Scalable and Secure Aggregation in Distributed Networks

We consider the problem of computing an aggregation function in a \emph{secure} and \emph{scalable} way. Whereas previous distributed solutions with similar security guarantees have a communication cost of $O(n^3)$, we present a distributed protocol …

Authors: Sebastien Gambs, Rachid Guerraoui, Hamza Harkous

Sébastien Gambs (1), Rachid Guerraoui (2), Hamza Harkous (2), Florian Huc (2), and Anne-Marie Kermarrec (3)
(1) Université de Rennes 1 – INRIA/IRISA
(2) École Polytechnique Fédérale de Lausanne (EPFL)
(3) INRIA Rennes Bretagne-Atlantique

Abstract. We consider the problem of computing an aggregation function in a \emph{secure} and \emph{scalable} way. Whereas previous distributed solutions with similar security guarantees have a communication cost of $O(n^3)$, we present a distributed protocol that requires only a communication complexity of $O(n \log^3 n)$, which we prove is near-optimal. Our protocol ensures perfect security against a computationally-bounded adversary, tolerates $(\frac{1}{2} - \varepsilon) n$ malicious nodes for any constant $\frac{1}{2} > \varepsilon > 0$ (not depending on $n$), and outputs the exact value of the aggregated function with high probability.

1 Introduction

Aggregation functions are a specific class of functions that compute a global function from the local values held by nodes in a distributed system. Examples of aggregation functions include simple functions such as the average computation but also more sophisticated ones such as an election with multiple candidates. Such functions are particularly important in large-scale systems in which they are typically used to compute global system properties (e.g. for monitoring purposes). While such computations may be achieved through a trusted central entity gathering all inputs [BFP+01], distributed variants are appealing for scalability and privacy reasons. In this paper, we address simultaneously three issues related to computing an aggregation function in a distributed fashion, namely correctness, privacy and scalability. Indeed, the problem of computing an aggregation function is a specific instance of the much broader problem of secure multiparty computation.
Generic constructions can thus be used [GMW87,BOG88] for solving the problem while tolerating up to $n/2 - 1$ malicious nodes, where $n$ is the number of nodes in the network. However, these constructions are often expensive, with a global communication cost that is quadratic or cubic in the number of nodes in the network [BTH08]. In addition, most of them assume the existence of a broadcast channel, which is rarely available in large scale networks. Simulating such a channel is possible but has a communication cost of $\Omega(n^2)$. Ideally, we would like the communication complexity to compute an aggregation function to be linear in the number of nodes. The fundamental question is whether an algorithm for computing an aggregation function with a communication cost of $O(n)$ in a secure and accurate way in the presence of a constant fraction of malicious nodes exists. Clearly, this is impossible to achieve with certainty. Indeed, to be certain that a message sent by a node is not altered by a collusion of malicious nodes, it needs to be sent at least $m + 1$ times, where $m$ is the number of malicious nodes (otherwise the malicious nodes could simply drop the message). Such an algorithm would induce $O(nm) = O(n^2)$ messages when $m = O(n)$. Therefore, instead of seeking certainty, we investigate algorithms that output the exact value of the aggregation function \emph{with high probability} (whp). In fact, our first contribution is to prove a lower bound stating that at least $\Omega(n \log n)$ messages are required to compute any multiparty function (not only aggregation) in an accurate way and with high probability. The lower bound proof leverages a strategy in which the adversary controls all the nodes to which a specific node sends its messages, whilst honest nodes hide as much as possible the selection of nodes that will treat their votes.
Our second contribution is a near-optimal distributed protocol for computing the output of any aggregation function while protecting the privacy of individual inputs, and tolerating up to $(\frac{1}{2} - \varepsilon) n$ malicious nodes, for $n$ the number of nodes in the network and $\varepsilon > 0$ any constant independent of $n$. This protocol outputs the exact value of the aggregation function with high probability as $n$ tends to infinity, has a global communication cost of $O(n \log^3 n)$, and is balanced. It is based on a distributed version of the protocol presented in [AS09] to build an overlay of clusters of size $O(\log n)$, such that each of them contains a majority of honest nodes (the construction of such a layout is a necessary condition to ensure the accuracy of our protocol). It uses this layout to compute the aggregation function using existing cryptographic tools at the level of the clusters, which would otherwise be too expensive (in terms of communication complexity) to run at the level of the network. We support our theoretical evaluation with an implementation of a distributed polling protocol, based on our aggregation protocol, on the Emulab testbed [WLS+02]. We show its communication, computation, and time efficiency compared to a non-layout-based secure aggregation protocol.

The rest of the paper is organized as follows. In Section 2, we discuss the model and related work. Afterwards, we prove a lower bound on the minimal communication complexity of computing an aggregation function in Section 3. The protocol is described and analyzed in Section 4. Finally, we report on the results of an experimental evaluation of the protocol in Section 5 and we conclude in Section 6.

2 Preliminaries and Background

2.1 Model

We consider a dynamic and distributed system composed of nodes that can join and leave at any time. We assume that the number of nodes in the system is always linear in a parameter $n$.
Furthermore, some of the nodes (that we refer to hereafter as \emph{malicious}) might display an undesirable behaviour and cheat during the execution of the protocol in order to learn information of honest nodes, to perturb the functionality of the system, or simply to make it crash. We model these malicious nodes through a static and active adversary controlling and coordinating them (see [Gol01] for a formal definition). At any point in time, the adversary has a complete knowledge of the structure of the system, while an honest node has only a local knowledge of its neighbourhood. When a node joins the network, this adversary can corrupt it to make it a malicious node; otherwise the node is called honest. Of course, during the execution of a protocol, an honest node has no idea whether it is currently interacting with an honest node or a malicious node. We assume that $\tau$, the fraction of malicious nodes controlled by the adversary, is less than $\frac{1}{2} - \varepsilon$ for some constant $\frac{1}{2} > \varepsilon > 0$ independent of $n$.

In order to construct the overlay of the system, we rely on a distributed version of the protocol proposed in [AS09]. The analysis of this protocol has been conducted in the following setting: first, only the honest nodes are present in the network and there have been enough leave and join operations from these honest nodes; then the adversary has the malicious nodes join the network. After this initialisation phase, the nodes can leave and join arbitrarily, but still while conserving a maximum fraction $\tau$ of malicious nodes in the system.

Remark 1.
It has been proved that the protocol of [AS09] guarantees to maintain a partition of the nodes into clusters of size $\Omega(\log n)$, such that in each cluster there is a majority of honest nodes, under the hypothesis that the fraction of malicious nodes controlled by the adversary is less than $\frac{1}{2} - \varepsilon$ and that the adversary cannot force an honest node to leave the system. The partition can be made further resilient to other attacks (particularly denial-of-service attacks which result in honest nodes leaving the system) by using the protocol proposed in [AS07]. However, in this case, the fraction of malicious nodes controlled by the adversary is required to be less than $\frac{1}{5} - \varepsilon$. The results presented in this paper can be straightforwardly adapted to this latter situation.

We further assume that each node has a pair of secret/public keys for signature that is assigned to it by a (trusted) Certification Authority (CA). Note that this CA is dedicated to key management and cannot be used to achieve other computations. Some decentralized implementations of such a CA are possible but they are out of the scope of this paper. More precisely, when a new node joins the network, it receives a certificate signed by the CA that contains its public key and that can be shown to other nodes, as well as the corresponding private key. As the public key of a node is unique and chosen at random, it can be considered as being the identifier of this node. We also assume that all nodes in the system can communicate via pairwise secure channels (these secure channels can be obtained for instance via a public key infrastructure or a key generation protocol), which means that all the communications exchanged between two nodes are authenticated and confidential from the point of view of an external eavesdropper.
Periodically, the nodes currently within the system compute, in a distributed manner, an aggregation function $f$ that depends on the individual inputs of the nodes, $x_1, \ldots, x_n$, where $x_i$ is taken from a set of $k$ different possible values (i.e., $x_i \in \{\nu_1, \ldots, \nu_k\}$). This aggregation function can be used for instance to compute a distributed polling or any global property of the network that can be obtained by a linear combination of the local inputs. In the rest of the paper, we assume that these values correspond to integers. A simple example of such a function is the computation of the average (or the sum) of these values (i.e., $f(x_1, \ldots, x_n) = \frac{1}{n} \sum_{i=1}^{n} x_i$). Due to the presence of malicious nodes, the computation needs to be achieved in a secure way, in the sense that it should offer some guarantees on the privacy (Definition 1) of the local inputs of honest nodes and on the correctness of the output, and this against any actions that the active adversary might take.

Definition 1 (Privacy – active adversary [Gol01]). A distributed protocol is said to be \emph{private} with respect to an active adversary controlling a fraction $\tau$ of nodes, if this adversary cannot learn (except with negligible probability) more information from the execution of the protocol than it could from its own input (i.e., the inputs of the nodes it controls) and the output of the protocol.

Privacy can either be \emph{information-theoretic} (unconditional), if an adversary with unlimited computational power cannot break the privacy of the inputs of honest nodes, or \emph{cryptographic}, if it only holds against a computationally-bounded adversary that does not have enough computing resources to break a cryptographic assumption (such as factorising the product of two big prime numbers or solving the discrete logarithm problem).
Furthermore, we aim at ensuring correctness (Definition 2), even if the malicious nodes controlled by the adversary misbehave.

Definition 2 (Correctness – active adversary). A distributed protocol is said to be \emph{correct} with respect to an active adversary controlling a fraction $\tau$ of the nodes, if the output of the protocol is guaranteed to be exact with high probability.

However, malicious nodes cannot be prevented from choosing their own inputs as they want, as long as these inputs are valid (i.e. they are within the range of the possible ones). Neither can we avoid the situation in which a malicious node simply refuses to participate in the protocol, in which case the protocol should be run without taking this node into account. If a malicious node leaves the protocol during its execution, then the protocol should be robust enough to carry out the computation instead of simply aborting. This corresponds to a type of denial-of-service attack on the global functionality computed by the protocol.

Moreover, we seek \emph{scalable} protocols whose global communication cost and computational complexity are as close as possible to the lower bound $\Omega(n \log n)$ that we prove in Section 3. The term scalable reflects the property of a protocol to remain efficient when the size of the system increases, and hence its suitability to be implemented in large scale systems. As the notion of scalability imposes a bound on the communication and computational complexity, it has an impact on the type of cryptographic techniques that can be used. For instance, as mentioned in Section 2.3, general results in secure multiparty computation can be used to compute any distributed function in a secure manner as long as the number of malicious participants is less than $n/3$ when aiming for information-theoretic security [CCD88] or less than $n/2$ for achieving cryptographic security [GMW87].
However, these protocols have communication and computational complexities that are at least quadratic or cubic in the number of nodes $n$.

Apart from scalability, we also aim at achieving a \emph{balanced} protocol (Definition 3) in which each node receives and sends approximately the same quantity of information.

Definition 3 ($(C_{in}, C_{out})$-balanced). A distributed protocol among $n$ nodes whose communication complexity is $C_{total}$ is said to be $(C_{in}, C_{out})$-balanced, if each node sends $O(C_{in} C_{total} / n)$ and receives $O(C_{out} C_{total} / n)$ bits of information.

For instance, in a $(1, 1)$-balanced protocol, each node sends and receives the same number of bits (up to a constant factor), whereas in an $(n, n)$-balanced protocol a single node may do all the work. In this paper, we will consider as \emph{balanced} a protocol that is $(\mathrm{Poly}(\log n), \mathrm{Poly}(\log n))$-balanced.

2.2 Homomorphic encryption

In our work, we rely on a cryptographic primitive known as \emph{homomorphic encryption}, which allows arithmetic operations (such as addition and/or multiplication) to be performed on encrypted values, thus protecting the privacy of the inputs of honest nodes.

Definition 4 (Homomorphic cryptosystem). Consider a public-key (asymmetric) cryptosystem where (1) $\mathrm{Enc}_{pk}(a)$ denotes the encryption of the message $a$ under the public key $pk$ and (2) $\mathrm{Dec}_{sk}(\mathrm{Enc}_{pk}(a)) = a$ is the decryption of this message with the secret key $sk$. (In order to simplify the notation, we drop the indices and write $\mathrm{Enc}(a)$ instead of $\mathrm{Enc}_{pk}(a)$ and $\mathrm{Dec}(a)$ instead of $\mathrm{Dec}_{sk}(a)$ for the rest of the paper.) A cryptosystem is \emph{additively homomorphic} if there is an efficient operation $\oplus$ on two encrypted messages such that $\mathrm{Dec}(\mathrm{Enc}(a) \oplus \mathrm{Enc}(b)) = a + b$.
Moreover, such an encryption scheme is called \emph{affine} if there is also an efficient scaling operation $\odot$ taking as input a ciphertext and a plaintext, such that $\mathrm{Dec}(\mathrm{Enc}(c) \odot a) = c \times a$.

Paillier's cryptosystem [Pai99] is an instance of a homomorphic encryption scheme that is both additive and affine. Moreover, Paillier's cryptosystem is also \emph{semantically secure} [Gol01], which means that a computationally-bounded adversary cannot derive non-trivial information about the plaintext $m$ from the ciphertext $\mathrm{Enc}(m)$ and the public key $pk$.

Definition 5 (Semantic security [Gol01]). An encryption scheme is said to be semantically secure if a computationally-bounded adversary cannot derive non-trivial information about the plaintext $m$ from the ciphertext $\mathrm{Enc}(m)$ and the public key $pk$.

For instance, a computationally-bounded adversary who is given two different ciphertexts encrypted with the same key of a semantically secure cryptosystem cannot even decide with non-negligible probability whether the two ciphertexts correspond to the encryption of the same plaintext or not. This is because a semantically secure cryptosystem is by essence \emph{probabilistic}, meaning that even if the same message is encrypted twice, the two resulting ciphertexts will be different with high probability. In practice, semantic security is achieved by injecting fresh randomness into each possible operation of the cryptosystem (encryption, addition and multiplication). However, if two participants agree in advance to use the same seed for randomness, this renders the encryption scheme deterministic.
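The following Python block is an added example written for this edit; it is not code from the paper, nor Paillier's or Damgård and Jurik's implementation. It is a textbook (non-threshold) Paillier scheme with caller-supplied randomness, used to exercise Definitions 4 and 5: the additive operation $\oplus$ is a ciphertext product, the affine scaling $\odot$ is an exponentiation, and re-randomising the same sum with independent randomness yields different ciphertexts of the same plaintext, whereas an agreed randomness value makes the two results identical. The two primes, the optional re-randomisation argument of `add`, and the seeded RNG are assumptions of the example.

```python
# Added example (not the paper's code): textbook Paillier with explicit randomness.
# Demonstration-sized primes; real deployments use primes of ~1024 bits each.
from math import gcd
import random

P, Q = 1_000_000_007, 998_244_353   # two well-known primes (constructed choice)


def keygen(p=P, q=Q):
    """Return pk = (n, g) and sk = (lam, mu) with the usual choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)      # lcm(p-1, q-1)
    # With g = n + 1, L(g^lam mod n^2) = lam mod n, so mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


def encrypt(pk, m, r):
    """Enc_pk(m) = g^m * r^n mod n^2; the caller supplies the randomness r."""
    n, g = pk
    if not (0 <= m < n and 1 <= r < n and gcd(r, n) == 1):
        raise ValueError("plaintext or randomness out of range")
    n2 = n * n
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    """Dec_sk(c) = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pk
    lam, mu = sk
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def add(pk, c1, c2, r=None):
    """c1 (+) c2 is the ciphertext product; an optional r re-randomises it."""
    n, _ = pk
    n2 = n * n
    c = c1 * c2 % n2
    if r is not None:
        c = c * pow(r, n, n2) % n2       # multiply by Enc(0) under randomness r
    return c


def scale(pk, c, a):
    """Enc(m) (.) a = c^a mod n^2, which decrypts to m * a."""
    n, _ = pk
    return pow(c, a, n * n)


def fresh_randomness(pk, rng):
    """Uniform r in Z_n^*; rng is seeded in demo() only to keep it reproducible."""
    n, _ = pk
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return r


def demo():
    pk, sk = keygen()
    rng = random.Random(2024)
    c1 = encrypt(pk, 17, fresh_randomness(pk, rng))
    c2 = encrypt(pk, 25, fresh_randomness(pk, rng))
    # Two participants each compute Enc(17) (+) Enc(25) with their own fresh
    # randomness: distinct ciphertexts, identical plaintext (Definition 5).
    a1 = add(pk, c1, c2, fresh_randomness(pk, rng))
    a2 = add(pk, c1, c2, fresh_randomness(pk, rng))
    # With randomness agreed in advance, the two ciphertexts coincide.
    agreed = fresh_randomness(pk, rng)
    b1 = add(pk, c1, c2, agreed)
    b2 = add(pk, c1, c2, agreed)
    return {
        "sum": decrypt(pk, sk, add(pk, c1, c2)),          # 42
        "scaled": decrypt(pk, sk, scale(pk, c1, 3)),      # 51
        "fresh_ciphertexts_differ": a1 != a2,
        "fresh_plaintexts_equal": decrypt(pk, sk, a1) == decrypt(pk, sk, a2) == 42,
        "agreed_ciphertexts_equal": b1 == b2,
    }


if __name__ == "__main__":
    print(demo())
```

The re-randomisation in `add` multiplies by an encryption of zero, which is why the plaintext is unchanged while the ciphertext is not; this is the mechanism behind the "same randomness gives the same ciphertext" property the protocol later relies on when honest nodes must produce identical local aggregates.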
For instance, if two different participants each add together two encrypted values, $\mathrm{Enc}(m_1)$ and $\mathrm{Enc}(m_2)$, using the addition operation of the cryptosystem, this normally results in two different ciphertexts (but still corresponding to the same plaintext), unless the participants agree in advance to use the same randomness. In this paper, we use a \emph{threshold} version of Paillier's cryptosystem due to Damgård and Jurik [DJ01].

Definition 6 (Threshold cryptosystem). A $(t, n)$ threshold cryptosystem is a public cryptosystem where at least $t > 1$ nodes out of $n$ need to actively cooperate in order to decrypt an encrypted message. In particular, no collusion of even $(t - 1)$ nodes can decrypt a ciphertext. However, any node may encrypt a value on its own using the public key $pk$. After the threshold cryptosystem has been set up, each node $i$ gets as a result its own secret key $sk_i$ (for $1 \le i \le n$).

2.3 Related Work – Secure Multiparty Computation

The main goal of secure multiparty computation is to allow participants to compute in a distributed manner a joint function over their inputs while at the same time protecting the privacy of these inputs. This problem was first introduced in the bipartite setting in [Yao82] and has since become one of the most active fields of cryptography. Since the seminal paper of Yao, generic constructions have been developed for the multiparty setting that can be used to compute securely (in the cryptographic sense) any distributed function as long as the number of malicious nodes is strictly less than $n/2$ [GMW87]. For some functions, it has been proven that these protocols are optimal with respect to the number of malicious nodes that can be tolerated.
Subsequently, complementary work [CK91] has shown that the only functions that can be computed even when a majority of nodes are malicious (up to $n - 1$) are those that consist in an XOR-combination of $n$ Boolean functions. In the information-theoretic setting, generic results for secure multiparty computation also exist that can tolerate up to $n/3$ malicious nodes without relying on any cryptographic assumptions [BOG88,CCD88]. All these generic constructions have constant overheads (independent of the function to be computed), in terms of communication and computation, that are at least quadratic or cubic in the number of nodes [BTH08]. However, for solving specific tasks it is often possible to develop more efficient protocols. Furthermore, contrary to us, some of these constructions assume the availability of a secure broadcast channel, i.e. it is assumed that a broadcast can be performed for a communication cost which is the size of the message. Recently, [HZ10] has proposed a protocol for simulating such a channel that can tolerate up to $n/2$ malicious nodes with a global communication cost of $\Theta(n^2)$. We use this protocol as a subroutine in our approach to broadcast messages to a small set of nodes. Notice that this broadcast protocol is proved to be secure against an adaptive adversary, which is a stronger adversary than the one we consider (the static one). Therefore, one could argue that using this protocol is too strong and that we should rely on a simpler one.

Assuming a particular structure of the underlying network can sometimes lead to efficiency gains. For instance, a recent protocol [BDNP08] achieves the secure multiparty computation of any function in at most 8 rounds of communication.
This protocol uses a cluster composed of $m$ nodes (for $m < n$) to simulate a trusted central entity, has a global communication cost of $O(m^2 + nm)$ and can tolerate up to $m/2$ honest-but-curious nodes (a weaker form of adversary model in which nodes do not cheat actively but can share their data in order to infer new information). This protocol can be used to compute privately an aggregation function as long as the number of honest-but-curious nodes is small (i.e. $O(\log n)$) but does not aim at providing security against malicious nodes as we do.

A related technique, frequently used in the context of scalable distributed consensus, is \emph{universe reduction}, which consists in selecting a small subset of the $n$ nodes, among which the fraction of malicious nodes is similar to the fraction of malicious nodes in the entire system with high probability. This subset of nodes can run expensive protocols and disseminate the results to the rest of the network. To our knowledge, no solution for this problem with a sub-quadratic global communication complexity has been found in the presence of an adversary controlling a constant fraction of the nodes, without any simplifying assumptions. Feige's lightest bin protocol [Fei99] solves the problem when all nodes have access to a broadcast channel, and it has been adapted to the message passing model by [KSSV06], with a complexity polynomial in $n$, the original network size. Another solution proposed in [BOPV06] has a quasi-polynomial communication complexity (i.e. the total number of bits sent by honest nodes is $O(n^{\log n})$).
Other protocols by [KKK+08] and [KS10] claim sub-quadratic communication complexity against a malicious adversary controlling less than $n/(6 + \varepsilon)$ (for some constant $\varepsilon > 0$) and $n/3$ nodes respectively, but they assume that all nodes know the identities of all the other nodes in the system, which in itself hides an $\Omega(n^2)$ communication complexity to propagate this information.

Aggregation functions also have a clear connection with election problems. In particular for these problems, it is of paramount importance to protect the privacy of voters. In [BFP+01], a protocol was proposed that computes the outcome of an electronic election while providing cryptographic security for a global communication cost of $O(n)$. However, contrary to our approach, this protocol requires the availability of a trusted entity. Another protocol [JCJ10] achieves the property of coercion-resistance, i.e. a voter cannot produce any proof of the value of its vote, thus preventing any possibility to force or buy its vote. This protocol has a complexity of $O(n^2)$, where $n$ is the number of voters, which (quoting the authors) is not practical for large scale elections. Finally, our work is to be compared with [GGHK10], in which the authors propose a protocol computing a $\sqrt{n}$-approximation of an aggregation function even in the presence of $\sqrt{n}/\log n$ rational nodes (a slightly weaker form of adversary than malicious nodes) with a global communication cost of $O(n^{3/2})$ but without relying on cryptographic assumptions.

3 Lower Bound

In this section, we prove that no balanced algorithm can compute an aggregation function with a global communication complexity $o(n \log n)$, provided that the number of malicious nodes is linear in the number of nodes in the system.

Theorem 1.
Given a protocol that computes a function in a distributed manner, whose inputs are held by $n$ nodes among which $\varepsilon n$ are malicious for some positive constant $\varepsilon < 1$ (independent of $n$). If a fraction $cn$ of the nodes send no more than $\omega^+(n)$ messages (for some $\omega^+(n) = o(\log n)$ and constant $1 > c > 0$) and no node receives more than $\omega^-(n)$ messages, with $\omega^+(n)\, e^{\omega^+(n)}\, \omega^-(n) = o(n)$, then with high probability (in $n$) there is a node whose messages are all intercepted by malicious nodes.

Proof. If the structure of the overlay is fixed using deterministic arguments before the adversary chooses which nodes he corrupts, he can always target a particular node by corrupting the $\omega^+(n)$ nodes with whom this honest node will communicate. Similarly, if the set of nodes receiving all the messages of a given node is not chosen uniformly at random, the adversary may possibly use this bias to increase the chances that all the nodes in the determined set are malicious. The best strategy for a node to avoid sending all its messages to malicious nodes is to choose the recipients of its messages uniformly at random (we call a recipient for $x$ a node that receives a message from node $x$). The objective of our proof is to show that even under this strategy, there is at least one node that will send all its messages to malicious ones. For this, we consider several disjoint sets, each containing all the recipients of a particular node. To find such disjoint sets of nodes, we proceed in a greedy way. Given a node $x_1$ that sends less than $\omega^+(n)$ messages, we set $S_1$ to be the set of recipients for $x_1$. By assumption, this set intersects at most $\omega^-(n)\,\omega^+(n)$ sets of recipients of other nodes. We then proceed recursively by discarding all the nodes sending their messages to these sets.
At the end of the process, we obtain $k = cn / (\omega^-(n)\,\omega^+(n))$ nodes that send all their messages to disjoint sets $S_1, \ldots, S_k$. We now want to prove that with high probability, one of these sets is composed exclusively of malicious nodes. The adversary can choose arbitrarily the nodes he wants to corrupt to be malicious. However, we assume that once its choice is made, it is fixed and the adversary cannot change it later. Recall that the sets $S_i$, $1 \le i \le k$, have been chosen at random. Given the sets $S_i$, we denote by $S = \cup_{i=1}^{k} S_i$ and by $m_S$ the number of malicious nodes in $S$; the two following processes generate the same probability distribution:

1. Choose $\varepsilon n$ malicious nodes, and then take disjoint sets $S_1, \ldots, S_k$ among the $n$ possible ones.
2. Draw $m_S$, the number of malicious nodes in $S$, according to the binomial distribution $Bi(\varepsilon, |S|)$, and then choose at random $m_S$ malicious nodes from $S$.

Note that we do NOT assume that the malicious nodes are \emph{chosen at random}. Rather, we state that if two processes lead to the same probability distribution, proving a result for one of the two processes implies the same result for the other process. Let us recall that the malicious nodes are corrupted by the adversary at the time they join the network. When choosing $m_S$ malicious nodes from $S$, we have a non-independent probability for a node to be malicious or not, whereas, if we had independence, the proof would be easy. Therefore our objective is now to introduce independence. Notice that choosing $m_S$ nodes at random in $S$ gives the same distribution as first choosing $m'_S < m_S$ nodes at random, and then $m_S - m'_S$ other nodes at random. Moreover, choosing $m'_S$ nodes at random has the same probability distribution as the process of choosing malicious nodes such that each node is malicious with probability $m'_S / |S|$, knowing that exactly $m'_S$ nodes are chosen.
To summarize, the following process leads to the same probability distribution:

1. Choose $m_S$ according to the binomial distribution $Bi(\varepsilon, |S|)$.
2. Choose at random and independently for each node whether it is malicious, with probability $m_S / 2|S|$. This gives $m'_S$ malicious nodes.
3. With high probability $m_S > m'_S$. Choose $m_S - m'_S$ other malicious nodes at random.

Step 3 can be proved using standard Chernoff bound arguments (more precisely by showing that $m'_S$ is close to $m_S / 2$), so if we can prove that after Step 1, there is a set containing exclusively malicious nodes, the theorem is proved. We therefore proceed in this direction. We denote by $Mal$ the set containing all the malicious nodes. A set $S_i$ has the following probability to contain exclusively malicious nodes:
$$\mathrm{Prob}(|S_i \cap Mal| = |S_i|) \ge (m_S / 2|S|)^{\omega^+(n)}.$$
Let $Q$ be the event in which no set is composed exclusively of malicious nodes; it has the following probability:
$$\mathrm{Prob}(Q) \le \left(1 - (m_S / 2|S|)^{\omega^+(n)}\right)^k.$$
However, with high probability, we have:
$$\lim_{n \to \infty} \left(1 - (m_S / 2|S|)^{\omega^+(n)}\right)^k = \lim_{n \to \infty} e^{-(m_S / 2|S|)^{\omega^+(n)} \cdot k} = \lim_{n \to \infty} e^{-cn\,(m_S / 2|S|)^{\omega^+(n)} / (\omega^-(n)\,\omega^+(n))} = 0$$
because 1) $\omega^+(n)\, e^{\omega^+(n)}\, \omega^-(n) = o(n)$ and 2) with high probability, $m_S / 2|S| > \varepsilon / 4$. Therefore, for big enough $n$, we will have an honest node that will send all its messages exclusively to malicious nodes. In this case, the malicious nodes can discard all its messages, thus preventing the output of the computation from being exact.

Corollary 1. A $(\mathrm{Poly}(\log n), n)$-balanced protocol that computes with high probability the exact value of a function in a distributed manner, whose inputs are held by $n$ nodes among which $\varepsilon n$ are malicious for some positive constant $\varepsilon < 1$ (independent of $n$), induces a total of $\Omega(n \log n)$ messages.

Proof.
By contradiction, suppose that the protocol induces $o(n \log n)$ messages. We have some $\omega^+(n) = o(\log n)$ and some constant $1 > c > 0$ such that $cn$ nodes send fewer than $\omega^+(n)$ messages. As the protocol is $(Poly(\log n), n)$-balanced, no node receives more than $\omega^- = Poly(\log n) \cdot o(\log n) = Poly(\log n)$ messages. These $\omega^+$ and $\omega^-$ verify the conditions of Theorem 1, thus implying the existence of an honest node whose messages have been sent only to malicious nodes. Therefore, as this node is "surrounded" by malicious nodes, they can decide to discard all its messages, thus preventing its input from being taken into account in the computation, and as a consequence the outcome cannot be exact.

4 Distributed Aggregation Protocol

4.1 Overview

We now provide a high-level view of the protocol that distributively computes an aggregation function (see also Figure 1). Our protocol uses a distributed version of the protocol of [AS09], which we describe in Section 4.2. It provides us with a partition of the $n$ nodes into $g$ clusters, $C_1, \ldots, C_g$, of equal size, which are organized in a ring such that all nodes of a cluster $C_i$ are connected to all nodes of the previous cluster ($C_{i-1 \bmod g}$) and the next cluster ($C_{i+1 \bmod g}$). Assuming that a threshold homomorphic cryptosystem has been set up and that all nodes know the public key $pk$ of this threshold cryptosystem, the aggregation function can be computed by the following steps:

1. Each node encrypts its input under the public key of the threshold homomorphic cryptosystem and securely broadcasts it to all the other nodes in its cluster. Secure broadcast ensures that (i) all honest players eventually output an identical message, whatever the sender does (consistency), and (ii) this output is the sender's message, if it is honest (validity) [HZ10].

2. The nodes in a given cluster agree on a common random string $rand$, and then each node adds the encrypted inputs it received from its own cluster, using the addition operation of the homomorphic cryptosystem and taking $rand$ as the randomness injected into the homomorphic encryption. The result of this addition is called the local aggregate and is the same for each honest node of the cluster.

[Figure 1 omitted: three clusters $A$, $B$, $C$ holding inputs $a_i$, $b_i$, $c_i$; local aggregates $\sum a_i$, $\sum b_i$, $\sum c_i$; partial aggregates $\sum a_i + \sum b_i$ and $\sum a_i + \sum b_i + \sum c_i$; output $S$.]
Fig. 1. Main idea of the algorithm. First, all nodes start by encrypting their inputs and broadcasting them to all the other nodes of the cluster. Within each cluster, each node computes the local aggregate ($\sum a_i$, $\sum b_i$ and $\sum c_i$), which is then propagated along the ring. After this, the nodes of cluster $B$ know $\sum a_i + \sum b_i$, and those in $C$ know $\sum a_i + \sum b_i + \sum c_i$. The nodes of the last cluster (here $C$) collaborate to perform the threshold decryption and to obtain $S$, the output of the aggregation function.

3. Starting from cluster $C_1$, the nodes add their local aggregate to the partial aggregate they received from the previous cluster, with the exception of the nodes of cluster $C_1$, which have received no partial aggregate and hence skip this phase. The nodes of the cluster then send the result of this aggregation (the new partial aggregate) to all the nodes of the next cluster. The nodes of the next cluster then consider as the new partial aggregate the encrypted value appearing in a majority (to correct potentially inconsistent messages that have been sent by malicious nodes). This process is repeated $g - 1$ times until the partial aggregate reaches the last cluster. Then, we say that the partial aggregate has become the global aggregate.

4. The nodes of the last cluster perform a threshold decryption of the global aggregate, revealing the output of the aggregation function.
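The four steps above, as an added simulation that is not part of the paper: a toy Paillier instance with small constructed primes, clusters on a ring with one malicious node each sending inconsistent partial aggregates (filtered by the majority vote), and a simplified Damgård-Jurik style threshold decryption in the last cluster. It assumes a trusted dealer for the key shares instead of the distributed key generation of [NS11], models $rand$ as a random unit, and omits the zero-knowledge proofs (malicious members simply abstain from decryption).

```python
"""Simulation of the clustered ring aggregation of Section 4.1 (Steps 1-4).
Added example, not the paper's code. Assumed: toy Paillier with small
constructed primes, the cluster's common randomness rand modelled as a random
unit, and a simplified Damgard-Jurik style threshold decryption (Shamir shares
of an exponent d with d = 0 mod lambda and d = 1 mod n)."""
import random
from math import factorial, gcd

def keygen(p, q):
    """Paillier modulus n and secret lambda = lcm(p-1, q-1)."""
    return p * q, (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def rand_unit(n, rng):
    """Random element of Z_n^*, used as encryption randomness."""
    r = rng.randrange(2, n)
    return r if gcd(r, n) == 1 else rand_unit(n, rng)

def encrypt(n, m, r):
    """Paillier encryption with g = 1 + n: (1+n)^m * r^n mod n^2."""
    n2 = n * n
    return pow(1 + n, m, n2) * pow(r, n, n2) % n2

def add(n, c1, c2, rand):
    """Homomorphic addition, re-randomised with the cluster's agreed rand."""
    n2 = n * n
    return c1 * c2 * pow(rand, n, n2) % n2

def share_decryption_key(n, lam, parties, t, rng):
    """Step 1: Shamir-share d (d = 0 mod lam, d = 1 mod n) over Z_{n*lam}
    so that any t of the `parties` shares can decrypt."""
    mod = n * lam
    d = lam * pow(lam, -1, n) % mod        # CRT; needs gcd(n, lam) == 1
    coeffs = [d] + [rng.randrange(mod) for _ in range(t - 1)]
    return {i: sum(a * pow(i, k, mod) for k, a in enumerate(coeffs)) % mod
            for i in range(1, parties + 1)}

def decryption_share(n, c, share, delta):
    """Partial decryption c_i = c^(2 * delta * s_i) mod n^2, delta = parties!."""
    return pow(c, 2 * delta * share, n * n)

def combine_shares(n, shares, delta):
    """Recombine at least t partial decryptions {party_id: c_i} into m."""
    n2, ids, acc = n * n, list(shares), 1
    for i in ids:
        num, den = delta, 1
        for j in ids:
            if j != i:
                num, den = num * -j, den * (i - j)
        lam_i = num // den                   # exact: den divides delta
        base = shares[i] if lam_i >= 0 else pow(shares[i], -1, n2)
        acc = acc * pow(base, abs(2 * lam_i), n2) % n2
    # acc = (1+n)^(4 delta^2 m) = 1 + 4 delta^2 m n  (mod n^2)
    return (acc - 1) // n * pow(4 * delta * delta, -1, n) % n

def majority(messages):
    """Value appearing most often among the messages of the previous cluster."""
    return max(set(messages), key=messages.count)

def ring_aggregate(n, clusters, rng):
    """Steps 2-3 over clusters in ring order; each cluster is a list of
    (input, is_malicious). Malicious nodes send an inconsistent ciphertext."""
    partial = None                           # C_1 receives no partial aggregate
    for cluster in clusters:
        # Encrypted inputs are securely broadcast inside the cluster; every
        # honest node then computes the same local aggregate using rand.
        cts = [encrypt(n, v, rand_unit(n, rng)) for v, _ in cluster]
        rand = rand_unit(n, rng)
        local = cts[0]
        for c in cts[1:]:
            local = add(n, local, c, rand)
        new_partial = local if partial is None else add(n, local, partial, rand)
        sent = [rng.randrange(1, n * n) if bad else new_partial for _, bad in cluster]
        partial = majority(sent)             # next cluster keeps the majority value
    return partial                           # encrypted global aggregate

# Constructed inputs: three clusters of five nodes, one malicious node in each;
# their sum, 9, is the expected output of the protocol.
CLUSTERS = [
    [(1, False), (0, False), (1, True), (1, False), (0, False)],
    [(0, False), (1, False), (1, False), (0, True), (1, False)],
    [(1, True), (1, False), (0, False), (1, False), (0, False)],
]

def run_protocol(clusters, seed=7):
    """Key sharing in the threshold (last) cluster, ring aggregation, then
    threshold decryption by the honest members of that cluster (Step 4)."""
    rng = random.Random(seed)
    n, lam = keygen(1009, 1013)              # constructed toy primes
    last = clusters[-1]
    t = len(last) // 2 + 1                   # close to (k log n)/2: honest majority
    key_shares = share_decryption_key(n, lam, len(last), t, rng)
    delta = factorial(len(last))
    global_ct = ring_aggregate(n, clusters, rng)
    # Malicious members abstain (the paper rejects their shares via the NIZK).
    parts = {i + 1: decryption_share(n, global_ct, key_shares[i + 1], delta)
             for i, (_, bad) in enumerate(last) if not bad}
    return combine_shares(n, parts, delta)
```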
Remark 2 (Bootstrapping). The distributed aggregation protocol is meant to be used in a dynamic network, but still a certain stability of the partition into clusters is required while this computation is taking place. To achieve this, when a node wants to start the computation of an aggregation function, it launches the protocol by broadcasting a time window during which the aggregation protocol will be performed. Any join operation occurring during this time window will be postponed, and similarly, any operation induced by the "leave rule" (cf. Section 4.2), except a node leaving itself, will be postponed. Using the layout, any node can perform a broadcast for a communication cost of $O(n \log n)$ by first broadcasting it to its cluster, after which the clusters recursively forward the message along the ring.

4.2 The overlay

For the purpose of the aggregation protocol, we need the nodes to be organized in a layout consisting of a partition of the nodes into clusters $C_1, \ldots, C_g$ of size $O(\log n)$. To achieve this, we assume that the nodes join the network according to a distributed version of the protocol presented in [AS09]. This protocol uses a central authority; we explain how to discard this requirement at the end of the section, but first we describe its functionality. The central authority is used to assign to each node a random number between 0 and 1, which stands for the position of the node in the segment $[0, 1)$. By inducing churn when a node joins the system, the protocol ensures that each segment of size $c \log(n)/n$, for some specific $c$, contains a majority of honest nodes as long as the adversary controls at most a fraction $\frac{1}{2} - \epsilon$ of malicious nodes, for some constant $\frac{1}{2} > \epsilon > 0$. The clusters $C_1, \ldots, C_g$ are composed of the nodes whose positions are in the respective segments $[0, c \log n/n), \ldots, [1 - c \log n/n, 1)$.
In order to efficiently distribute the protocol, we first arrange the clusters in a Chord-like overlay [YKGK10]. The adapted join-leave protocol must further ensure that, for all $1 \le i \le g$, the nodes from cluster $C_i$ know all the nodes from $C_{i+2^j}$, for all $1 \le j \le \log_2 g$, resulting in $O(\log^2 n)$ connections per node (cf. Figure 2).

[Figure 2 omitted: clusters $C_0$, $C_1$, $C_2$, $C_4$, $C_8$ of the Chord overlay.]
Fig. 2. Chord overlay.

As in [AS09], we assume that initially the network is composed of only honest nodes (this assumption is also typical in sensor networks or in networks created by trusted peers). This assumption allows us to bootstrap the layout construction by building an initial overlay, assigning to each initial node a position in $[0, 1)$. We now describe how to adapt the join rule of [AS09], known as the cuckoo rule, and how to maintain the overlay. We further show how to adapt the leave rule of [AS07] that is required when the adversary can force a node to leave the network (for instance through a denial-of-service attack). We will rely on two subroutines to distribute these rules.

1. Inter-cluster communication: A node from a cluster $C$ receiving a message from a node of a cluster $C'$ accepts it if and only if $C'$ is a neighbor of $C$ in the Chord overlay, and at least half of the nodes of $C'$ have sent the same message.

2. Random Number Generation: To generate a number at random (typically between 0 and $\log n$), the nodes of a cluster $C$ collaborate as follows: each node of $C$ chooses a random number in the desired range, and commits it to the other nodes of $C$ via a secure broadcast. Once all nodes have done so, or after a given time-out if some nodes do not participate, the committed values are revealed by sending the decryption keys, again using the secure broadcast.
All the valid random numbers are added modulo some predecided upper bound ($\log n$ in our example), and the result corresponds to the generated random number, which is agreed upon by all the honest nodes.

We can now explain how the cuckoo rule is modified in order to discard the requirement of a central authority.

Join rule or cuckoo rule: when a node $x$ joins the network, we suppose that it can come in contact with one of the nodes of the network. That node gives the composition of an arbitrary cluster to $x$ (this cluster is chosen among the clusters that the contacted node knows). In turn, $x$ contacts the whole cluster (i.e. all its members) with a join request. Afterwards, this cluster starts performing the cuckoo rule from [AS07], which corresponds to choosing a position at random in $[0, 1)$ for $x$. Then the nodes of the cluster containing the chosen position, which we call $C$, are informed via messages routed using the Chord overlay that $x$ is inserted at this position. At this point, extra churn is induced: for a constant $k > 1/\epsilon$, $C$ chooses a new random position for all the nodes of $C$ whose positions are in a segment of length $k/n$ containing the previously chosen position (cf. [AS07] for more details). Whenever a node $x$ of a cluster $C'$ is required to change its position to join a cluster $C''$, all the nodes that were adjacent or that become adjacent to this node are informed of the change by messages sent by the nodes of $C'$ and $C''$ respectively. This is important since we need that at any time, if two clusters $C$ and $C'$ are adjacent in the Chord overlay, all nodes of $C$ know the exact composition of $C'$ in order to decide whether or not to accept a message from nodes of $C'$ during inter-cluster communication. When the adversary can force any honest node to leave the network, it is shown in [AS07] that churn needs to be introduced whenever a node leaves.
For this, they designed a leave rule that can be adapted as follows.

Leave rule: when a node at position $p$ leaves the system, the cluster $C$ to which it belongs chooses a segment of $[0, 1)$ of length $k/n$ (recall that $k > 1/\epsilon$). All the nodes of this segment replace the nodes of a randomly chosen segment of the same length contained in $C$. The old nodes of the replaced segment are moved to positions chosen at random in $[0, 1)$. Similar to the join operation, all the nodes that were adjacent or that become adjacent to the moved nodes are informed of these changes.

With high probability, the communication overhead of the distributed version of this protocol is $O(\log^3 n)$ per join or leave operation. Indeed, with high probability, the number of nodes in a segment of size $k/n$ is $O(k)$, therefore with high probability the protocol needs to generate a constant number of random numbers (for a constant depending on $k$ and therefore on $\epsilon$). This protocol ensures that each cluster contains $\Omega(\log n)$ nodes, among which there is a majority of honest nodes as long as $\tau \le 1/2 - \epsilon$ when one does not consider denial-of-service [AS09], or for $\tau \le 1/5 - \epsilon$ otherwise [AS07].

4.3 Aggregation computation

In this section, we present the second phase of the protocol, which computes the aggregation function. This protocol is optimal up to a logarithmic factor in terms of scalability (i.e. communication and computational complexity), achieves perfect privacy and correctness against a computationally-bounded adversary controlling at most $(1/2 - \epsilon)n$ malicious nodes, for a constant $\frac{1}{2} > \epsilon > 0$ independent of $n$, and is balanced. For this, we rely on cryptographic techniques that would be too expensive to use on the whole network, but whose costs are affordable when computed at the granularity of a cluster in the structured overlay.
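Before the aggregation steps, the commit-and-reveal random number generation subroutine of Section 4.2 (used by the join and leave rules), as an added example that is not part of the paper. It assumes a SHA-256 hash commitment over a random key and the chosen value in place of the paper's encrypt-then-reveal-the-key commitment, and models secure broadcast by every node seeing the same set of commitments.

```python
"""Commit-and-reveal random number generation of Section 4.2 (added example,
not the paper's code). Assumed: a SHA-256 commitment H(key || value) stands in
for the paper's encrypt-then-reveal-key commitment; secure broadcast is modelled
by every node seeing the same dict of commitments."""
import hashlib
import random

BOUND = 16                                   # stands in for log n in the paper

def commit(value, key):
    """Binding and hiding commitment to `value` under the random `key`."""
    return hashlib.sha256(key + value.to_bytes(8, "big")).hexdigest()

def commit_phase(choices, rng):
    """Each node picks a value in [0, BOUND) and broadcasts its commitment.
    Returns (commitments, openings) keyed by node id; openings stay private."""
    commitments, openings = {}, {}
    for node, value in choices.items():
        key = rng.getrandbits(128).to_bytes(16, "big")
        commitments[node] = commit(value, key)
        openings[node] = (value, key)
    return commitments, openings

def reveal_phase(commitments, revealed, bound=BOUND):
    """After the time-out, only openings that match the committed value count;
    the agreed number is the sum of the valid values modulo `bound`.
    Returns (random_number, ids of nodes whose value was counted)."""
    valid = {}
    for node, digest in commitments.items():
        opening = revealed.get(node)         # None: node did not reveal in time
        if opening is not None and commit(*opening) == digest:
            valid[node] = opening[0]
    return sum(valid.values()) % bound, sorted(valid)

def cluster_random(choices, dropouts=(), liars=None, seed=1):
    """Run both phases. `dropouts` never reveal (time-out); `liars` try to
    reveal a different value than the one they committed to."""
    rng = random.Random(seed)
    commitments, openings = commit_phase(choices, rng)
    revealed = {n: o for n, o in openings.items() if n not in dropouts}
    for node, fake in (liars or {}).items():
        revealed[node] = (fake, openings[node][1])   # wrong value, right key
    return reveal_phase(commitments, revealed)
```

A node that waits for the others' openings can still choose between revealing and timing out, so against such a node the output is not uniformly distributed; the commitment only prevents it from changing its value.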
Setting up the threshold cryptosystem (Step 1). One particular cluster (that we refer to thereafter as the threshold cluster) will be in charge of setting up the threshold cryptosystem. For instance, we can arbitrarily decide this threshold cluster to be the last one on the ring. This setup phase requires that all the nodes of this threshold cluster engage in a distributed key generation protocol [NS11] for the threshold homomorphic cryptosystem [DJ01]. At the end of this key generation phase, all the nodes in the threshold cluster receive the same public key $pk$ and each one of them gets as private input a different secret key, respectively $sk_1, \ldots, sk_{k \log n}$. The threshold cryptosystem is such that any node can encrypt a value using the public key $pk$, but the decryption of a homomorphically encrypted value requires the active cooperation of at least $t$ of the nodes. In our case, we can set $t$ to be close to $\frac{k \log n}{2}$ to ensure that there will be enough honest nodes to cooperate for the final decryption of the result at the end of the protocol. Once the threshold cryptosystem has been set up, the public key $pk$ is communicated in the network cluster by cluster, following the ring structure. Thereafter, when we say that a cluster communicates something to the next cluster, we mean that all the nodes in the current cluster communicate the same value to all the nodes in the next cluster, which results in a communication cost of $O(\log^2 n)$. Once a node in one cluster has received all the $k \log n$ messages from the previous cluster, it decides to keep as the final value for this particular round of inter-cluster communication the value obtained by performing a majority vote. This value always corresponds to the unique value sent by all the honest nodes of the previous cluster, which are themselves in majority inside that cluster due to the property of the structured overlay.
Local aggregation (Step 2). The nodes within a cluster communicate their value, encrypted under the public key $pk$ of the homomorphic encryption system, to all the other nodes of the cluster through a secure broadcast channel. When a node sends a message in such a channel, it is received by all the other nodes of the cluster, who know the identity of the sender of this message. The complexity of constructing such a channel is polynomial in the number of nodes of the cluster, which in our case is $O(\log^2 n)$, and it can be obtained for instance by using a recent construction of Hirt and Zikas [HZ10] as long as the number of malicious nodes is less than half of the nodes, which is by assumption the case in our protocol. All the members of the current cluster encrypt their inputs under the public key $pk$ and broadcast this encrypted value to all the members of the cluster along with a non-interactive zero-knowledge proof that this input is valid [YHM+09] (i.e. chosen from the range of valid values $\{\nu_1, \ldots, \nu_k\}$). The purpose of this non-interactive zero-knowledge proof is to prevent an adversary from tampering with the output of the protocol by providing as input an arbitrary value that is outside the range of the possible ones. The privacy of the inputs is protected by the semantic security of the cryptosystem. Once all the nodes in the cluster have received the $\log n$ encrypted inputs from the other members, they add them together using the additive property of the homomorphic cryptosystem. This produces as output the encryption of the sum of all the inputs within this cluster. With respect to the randomness used in the addition operation of the homomorphic encryption, we assume that all the nodes have agreed on a common value $rand$. This value can be obtained for instance by concatenating all the encrypted inputs and then hashing them to obtain a unique random value.
Global aggregation and threshold decryption (Step 3). The global protocol proceeds iteratively during $\frac{n}{\log n}$ iterations, cluster by cluster, starting from the first cluster and following the ring structure of the overlay. At each iteration, the current cluster performs the local aggregation as described above and also aggregates the sum of the local inputs with the encrypted value received from the previous cluster to compute the partial aggregate. This partial aggregate corresponds to the global aggregation of the inputs of the clusters visited so far. As mentioned previously, the encrypted value received from the previous cluster can be computed locally by each node of the current cluster by making a majority vote on the $k \log n$ messages received from the previous cluster. Once the threshold cluster has been reached (i.e. the last cluster on the ring), the members of this cluster add their local aggregated values to the encrypted value received from the previous cluster. This produces an encryption of the sum of all the values. Finally, the members of the threshold cluster cooperate to decrypt this encrypted value by using their private keys. Along with their decryption shares, the nodes send a non-interactive zero-knowledge proof showing that they have computed a valid decryption share of the final outcome [DJ01]. As the number of nodes needed to decrypt successfully is $t = \frac{k \log n}{2}$ and we have a majority of honest nodes in the cluster, this threshold decryption is guaranteed to be successful. The final output is forwarded cluster by cluster, following the ring structure of the overlay.

4.4 Analysis of the protocol

During the protocol, due to the use of Paillier's cryptosystem, all the messages exchanged will be of constant size. The value of the constant is directly proportional to a security parameter of the cryptosystem and will not be larger than $\log n$.
In the following, we count it as $O(\log n)$.

Lemma 1 (Communication cost of the protocol). The protocol for the distributed computation of an aggregation function has an overall communication complexity of $O(n \log^3 n)$ and is $(Poly(\log n), Poly(\log n))$-balanced in the sense that no node sends or receives more than $Poly(\log n)$ bits of information, for an average of $O(\log^3 n)$ bits of information per node.

Proof. During the setup of the threshold cryptosystem (Step 1) and the threshold decryption (Step 3), only one cluster is involved and the communication cost of the primitives used (threshold cryptosystem setup, secure broadcast, and threshold decryption) is polynomial in the size of the cluster, which corresponds to a communication complexity of $O(Poly(\log n))$. During the local aggregation (Step 2), in each cluster, each node broadcasts its encrypted input, and a broadcast induces a communication cost of $O(\log^3 n)$. As there are $O(n/\log n)$ clusters with $O(\log n)$ nodes in each cluster, this results in a communication cost of $O(n \log^3 n)$. Finally, the inter-cluster communication requires that all the $n$ nodes send $O(\log n)$ messages, each of size $O(\log n)$, to the nodes of the next cluster, resulting in a communication cost of $O(n \log^2 n)$. As a result, the protocol is dominated by Step 2 (the local aggregation), which leads to a global communication cost of $O(n \log^3 n)$. Moreover, it is easy to see from the description of the protocol that it is balanced in the sense that it requires $O(Poly(\log n))$ communications from each node.

Lemma 2 (Security of the protocol).
The protocol for the distributed computation of an aggregation function ensures perfect security against a computationally-bounded adversary, tolerates $(\frac{1}{2} - \epsilon)n$ malicious nodes for any constant $\frac{1}{2} > \epsilon > 0$ (not depending on $n$), and outputs the exact value of the aggregated function with high probability.

Proof. The privacy of the inputs of individual nodes is protected by the use of a cryptosystem that is semantically secure, and also by the fact that the adversary cannot decrypt the partial aggregate because it does not know the necessary $t$ secret keys of the threshold cryptosystem to do so. The correctness is ensured by a combination of several techniques. First, the non-interactive zero-knowledge proof that each node issues along with the encrypted version of its value guarantees that the malicious nodes cannot cheat by choosing their values outside the range of the possible ones. Second, the secure broadcast ensures that honest nodes in each cluster have the same local aggregate. Third, the majority vote performed every time the nodes of a cluster communicate with the nodes of the next cluster, along with the fact that there is a majority of honest nodes in each cluster due to the construction of the structured overlay, ensures that the correctness of the partial aggregate will be preserved during the whole computation. Finally, the non-interactive zero-knowledge proof of the validity of the partial shares during the threshold decryption prevents the malicious nodes from altering the output during the last step of the protocol.

5 Experimental Evaluation

In this section, we evaluate the practical performance of the protocol through experiments. More precisely, we compare the communication and time complexity of our protocol to a non-layout based protocol.
We implemented a distributed polling protocol with two choices to select from, which is an instance of an aggregation protocol, where the nodes' votes are encoded into inputs for the aggregation protocol and decoded at the end. The experiments were run on Emulab [WLS+02], a distributed testbed allowing the user to choose a specific network topology using an NS2 configuration file. In each experiment, we used up to 80 pc3000 machines, Dell PowerEdge 2850 systems, with a single 3 GHz Xeon processor, 2 GB of RAM, and 4 available network interfaces. Each machine ran Fedora 8 and hosted 10 nodes at a time. The nodes were connected to the router in a star topology, setting the maximum network bandwidth to 1000 Mb, and the communication relied on UDP. We used the "Authenticated Double-Echo Broadcast algorithm" (as described in [CGR11]) for secure broadcast and the "Paillier Threshold Encryption Toolbox" [DL11] for threshold encryption. The nodes adjust their message sending rate to be uniformly distributed between 0 and 2 seconds. The only protocol that comes close to our protocol in terms of guarantees is a non-layout based protocol in which each node 1) securely broadcasts its encrypted input to all the other nodes, 2) combines the values it receives, 3) securely broadcasts its decryption share to the others, and 4) combines the decryption shares to obtain the output. Such a protocol provides privacy and correctness with certainty against an honest majority, for a communication complexity of $O(n^3)$. Therefore, even for the medium-sized networks under test (200-800 nodes), it reaches prohibitive complexities, in the order of hundreds of millions of messages exchanged. Accordingly, to evaluate this protocol in comparison to ours, we measured the complexity of single secure broadcast instances.
Since the broadcast instances are assumed to be run in sequence to avoid congestion, we can simply add the communication and time complexities. For ease of implementation, we used a centralized key generation authority for setting up the threshold Paillier cryptosystem, whose modulus is fixed to 1024 bits. When evaluating our protocol, we included the overhead of generating keys for the threshold cryptosystem, whereas we assume that the threshold cryptosystem is already set up for the non-layout based protocol. This is justified by the fact that these keys can be kept longer than in our case, where the keys need to be generated each time the layout is changed. Moreover, we take the cluster size to be $20 \cdot \log n$, which was found to be adequate for an adversary fraction of $\frac{3}{10}$.

a) Communication Cost: Communication cost is the total number of Megabytes sent during the protocol execution. Figure 3.a depicts the global communication cost for the two protocols, on a semi-log scale, with a varying network size. It is apparent that our protocol (labelled as DA) features a much smaller cost growth than the non-layout based one (labelled as NL) as the number of nodes increases. With only 200 nodes in the network, the NL protocol is expected to require around 30 GB overall! To get further insight, we plot in Figure 3.b the communication cost per node. It is noticeable that the growth is now negligible with the DA protocol, with a 20 MB cost per node, while the trend remains as before with NL, reaching a 600 MB per node cost in a 400-node network.

b) Execution Duration: In this experiment, for each network size, we average the time taken by a complete execution of the two protocols over all the nodes. This is represented by the bars in Figure 3.c. Similar to the previous experiment, the growth is much smoother with our DA protocol.
While the NL protocol reaches tens of hours of execution duration, our protocol remains within the scale of minutes. The major part of this duration is communication delays, as apparent from Figure 3.d, which shows the duration of the major computationally expensive steps. In particular, we plot the durations of the vote encryption, share computation, and vote decryption (share combination) for the different decryption network sizes. The first four correspond to the decryption cluster size in our protocol, consecutively mapped to the same network sizes as before (200, 400, 600, 800). This figure highlights the efficiency of our protocol and shows that the computational complexity is small when compared to the global time complexity. It further indicates that decryption is the most expensive step in such protocols, thus supporting our technique of delegating this task to small clusters. It is important to note that the goal of this implementation was to provide the comparison between the two protocols and not to provide accurate performance measures of our protocol under various scenarios. Otherwise, several optimizations on the message size and message complexities can be integrated to reduce the complexity in real-world implementations.

[Figure 3 omitted: (a) Global communication cost, Cost (Mbytes) vs. Number of nodes (200-800), DA and NL; (b) Communication cost per node, Cost (Mbytes) vs. Number of nodes, DA and NL; (c) Time complexity, Duration (sec) vs. Number of nodes, DA and NL; (d) Computational complexity, Duration (sec) vs. Number of decryption nodes (100, 130, 150, 160, 200, 400, 600, 800), Vote Encryption, Share Computation, Vote Decryption.]
Fig. 3. Experimental evaluation of our protocol (DA) against a non-layout based one (NL).

6 Conclusion

In this paper, we have proposed a distributed protocol that computes aggregation functions in a distributed, scalable and secure way.
The complexity of our protocol is drastically lower than those of previously known algorithms and within a factor $\log^2 n$ of the optimal. Note that using a binary tree structure instead of a ring allows us to reduce the number of communication rounds from $\frac{n}{\log n}$ currently to $\log^2 n$. This can be obtained by a slight modification of the protocol for constructing the structured overlay but would not change the overall communication of the protocol. We leave as open the possibility of deriving a protocol closing the gap between the lower bound of $\Omega(n \log n)$ and the upper bound of $O(n \log^3 n)$ achieved by our algorithm. We also leave as future work the possibility of adapting our protocol to achieve other multiparty computations than aggregation functions, and the possibility of tolerating strictly less than $n/2$ malicious nodes instead of $(1/2 - \epsilon)n$.

References

[AS07] Baruch Awerbuch and Christian Scheideler. Towards scalable and robust overlay networks. In Proc. 6th Int. Workshop on Peer-To-Peer Systems (IPTPS). Citeseer, 2007.
[AS09] Baruch Awerbuch and Christian Scheideler. Towards a scalable and robust DHT. Theory of Computing Systems, 45(2):234–260, February 2009.
[BDNP08] A. Ben-David, N. Nisan, and Benny Pinkas. FairplayMP: a system for secure multi-party computation. In Proceedings of the 15th ACM conference on Computer and communications security, pages 257–266. ACM, 2008.
[BFP+01] O. Baudron, P. A. Fouque, D. Pointcheval, J. Stern, and G. Poupard. Practical multi-candidate election system. In Proceedings of the twentieth annual ACM symposium on Principles of distributed computing, pages 274–283. ACM, 2001.
[BOG88] M. Ben-Or and S. Goldwasser. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proceedings of the ACM symposium on Theory of computing, 1988.
[BOPV06] Michael Ben-Or, Elan Pavlov, and Vinod Vaikuntanathan. Byzantine agreement in the full-information model in O(log n) rounds. In Proceedings of the thirty-eighth annual ACM symposium on Theory of computing, STOC '06, pages 179–186, New York, NY, USA, 2006. ACM.
[BTH08] Z. Beerliová-Trubíniová and M. Hirt. Perfectly-secure MPC with linear communication complexity. In Proceedings of the 5th conference on Theory of cryptography, pages 213–230. Springer-Verlag, 2008.
[CCD88] David Chaum, Claude Crépeau, and Ivan Damgård. Multiparty unconditionally secure protocols. In Proceedings of the twentieth annual ACM symposium on Theory of computing, STOC '88, pages 11–19, 1988.
[CGR11] Christian Cachin, Rachid Guerraoui, and Luís Rodrigues. Introduction to Reliable and Secure Distributed Programming (2nd ed.). Springer, 2011.
[CK91] Benny Chor and Eyal Kushilevitz. A Zero-One Law for Boolean Privacy. SIAM Journal on Discrete Mathematics, 4(1):36, 1991.
[DJ01] I. Damgård and M. Jurik. A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System. In Public Key Cryptography, pages 119–136. Springer, 2001.
[DL11] Data and Privacy Lab. Paillier threshold encryption toolbox, July 2011.
[Fei99] Uriel Feige. Noncryptographic selection protocols. In Proceedings of the 40th Annual Symposium on Foundations of Computer Science, FOCS '99, pages 142–, Washington, DC, USA, 1999. IEEE Computer Society.
[GGHK10] A. Giurgiu, R. Guerraoui, K. Huguenin, and A.-M. Kermarrec. Computing in Social Networks. Lecture Notes in Computer Science, 6366/2010:332–346, 2010.
[GMW87] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. In Proceedings of the nineteenth annual ACM symposium on Theory of computing, pages 218–229. ACM, 1987.
[Gol01] Oded Goldreich. Foundations of cryptography: Basic tools. Cambridge Univ Press, 2001.
[HZ10] Martin Hirt and Vassilis Zikas. Adaptively secure broadcast. In Advances in Cryptology, EUROCRYPT 2010, pages 466–485, 2010.
[JCJ10] Ari Juels, Dario Catalano, and Markus Jakobsson. Coercion-resistant electronic elections. In Towards Trustworthy Elections, pages 37–63, 2010.
[KKK+08] Bruce Kapron, David Kempe, Valerie King, Jared Saia, and Vishal Sanwalani. Fast asynchronous byzantine agreement and leader election with full information. In Proceedings of the nineteenth annual ACM-SIAM symposium on Discrete algorithms, SODA '08, pages 1038–1047, Philadelphia, PA, USA, 2008. Society for Industrial and Applied Mathematics.
[KS10] Valerie King and Jared Saia. Breaking the O(n^2) bit barrier: Scalable byzantine agreement with an adaptive adversary. In Proceedings of the 29th ACM SIGACT-SIGOPS symposium on Principles of distributed computing, PODC '10, pages 420–429, New York, NY, USA, 2010. ACM.
[KSSV06] Valerie King, Jared Saia, Vishal Sanwalani, and Erik Vee. Scalable leader election. In Proceedings of the seventeenth annual ACM-SIAM symposium on Discrete algorithms, SODA '06, pages 990–999, New York, NY, USA, 2006. ACM.
[NS11] Takashi Nishide and Kouichi Sakurai. Distributed Paillier cryptosystem without trusted dealer. In Information Security Applications, pages 44–60, 2011.
[Pai99] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology, EUROCRYPT '99, 1999.
[WLS+02] Brian White, Jay Lepreau, Leigh Stoller, Robert Ricci, Shashi Guruprasad, Mac Newbold, Mike Hibler, Chad Barb, and Abhijeet Joglekar. An integrated experimental environment for distributed systems and networks. In Proc. of the Fifth Symposium on Operating Systems Design and Implementation, pages 255–270, Boston, MA, December 2002. USENIX Association.
[Yao82] A. C. Yao. Protocols for secure computations. In Proceedings of the 23rd Annual IEEE Symposium, pages 160–164, November 1982.
[YHM+09] T. Yuen, Qiong Huang, Yi Mu, Willy Susilo, D. Wong, and G. Yang. Efficient non-interactive range proof. In Computing and Combinatorics, pages 138–147, 2009.
[YKGK10] Maxwell Young, A. Kate, Ian Goldberg, and M. Karsten. Practical robust communication in DHTs tolerating a byzantine adversary. In 2010 International Conference on Distributed Computing Systems, pages 263–272. IEEE, 2010.