jaseg/phd-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

SMPC chapter: Improve wording and fix spelling

Browse source
This commit is contained in:
jaseg 2026-01-19 17:20:20 +01:00
parent bf66366603
commit bb744cb11f
3 changed files with 89 additions and 121 deletions
Download patch file Download diff file Expand all files Collapse all files

204
chapter-smpc/chapter.tex
View file

@ -21,12 +21,12 @@ limited~\cite{
Because IHSMs rotate at high speed, IHSM meshes do not need to be contiguous to provide adequate security. While a
non-contiguous rotating mesh might theoretically allow a stationary attack tool to quickly penetrate, then retract
through one of the mesh's gaps while the mesh is rotating, the time available for such an attack would be too short for
a practical attack. For a mesh with three vertical connecting segments (cf.\ Figure~\ref{fig_proto_mesh} in
Chapter~\ref{chapter-ihsm}) rotating at \qty{1000}{\rpm}, this time would be in the order of \qty{20}{\milli\second}.
Conventional HSM monitoring circuits would likely require a similar amount of time to react to an
attack~\cite{obermaier2018}.
a practical attack (cf.\ Chapter~\ref{chapter-ihsm}). For a mesh with three vertical connecting segments (cf.\
Figure~\ref{fig_proto_mesh} in Chapter~\ref{chapter-ihsm}) rotating at \qty{1000}{\rpm}, this time would be in the order
of \qty{20}{\milli\second}. Conventional HSM monitoring circuits would likely require a similar amount of time to react
to an attack~\cite{obermaier2018}.
Similar to how the increase in payload \emph{sizew} of IHSMs compared to conventional HSMs unlocks new applications such
Similar to how the increase in payload \emph{size} of IHSMs compared to conventional HSMs unlocks new applications such
as the Quantum Key Distribution relay use case we presented in Chapter~\ref{chapter-qkd}, the increase in sustainable
power dissipation enabled by air cooling also unlocks a number of new applications. Especially applications that require
large amounts of computing power benefit from IHSM technology, as their needs fundamentally cannot be met by
@ -37,14 +37,7 @@ is Multiparty Computation (MPC). MPC is a cryptographic construct that allows se
perform a computation in such a way that the inputs to the computation remain private to the parties providing them, and
no single party must be trusted for the computation to produce the correct result. Conceptually, MPC is similar to a
secret sharing scheme that shares not just data, but computation between untrusted parties. The computation primitive
MPC offers is a cryptographic answer to the question of how to bootstrap trust in a computing system.
\todo{In this chapter, cite academic publications and patents on HSM cooling!}
%The most challenging scenarios in computing arise when multiple
%parties such as manufacturers and operators, servers and clients, or sellers and buyers need to interact through
%computation. In many practical situations, it is impossible to create a single computer that can be trusted by every
%participant. MPC is a generic solution to a multitude of such scenarios reducing the problem of creating a single,
%shared computer everyone can trust simultaneously to everyone creating their own computer that they only can trust.
MPC offers is a cryptographic tool for bootstrapping trust in a distributed computing system.
We can deconstruct the problem of trust in computing into two largely disjunct parts: Establishing trust in a computing
system during its creation is one, and maintaining this trust throughout its life is the other. For the second part of
@ -58,41 +51,43 @@ they cannot target all systems simultaneously and we give them too little time t
A limitation of both approaches is that in either case, while the party creating or acquiring the system can trust it,
they cannot prove its trustworthiness to other parties. MPC solves this issue by allowing every party to contribute
their trusted system to the protocol, cryptographically bootstrapping common trust in the computation and its
their own trusted system to the protocol, cryptographically bootstrapping common trust in the computation and its
output\footnote{
In fact, MPC does more than just bootstrapping from each participant trusting their own system to a trusted shared
computation. In an MPC protocol providing semi-honest or better security, MPC even \emph{relaxes} each party's trust
requirement from trusting their own system to trusting that any $n$-of-$k$ out of all systems contributing to the
requirement from trusting their own system to trusting any $n$-of-$k$ out of all systems contributing to the
protocol.
}.
\section{Fast MPC and Slow HSMs}
MPC is a uniquely powerful cryptographic primitive, yet it has still not found widespread practical adoption. This is
because MPC is extremely resource-intensive to run. MPC protocols exist on a continuum trading off between extreme
memory and bandwidth requirements on one end and intense computational requirements on the other end. At a first glance,
MPC and Hardware Security Modules look like they would complement each other well, but HSMs cannot keep up with the
intense computational requirements posed by MPC.
MPC is a uniquely powerful cryptographic primitive, yet it has still not found widespread practical adoption. To a large
extent, this is because MPC is extremely resource-intensive to run. MPC protocols exist on a continuum trading off
between extreme memory and bandwidth requirements on one end and intense computational requirements on the other end. At
a first glance, MPC and Hardware Security Modules look like they would complement each other well, but HSMs cannot keep
up with the computational requirements posed by MPC.
Using P-256 curve ECC key generation as a benchmark, commercially available HSMs are quoted to perform between 3500 and
22000 cryptographic operations per second~\cite{
Using P-256 curve ECC key generation as a benchmark, commercially available HSMs are quoted to perform between 3,500 and
22,000 cryptographic operations per second~\cite{
kumarIBMZ16Performance2025,
ThalesLunaNetwork2024,
Utrust_GP_HSM_Se_Series_Datasheet_ENpdf,
}. Meanwhile, an MPC protocol doing something as simple as a single AES encryption, corresponding to 7000 logic
}. Meanwhile, an MPC protocol doing something as simple as a single AES encryption, corresponding to 7,000 logic
gates~\cite{wangGlobalScaleSecureMultiparty2017}, requires tens of thousands of cryptographic operations when performed
in MPC. As a result, applying conventional HSMs to MPC at any practical scale is infeasible by multiple orders of
magnitude. Literature on MPC commonly uses server hardware as a platform for benchmarks.
magnitude. Literature on MPC commonly uses server hardware as a platform for benchmarks, which has power dissipation and
processing speeds well beyond that of conventional HSMs.
HSMs are slow compared to contemporary computers because they are limited in their power dissipation, and power
dissipation is largely proportional to processing speed. In the limited fields where HSMs have found commercial
application, this limitation was never considered important and market forces pushing towards faster HSMs remain
light\todo{Can we find a citation here?}. Fundamentally, conventional HSMs must envelope the entire payload in a tamper
sensing mesh to detect drilling attacks, but a tamper sensing mesh that is impermeable to a drill is also impermeable to
air. As a result, any heat conducted from the HSMs processor to the outside world must pass through the mesh. At the
same time, the mesh cannot be thinned either because thinning it would enable micro-drilling attacks. The result of
these constraints is a high thermal resistance between the HSM's processor and an external heat sink, which limits
maximum power dissipation to a fraction of what is achieved in modern CPUs or even GPUs.
application, this limitation was never considered important and market forces pushing towards faster HSMs appear to
remain light with the issue receiving little attention in either academic or manufacturer publications on the topic.
Fundamentally, conventional HSMs must envelope the entire payload in a tamper sensing mesh to detect drilling attacks,
but a tamper sensing mesh that is impermeable to a drill is also impermeable to air. As a result, any heat conducted
from the HSMs processor to the outside world must pass through the mesh. At the same time, the mesh cannot be thinned
either because thinning it would enable micro-drilling attacks. The result of these constraints is a high thermal
resistance between the HSM's processor and an external heat sink, which limits maximum power dissipation to a fraction
of that of modern CPUs or even GPUs.
A secondary limitation of conventional HSMs is that the highly specialized tamper sensing foils used in their
construction often cannot be scaled to arbitray sizes without incurring unsustainable process yields due to the
@ -104,10 +99,9 @@ components such as memory, power supplies and any internal heat spreading compon
Inertial HSMs solve this issue since they allow their payload to be air cooled without compromising security, and they
expand the feasible security boundary size from the several hundred milliliters offered by conventional HSMs to several
liters and more, enabling the integration of standard, off-the-shelf server components such as mainboards, CPUs, CPU
coolers, and power supplies. In this chapter, we will first provide a short overview of the theory of MPC before
elaborating a design of an IHSM tailored to MPC tasks including performance calculations and unique design aspects. We
will conclude with an outlook of applications unlocked by our design as well as promising areas for future improvements
of our design.
coolers, and power supplies. In this chapter, we will first provide a short overview illustrating a basic MPC protocol
for context before elaborating a design of an IHSM tailored to MPC tasks. We will conclude with an outlook of
applications unlocked by our design as well as promising areas for future improvements of our design.
\section{The Fundamentals of Multiparty Computation}
@ -134,7 +128,8 @@ real-world settings where parties do not have stable identities such as peer-to-
mostly interesting as a research tool since protocols assuming a semi-honest adversary can often be upgraded to covert
or malicious security at some performance tradeoff. In a practical setting, a semi-honest secure MPC protocol would not
provide additional security over just having one party run the computation except in some situations where inadvertent
side-channel leakage is a concern.
side-channel leakage is a concern. Using HSMs to secure protocol participants' cryptographic computations complements
both the covert and malicious security models.
\subsection{Oblivious Transfer}
@ -153,19 +148,17 @@ Transfer Extensions (OTe)\cite{ishaiExtendingObliviousTransfers2003}. Using OTe,
base Oblivious Transfer instances can be extended into an arbitrarily large number of Oblivious Transfer instances using
only invocations of a pseudo-random function (PRF) such as a cryptographic hash function.
\subsection{Boolean MPC with Yao's Garbled Circuits}
% Yao's Garbled Circuits
Yao's Garbled Circuits (GC) protocol is one of the oldest Multiparty Computation protocols, dating back to the 1980ies.
In Yao's GC, two parties jointly compute a function that is represented as a circuit of binary logic gates by evaluating
the circuit gate by gate. In Yao's GC, one party, generator, creates a random \emph{garbled} representation of the
circuit and sends it to the other party, the evaluator, who computes its output. The core idea in Yao's GC is that every
wire $w_i$ in the circuit is assigned two random cryptographic secret keys $w_i^b$, called wire labels, one $w_i^0$ for
the logical value $0$ and one $w_i^1$ for the value $1$. The mapping from logic values to these keys is assigned
randomly by the generator, and unknown to the evaluator~\cite{
yaoHowGenerateExchange1986,
beaverComplexitySecureProtocols1990,
evansPragmaticIntroductionSecure,
}.
\subsection{A basic MPC protocol: Boolean MPC with Yao's Garbled Circuits}
As a basic example of the approach taken by MPC protocols, we will give a brief overview of Yao's Garbled Circuits (GC)
protocol. Yao's GC is one of the oldest Multiparty Computation protocols, dating back to the 1980ies. In Yao's GC, two
parties jointly compute a function that is represented as a circuit of binary logic gates by evaluating the circuit gate
by gate. In Yao's GC, one party, generator, creates a random \emph{garbled} representation of the circuit and sends it
to the other party, the evaluator, who computes its output. The core idea in Yao's GC is that every wire $w_i$ in the
circuit is assigned two random cryptographic secret keys $w_i^b$, called wire labels, one $w_i^0$ for the logical value
$0$ and one $w_i^1$ for the value $1$. The mapping from logic values to these keys is assigned randomly by the
generator, and unknown to the
evaluator~\cite{yaoHowGenerateExchange1986,beaverComplexitySecureProtocols1990,evansPragmaticIntroductionSecure}.
Gates are represented in Yao's GC as truth tables with one row for every combination of input wire values. Each row of
these truth tables contains the output wire label (i.e. secret key) corresponding to the gate's logical output value for
@ -200,28 +193,8 @@ evaluations of a pseudorandom function such as a cryptographic hash or a cipher.
Garbled Circuit is many times slower than performing it in the clear. Intuitively, each single-bit gate in the garbled
circuit results in several cryptographic operations with input and output sizes of dozens or hundreds of bits.
Practically useful functions such as AES encryption have circuit implementations measuring thousands or tens of
thousands of gates, meaning these costs quickly escalate for practical problem sizes~\cite{
boyarNewCombinationalLogic2010,
songhoriTinyGarbleHighlyCompressed2015,
}.
% FIXME This entire connecting section
%\subsection{Practical Application}
%\subsubsection{Preprocessing and Online Phases}
%\subsubsection{Constant-Round MPC}
% \subsection{Performance}
% zahurTwoHalvesMake2015,wangGlobalScaleSecureMultiparty2017,kellerMPSPDZVersatileFramework2020,dalskovFantasticFourHonestMajority
% \subsection{Practical Deployments}
% \subsection{Solutions}
% \subsection{Hardware Security Applied to MPC}
% Hardware security primitives can be applied in several roles in an MPC protocol.
thousands of gates, meaning these costs quickly escalate for practical problem
sizes~\cite{boyarNewCombinationalLogic2010, songhoriTinyGarbleHighlyCompressed2015}.
\section{A High-Performance IHSM for MPC Applications}
@ -231,24 +204,17 @@ implemented using CPU processing. The technology comes with an unavoidable incre
each single plaintext computation or gate results in several cryptographic operations.
A naive implementation might attempt to implement MPC using an HSM by simply offloading all cryptographic operations to
the HSM. In practice, this is not a workable solution due to the slow processing speed of conventional HSMs.
Conventional HSMs use low-power embedded processors since their encapsulation using potting and security meshes impedes
heat transfer, limiting power dissipation.
In the near term, absent radical developments in either MPC theory or in the speed and power efficiency of processing
hardware, the only feasible solution for HSM-protected MPC at any practical scale is to find a way to protect an entire
server-class computer. As elaborated above, IHSMs are a natural fit for this requirement since they allow for large,
air-cooled payloads.
%\subsection{Hardware Requirements}
the HSM. In practice, this is not a workable solution due to the slow processing speed of conventional HSMs. In the near
term, absent radical developments in either MPC theory or in the speed and power efficiency of processing hardware, the
only feasible solution for HSM-protected MPC at any practical scale is to find a way to protect an entire server-class
computer. IHSMs are a natural fit for this requirement since they allow for large, air-cooled payloads.
As a baseline performance target, we consider a commodity server mainboard in CEB or ATX form factor, populated with a
high-end server CPU and a large amount of RAM. As MPC systems do not usually require a great amount of storage, we can
largely ignore storage for our size and power calculations.\todo{Refer to performance numbers from research above here}
As a result, we end up with a total maximum power dissipation of approximately \qty{420}{\watt} as shown in
Table~\ref{tab_power_budget}. Dissipating this amount of power using air cooling is within the capabilities of commodity
server cooling components~\cite{coroamaPossibleFutureTrends2025}.
largely ignore storage for our size and power calculations. As a result, we end up with a total maximum power
dissipation of approximately \qty{420}{\watt} as shown in Table~\ref{tab_power_budget}. Dissipating this amount of power
using air cooling is within the capabilities of commodity server cooling
components~\cite{coroamaPossibleFutureTrends2025}.
\begin{table}
\centering
@ -267,16 +233,16 @@ server cooling components~\cite{coroamaPossibleFutureTrends2025}.
A common type of side-channel attack on cryptographic systems are power analysis attacks. In such attacks, the supply
current of the target processing system is measured at high speed while the target is performing cryptographic
computations. By aggregating the results of a large number of the resulting power traces, it is often possible to infer
the value of secret data such as cryptographic keys. To mitigate this type of attack, not only do we have to place the
CPU, mainboard, and memory inside of the HSM's tamper-sensing barrier, but also the power supply. A secondary benefit of
placing the power supply inside the tamper-sensing barrier is that it simplifies the power wiring between the outside of
the IHSM cage and the payload. Supplying the \qty{12}{\volt} power rails that commodity mainboard commonly use requires
tens of Ampere. To carry such high current, the wiring has to be sized accordingly. In an IHSM, even thick wires can
easily be passed through the mesh cage, but such wiring requires a large opening at the shaft on one end of the cage,
which creates a literal security gap. Placing the power supply inside of the cage reduces the size of the wires needed
since the power supply steps down a lower current \qty{240}{\volt} input to the system's high-current \qty{12}{\volt}
rails. According to DIN VDE 0298-4\todo{Citation?}, a pair of \qty{1.5}{\milli\meter^2} conductors is sufficient for
more than \qty{3}{\kilo\watt} of load under worst-case conditions.
the value of secret data such as cryptographic keys. To mitigate this type of attack, we propose placing the system's
power supply inside the IHSM envelope. A secondary benefit of placing the power supply inside the tamper-sensing barrier
is that it simplifies the power wiring between the outside of the IHSM cage and the payload. Supplying the
\qty{12}{\volt} power rails that commodity mainboard commonly use requires tens of Ampere. To carry such high current,
the wiring has to be sized accordingly. In an IHSM, even thick wires can easily be passed through the mesh cage, but
such wiring requires a large opening at the shaft on one end of the cage, which creates a literal security gap. Placing
the power supply inside of the cage reduces the size of the wires needed since the power supply steps down a lower
current \qty{240}{\volt} input to the system's high-current \qty{12}{\volt} rails. Using DIN VDE 0298-4\todo{Citation?}
as a reference, a pair of \qty{1.5}{\milli\meter^2} conductors is sufficient for more than \qty{3}{\kilo\watt} of load
under worst-case conditions.
\subsection{Software Considerations}
@ -298,9 +264,6 @@ software without effectively running a system emulation and incurring a massive
Intel and AMD contain hardware features that provide transparent DRAM encryption. These hardware features would be
necessary when securing an entire sever in an MPC setup with IHSMS technology.
% \subsection{Fast Zeroization of Non-Customizable Memories}
% Thermite experiements and paper
\subsection{A Joint Cooling and IHSM Envelope Powertrain}
In this section, we will present a sketch of a design for an IHSM envelope large enough to fit a small server mainboard,
@ -327,34 +290,35 @@ while simultaneously providing cooling to the payload.
\end{figure}
Our proposed design is based on the idea of using the cooling fans' airflow to power the rotation of the IHSM envelope.
Figure~\ref{fig_setup} shows a conceptual demonstration of this concept. Using the basic cylindrical design, the IHSM
envelope consists of two discs above and below the payload that are connected through vertical struts containing part of
the tamper-sensing mesh on the outside of the payload. We propose widening these vertical connecting struts, and angling
them such that the entire envelope becomes a centrifugal impeller. By letting air flow into the envelope from the side,
and back out through its top and bottom, the envelope assumes the same configuration used in centrifugal cooling fans.
Figure~\ref{fig_setup} shows a conceptual demonstration of this approach. Using a basic cylindrical design, the IHSM
envelope consists of two discs above and below the payload that are connected through vertical struts on the outside of
the payload. We propose widening these vertical connecting struts, and angling them such that the entire envelope
becomes a centrifugal impeller. By letting air flow into the envelope from the side, and back out through its top and
bottom, the envelope assumes the same configuration used in centrifugal cooling fans. Tamper sensing meshes are placed
inside the vertical struts as well as along the horizontal discs at the top and at the bottom.
Laying out an IHSM this way has several advantages. First, we save some vertical space by removing the motor from the
shaft of the mesh. Second, on top of driving the mesh, the airflow also serves to cool the payload. Second, this
shaft of the mesh. Second, on top of driving the mesh, the airflow also serves to cool the payload. Finally, this
approach eliminates the motor driving the mesh as a single point of failure. In a basic IHSM design as we introduced it
in Chapter~\ref{chapter-ihsm}, this motor is a critical component as it failing would lead to the mesh accelerometer
triggering the tamper alarm. Using a brushless motor type the numebr of wear components in this motor can be reduced to
the motor's shaft bearings. A complication in the practical manufacturing of IHSMs at a small scale is that small-scale
production does not allow for a custom-made motor. Limiting the selection to off-the-shelf brushless motors leads to an
unpredictability of bearing life since precise bearing specifications are not usually included in motor datasheets.
in Chapter~\ref{chapter-ihsm}, this motor is a critical component as its failure would lead to the mesh accelerometer
triggering the deceleration tamper alarm. Using a brushless motor type the number of wear components in this motor can
be reduced to the motor's shaft bearings. A complication in the practical manufacturing of IHSMs at a small scale is
that small-scale production does not allow for a custom-made motor. Limiting the selection to off-the-shelf brushless
motors leads to an unpredictability of bearing life due to the cost of precision bearings. Complicating things, bearing
specifications are not usually included in motor datasheets.
Compared to the market for off-the-shelf small brushless motors, cooling fans are easier to shop for. A large selection
of products with various form factors and specifications is available, and manufacturers usually give detailed
information on both performance and lifetime. For industrial and server cooling fans, uninterrupted 24/7 operation is
their nominal operating condition.
information on both performance and lifetime. Industrial and server cooling fans are commonly rated for uninterrupted
24/7 operation. The cooling fans can be located on the outside of the envelope in an easily accessible location. Like in
many servers, they can be set up in a redundant way such that a failed cooling fan can be replaced while the system
continues to operate.
The cooling fans can be located on the outside of the envelope in an easily accessible location, and can be set up in a
redundant way such that a failed cooling fan can be replaced while the system continues operation.
The main drawback of a fan-driven IHSM is the necessary airflow. To maximize payload volume, the fan blades must be kept
as narrow as possible. Narrow fan blades work best at high air speed, but high air speed requires the fan to have high
airflow. Besides limiting fan selection and increasing power consumption, high airflow fans also are noisy. Despite
these limitations, we consider fan-driven IHSMs a valid tradeoff since such a system would most likely be deployed in a
datacenter where high noise levels are acceptable.
The main drawback of a fan-driven IHSM is the amount of airflow necessary. To maximize payload volume, the fan blades
must be kept as narrow as possible. Narrow fan blades work best at high air speed, but high air speed requires the fan
to have high airflow. Besides limiting fan selection and increasing power consumption, high airflow fans also are noisy.
Despite these limitations, we consider fan-driven IHSMs a valid tradeoff since such a system would most likely be
deployed in a datacenter where high noise levels are acceptable.
\section{Outlook}

4
main.bib
View file

@ -2672,9 +2672,11 @@ Subject\_term: Computer science}
title = {High {{Fidelity Security Mesh Monitoring}} Using {{Low-Cost}}, {{Embedded Time Domain Reflectometry}}},
booktitle = {Transactions on {{Cryptographic Hardware}} and {{Embedded Systems}}},
author = {Götte, Jan Sebastian and Scheuermann, Björn},
date = {2026},
date = {2026-01},
volume = {2026/1},
pages = {533--558},
publisher = {IACR},
doi = {10.46586/tches.v2026.i1.533-558},
url = {https://eprint.iacr.org/2025/1962},
urldate = {2025-11-04},
abstract = {Security Meshes are patterns of sensing traces covering an area that are used in Hardware Security Modules (HSMs) and other systems to detect attempts to physically intrude into the device's protective shell. State-of-the-art solutions manufacture meshes in bespoke processes from carefully chosen materials, which is expensive and makes replication challenging. Additionally, state-of-the-art monitoring circuits sacrifice either monitoring precision or cost efficiency. In this paper, we present an embeddable security mesh monitoring circuit constructed from low-cost, standard components that utilizes Time Domain Reflectometry (TDR) to create a unique fingerprint of a mesh. Our approach is both low-cost and precise, and enables the use of inexpensive standard Printed Circuit Boards (PCBs) as security mesh material. We demonstrate a working prototype of our TDR circuit costing less than 10 € in components that achieves both time resolution and rise time better than 200 ps—a 25 × improvement over previous work. We demonstrate a simple classifier that detects several types of advanced attacks such as probing using an oscilloscope probe or micro-soldering attacks with no false negatives.},

2
thesis.tex
View file

@ -33,6 +33,8 @@
\input{titlepage.tex}
\frontmatter
\chapter*{Akademischer Werdegang}
\includepdf[pages=-]{lebenslauf-en-akademischer-werdegang-diss.pdf}
\input{abstract-de.tex}
\input{abstract.tex}
\input{ai-llm-use-disclosure.tex}