \({\mathcal {G}} \) as a set of \(B\) ppt interactive Turing machines (ITMs) \(({P} _1,\ldots ,{P} _B)\) (the parties), where any subset of them may be activated with (potentially empty) inputs. Only the parties that have been activated participate in the protocol, send messages to one another (via \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}} \)), and produce output.

Fig. 5.
figure 5

The communication graph functionality

Full size image

An ideal-model computation of a functionality \(\mathcal {F}_{\mathsf {}} \) is augmented to provide the corrupted parties with the information that is leaked about the graph; namely, every corrupted (dummy) party should learn its neighbor-set. Note that the functionality \(\mathcal {F}_{\mathsf {}} \) can be completely agnostic about the actual graph that is used, and even about the family \({\mathcal {G}} \). To augment \(\mathcal {F}_{\mathsf {}} \) in a generic way, we define the wrapper-functionality \(\mathcal {W}_{\mathsf {graph- info}} ^{\mathcal {G}} (\mathcal {F}_{\mathsf {}})\), that runs internally a copy of the functionality \(\mathcal {F}_{\mathsf {}} \). The wrapper \(\mathcal {W}_{\mathsf {graph- info}} ^{\mathcal {G}} (\cdot )\) acts as a shell that is responsible to provide the relevant leakage to the corrupted parties; the original functionality \(\mathcal {F}_{\mathsf {}} \) is the core that is responsible for the actual ideal computation.

More specifically, the wrapper receives the graph \(G=(V,E)\) from the graph party \({{P} _\mathsf {graph}} \), makes sure that \(G\in {\mathcal {G}} \), and sends a special initialization message containing G to \(\mathcal {F}_{\mathsf {}} \). (If the functionality \(\mathcal {F}_{\mathsf {}} \) does not depend on the communication graph, it can ignore this message.) The wrapper then proceeds to process messages as follows: Upon receiving an initialization message from a party \({P} _v\) responds with its neighbor set \(\mathcal {N}_{G}(v) \) (just like \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}} \)). All other input messages from a party \({P} _v\) are forwarded to \(\mathcal {F}_{\mathsf {}} \) and every message from \(\mathcal {F}_{\mathsf {}} \) to a party \({P} _v\) is delivered to its recipient.

Note that formally, the set of all possible parties \(V^*\) is fixed in advance. To represent a graph \(G'=(V',E')\) where \(V'\subset V^*\) is a subset of the parties, we use the graph \(G=(V^*,E')\), where all vertices \(v\in V^*\setminus V'\) have degree 0.

Definition 1

(Topology-hiding computation). We say that a protocol \(\pi \) securely realizes a functionality \(\mathcal {F}_{\mathsf {}} \) in a topology-hiding manner with respect to \({\mathcal {G}} \) tolerating a semi-honest adversary corrupting t parties if \(\pi \) securely realizes \(\mathcal {W}_{\mathsf {graph- info}} ^{\mathcal {G}} (\mathcal {F}_{\mathsf {}})\) in the \(\mathcal {F}_{\mathsf {graph}} ^{\mathcal {G}} \)-hybrid model tolerating a semi-honest adversary corrupting t parties.

Broadcast and Anonymous Broadcast. In this work we will focus on topology-hiding computation of two central functionalities. The first is the broadcast functionality (see Fig. 6), where a designated and publicly known party, named the broadcaster, starts with an input value m. Our broadcast functionality guarantees that every party that is connected to the broadcaster in the communication graph receives the message m as output. In this paper, we assume the communication graphs are always connected. However, the broadcaster may not be participating, in which case it is represented as a degree-0 node in the communication graph (and all the participating nodes are in a separate connected component.)

Parties that are not connected to the broadcaster receive a message that is supplied by the adversary (we can consider stronger versions of broadcast, but this simplifies the proofs).

We denote the broadcast functionality where the broadcaster is \({P} _i\) by \(\mathcal {F}_{\mathsf {bc}} ({P} _i)\).

Fig. 6.
figure 6

The broadcast functionality

Full size image

Definition 2

(t-THB). Let \({\mathcal {G}} \) be a family of graphs and let t be an integer. A protocol \(\pi \) is a t-THB protocol with respect to \({\mathcal {G}} \) if \(\pi ({P} _v)\) securely realizes \(\mathcal {F}_{\mathsf {bc}} ({P} _v)\) in a topology-hiding manner with respect to \({\mathcal {G}} \), for every \({P} _v\), tolerating a semi-honest adversary corrupting t parties.

The second is the anonymous-broadcast functionality (see Fig. 7). This functionality is similar to broadcast with the exception that the broadcaster is not known and its identity is kept hidden even after the computation completes. Namely, the environment will activate exactly one of the parties with an input value, informing this party that it is the broadcaster. We denote the anonymous broadcast functionality \(\mathcal {F}_{\mathsf {anon - bc}} \).

Fig. 7.
figure 7

The anonymous-broadcast functionality

Full size image

Definition 3

(t-THAB). Let \({\mathcal {G}} \) be a family of graphs and let t be an integer. A protocol \(\pi \) is a t-THAB protocol with respect to \({\mathcal {G}} \) if \(\pi \) securely realizes \(\mathcal {F}_{\mathsf {anon - bc}} \) in a topology-hiding manner with respect to \({\mathcal {G}} \), tolerating a semi-honest adversary corrupting t parties.

4 THB Lower Bounds

In this section we demonstrate that achieving broadcast while hiding certain graph properties necessitates cryptographic assumptions.

4.1 Hiding Distance Requires io-KA (The Oriented 5-Path)

In this section, we show that hiding the distance from the broadcaster, in constant rounds, requires infinitely-often Key Agreement (io-KA). In particular, we will show that any constant-round protocol for the class \({\mathcal {G}_{\mathsf {oriented- 5- path}}}\) (Fig. 8), implies io-KA.

Fig. 8.
figure 8

The class \({\mathcal {G}_{\mathsf {oriented- 5- path}}}\) of oriented paths, rooted in \({P} _1\). Communication is bidirectional, arrows simply indicate that nodes can deduce the broadcaster’s direction.

Full size image

In this class the nodes ,,, always know the direction of the broadcaster, (it’s in the direction of their lowest-valued neighbor, mod 5), but cannot distinguish (from their local neighborhood) whether they are distance 2 or 3 from the broadcaster. E.g.  cannot distinguish between —- and —-, as in both cases its local neighborhood is –. Note that if just distance is leaked to this class, the trivial flooding protocol is secure.

Intriguingly, the resulting key agreement construction is not fully-black-box, nor is it even explicit. Further, our result critically requires the \(\mathcal {G}_{\mathsf {oriented- 5- path}}\)-THB to be efficient in round complexity. We remark that such a limitation is inherent, as we demonstrate that \({\mathcal {G}_{\mathsf {oriented- 5- path}}}\) unconditionally admits an \(\epsilon \)-secure topology-hiding broadcast protocol that works in \(O(1/\epsilon )\) rounds, for any \(\epsilon >0\).Footnote 16 In contrast, the key agreement construction of Sect. 4.2 is fully black-box and rules out the existence of such an upper bound for the class \({\mathcal {G}_{\mathsf {triangle}}}\). It remains open whether an \(\epsilon \)-secure \({\mathcal {G}_{\mathsf {oriented- 5- path}}}\)-THB in \(<1/\epsilon \) rounds requires io-KA, or more generally whether negligible security in polynomial rounds requires io-KA.

Theorem 6

If there exists a constant-round 1-THB protocol for the class \(\mathcal {G}_{\mathsf {oriented- 5- path}}\), then infinitely-often key-agreement also exists.

The proof introduces an argument called ‘artificial over-extension’ (Sect. 2) which involves using the 1-THB on longer and longer graphs (outside of the scope of its correctness and security guarantees) until the protocol breaks in an identifiable way. Details are deferred to the full version of this paper.

4.2 Hiding Neighbor Distances Requires KA (The Triangle)

Consider the class \({\mathcal {G}_{\mathsf {triangle}}}=\{G_\mathsf {tr}^0,G_\mathsf {tr}^1,G_\mathsf {tr}^2\}\) as represented in Fig. 9, which we (abusively) call ‘the Triangle’. The players are \(P_1,P_2,P_3\) with the broadcaster always being \(P_1\); \(P_2\) and \(P_3\) are connected, and \(P_2\) and/or \(P_3\) is connected to \(P_1\).

Fig. 9.
figure 9

The class \({\mathcal {G}_{\mathsf {triangle}}}\).

Full size image

The secret of the topology can be summarized as follows: if one of the two non-broadcasting parties \(P_2\) or \(P_3\) is connected to the broadcaster, it does not know if the other is as well. Note that preserving the secret of the topology of \({\mathcal {G}_{\mathsf {triangle}}}\) can also be reformulated as ‘hiding the neighbor distances’ from the parties. Indeed, for \(P_2\) (resp. \(P_3\)) knowing the topology means knowing if \(P_3\) (resp. \(P_2\)) is at distance one or two from the broadcaster.

Theorem 7 (Broadcast on ‘The Triangle’ requires KA)

If there exists a 1-THB(1) protocol for the class \({\mathcal {G}_{\mathsf {triangle}}}\) then there exists a key-agreement protocol.

In order to prove this theorem, we explicitly construct a key-agreement scheme from a 1-THB(1) protocol \(\pi \) on \(\mathcal {G}_{\mathsf {triangle}}\). The construction of this KA protocol follows very closely the proof of Theorem 3.1 (and the associated Protocol 3.2) in Ball et al. [4], but we use a novel technique (the phantom jump argument to reduce the security of the key-agreement scheme to the topology-hiding properties of \(\pi \). See description in Sect. 2.1; the details of the proof are deferred to the full version of this paper.

5 THAB Lower Bounds

5.1 Low Vertex Connectivity Requires KA

In this section we show how t-THAB on a class which contains even a single graph with at least \(t+2\) vertices and which is not \((t+1)\)-connected implies Key-Agreement. It should be noted that this is a relatively weak result on its own, as testified by the fact that even non topology-hiding anonymous broadcast on such a class already implies KA, but we present it here for completeness’ sake and because it matches the upper bound of Theorem 11.

Proposition 2

t-THAB on a class containing a graph with at least \((t+2)\) vertices which is not \((t+1)\)-vertex-connected implies KA.

The result is similar in spirit to that of Ishai et al. [13]—who showed how anonymity can be leveraged to obtain privacy—. We show it using techniques from [4] however, which are more directly applicable as their setting is the same as ours. The proof is deferred to the full version of this paper.

5.2 Uncertain Honest Majority Requires io-OT (The 2-vs-3 Paths)

In the previous section we showed that, for a large number of graph classes, key-agreement is necessary to achieve 1-THAB. A natural follow-up question is to ask whether key agreement is sufficient to achieve 1-THAB on all graphs or not. We answer this question negatively by showing that constant-round 1-THAB on the class of paths of length two and three implies infinitely often oblivious transfer.

This is similar to the result of Ball et al. [3], who showed no honest majority can imply oblivious transfer in the 2-corruption setting. Note though that our result requires inherently different techniques, as in the one-corruption setting there exists only one graph with no honest majority, namely the path of length 2. 1-THAB on this graph only is trivial, as the only party that is not the broadcaster knows that the other party must be the broadcaster. But, adding the path of length 3 (where in fact there is always a honest majority), we can prove an implication to infinitely-often oblivious transfer (io-OT). From a certain point of view, we show that one cannot hide how far information travels, unless always guaranteed an honest majority.

Theorem 8

Let \(\pi \) be a constant-round 1-THAB protocol for \({\mathcal {G}_{\mathsf {2-vs-3}}}\). Then, there exists a uniform infinitely-often OT protocol secure in the presence of a semi-honest adversary.

In order to prove this theorem, we show that a constant-round 1-THAB for \(\mathcal {G}_{\mathsf {2-vs-3}}\) can be used to build a secure two-party infinitely often AND functionality, which in turn implies infinitely often OT. The proof closely follows that of Theorem 6, which introduced the “artificial over-extension” technique, and is described in Sect. 2.2. The details are deferred to the full version of this paper.

6 Information-Theoretic Upper Bounds

In this section, we present our information-theoretic constructions: in Sect. 6.1, 1-IT-THAB for 2-connected graphs, and in Sect. 6.2, 1-IT-THB for the 1-connected butterfly graph.

6.1 2-Connectivity is Sufficient for 1-IT-THAB

On an intuitive level, \((t+1)\)-vertex-connectivity could be a sufficient condition to perform t-IT-THAB since messages exchanged between distant parties in the graph can be secret-shared among \(t+1\) vertex-disjoint paths. This way, privacy of communication can be ensured (since, with only t corruptions, an adversary cannot recover all the shares). The core challenge, however, is how to have the parties route message shares consistently on general, unstructured graphs, in a topology-hiding fashion (in particular, message routing can only be done locally). We prove this intuition to be true for \(t=1\), and provide a way for parties to route secret-shares in 2-connected graphs.

Theorem 9

Let \(n\in {\mathbb {N}}\), let \({\mathcal {G}} \) be a class of 2-connected graphs of vertex set size at most n, let \({d_\textsf {max}} \) is the maximal degree of any graph in \({\mathcal {G}} \), and let \(\delta >0\). Then, there exists a protocol that securely realizes \(\mathcal {F}_{\mathsf {anon - bc}} \) with security \(\delta \) in a topology-hiding manner with respect to \({\mathcal {G}} \), tolerating a single semi-honest corruption.

Moreover, the protocol completes within n rounds with total communication complexity \(O(n^2{d_\textsf {max}} \cdot |{\mathcal {G}} |\cdot ({\ell } +\log (n/\delta )+{d_\textsf {max}} \cdot \log |{\mathcal {G}} |))\) and computation complexity \(O(|{\mathcal {G}} |^{{d_\textsf {max}}})\) per node.

The proof revolves around a technique we call “censored brute-force” (see Sect. 2.3). Full details are deferred to the full version of this paper.

6.2 2-Connectivity is Not Necessary for 1-IT-THB (Butterfly Graph)

Section 5.2 shows a separation between 1-THAB and 1-THB, with the class \({\mathcal {G}_{\mathsf {2-vs-3}}}\): 1-THAB implies infinitely often OT, yet 1-THB is possible information-theoretically by flooding. In order to understand if the separation is really meaningful or due to an edge case of the definition of THB, we ask whether there is a class which separates the two functionalities and for which 1-THB is not trivial (i.e., cannot be achieved by simple flooding). To this end, we prove there exist graph classes on which 1-IT-THAB is impossible and flooding is not topology-hiding, but there still exist 1-IT-THB. One such class is the family of butterfly graphs (Fig. 10), on which 1-IT-THAB is impossible by Proposition 2.

Fig. 10.
figure 10

The class of butterfly graphs consists of all possible permutations of the graph depicted above with nodes in \(\{1,2,3,4,5\}\).

Full size image

Theorem 10

(IT -THB on butterfly). There exists a 1-IT-THB protocol with respect to \({\mathcal {G}_{\mathsf {butterfly}}}\) with perfect security.

What makes this problem non-trivial is that the center node cannot learn which of its neighbors are connected, while the other nodes cannot learn which node is the center node. We present an information-theoretic protocol which runs in two phases. In the first, the broadcaster sends the message to all its neighbors which ensures the center node gets hold of it. In the second phase, the center node broadcasts the message in parallel on a bunch of subgraphs. Each of these is the graph induced by the center and any other two parties. Note that each of these subgraphs is either a triangle or a 3-path, much like in ‘the Triangle’, described in Sect. 6.1. Crucially, we ensure the center node does not learn which of them are triangles and which are 3-paths, while also preventing the other parties learning the identity of the center node. Now, every neighbor of the center—i.e., every party—knows the broadcast bit. The protocol is detailed in the full version of the paper.

7 Key-Agreement Upper Bounds

We show that key-agreement is sufficient to achieve 1-THAB on all graphs with at least 3 nodes—in other words, on all graphs where we are guaranteed an honest majority. As shown in Sect. 5.2 this is the best we can hope to achieve for general graph classes. This result can then be extended to 1-THB for all graphs.

Theorem 11

(KA is sufficient for 1-THAB on all graphs of size at least 3). If there exists a key-agreement protocol, there exists a 1-THAB protocol on the class of all graphs with at least 3 and at most B vertices.

Based on [18], the idea is to broadcast the message via flooding, but in a way that hides from the parties at which round they received the broadcast message. We leverage the fact there is a guaranteed honest local majority nearly everywhere in the network to run a protocol between locally simulated virtual parties.Footnote 17 The weakened assumption when compared to [18] (KA instead OT) means we have to take extra steps to run secure protocols locally; to that effect we introduce the trick of ‘dead-end channels’. The details of this construction are deferred to the full version of this paper.

Theorem 12

(KA is sufficient for 1-THB on all graphs). If there exists a key-agreement protocol, there exists a 1-THB protocol on the class of all graphs with at most B vertices.

The proof of Theorem 12 follows almost immediately from that of Theorem 11, and only involves introducing a small step to handle the case of size-2 networks. Again, it is left to the full version.