Proof of 1-Privacy

Theorem 8. The Secure Propagation protocol 1-privately computes the output of a general message-passing algorithm in the semi-honest model. Furthermore, all communication takes place only between nodes that are neighbors on the original graph, and SMPC is never invoked on more than two parties.

Proof. First, it is easy to see that Secure Propagation does in fact compute the same output as the original message-passing protocol; the proof of this, which is quite straight-forward, is omitted.

In order to show that Secure Propagation is 1-private (i.e. that it meets Definition 4 with

k = 1), we must show that it is possible to simulate the view of any individual party given only this party’s private input and output. The argument used here relies on the standard notion of an oracle-aided protocol. (See, for example, Volume II of Goldreich’sIntroduction to Cryptography [38].) For each node Xi, we will first show that Xi’s view of the protocol

can be simulated if each invocation of secure two-party computation is treated as a black box or oracle call. Then, using the fact that any application of secure two-party computation involvingm parties is known to bem-private, we will show that the full view ofXi in Secure

Propagation can also be simulated.

Imagine an oracle-aided protocol ΠO in which each application of S2PC is replaced with an oracle call where the values returned to each node by the oracle are the output values the nodes would have received from a real application of S2PC. We must show that it is possible to simulate the view of any node Xi during this oracle-aided protocol. Recall that the view

of Xi consists of Xi’s input, random bits, and incoming communication from other parties;

we must then show that given Xi’s input and randomness, we can simulate the incoming

communication in such a way that the simulated view is computationally indistinguishable

from the true view. We show how to simulate each message received by Xi during the

First, it is necessary to simulate the initial key generation and swapping phase. Since each node in the graph is assumed to generate its public and private keys from a fixed generator G,Xi can simulate this phase by generating public and private key pairs for itself

and for every other node within two hops using G. Xi can simulate the one-time messages

received from the nodes two hops away using the generated public keys; the secret keys can be discarded.

Throughout the remainder of the protocol, Xi will receive two types of messages: those which (by design) appear to be distributed uniformly at random (i.e. the shares of states and messages that are the results of local applications of S2PC), and those that are encrypted by its neighbors or its neighbors’ neighbors (i.e. the encryptions of the message shares and the encryptions of the state shares). The former can clearly be simulated by drawing values uniformly at random; by design, these new values will be computationally indistinguishable from the shares returned by the S2PC applications.

To simulate a message that is encrypted using the public key of node Xj, the simulator

simply generates a random string m and uses the value Encpk0(Xj)(m) where pk

0

(Xj) is the

simulated public key forXj that was generated during the simulation of the key distribution phase above. As discussed in Appendix B.1, it is the case that for any semantically secure encryption scheme, for any two strings m and m0, the encryption of m is computationally indistinguishable from the encryption ofm0. Since the simulated value pk0(Xj) is drawn from the same distribution as the public key pk(Xj) used in an actual execution of the protocol, Encpk0(Xj)(m) will be computationally indistinguishable from the true message received by

Xi.

Note that on rounds in which Xi plays the role of the distinguished neighbor, it will be

necessary to deal with the case in which Xj = Xi. In this case, we additionally need to

make sure that thedecryption ofEncpk0(Xj)(m) is computationally indistinguishable from its

counterpart in a real execution of the protocol. Becausemwas chosen uniformly at random, the decryption of Encpk0(Xj)(m) will of course yield a value that is distributed uniformly –

but this will also be the case in the real execution, since the decrypted values will be message shares that are distributed uniformly at random from the perspective of Xi.

We have shown how to design a simulatorS_iOto simulate the view ofXiin the oracle-aided

protocol ΠO_{. Letf}

1, . . . , f` be the functions computed by the`applications of S2PC in which Xi is involved. By Theorem 7, we can construct private two-party protocols Πf1, . . . ,Πf` to

execute each of these computations. Furthermore, from Definition 4, we know there must exist polynomial-time computable functionsSf1

i , . . . , S f`

i that simulate the view of Xi in each

of these protocols.

Let Π be the Secure Propagation protocol. By definition, this protocol is simply the oracle-aided protocol ΠO with the protocol Πfi _{plugged in for each application of S2PC for}

computingfi. Consider a simulatorSi designed as follows. Run the simulatorSiO as defined

above, but in place of each oracle call, run the appropriate simulatorSfi

i with the input and

output produced by S_iO. We will show that the view of Xi in Π must be computationally indistinguishable from the output of the simulator Si using a hybrid argument.

For j = 1, . . . , `, let H_ij be a hybrid simulator defined in the following way. Start by generating the view of Xi in a real execution of the protocol Π. Now, in place of the first j

applications of S2PC in this view, substitute the simulated view of Xi using the simulator Sfk

i for k = 1, . . . , j. (Note that the view of Xi in the execution of the real protocol will

specify the input and output of each S2PC invocation and so the simulators can be run on this real input and output.)

Suppose that the view ofXiin Π is not computationally indistinguishable from the output

of the simulator Si. By a standard hybrid argument (see, for example, Goldreich [38]), it must be the case that either simulated view ofXi using Hi1, the simulated view ofXi using Si is distinguishable from the simulated view of Xi using Hi`, or for some j ∈ {1, . . . , `−1},

the view of simulated view of Xi using H_ij is distinguishable from the simulated view of

Xi using Hij+1. The second and third scenarios cannot occur due to Theorem 7. The first

scenario cannot occur due to the above proof that the output of SO

indistinguishable from the view of Xi in ΠO. Thus it must be the case that the view of Xi

in Π is computationally indistinguishable from the output of the simulator Si, and Secure

Propagation is secure.