Privacy-Preserving Planarity Testing of Distributed Graphs

. We study the problem of privacy-preserving planarity testing of distributed graphs. The setting involves several parties that hold private graphs on the same set of vertices, and an external mediator that helps with performing the computations. Their goal is to test whether the union of their private graphs is planar, but in doing so each party wishes to deny from his peers any information on his own private edge set beyond what is implied by the ﬁnal output of the computation. We present a privacy-preserving protocol for that purpose which is based on the Hanani-Tutte theorem. That theorem enables translating the planarity question into the question of whether a speciﬁc system of linear equations over the ﬁeld F 2 is solvable. Our protocol uses a diverse cryptographic toolkit which includes techniques such as homomorphic encryption, oblivious Gaussian elimination, and private set intersection.


Introduction
A planar graph G = (V, E) is a graph that can be properly embedded in the two-dimensional plane R 2 in the following sense: there exists a bijection ϕ from the vertex set V to R 2 and a representation of each edge e = (u, v) ∈ E as a continuous simple curve in R 2 with ϕ(u) and ϕ(v) as its end points, such that no two curves intersect apart possibly at their end points.Letting K n denote the complete graph over n vertices (namely, the graph that has all n 2 edges) and K n,n denote the complete bipartite graph with n vertices in each part, then the graph K 4 is planar, since it has a planar drawing (Figure 1), but K 5 and K 3,3 are not (Figure 2).
Planar graphs constitute an attractive family of graphs, both in theory and in practice.In many applications where graph structures arise, it is needed to test the planarity of those graphs.A classical example is in the area of integrated circuit (IC) design.An IC consists of electronic modules and the wiring interconnections between them.It can be represented by a graph in which the vertices are the modules and the edges are the wires.An IC can be printed on the surface of a chip iff the graph is planar, because wires must not cross each other.Another setting in which planarity is a natural notion is in road maps.A set of cities  TRANSACTIONS ON DATA PRIVACY 12 (2019) and interconnecting roads can be thought of as a graph; the graph vertices are the cities while the edges are connecting roads.Such a map can be constructed with non-crossing roads (in order to avoid constructing bridges or obstructing the traffic flow by stop lights) iff the corresponding graph is planar.Apart from the above motivating examples, there are cases in which the planarity of a graph can be exploited in order to simplify and expedite the solution of some computational problems.Examples include sub-graph isomorphism [12], maximal clique [32], and maximum cut [19].
In this study we consider a distributed version of the planarity testing problem.In that problem there are several parties, P 1 , . . ., P d , each one holding a private graph on the same set of vertices.Namely, P h has a graph G h = (V, E h ) where V is publicly known and shared by all, while E h is private, 1 ≤ h ≤ d.They wish to determine whether the union graph G = (V, E), where E = d h=1 E h , is planar or not.As the edge sets E h , 1 ≤ h ≤ d, are private, the planarity testing should be carried out in a privacy-preserving manner.Namely, after the conclusion of the computational procedure P h must not learn anything on E k , k = h, beyond what is implied by G h and the planarity of G.For example, two (or more) companies may wish to check the possibility of printing the ICs which implement their products on the same chip.They prefer not to disclose to each other their own IC design, before they have verified that they could collaborate in that manner.The algorithmic solutions which we propose herein for privacy-preserving planarity testing could be used in that application scenario.
Well known characterizations for planar graphs were proposed by both Wagner [43] and Kuratowski [25].For example, the Wagner's characterization states that a graph is planar iff it does not have K 5 or K 3,3 as a minor (see Figure 2).Namely, K 5 or K 3,3 cannot be obtained from G by a sequence of these operations: contracting edges, deleting edges, and deleting isolated vertices.However, directly applying either Wagner's characterization, or the closely-related Kuratowski's characterization, in order to test the planarity of a given graph, yields exponential-time algorithms [33].
Optimal linear time planarity testing algorithms were proposed in [9,20].These algorithms are iterative and use a DFS-subroutine [33].Alas, those features of these algorithms turn out to be significant obstacles when trying to devise corresponding privacy-preserving variants of these algorithms.Thus, none of the above-mentioned approaches seem to be adequate in order to base on them an efficient privacy-preserving planarity testing protocol.
In this study we propose a privacy-preserving protocol for planarity testing of distributed graphs, which is based on the Hanani-Tutte theorem [34].Our protocols are protocols of Secure Multiparty Computation (SMC).In the general setting of SMC [44], there are several parties, P 1 , . . ., P d , where each P h holds a private value x h .The goal is to compute f (x 1 , . . ., x d ), where f is some publicly known function, so that each party does not learn anything about the private inputs of the other parties, except what is implied by his own input and the output f (x 1 , . . ., x d ).While generic SMC protocols apply in theory to a wide class of functions, their applicability in practice is limited to functions that have a compact representation as a Boolean or arithmetic circuit, due to their high computational and communication complexities.Further studies in this field aim at finding more efficient solutions for specific SMC problems, from a wide range of domains.Here we consider an SMC problem where the private inputs are graphs.Problems of SMC on distributed graphs are of much interest and importance.Nonetheless, due to their apparent difficulty, very few studies were published so far on such problems.The first such study was by [10] who presented new algorithms for privacy-preserving computation of the all-pairs-shortest-distance and single-source-shortest-distance problems.A more recent study is that of [2] who designed SMC techniques for the shortest path and the maximum flow problems.Another example is the work of [24] who presented oblivious implementations of several data structures for SMC and then offered a secure computation of Dijkstra's shortest path algorithm on general graphs, where the graph structure is secret.The problem of privacy-preserving computation of the Minimum Spanning Tree (MST) was considered in the recent study by [26].In that study, Laud shows how the MST-finding algorithm by [5] can be executed without revealing any details about the underlying graph, beside its size.Finally, we mention the work of [3] that proposed SMC protocols for computing vertex centrality in distributed graphs.We note that all of the above mentioned studies present protocols for privately computing arithmetic values over graphs, i.e., lengths of paths, values of flows, or vertex centralities.Ours is the first study that privately tests a geometric property of a distributed graph.Our protocol is based on the mediated model that was presented in [1].In that model, there exists an external mediator T to which the parties may export some computations, but the mediator should not learn information on the private inputs of the parties nor on the final output.The strict notion of perfect privacy-preservation is sometimes relaxed by allowing some leakage of information, if such a relaxation enables a more efficient computation and if the leakage of information is characterized (in order to decide, in any given application setting, whether the gain in efficiency justifies the reduction in privacy-preservation).There are many examples of studies that relax perfect privacy in order to allow practical solutions, from various domains such as distributed association rule mining [23,37], anonymization of distributed datasets [22,38,40], collaborative filtering [21,36], distributed graph mining [3], and distributed constraint optimization problems [16,17,18,27,39,41,42].In similarity to these studies, we too make the common assumption that the interacting parties (P 1 , . . ., P d and T ) are semi-honest.Namely, they follow the protocol correctly, and do not form coalitions, but they try to extract from their view in the protocol information on the private inputs of other parties.The outline of this work is as follows.In Section 2 we provide the relevant background on planarity testing, while in Section 3 we describe the main cryptographic toolkit that we use in our solution.We overview our solution and the two main stages of which it consists in Section 4. The subsequent Sections 5 and 6 include the detailed description and analysis of each of the two stages in our solution.In Section 7 we describe a variant of our solution with reduced time complexity.Our discussion in Sections 4-7 focuses on the case d = 2.In Section 8 we present protocols for any d.In Section 9 we discuss another computational problem on distributed graphs -testing 3-colorability; we devise there an efficient protocol for privacy-preserving testing of 3-colorability of distributed graphs that were already verified to be planar.Finally, in Section 10 we end this study with concluding remarks and outlining future research directions.A preliminary version of this study appeared in [6].The main additions in this study with respect to the preliminary version are the contributions described in Sections 7, 8, and 9.

Planarity testing using the Hanani-Tutte theorem
In this section we state the Hanani-Tutte theorem and then use it in order to translate the planarity question of a graph to the solvability of a system of linear equations over F 2 .To that end, we introduce the following definitions and notations: TRANSACTIONS ON DATA PRIVACY 12 (2019)  An (e, v)-move consists of taking a small section of the curve that represents e in D and deforming it in a narrow tunnel to make it pass over v, while not passing over any other vertex.The effect of an (e, v)-move in a drawing D is that parity D (e, f ) changes for all edges f that are adjacent to v, but it remains unchanged for all other edges f (see Figure 4).A remarkable consequence of this theorem is a planarity testing algorithm.The algorithm starts with an arbitrary drawing D of the input graph G, preferably a drawing in which parity D (e, f ) can be computed efficiently for every pair of independent edges in G.Then, the algorithm tries to find another drawing D , by making a series of (e, v) moves, in which parity D (e, f ) = 0 for all {e, f } ∈ E ind 2 .If it succeeds, then the graph is planar, otherwise it is not (see [34,Lemma 3.3]).The existence of D can be determined by considering the following system of linear equations.Define for each e ∈ E and v ∈ V \ {a(e), b(e)} a Boolean variable x e,v ; that variable equals 1 iff the transition from D to D includes an (e, v)-move.It follows that for any pair Hence, given the drawing D, there exists a drawing D in which parity D (e, f ) = 0 for all {e, f } ∈ E ind 2 iff there exists a solution to the following system of linear equations over F 2 : That is the Hanani-Tutte (HT hereinafter) system for the graph G = (V, E) (with respect to the drawing D).It consists of |E ind 2 | equations (one for each pair of independent edges) in |E| • (|V | − 2) unknowns (x e,v for all e ∈ E and v ∈ V \ {a(e), b(e)}).The graph G is planar iff that system is solvable.

Cryptographic toolkit
In this section we provide a birdseye view of the cryptographic primitives and procedures that we shall be using in the main part of this work, Sections 4-7.In the subsequent Section 8 we will use a special homomorphic encryption (due to Boneh, Goh and Nissim [8]), while our solution in Section 9 utilizes the BGW protocol [7].We postpone the discussion of those two cryptographic tools to the sections were they are used.

Homomorphic encryption
An encryption function F is called (additively) homomorphic if the domain of plaintexts is a commutative additive group, the domain of ciphertexts is a commutative multiplicative group, and for every two plaintexts, m 1 and m 2 , F(m 1 + m 2 ) = F(m 1 ) • F(m 2 ).When the encryption function is randomized (in the sense that F(m) depends on m as well as on a random string) then F is called probabilistic.Homomorphic encryption functions allow performing arithmetic computations in the ciphertext domain.The property of being probabilistic is essential for getting semantic security.There are many well known ciphers that are probabilistic and additively homomorphic.A basic example of such a cipher over F 2 , which we use in our protocols, is the Goldwasser-Micali cipher [15].

Deciding the solvability of an encrypted linear system
Nissim and Weinreb [31] presented a method for obliviously deciding whether an encrypted system of linear equations is solvable or not.They considered a setting that involves two parties -T and P .T holds an encrypted matrix F(M ), where M is a matrix of dimensions k a × k b , and an encrypted vector F(b), where b is a column vector of dimension k a .Both M and b are over the field F = F 2 , while F is an additively homomorphic encryption over that field, for which P holds the private decryption key.Their protocol is Monte Carlo in the sense that its output may be wrong.Specifically, at the conclusion of the protocol T gets F(β) for some bit β.If the system M x = b is not solvable then β will always be zero.Otherwise, if the system is solvable, then β = 1 with probability at least c for some positive constant c.Hence, by performing several independent runs of the protocol, it is possible to decide the solvability of the system with an error probability sufficiently small.TRANSACTIONS ON DATA PRIVACY 12 (2019) Privacy-Preserving Planarity Testing of Distributed Graphs 123

Overview of the proposed planarity testing protocol
Our planarity testing protocol has two stages.The first one consists of a preliminary check of the size of the unified edge set E. It is outlined in Section 4.1, and detailed in Section 5.The second stage includes the main protocol, in which the HT system of equations for the unified graph is constructed obliviously, and then its solvability is tested in a privacypreserving manner.We provide a birdseye view of that stage in Section 4.2, and dive into its details in Section 6.

Testing the number of edges in the unified graph
Let V = {v 1 , . . ., v n } denote the vertex set in the unified graph G = (V, E).A well-known result (see e.g.[33]) states that G is planar only if Hence, in the first stage, the three parties, P 1 , P 2 and T , engage in a secure protocol for checking whether inequality (2) holds or not.If it does not, they know that the unified graph G is not planar.If it does hold, they proceed to the second stage in the verification (Section 4.2).Running this stage is optional.On one hand, it leaks to the interacting parties information on |E| beyond the required output about the planarity of G. Indeed, if the verification of inequality (2) fails, then the parties will learn that the graph is not planar, and, in addition, that |E| > 3n − 6.On the other hand, it may enable the parties to detect non-planarity without running the costly computation of the second stage.Hence, if in the relevant application scenario the information regarding whether inequality (2) holds or not is deemed benign, it is recommended to run this stage.

A privacy-preserving implementation of the Hanani-Tutte planarity test
The three parties P 1 , P 2 and T construct the HT system of linear equations, Eq. ( 1), for the unified graph G. Towards that end, they begin by constructing the system of linear equations for the complete graph on V , denoted K V (i.e., K V is the graph on V that has all n 2 edges): x e,a(f here, K ind 2 is the set of all pairs of independent edges in K V .The number of equations in that system is System 3 can be constructed publicly with no privacy risks, since the vertex set V is known to all, and K V is the complete graph on V .The main effort is in letting the mediator T extract from the large system in Eq. (3) the subset of equations in Eq. (1).To protect the unified graph data from T , he will get only an encrypted version of the subset of linear equations corresponding to G. The last part of the protocol is dedicated to determining whether that system has a solution or not.The main difficulty here lies in the fact that no party actually sees the relevant system of equations: only T holds that system, but he holds TRANSACTIONS ON DATA PRIVACY 12 (2019)  an encryption of that system, where the corresponding decryption key is known only to P 1 .
To allow this approach, we must start with some drawing of K V , which, in turn, induces also a drawing of G.We consider the following embedding of V in R 2 .If V = {v 1 , . . ., v n }, then v j is mapped into the point Namely, the vertices v 1 , . . ., v n are mapped to equi-distant points on the unit circle, in a counter-clockwise order according to their index.The edge e i,j = (v i , v j ) is then represented by the straight line segment between ϕ(v i ) and ϕ(v j ). Figure 5 illustrates that basic drawing for a graph over n = 6 vertices.Figure 6 shows a drawing of some graph G, using the above-described embedding of its vertices and edges in R 2 , together with the corresponding complete graph.We shall henceforth denote this basic drawing of the graph in question, G, and its corresponding complete graph K V by D. Consider now an arbitrary pair of independent edges e i,j and e k, ; we may assume, without loss of generality, that i < j, k < , and i < k.Then it is easy to see that parity D (e i,j , e k, ) = 1 iff i < k < j < .

TRANSACTIONS ON DATA PRIVACY 12 (2019)
The corresponding HT system (3) can be constructed publicly, by each of P 1 , P 2 and T , for this drawing D of the complete graph K V .As stated earlier, the main problem will be to identify, among those N K V equations, the |E ind 2 | equations that relate to pairs of edges e and f that are both in E.Then, the graph G = (V, E) is planar iff that sub-system of |E ind 2 | equations has a solution.In Section 6 we provide the details of that computation.

First stage: Testing the size of the unified edge set
denote the set of all possible n 2 edges in G.
Hence, by Eq. ( 2), the unified graph G = (V, E) is planar only if In order to verify the latter inequality it is possible to invoke any of the multitude of protocols for private set intersection.Our solution, Protocol 1, is based on the first private set intersection protocol, proposed in [30], which is based on the Diffie-Hellman problem [11].
Protocol 1 Testing the size of the unified edge set 1: P1 and P2 select jointly a large multiplicative group Z * p (p is prime) and a hash function H whose range can be embedded in Z * p .2: P h selects a secret and random exponent 1 < α h < p − 1, h = 1, 2.
T compares the two received vectors and finds out the number z of matching entries in them.8: If z < n 2 − (3n − 6), T notifies P1 and P2 that the union graph is not planar.
As a result of Steps 1-6, which are self-explanatory, T receives two vectors, y 1 and y 2 , each of which is of length n 2 .The vector y h , h = 1, 2, includes the hash of all edges in E c h , raised to the exponent α 1 α 2 , while the remaining 1 ∩ E c 2 then both vectors y 1 and y 2 will include an entry that equals H(i, j) α1α2 ; hence, those two entries will be identified by T in Step 7 as matching entries and, consequently, T will increment the counter z by 1.However, we note that T may wrongly increment the counter z due to random false matchings.False matchings can occur if there are collusions in H, namely, if there exist two pairs (i, j) and (i , j ) such that H(i, j) = H(i , j ), or if P 1 and P 2 selected in Steps 3 and 4 TRANSACTIONS ON DATA PRIVACY 12 (2019) random entries ξ 1 and ξ 2 , respectively, so that ξ α1 2 = ξ α2 1 .By selecting a secure hash function with a sufficiently large range, the probability of such false matchings is negligible.The security of Protocol 1 follows from the hardness of the Discrete Log problem.The protocol entails O(n 2 ) hash function evaluations and exponentiations (for P 1 and P 2 ) and O(n 2 log n) comparisons for T .The protocol has only two rounds of communication in which O(n 2 log p) bits are transmitted.
Protocol 1 reveals to T the size of E. If P 1 and P 2 wish to prevent T from learning that information, they may modify Protocol 1 towards hiding that information.They can choose an integer K > 0 and then select at random an integer k ∈ [0, K].Next, they will select 2K − k random and distinct elements from Then, P 1 will add to y 2 additional K entries, at random locations, with the values a 1 , . . ., a k , b 1,1 , . . ., b 1,K−k , while P 2 will add to y 1 additional K entries, at random locations, with the values a 1 , . . ., a k , b 2,1 , . . ., b 2,K−k .Given those modifications, T will recover in Step 7 a value z that equals |E c | + k (with high probability).Hence, the inequality that needs to be verified now is whether z < n 2 − (3n − 6) + k.In the latter inequality, T knows the left hand side (z) while P 1 knows the right hand side, and the two parties need to verify the inequality without disclosing to each other information on the compared values beyond the information of whether the inequality holds or not.This is an instance of the celebrated Yao's millionaires' problem [44].By invoking any of the many available protocols for solving that problem (e.g.[28]), the two parties may find out securely whether . Such a modification of Protocol 1 prevents T from getting |E|.Higher values of K will imply higher levels of obfuscation, but at the same time also higher communication and computational costs.As implied by [17,Lemma 4], if K > n 2 then the probability of T not learning anything on |E| from z is exactly 1 − n 2 /(K + 1); in all other cases (namely, in probability n 2 /(K + 1), T will learn either a lower or an upper bound on |E|.

Second stage: Private planarity testing
Protocol 2 decides the planarity of the union graph G in a privacy-preserving manner.It begins with P 1 generating a key pair in a probabilistic additively homomorphic cipher, F, over F 2 .
Next, the three parties execute a sub-protocol, called CONSTRUCTHTSYSTEM (Step 2).The purpose of that sub-protocol is to construct the HT system for the union graph G, Eq. ( 1), in an oblivious manner.At the end of that sub-protocol T will hold an (entry-wise) Fencryption of the coefficient matrix of that system.T will actually get an "inflated" version of that system, in the following sense: instead of an encryption of the HT system for G, Eq.
(1), he will hold an encryption of the larger HT system for the complete graph K V , Eq. ( 3), where all equations that relate to pairs of edges in K ind 2 \ E ind 2 are zeroed.Then (Step 3), P 1 and T execute a sub-protocol, called DECIDESOLVABILITY, which decides the solvability of the encrypted system that was constructed in the previous step.T holds the encryption of the coefficient matrix and the right hand side vector for that system, while P 1 holds the relevant decryption key.The sub-protocol DECIDESOLVABILITY decides the solvability of the system in a privacy-preserving manner, that is -without decrypting the system.The Boolean flag that DECIDESOLVABILITY returns indicates the solvability of the system.If it is true then the system is solvable and, consequently, the union graph G is planar.Otherwise, if it is false, and then, with high probability (which may be tuned as desired), the system is not solvable and, hence, the union graph G is not planar.TRANSACTIONS ON DATA PRIVACY 12 (2019) In the next sub-sections (Sections 6.1 and 6.2) we discuss the implementation of the two main steps in Protocol 2.
Protocol 2 Privacy preserving HT planarity testing 1: P1 generates a key pair in a probabilistic additively homomorphic cipher, F, over F2.P1 notifies P2 and T of the public encryption key in F. 2: P1, P2 and T execute CONSTRUCTHTSYSTEM.At its conclusion, T holds an F-encryption of the HT system for the union graph, (r e,f : {e, f } ∈ K ind 2 ).3: P1 and T execute DECIDESOLVABILITY(r e,f : {e, f } ∈ K ind 2 ).4: if DECIDESOLVABILITY returns true then 5: Output "The union graph is planar".6: else 7: Output "The union graph is non-planar (with high probability)".8: end if

Constructing an F-encryption of the HT system
Here we discuss the sub-protocol CONSTRUCTHTSYSTEM, which is implemented in Protocol 3. Before starting to do so, we take a look at the HT systems for G and for the complete graph K V .The HT system for the complete graph K V , with respect to the drawing D described in Section 4.2, is given in Eq. ( 3).All parties can construct that system, since K V is a public graph.The HT system for G, Eq. ( 1), which determines the planarity of G = (V, E), is a sub-system (subset of equations) of ( 3).That sub-system includes only the equations relating to pairs {e, (namely, pairs of independent edges {e, f } where both e and f are in E).
Let V 2 := {e i,j = (v i , v j ) : 1 ≤ i < j ≤ n} denote the edge set in the full graph K V (consisting of all possible pairs of vertices from V ).The set K ind 2 consists of all pairs of independent edges in K V .Its size is N K V (Eq.( 4)), and it consists of all pairs of edges {e = (v i , v j ), f = (v k , v )} where all four indices i, j, k, are distinct (as the two edges are independent), and i < j, k < , and i < k.Our protocol, CONSTRUCTHTSYSTEM, assumes that the set K ind 2 is ordered.We assume hereinafter that it is ordered lexicographically by the 4-tuple (i, j, k, ).
For each edge e ∈ V 2 and h ∈ {1, 2}, let α h e be the Boolean variable denoting whether e ∈ E h or not.Then, e ∈ E iff α 1 e ∨ α 2 e = 1.Consequently, the equation that corresponds to the pair of independent edges {e, f } ∈ K ind 2 appears in the HT system for G, Eq. ( 1), iff In the first part of CONSTRUCTHTSYSTEM (Steps 1-3), T gets the F-encryption of χ e,f for all {e, f } ∈ K ind 2 , where χ e,f is the Boolean flag indicating whether {e, f } ∈ E ind 2 (Eq.( 8)), and F is the cipher that P 1 selected in Step 1 of Protocol 2. Towards that end, we observe that χ e,f := (α Hence, by opening the brackets on the right hand side of Eq. ( 9) and then applying F on both sides of that equation, we get, using the homomorphism of F and simple algebra, that and In view of the above derivations, P 1 sends to P 2 the three values α, β, and γ, for each of the N K V pairs {e, f } ∈ K ind 2 , where the triplets (α, β, γ) are ordered by the lexicographical order over K ind 2 (Step 1).P 2 can then use Eq. ( 10) in order to compute A and B, for each such pair.Note that all powers of α, β and γ in Eq. ( 10) are determined by Boolean variables owned by P 2 , while F(α 2 e • α 2 f ) can be computed by P 2 since he has the public encryption key of F. P 2 then computes and sends to T a vector u of length N K V , in which each entry includes the value Protocol 3 CONSTRUCTHTSYSTEM: Constructing an encryption of the HT system 1: P1 sends to P2 the vector ((α, β, γ) : {e, f } ∈ K ind 2 ) (see Eq. ( 11)).2: P2 computes the vector u := (F(χ e,f ) : {e, f } ∈ K ind 2 ).3: P2 sends to T the vector u.4: for all {e, f } ∈ K ind 2 , where e = ei,j, f = e k, , i < j, k < and i < k do 5: T allocates a vector r e,f of dimension N + 1 where N := n 2 • (n − 2).

end if 20: end for
The goal of the main loop in Steps 4-20 is to let T construct an entry-wise F-encryption of the HT system for G, Eq. (1).That system has |E ind 2 | equations over |E| • (n − 2) unknowns.It is a sub-system of the full system for K V , Eq. ( 3), which has N K V equations over N := n 2 • (n − 2) unknowns.The encrypted system that T constructs in the loop in Steps 4-20 will be of the same dimensions as the larger system for the full graph, but all rows in it that are not relevant for G will be zeroed.T will remain oblivious to the rows in the full system that he zeroes in this process.We proceed to explain how this is done.Consider the augmented matrix that describes the HT system for K V , Eq. ( 3).It has N K V rows, one for each pair {e, f } ∈ K ind 2 .Each row, r e,f , is a Boolean vector of length N + 1, where N = n 2 •(n−2), since it includes the coefficient of each unknown variable (and there are N such variables, one for each coupling of an edge and a non-adjacent vertex) plus the right hand side (parity D (e, f )).In the linear equation corresponding to the pair {e, f }, the coefficients of all variables are zero, except for four of those variables (see Eq. ( 3)).Hence, in the inner loop in Steps 7-14, T goes over the first N entries of r e,f ; in each of the four entries that should equal 1, T places the value F(χ e,f ) (those are values that T got from P 2 in Step 3), while in all the remaining ones he places the value F(0) (those are encryptions that T can compute on his own since he has the public encryption key of F).In the last position in r e,f , corresponding to the right hand side of the equation for the pair {e, f }, T places TRANSACTIONS ON DATA PRIVACY 12 (2019) the value F(χ e,f ) in case the two edges intersect in the basic drawing D, while otherwise he places the value F(0) (Steps [15][16][17][18][19].As a result, if χ e,f = 0, T constructs an encryption of the all-zero equation; but if χ e,f = 1, T constructs an encryption of the equation for the pair {e, f }, as in Eq. ( 1).In summary, T gets a system of N K V encrypted equations: |E ind 2 | of those equations are an F-encryption of the system (1), while the remaining ones are Fencryptions of the trivial equation (the equation in which all coefficients and right hand side are zero).

Determining the solvability of an encrypted linear system
The sub-protocol DECIDESOLVABILITY (Protocol 4) decides the solvability of a system of unknowns.Let M denote the N K V × N matrix of coefficients of that system, and b denote the right hand side vector (an N K Vdimensional column vector).The two parties that run the sub-protocol are P 1 and T .P 1 holds the decryption key in F (see Step 1 in Protocol 2) -a probabilistic additively homomorphic cipher over F 2 ; T , on the other hand, holds F(M ) and F(b).DECIDESOLVABILITY determines whether the system M x = b has a solution or not.It does so in a privacypreserving manner, i.e., without revealing to neither of the two parties information on the underlying matrix M and right hand side b.
To do so, the two parties execute the protocol due to Nissim and Weinreb [31] that we discussed in Section 3.2, which enables them to obliviously decide whether an encrypted system of linear equations is solvable or not.We refer to this protocol below by the name SOLVABILITYLINEARSYSTEM.The output of Protocol SOLVABILITYLINEARSYSTEM is F(β), where β is a bit that indicates the existence of a vector x for which M x = b.
We recall that the basic protocol due to Nissim and Weinreb is a true-biased Monte Carlo protocol.Namely, a true answer (i.e., the system is solvable) is always correct, while a false answer may be wrong.We assume herein that the procedure SOLVABILITYLINEARSYSTEM which is invoked in Step 1 of Protocol 4 executes the basic protocol due to Nissim and Weinreb a sufficient number of times so that the probability of a false answer to be incorrect is reduced to below some given desired threshold.
As the protocol SOLVABILITYLINEARSYSTEM is quite involved, we do not describe it here and simply relate to it as a black-box.Interested readers are referred to [31] for a detailed description of it.return false 8: end if

Privacy analysis
The potential leakages of information to any party is due to messages that he receives from other parties.We proceed to discuss the security of each of the steps in Protocol 2 that involves exchange of messages.
In Step 1 of Protocol 3 (which is invoked by Protocol 2), P 2 receives from P 1 information relating to E 1 .Specifically, for each pair of independent edges in K V , P 2 receives the values α := F(α 1 e ), β := F(α 1 f ), and γ := F(α 1 e • α 1 f ).However, as that information is encrypted by F, P 2 cannot extract information on E 1 , assuming that the chosen cipher F is semantically secure (as is the case with the Goldwasser-Micali cipher [15] which we propose to utilize here).Similarly for Step 3 of Protocol 3 in which T receives information on E; as it is encrypted by F, it is protected from T .
Finally, the security of Protocol 4 follows from the security of SOLVABILITYLINEARSYSTEM that was established in [31].

Computational and communication costs
We begin by assessing the computational and communication costs of the first two steps in Protocol 3. The computational cost of Protocol 3 for P 1 is 2 n 2 encryptions (for computing α and β for all edges in K V ), and, in addition, N K V (Eq.( 4)) encryptions, for computing γ for all pairs of edges in K ind 2 (Step 1).The computational cost of Protocol 3 for P 2 is dominated by the need to perform N K V encryptions (F(α 2 e • α 2 f )) in order to compute A for all pairs of edges in K ind 2 .The remaining operations for computing A and B (see Eq. ( 10)) in Step 2 are only multiplications (note that all exponents in Eq. ( 10) are 0, 1, or 2).The communication cost of Steps 1-2 in Protocol 3 is O(N K V ) bits.The computational costs for T due to Protocol 3 are negligible, as it has to perform no new encryptions, other than computing F(0) once.We note that the value F(0) appears in many entries in the encrypted HT linear system of equations.However, the procedure SOLVABILITYLINEARSYSTEM, which is executed in the next stage, is designed so that there is no need for T to generate here independent encryptions F(0) for each such entry.The main computational bottleneck is Protocol 4. Indeed, as the underlying matrix has ) columns, the computational cost of running an oblivious Gaussian elimination on it is of order ).Such a computational cost severely limits the applicability of our protocol to very small graphs.The main problem with Protocol 2 is that it runs the oblivious Gaussian elimination over an encrypted matrix that has N K V rows.We recall that the actual system, Eq. ( 1), has only ).Hence, one goal is to reduce the number of rows in the encrypted HT system from Therefore, another goal is to reduce the number of columns (unknowns) from O(n 3 ) to O(n 2 ).In the next section we present a variant of Protocol 2 that achieves those two goals, thus reducing the cost of the oblivious Gaussian elimination to O(n 6 ).While this time complexity still limits the scalability of the protocol, it allows its execution on graphs with several hundreds of vertices.Such time complexity renders our protocol viable for application settings such as the two motivating examples that were considered in the introduction (IC design and road networks).

Reducing the size of the HT system
In this section we present Protocol 5 which is a variant of Protocol 2 that has a reduced time complexity.In that protocol, the HT system that the parties construct (obliviously) has an equation for every pair of edges {e, f } ∈ E ind 2 , in contrast to Protocol 2 in which the constructed system had an equation for every pair of edges {e, f } ∈ K ind 2 , where all equations corresponding to {e, f } ∈ K ind 2 \ E ind 2 were obliviously zeroed.As a result, the system of equations whose solvability is tested in Step 3 has reduced dimensions and, consequently, reduced runtime, as explained above.
Protocol 5 Privacy preserving HT planarity testing 1: P1 generates a key pair in a probabilistic additively homomorphic cipher, F, over F2.P1 notifies T of the public encryption key in F. 2: P1, P2 and T execute CONSTRUCTREDUCEDHTSYSTEM.At its conclusion, T holds an Fencryption of the HT system for the union graph, (r e,f : {e, f } ∈ E ind 2 ).3: P1 and T execute DECIDESOLVABILITY(r e,f : {e, f } ∈ E ind 2 ).4: if DECIDESOLVABILITY returns true then 5: Output "The union graph is planar".6: else 7: Output "The union graph is non-planar (with high probability)".8: end if Such economization is achieved by invoking in Step 2 the subroutine CONSTRUCTRE-DUCEDHTSYSTEM, Protocol 6, instead of CONSTRUCTHTSYSTEM, as done in Protocol 2. We proceed to describe Protocol 6.
It begins with P 1 constructing an F-encryption of the full HT system (Steps 1-17).This construction is identical to the one that T performs in Steps 4-20 of Protocol 3, except that in Steps 7 and 13, P 1 inserts the value F(1), while in the equivalent steps in Protocol 3 (Steps 10 and 16), T inserted the value F(χ e,f ).Indeed, in Protocol 3 we had to use F(χ e,f ) so that the system that T constructs will have all irrelevant equations zeroed (but still included in the system which is then passed for solvability testing).Here, on the other hand, those equations will be removed from the system before passing on to the solvability testing stage.Hence, as at this stage we only construct an encryption of the full HT system for K V , we can use here the value F(1) in those entries.
After completing the construction of the full encrypted system, P 1 sends to T the system after secretly permuting its equations and unknowns (Steps 18-19).Those permutations are needed so that when T removes equations and unknowns, he will not know which equations and unknowns were removed, thus preventing T from learning information on E. (However, T may still learn information on the size of E; we discuss this information leakage later on.) Next, we proceed to the stage in which we eliminate the irrelevant equations and unknowns.This is done in Steps 20-27.First, T generates a key pair in a probabilistic additively homomorphic cipher, E, over F 2 , and he notifies P 1 and P 2 of its encryption key (Step 20).The subsequent Steps 21-23 result in the removal of irrelevant equations.(Those are exactly the same equations that were zeroed in Protocol 3 by using the value F(χ e,f ) in place of all 1-entries.)First (Step 21), P 1 and P 2 create a vector u which includes an entry for each pair of edges {e, f } ∈ K ind 2 , where the entry for {e, f } is E(1) if that pair of edges is also in E ind 2 and E(0) otherwise.That computation is done exactly as it was done in Steps 1-2 TRANSACTIONS ON DATA PRIVACY 12 (2019) of Protocol 3, only that the encryption function here is E (as opposed to F as was the case in Protocol 3).Then (Step 22), P 2 sends to T a π r -permutation of that vector.In Step 23 T proceeds to decrypt that vector and use the recovered binary flags to remove irrelevant rows from the full system that he had obtained earlier (Step 19) from P 1 .Note that the same permutation π r was applied by P 1 on the rows of the system (Step 19) and by P 2 on the entries of u (Step 22).
In Step 24-27, a similar procedure is implemented in order to enable T to remove columns that are irrelevant for the HT system for G. Recall that the full system includes a column for every unknown x e,v , where e is any edge in the complete graph (namely, e is any unordered pair of vertices from V 2 , see Eq. ( 6)) while v is any vertex not adjacent to e (namely, v is any vertex from V \ e).An unknown x e,v should be retained if e ∈ E = E 1 ∪ E 2 .In order to perform such elimination, P 1 and P 2 compute in Step 24 for each edge e ∈ V 2 the value E(χ e ), where χ e is a binary flag indicating whether e ∈ E (1) or not (0).As before, let α h e be the Boolean variable indicating whether e ∈ E h or not, h ∈ {1, 2}.Then χ e := α 1 e ∨ α 2 e = α 1 e + α 2 e − α 1 e • α 2 e .Hence, by the homomorphism of E, In view of the above, P 1 sends to P 2 the values E(α 1 e ) for all e ∈ V 2 .Then, P 2 proceeds to compute E(χ e ) using Eq. ( 12).Then, in Step 25, P 2 computes a vector u that includes the value E(χ e ) for every pair (e, v) where e ∈ V 2 and v ∈ V \ e.The order of the entries in u is as determined by π c .We note that each encrypted value E(χ e ) that was computed in Step 24 will appear in u exactly n − 2 times, since there are n − 2 variables of the form x e,v (since there are n − 2 vertices v that are not adjacent to e).To prevent T from being able to detect the groups of variables that correspond to the same edge e, P 2 uses the basic encryption E(χ e ) obtained in Step 24 for each edge e and he creates from it n − 3 additional independent encryptions by multiplying it with random encryptions of zero, E(0).Subsequently, P 2 sends the vector u to T , who proceeds to decrypt it and use it in order to reduce the number of unknowns (Steps 26-27).After performing those two reductions, T gets an encryption of the system in Eq. (1).That is the system on which the procedure DECIDESOLVABILITY is applied (Step 3 of Protocol 5).As explained at the end of Section 6.4, Protocol 5 is significantly more efficient than Protocol 2 since the Gaussian elimination that it performs is over the reduced HT system of linear equations and its computational cost is O(n 6 ) (as opposed to O(n 10 ) which was the cost of the Gaussian elimination in Protocol 2).However, Protocol 5 has two disadvantages in comparison to Protocol 2. First, it has larger communication costs, as P 1 needs to transfer to T O(n 7 ) bits.In addition, Protocol 5 enables T to infer |E| (as the final number of columns equals |E| • (n − 2)).If the latter value is deemed sensitive, P 1 and P 2 can obfuscate it by sending to T information that will result in keeping unnecessary columns, i.e., columns relating to variables x e,v where e / ∈ E. Such course of action will increase the computational cost, but will prevent T from inferring |E|.
Before we conclude our discussion of Protocol 5, we note that the full HT matrix has By examining the structure of the matrix, see Eq. ( 3), each of the k a rows has either four or five 1-entries, while the remaining entries are 0. Hence, in the encrypted matrix that P 1 sends to T in Step 19 of Protocol 6, there will be O(n 4 ) entries that equal F(1) and O(n 7 ) entries that equal F(0).Since encryptions are a costly operation, it is tempting to compute F(0) and TRANSACTIONS ON DATA PRIVACY 12 (2019) Protocol 6 CONSTRUCTREDUCEDHTSYSTEM: Constructing an encryption of the reduced HT system 1: for all {e, f } ∈ K ind 2 , where e = ei,j, f = e k, , i < j, k < and i < k do 2: P1 allocates a vector r e,f of dimension N + 1 where N := n 2 • (n − 2). 3: 4: (g, v) ← Φ(i) end if 17: end for 18: P1 and P2 agree on random permutations π r and π c on the NK V equations and N = n 2 • (n − 2) unknowns of the full HT system.19: P1 sends to T the F-encrypted system that he constructed in the loop above, after permuting its equations and unknowns using π r and π c .20: T generates a key pair in a probabilistic additively homomorphic cipher, E, over F2.T notifies P1 and P2 of the public encryption key in E. 21: P1 and P2 compute the vector u := (E(χ e,f ) : {e, f } ∈ K ind 2 ), where χ e,f is a binary flag indicating whether {e, f } ∈ E ind 2 (1) or not (0).22: P2 permutes the entries of u using π r and sends the permuted vector to T .23: T computes v := E −1 (u) and then he removes from the matrix all rows that correspond to 0entries in v. 24: P1 and P2 compute for each edge e ∈ V2 in the complete graph KV the value E(χe), where χe is a binary flag indicating whether e ∈ E (1) or not (0).25: P2 creates a vector u that includes the value E(χe) for every pair (e, v) where e ∈ V2 and v ∈ V \e.
The order of the entries in u is as determined by π c .26: P2 sends u to T .27: T computes v := E −1 (u) and then he removes from the matrix all columns that correspond to 0-entries in v.
F(1) just once and reuse those encrypted values wherever necessary.Alas, such a course of action will enable T to fully recover the plaintext matrix.Hence, encrypted values must not be reused.However, it is possible to generate those O(n 7 ) encrypted entries by performing only O(n 3.5 ) encryptions and then rely on the homomorphic property of F (which implies that F(0)•F(0) = F(0) and F(0)•F(1) = F(1)) in order to fill up all entries in the encrypted matrix without reusing encrypted entries.

Protocols for a general number of parties
In this section we discuss the changes needed in order to extend our protocols to the case of d > 2 parties.Namely, we consider a setting with d parties, P 1 , . . ., P d ; P h has a graph G h = (V, E h ) where V is publicly known and shared by all, while the edge set E h is private, The goal is to determine whether the union graph G = (V, E), E = d h=1 E h , is planar or not.

Testing the size of the unified edge set
In this setting, we have where, as before, for any subset A ⊆ V 2 , A c := V 2 \ A is its complement within V 2 (Eq.( 6)).
The unified graph G = (V, E) is planar only if |E| ≤ 3n − 6, namely, only if Protocol 7 is a straightforward generalization of Protocol 1 for the purpose of verifying inequality (13).
Protocol 7 Testing the size of the unified edge set; general d The only step that calls for explanation is Step 4. For the sake of simplicity we explain how it is performed when h = 1.In similarity to Step 3 in Protocol 1, P 1 sends to P 2 a vector x 1 of length n 2 where, for each edge (v i , v j ) ∈ E c 1 , i < j, x 1 includes an entry of the form H(i, j) α1 , while the remaining The order of x 1 's entries is random.Then, P 2 raises each entry in the received vector x 1 to the power α 2 and he sends the resulting vector to P 3 .This loop proceeds until the vector reaches P d that adds his own exponentiation layer by his secret exponent α d .After doing this, P d sends the resulting vector, denoted y 1 , to T .Note that each entry in that vector that corresponds to an edge (v i , v j ) ∈ E c 1 will store the value H(i, j) α , for α = d h=1 α h .On the other hand, every other entry distributes uniformly at random over Z * p since its initial setting was to a random element in Z * p , and exponentiations by the intermediate powers In similarity to Protocol 1, also Protocol 7 reveals to T the size of E. To mitigate this information leakage, P 1 , . . ., P d may add random entries to their vectors, as discussed in Section 5.

Private planarity testing
Here we discuss the extension of our more efficient protocol, Protocol 5, to the case of a general number of parties.The extension of Protocol 2 to any number of parties is similar and is therefore omitted.
Protocol 5 remains unchanged, except that CONSTRUCTREDUCEDHTSYSTEM (the procedure that it invokes in Step 2) is now executed by all d + 1 parties, P 1 , . . ., P d and T .We proceed to discuss the needed modifications in that procedure, as implemented in Protocol 6.Before doing so, we note that the second procedure in Protocol 5 -DECIDESOLVABILITY (invoked in Step 3), is indifferent to d and also in the case of a general d it will be executed by P 1 and T .The loop in Steps 1-17 in Protocol 6 is indifferent to d and, hence, remains unchanged.Also Steps 18-19 remain the same: P 1 , . . ., P d select jointly the row and column permutations, and then P 1 sends the doubly-permuted encrypted matrix to T .The purpose of the remaining computations (Steps 20-27) is to enable T to know which rows and which columns from the encrypted matrix that he had received from P 1 he should get rid of.Towards that goal, T generates a homomorphic cipher E and then the main computation goals of P 1 , . . ., P d in Steps 20-27 are: 1.For each e ∈ V 2 , Eq. ( 6), compute E(χ e ), where χ e := d h=1 α h e , and α h e is the Boolean variable denoting whether e ∈ E h or not.

For each {e
), where χ e,f = χ e • χ f .When d = 2, we were able to translate the Boolean expressions that define χ e and χ e,f into arithmetic expressions in the private Boolean variables, α h e , h = 1, 2, e ∈ V 2 .We could do the same also for higher values of d, but then the arithmetic expressions become more complex and less manageable.In order to simplify those computations, we suggest to use here the homomorphic encryption due to Boneh, Goh and Nissim [8] (BGN hereinafter).Using that special homomorphic encryption, it is possible to perform any number of additions in the ciphertext domain, as is the case with any additively homomorphic cipher; but, in addition, it is possible to perform also a single multiplication in the ciphertext domain.
In the BGN cipher there are two cyclic groups, G and G 1 , and a bilinear map between them, θ : G × G → G 1 (i.e., for all u, v ∈ G and a, b ∈ Z, we have e(u a , v b ) = e(u, v) ab ).
TRANSACTIONS ON DATA PRIVACY 12 (2019) Both groups are of order ν = q 1 q 2 , where q 1 and q 2 are two large primes.There are two encryption functions, one in G and one in G 1 , as described below: • The encryption function E : Z ν → G. Let g be a generator of G and let h be an element of order q 1 in G.Then, for any plaintext m ∈ Z ν , its E-encryption is given by E(m) = g m h r , for some random r ∈ F q1 .
• The encryption function E 1 : Z ν → G 1 .Define g 1 = θ(g, g) and h 1 = θ(g, h).It is easy to see that g 1 is a generator of G 1 and h 1 is an element of order q 1 in G 1 .Then, for any plaintext m ∈ Z ν , its E 1 -encryption is given by E 1 (m) = g m 1 h r 1 , for some random r ∈ F q1 .
Hence, the public key consists of ν, G, G 1 , g, h, g 1 and h 1 .The private key, on the other hand, is q 1 .In order to decrypt c := E(m) = g m h r , the owner of the private key q 1 computes c q1 .Since h is of order q 1 , we get c q1 = (g q1 ) m .To recover m from c q1 it is necessary to compute the discrete of c q1 with respect to the base g q1 .Such a computation is feasible only when the plaintext domain is sufficiently small to allow an efficient solution of that problem (say, by holding a pre-computed table of (g q1 ) m for all possible values of m).Similarly, to decrypt c 1 := E 1 (m) = g m 1 h r 1 , it is needed to find the value m for which c q1 1 = (g q1 1 ) m .In our case, as we shall see below, the range of possible plaintexts is large, in which case decryption is infeasible.However, in our implementation of the BGN cipher, the owner of the private key needs only to determine if the ciphertext corresponds to the plaintext m = 0 or not.Such a simplified question is easy to answer.The plaintext m equals zero if and only . We are now ready to describe the manner which we suggest to perform the computation that was previously done in Steps 20-27 of Protocol 6.We suggest to replace Steps 20-27 in Protocol 6 with the procedure that is described in Protocol 8.The main difference between Protocol 8 and Steps 20-27 in Protocol 6 is as follows: in Protocol 6 (for d = 2) we computed encryptions of the Boolean flags χ e,f and χ e that indicated the relevance of equations and unknowns, respectively, in the linear system; in Protocol 8 (for general d), on the other hand, we compute encryptions of integers that represent those Boolean flags.
Specifically, in Steps 2-4 of Protocol 8, P 1 , . . ., P d compute an E-encryption of the integer r e α e , where r e is any random multiplier from F * ν while α e = d h=1 α h e is the sum of the private Boolean flags.Clearly, if χ e = d h=1 α h e = 0 then r e α e = 0. On the other hand, if χ e = 1 then α e ∈ [1, d].Since the modulus ν = q 1 q 2 is a product of two large primes, then d < q 1 , q 2 and, therefore, α e ∈ F * ν .Since r e is selected uniformly at random from F * ν , it follows that also r e α e distributes uniformly in F * ν .Hence, the value r e α e discloses the value of the Boolean flag χ e , but nothing beyond that.If r e α e = 0 then χ e = 0; if r e α e = 0 then χ e = 1, but the value of r e α e in that case does not reveal any further information.
Similarly, in Step 5 we compute an E 1 -encryption of the integer r e r f α e α f .As argued above, if χ e,f = α e • α f = 0 then also r e r f α e α f = 0, while otherwise r e r f α e α f distributes uniformly in F * ν .Hence, the value r e r f α e α f discloses the value of the Boolean flag χ e,f , but nothing beyond that.
Therefore, the encrypted vector u that P d sends to T in Step 6 enables T to identify from it the rows that can be removed from the matrix; those are the rows that correspond to entries in v := u q1 which equal 1, as such values in v indicate that the plaintext corresponding to those entries in u was zero (Step 7).Similarly, the encrypted vector u that P d computes in Step 8 and sends to T in Step 9 enables T to detect the columns that can be removed from the matrix (Step 10).We note that the vector u that is computed in Step 8 has repeated TRANSACTIONS ON DATA PRIVACY 12 (2019) values, since each entry of the form E(r e α e ) appears in n−2 entries in the vector.To prevent T from identifying which n − 2 entries correspond to the same edge, it is possible to use the basic encryption E(r e α e ) that was generated in Step 4 in order to create n − 3 additional E-encryptions of r e α e by using homomorphic additions with random encryptions of zero, E(0).Protocol 8 Eliminating irrelevant equations and unknowns from the full HT system; general d 1: T generates a BGN cipher and he notifies P1, . . ., P d of the corresponding encryption keys.
, where the entries are ordered by π r .7: T computes v := u q 1 and then he removes from the matrix all rows that correspond to 1-entries in v. 8: P d creates a vector u that includes the value E(reαe) for every pair (e, v) where e ∈ V2 and v ∈ V \ e.The order of the entries in u is as determined by π c .9: P d sends u to T .10: T computes v := u q 1 and then he removes from the matrix all columns that correspond to 1entries in v.

Privacy-preserving testing of 3-colorability of distributed planar graphs
The 3-colorability decision problem is an NP-complete problem, even for special graph classes, e.g. for triangle-free or K 1,5 -free graphs [29].However, by Gr ötzsch Theorem [45], planar graphs that are triangle-free are 3-colorable.(Note that triangle-freeness alone does not imply 3-colorability, as demonstrated by the so-called Gr ötzsch Graph, see Figure 7.) Figure 7: The Gr ötzsch Graph is a triangle-free graph which is not planar.It is not 3colorable.
Assume that P 1 , . . ., P d , who hold private graphs G h = (V, E h ), 1 ≤ h ≤ d, already found that the union graph G = (V, E), E = d h=1 E h , is planar, using Protocol 2 or 5. Assume that they further need to decide whether it is 3-colorable.Then, by Gr ötzsch Theorem, it suffices to check whether it is triangle-free.To this end, let us denote the adjacency matrix of the private graph G h by A h , 1 ≤ h ≤ d; i.e., A h : V 2 → {0, 1} and A h (u, v) = 1 iff E h has the edge (u, v).The adjacency matrix of the union graph G = (V, E) is given by A =  E) is a sequence of vertices w 0 = u, w 1 , . . ., w s−1 , w s = v such that (w i−1 , w i ) ∈ E for all 1 ≤ i ≤ s; in that case s is the length of the path.A path scenario is a path as defined above together with a sequence of indices 1 ≤ h 1 , . . ., h s ≤ d such that (w i−1 , w i ) ∈ E hi for all 1 ≤ i ≤ s.Lemma 3.For any integer k ≥ 1, A k (u, v) equals the number of paths of length k from u to v, while B k (u, v) equals the number of path scenarios of length k from u to v.
Proof of Lemma 3. As both claims of the lemma are clearly true for k = 1, we proceed by induction.We start with the first claim regarding A k (u, v).We have By induction, A(u, w) equals 1 if there is an edge from u to w in G and 0 otherwise, while A k−1 (w, v) is the number of paths of length k−1 from w to v in G. Hence, A(u, w)A k−1 (w, v) equals the number of paths of length k from u to v in G that start with the edge (u, w).Therefore, by summing those numbers over all w ∈ V we get the total number of paths of length k from u to v. Similar argumentation applies also for our second claim regarding B k (u, v).
Proof of Theorem 1.A graph is triangle-free iff it includes no cycles of length 3, that is, no paths of length 3 from a vertex to itself.Hence, a graph is triangle-free iff all entries on the diagonal of A 3 are zero.Therefore, as all entries in A 3 are non-negative, a graph is triangle-free iff the trace of A 3 is zero.The second claim, that a graph is triangle-free iff tr(B 3 ) = 0, follows immediately because a path between any given pair of vertices exists iff a path scenario between those two vertices exists.
In view of the above discussion, the parties P 1 , . . ., P d need only to verify, in a privacypreserving manner, whether tr(A 3 ) = 0 or, equivalently, whether tr(B 3 ) = 0. We prefer to use the latter condition, since tr(B 3 ) can be expressed as a polynomial in private values that P 1 , . . ., P d hold (namely, the entries of their private adjacency matrices A h , 1 ≤ h ≤ d).
To that end, the parties may verify that condition by invoking the BGW protocol [7].(The equivalent condition that involves the matrix A is harder for verification since the entries of the matrix A are Boolean functions of the private inputs.)

A birdseye view of the BGW protocol
Consider a setting in which d > 2 parties, P 1 , . . ., P d , wish to compute an arithmetic function of private inputs that they hold.Party P h holds a private vector (or, equivalently, a TRANSACTIONS ON DATA PRIVACY 12 (2019) matrix) x i over some finite field F, 1 ≤ h ≤ d, and the goal is to compute y = f (x 1 , . . ., x d ), where the function f is a publicly known polynomial in the entries of x 1 , . . ., x d , without disclosing to each other the private inputs.The Ben-Or-Goldwasser-Wigderson (BGW) protocol [7] was designed for this purpose.We proceed to provide a birdseye view of that protocol, with the efficiency improvement of [14].The security of the protocol was proven in [4].
Let C be some arithmetic circuit that computes f over the finite field F. The field's size must be greater than d as well as greater than the a-priori bound on the input and output values.The circuit consists of two different types of gates: addition gates, and multiplication gates.Let α 1 , . . ., α d be distinct non-zero elements in F; then α h will be used as a public identifier of P h , 1 ≤ h ≤ d.The parties preserve the following invariant during the computation: the value of each wire of the circuit is secret-shared using a Shamir's (t + 1)-out-of-d secret sharing scheme (see [35]), with t < d/2.The protocol consists of the following three stages: input sharing phase, circuit emulation phase, and output reconstruction phase.
The input sharing phase.In this phase, each party P h , 1 ≤ h ≤ d, shares his input x h with all parties: for each scalar entry x h (•) in his private input x h he chooses a random polynomial g h of degree t such that g h (0) = x h (•), and he then sends to each party P k the value g The circuit emulation phase.In this phase, the parties emulate the computation of the circuit C on the inputs x 1 , . . ., x d , where in each gate, the parties compute shares of the value of the output wire using their shares of the input wires by invoking a secure protocol.
There are two types of gates to consider: addition gates and multiplication gates.
Addition gates.The computation of the output shares can be performed locally and without any interaction, since if f 1 (α h ) and f 2 (α h ) are the shares that P h holds for the two input wires to an addition gate, then f ) is a valid sharing of the output wire.Indeed, if the polynomials f 1 (x) and f 2 (x) are of degree at most t, then so is their sum f (x) := f 1 (x) + f 2 (x); and, in addition, f (0) = f 1 (0) + f 2 (0).
Multiplication gates.The case of multiplication gates is more involved as it requires interaction among the parties.In particular, given shares f 1 (α h ) and f 2 (α h ) for the two input wires of a multiplication gate, 1 ≤ h ≤ d, then f (α h ) := f 1 (α h ) • f 2 (α h ) are shares of a polynomial f (x) with the correct constant term f (0) = f 1 (0) • f 2 (0), as required, but its degree could be as high as 2t, while we need the sharing polynomial to be of degree at most t.Hence, the players must interact in order to reduce the degree of that polynomial.The degree reduction procedure can be done using the method of [14], which is based on the fact that if f is a polynomial of degree at most d − 1 and α 1 , . . ., α d are d distinct non-zero points in the field, then the constant term f (0) is a linear combination of the other points on that polynomial.That is, are the Lagrange coefficients.The multiplication sub-protocol proceeds as follows.Given the shares f 1 (α h ), f 2 (α h ) of the party P h , the party P h locally multiplies these two shares and gets the value f (α h ).Then, he chooses a polynomial g h (x) of degree at most t such that g h He then shares the polynomial g h with all parties, so that each party P k receives the share g h (α k ).At the end of this stage, each party P k holds the shares g 1 (α k ), . . ., g d (α k ).Next, let us define the polynomial p(x) := d h=1 λ h • g h (x), which has a degree at most t.Each party P k locally computes the linear combination d h=1 λ h • g h (α k ) = p(α k ), which is his share in the implicitly defined polynomial p(x).Note that p(x) is a polynomial of degree at most t, and p(0)

TRANSACTIONS ON DATA PRIVACY 12 (2019)
Output reconstruction phase.In this phase, each party P h receives all the shares of the output wire and he then reconstructs the final output y. 9.2 A protocol for checking whether the trace of B 3 is zero Protocol 9 performs a privacy-preserving check of the trace of B 3 .It starts (Step 1) by selecting the finite field F over which all computations will take place.The size of the field must be greater than d 3 n 3 , since that is the upper bound on tr(B 3 ).The latter bound follows directly from Lemma 4 below, that can be easily proven by induction.
Proof.The lemma is obviously correct for k = 1 since B(u, v) equals the number of private graphs that have the edge (u, v) and that number is within the range [0, d].The proof proceeds by induction: Next (Step 2), each party distributes to all parties (including himself) shares in a Shamir secret sharing scheme in each entry of his private adjacency matrix.The degree t of all interpolation polynomials are selected by all parties upfront.(Note that since all graphs are non-directional, then all adjacency matrices are symmetric and hence it suffices to share and compute only the entries on the diagonal and above it.)After each party collects his respective shares in all adjacency matrices, he proceeds to add them in order to receive a share in each entry of the matrix B (Step 3).In Steps 4-5, the parties proceed to translate their shares into shares in the entries of B 2 and B 3 .Since, for any (u, v) ∈ V 2 and k ≥ 2, the parties can use the BGW multiplication procedure in order to compute shares in the product B k−1 (u, w)B(w, v) (from the shares in B k−1 (u, w) and B(w, v) which they already have) and, subsequently, get shares in B k (u, v).Then the parties compute their share in tr(B 3 ) by simple addition (Step 6).
It is left only to reconstruct tr(B 3 ) and check whether it is zero or not.Such a conclusion of the protocol is possible, but then the parties would reveal tr(B 3 ), which equals the number of cycles of length 3 in G, multiplied by 3 (as each such cycle contributes 1 to three entries on the diagonal of B 3 ).If such information leakage is considered benign then the protocol could end by such reconstruction among the d interacting parties.If, however, such information leakage is to be avoided, the parties can decide on a random multiplier q ∈ F * p and then send to the mediator T their shares multiplied by q.T may then interpolate the received shares in order to get w := q • tr(B 3 ).Such a value reveals to T (who does not know q) only whether tr(B 3 ) = 0 or not, but nothing beyond that (Steps 7-10).
TRANSACTIONS ON DATA PRIVACY 12 (2019) Protocol 9 Privacy-preserving testing of the triangle-freeness of a distributed planar graph 1: P1, . . ., P d choose a finite field F where |F| > d 3 n 2 .2: Each P h , 1 ≤ h ≤ d, shares each entry in his own adjacency matrix A h with all parties.3: Each P h computes from the shares he received his own share in each entry of the matrix B = d h=1 A h .4: P1, . . ., P d invoke the BGW protocol to compute shares in each of the entries in B 2 .5: P1, . . ., P d invoke the BGW protocol to compute shares in each of the entries on the diagonal of B 3 .6: Each P h adds up his shares in the diagonal entries of B 3 in order to get his share s h in tr(B 3 ).7: P1, . . ., P d select a random nonzero term q ∈ F * p .8: Each P h sends to T the value q • s h , 1 ≤ h ≤ d. 9: T recovers from the received shares the value w := q • tr(B 3 ).10: T outputs "The graph is triangle-free" if w = 0 and "The graph is not triangle-free" otherwise.Such a protocol does not leak anything to the interacting parties P 1 , . . ., P d , as implied by the security of the BGW protocol [4], and not to T as argued above.As for the computational costs, the main bottleneck is due to the BGW multiplication procedure.In computing shares in B 2 's entries there are O(n 3 ) multiplication procedures (that could be parallelized), while the computation of the diagonal entries of B 3 involves additional O(n 2 ) multiplication procedures (which could also be parallelized).As the complexity of our planaritytesting protocols is higher than that, then this subsequent computation does not increase the overall complexity.

Conclusions
We introduced the problem of privacy-preserving planarity testing of distributed graphs.We presented a protocol that solves this problem.Our protocol, based on the Hanani-Tutte theorem, protects the private edge sets of each of the parties, under the assumption that the parties are semi-honest and do not collude.Our study presents, for the first time, an SMC protocol that privately tests a geometric property of distributed graphs.A related property of graphs is that of outer-planarity: a graph is called outer-planar if it has a planar drawing for which all the vertices belong to the outer face of the drawing.It is known [13] that a graph is outer-planar iff the graph that is obtained from it by adding a new vertex and adding from it edges to all original vertices is planar.Hence, our privacypreserving planarity testing protocols can be easily modified for testing outer-planarity.All that is needed is to augment the vertex set V = {v 1 , . . ., v n } with a new vertex, V → V = V ∪ {v n+1 }, and that one of the parties, say P 1 , adds to his edge set, E 1 , the n edges (v i , v n+1 ), 1 ≤ i ≤ n.Then the parties may proceed by testing the planarity of the new augmented distributed graph on V .
This study raises the following problems for future research: (a) Improving scalability, either by devising more efficient ways to test the solvability of the HT system, or by designing a privacy-preserving version of another planarity testing algorithm.
(b) Devising privacy-preserving protocols for solving graph problems, which are known to have an efficient solution in cases where the underlying graph is planar, as we did for 3-colorability.The sub-graph isomorphism and the maximal clique problems are examples of such problems.TRANSACTIONS ON DATA PRIVACY 12 (2019) (c) Enhancing the resiliency of the protocol to stronger adversarial models (i.e., malicious parties).
(d) Implement mechanisms to prevent coalitions between the interacting parties.In the solutions that we presented herein, one of the parties P 1 , . . ., P d may collude with the mediator T in order to disclose information on the union graph beyond its planarity.One way to prevent such a coalition is to split the role of the mediator T into k distinct and independent mediators, T 1 , . . ., T k , and enhance our protocols by secret sharing techniques, so that the recovery of information on the union graph requires a collaboration of all k mediators, or of k mediators, where 1 < k < k (the latter option increases the robustness of the system).
(e) Devising privacy-preserving protocols for computing planar drawings of distributed graphs.Assume that P 1 , . . ., P d ran the protocols described in the present study and found that the distributed graph which they hold is planar.In such a case a new problem arises: finding a planar drawing of the distributed graph.Namely, the parties should arrive at a bijection ϕ from the vertex set V to R 2 and a representation of each edge e = (u, v) ∈ E as a continuous simple curve in R 2 with ϕ(u) and ϕ(v) as its end points, such that no two curves intersect apart possibly at their end points.The bijection ϕ can be public, as V is public and shared by all parties.However, the curve representing any given edge should be revealed only to parties that have that edge in their private edge set.This is a problem of secure multiparty computation of a new type, as the output consists of continuous curves.We are not aware of any prior art that pushed the envelope of secure multiparty computation to include such types of computation.

Figure 1 :
Figure 1: K 4 is a planar graph.The left drawing is non-planar, but the right drawing is planar.

Figure 2 :
Figure 2: K 5 and K 3,3 are non-planar.A graph is planar iff it does not include either of them as minors.

Figure 3 :
Figure 3: Illustrating parity D (e, f ): In the two left drawings parity D (e, f ) = 0 while in the other two parity D (e, f ) = 1.

Figure 4 :
Figure 4: Illustrating an (e, v)-move.As a result of such a move, parity D (e, f ) changes only for the four edges adjacent to v (from 0 to 1); for all other edges f , parity D (e, f ) remains unchanged (0).

Figure 5 :
Figure 5: An illustration of the embedding of n = 6 vertices, together with two connecting edges.

Figure 6 :
Figure 6: A drawing of G = (V, E) with E = {e 1,4 , e 1,5 , e 2,4 , e 2,6 , e 3,6 , e 5,6 } and the corresponding complete graph K V .The edges in G are marked by thick lines, while all edges in K V which are not in G are marked by thin lines.

3 :
P1 sends to P2 a vector x1 of length n 2 where, for each edge (vi, vj) ∈ E c 1 , i < j, x1 includes an entry of the form H(i, j) α 1 , while the remaining n 2 − |E c 1 | entries are randomly selected from Z * p .The order of x1's entries is random.4: P2 sends to P1 a vector x2 of length n 2 where, for each edge (vi, vj) ∈ E c 2 , i < j, x2 includes an entry of the form H(i, j) α 2 , while the remaining n 2 − |E c 2 | entries are randomly selected from Z * p .The order of x2's entries is random.5: P1 sends to T the vector y 2 , where y 2

n 2 − |E c 1 |
entries are randomly selected from Z * p .TRANSACTIONS ON DATA PRIVACY 12 (2019) Privacy-Preserving Planarity Testing of Distributed Graphs 135 maintain the uniform distribution.The security of Protocol 7 follows from the hardness of the Discrete Log problem.The protocol entails a total of O(dn 2 ) hash function evaluations and exponentiations (for P 1 , . . ., P d ) and O(dn 2 log n) comparisons for T .The protocol has d rounds of communication in which O(dn 2 log p) bits are transmitted.

Theorem 1 .
d h=1 A h .The matrix B = d h=1 A h , on the other hand, gives for any pair of vertices (u, v) the number of private graphs that have the edge (u, v).The graph G = (V, E), where E = d h=1 E h , is triangle-free iff tr(A 3 ) = tr(B 3 ) = 0. Before proving Theorem 1, we define the notions of paths and path scenarios: T compares the d received vectors, y 1 , . . ., y d , and finds out the number z of values that appear in all of them.
1: P1, ..., P d select jointly a large multiplicative group Z * p (p is prime) and a hash function H whose range can be embedded in Z * p .2:P h selects a secret and random exponent1 < α h < p − 1, 1 ≤ h ≤ d. 3: for 1 ≤ h ≤ d do 4:P h−1 sends to T a vector y h of length n 2 where, for each edge (vi, vj) ∈ E c h , i < j, y h includes an entry of the form H(i, j) α , for α = p .The order of y h 's entries is random.Here, when h = 1, P h−1 is P d .5: end for 6: 7: If z < n 2 − (3n − 6), T notifies P1, . . ., P d that the union graph is not planar.
2: P h , 1 ≤ h ≤ d, sends to P d the values E(α h e ) for all e ∈ V2. 3: P d performs homomorphic addition and computes E(αe) for all e ∈ V2, where αe = P d selects for each e ∈ V2 a random multiplier re ∈ F * ν and computes E(αe) re = E(reαe).5: For each pair of independent edges {e, f } ∈ K ind 2 , P d performs homomorphic multiplication of E(reαe) and E(r f α f ) in order to get E1(rer f αeα f ).6: P d sends to T the vector u := (E1(rer f αeα f