diff --git a/chapter-smpc/chapter.tex b/chapter-smpc/chapter.tex index 66353dc..a5153be 100644 --- a/chapter-smpc/chapter.tex +++ b/chapter-smpc/chapter.tex @@ -21,12 +21,12 @@ limited~\cite{ Because IHSMs rotate at high speed, IHSM meshes do not need to be contiguous to provide adequate security. While a non-contiguous rotating mesh might theoretically allow a stationary attack tool to quickly penetrate, then retract through one of the mesh's gaps while the mesh is rotating, the time available for such an attack would be too short for -a practical attack. For a mesh with three vertical connecting segments (cf.\ Figure~\ref{fig_proto_mesh} in -Chapter~\ref{chapter-ihsm}) rotating at \qty{1000}{\rpm}, this time would be in the order of \qty{20}{\milli\second}. -Conventional HSM monitoring circuits would likely require a similar amount of time to react to an -attack~\cite{obermaier2018}. +a practical attack (cf.\ Chapter~\ref{chapter-ihsm}). For a mesh with three vertical connecting segments (cf.\ +Figure~\ref{fig_proto_mesh} in Chapter~\ref{chapter-ihsm}) rotating at \qty{1000}{\rpm}, this time would be in the order +of \qty{20}{\milli\second}. Conventional HSM monitoring circuits would likely require a similar amount of time to react +to an attack~\cite{obermaier2018}. -Similar to how the increase in payload \emph{sizew} of IHSMs compared to conventional HSMs unlocks new applications such +Similar to how the increase in payload \emph{size} of IHSMs compared to conventional HSMs unlocks new applications such as the Quantum Key Distribution relay use case we presented in Chapter~\ref{chapter-qkd}, the increase in sustainable power dissipation enabled by air cooling also unlocks a number of new applications. Especially applications that require large amounts of computing power benefit from IHSM technology, as their needs fundamentally cannot be met by @@ -37,14 +37,7 @@ is Multiparty Computation (MPC). MPC is a cryptographic construct that allows se perform a computation in such a way that the inputs to the computation remain private to the parties providing them, and no single party must be trusted for the computation to produce the correct result. Conceptually, MPC is similar to a secret sharing scheme that shares not just data, but computation between untrusted parties. The computation primitive -MPC offers is a cryptographic answer to the question of how to bootstrap trust in a computing system. -\todo{In this chapter, cite academic publications and patents on HSM cooling!} - -%The most challenging scenarios in computing arise when multiple -%parties such as manufacturers and operators, servers and clients, or sellers and buyers need to interact through -%computation. In many practical situations, it is impossible to create a single computer that can be trusted by every -%participant. MPC is a generic solution to a multitude of such scenarios reducing the problem of creating a single, -%shared computer everyone can trust simultaneously to everyone creating their own computer that they only can trust. +MPC offers is a cryptographic tool for bootstrapping trust in a distributed computing system. We can deconstruct the problem of trust in computing into two largely disjunct parts: Establishing trust in a computing system during its creation is one, and maintaining this trust throughout its life is the other. For the second part of @@ -58,41 +51,43 @@ they cannot target all systems simultaneously and we give them too little time t A limitation of both approaches is that in either case, while the party creating or acquiring the system can trust it, they cannot prove its trustworthiness to other parties. MPC solves this issue by allowing every party to contribute -their trusted system to the protocol, cryptographically bootstrapping common trust in the computation and its +their own trusted system to the protocol, cryptographically bootstrapping common trust in the computation and its output\footnote{ In fact, MPC does more than just bootstrapping from each participant trusting their own system to a trusted shared computation. In an MPC protocol providing semi-honest or better security, MPC even \emph{relaxes} each party's trust - requirement from trusting their own system to trusting that any $n$-of-$k$ out of all systems contributing to the + requirement from trusting their own system to trusting any $n$-of-$k$ out of all systems contributing to the protocol. }. \section{Fast MPC and Slow HSMs} -MPC is a uniquely powerful cryptographic primitive, yet it has still not found widespread practical adoption. This is -because MPC is extremely resource-intensive to run. MPC protocols exist on a continuum trading off between extreme -memory and bandwidth requirements on one end and intense computational requirements on the other end. At a first glance, -MPC and Hardware Security Modules look like they would complement each other well, but HSMs cannot keep up with the -intense computational requirements posed by MPC. +MPC is a uniquely powerful cryptographic primitive, yet it has still not found widespread practical adoption. To a large +extent, this is because MPC is extremely resource-intensive to run. MPC protocols exist on a continuum trading off +between extreme memory and bandwidth requirements on one end and intense computational requirements on the other end. At +a first glance, MPC and Hardware Security Modules look like they would complement each other well, but HSMs cannot keep +up with the computational requirements posed by MPC. -Using P-256 curve ECC key generation as a benchmark, commercially available HSMs are quoted to perform between 3500 and -22000 cryptographic operations per second~\cite{ +Using P-256 curve ECC key generation as a benchmark, commercially available HSMs are quoted to perform between 3,500 and +22,000 cryptographic operations per second~\cite{ kumarIBMZ16Performance2025, ThalesLunaNetwork2024, Utrust_GP_HSM_Se_Series_Datasheet_ENpdf, -}. Meanwhile, an MPC protocol doing something as simple as a single AES encryption, corresponding to 7000 logic +}. Meanwhile, an MPC protocol doing something as simple as a single AES encryption, corresponding to 7,000 logic gates~\cite{wangGlobalScaleSecureMultiparty2017}, requires tens of thousands of cryptographic operations when performed in MPC. As a result, applying conventional HSMs to MPC at any practical scale is infeasible by multiple orders of -magnitude. Literature on MPC commonly uses server hardware as a platform for benchmarks. +magnitude. Literature on MPC commonly uses server hardware as a platform for benchmarks, which has power dissipation and +processing speeds well beyond that of conventional HSMs. HSMs are slow compared to contemporary computers because they are limited in their power dissipation, and power dissipation is largely proportional to processing speed. In the limited fields where HSMs have found commercial -application, this limitation was never considered important and market forces pushing towards faster HSMs remain -light\todo{Can we find a citation here?}. Fundamentally, conventional HSMs must envelope the entire payload in a tamper -sensing mesh to detect drilling attacks, but a tamper sensing mesh that is impermeable to a drill is also impermeable to -air. As a result, any heat conducted from the HSMs processor to the outside world must pass through the mesh. At the -same time, the mesh cannot be thinned either because thinning it would enable micro-drilling attacks. The result of -these constraints is a high thermal resistance between the HSM's processor and an external heat sink, which limits -maximum power dissipation to a fraction of what is achieved in modern CPUs or even GPUs. +application, this limitation was never considered important and market forces pushing towards faster HSMs appear to +remain light with the issue receiving little attention in either academic or manufacturer publications on the topic. +Fundamentally, conventional HSMs must envelope the entire payload in a tamper sensing mesh to detect drilling attacks, +but a tamper sensing mesh that is impermeable to a drill is also impermeable to air. As a result, any heat conducted +from the HSMs processor to the outside world must pass through the mesh. At the same time, the mesh cannot be thinned +either because thinning it would enable micro-drilling attacks. The result of these constraints is a high thermal +resistance between the HSM's processor and an external heat sink, which limits maximum power dissipation to a fraction +of that of modern CPUs or even GPUs. A secondary limitation of conventional HSMs is that the highly specialized tamper sensing foils used in their construction often cannot be scaled to arbitray sizes without incurring unsustainable process yields due to the @@ -104,10 +99,9 @@ components such as memory, power supplies and any internal heat spreading compon Inertial HSMs solve this issue since they allow their payload to be air cooled without compromising security, and they expand the feasible security boundary size from the several hundred milliliters offered by conventional HSMs to several liters and more, enabling the integration of standard, off-the-shelf server components such as mainboards, CPUs, CPU -coolers, and power supplies. In this chapter, we will first provide a short overview of the theory of MPC before -elaborating a design of an IHSM tailored to MPC tasks including performance calculations and unique design aspects. We -will conclude with an outlook of applications unlocked by our design as well as promising areas for future improvements -of our design. +coolers, and power supplies. In this chapter, we will first provide a short overview illustrating a basic MPC protocol +for context before elaborating a design of an IHSM tailored to MPC tasks. We will conclude with an outlook of +applications unlocked by our design as well as promising areas for future improvements of our design. \section{The Fundamentals of Multiparty Computation} @@ -134,7 +128,8 @@ real-world settings where parties do not have stable identities such as peer-to- mostly interesting as a research tool since protocols assuming a semi-honest adversary can often be upgraded to covert or malicious security at some performance tradeoff. In a practical setting, a semi-honest secure MPC protocol would not provide additional security over just having one party run the computation except in some situations where inadvertent -side-channel leakage is a concern. +side-channel leakage is a concern. Using HSMs to secure protocol participants' cryptographic computations complements +both the covert and malicious security models. \subsection{Oblivious Transfer} @@ -153,19 +148,17 @@ Transfer Extensions (OTe)\cite{ishaiExtendingObliviousTransfers2003}. Using OTe, base Oblivious Transfer instances can be extended into an arbitrarily large number of Oblivious Transfer instances using only invocations of a pseudo-random function (PRF) such as a cryptographic hash function. -\subsection{Boolean MPC with Yao's Garbled Circuits} -% Yao's Garbled Circuits -Yao's Garbled Circuits (GC) protocol is one of the oldest Multiparty Computation protocols, dating back to the 1980ies. -In Yao's GC, two parties jointly compute a function that is represented as a circuit of binary logic gates by evaluating -the circuit gate by gate. In Yao's GC, one party, generator, creates a random \emph{garbled} representation of the -circuit and sends it to the other party, the evaluator, who computes its output. The core idea in Yao's GC is that every -wire $w_i$ in the circuit is assigned two random cryptographic secret keys $w_i^b$, called wire labels, one $w_i^0$ for -the logical value $0$ and one $w_i^1$ for the value $1$. The mapping from logic values to these keys is assigned -randomly by the generator, and unknown to the evaluator~\cite{ - yaoHowGenerateExchange1986, - beaverComplexitySecureProtocols1990, - evansPragmaticIntroductionSecure, -}. +\subsection{A basic MPC protocol: Boolean MPC with Yao's Garbled Circuits} + +As a basic example of the approach taken by MPC protocols, we will give a brief overview of Yao's Garbled Circuits (GC) +protocol. Yao's GC is one of the oldest Multiparty Computation protocols, dating back to the 1980ies. In Yao's GC, two +parties jointly compute a function that is represented as a circuit of binary logic gates by evaluating the circuit gate +by gate. In Yao's GC, one party, generator, creates a random \emph{garbled} representation of the circuit and sends it +to the other party, the evaluator, who computes its output. The core idea in Yao's GC is that every wire $w_i$ in the +circuit is assigned two random cryptographic secret keys $w_i^b$, called wire labels, one $w_i^0$ for the logical value +$0$ and one $w_i^1$ for the value $1$. The mapping from logic values to these keys is assigned randomly by the +generator, and unknown to the +evaluator~\cite{yaoHowGenerateExchange1986,beaverComplexitySecureProtocols1990,evansPragmaticIntroductionSecure}. Gates are represented in Yao's GC as truth tables with one row for every combination of input wire values. Each row of these truth tables contains the output wire label (i.e. secret key) corresponding to the gate's logical output value for @@ -200,28 +193,8 @@ evaluations of a pseudorandom function such as a cryptographic hash or a cipher. Garbled Circuit is many times slower than performing it in the clear. Intuitively, each single-bit gate in the garbled circuit results in several cryptographic operations with input and output sizes of dozens or hundreds of bits. Practically useful functions such as AES encryption have circuit implementations measuring thousands or tens of -thousands of gates, meaning these costs quickly escalate for practical problem sizes~\cite{ - boyarNewCombinationalLogic2010, - songhoriTinyGarbleHighlyCompressed2015, -}. - -% FIXME This entire connecting section - -%\subsection{Practical Application} -%\subsubsection{Preprocessing and Online Phases} -%\subsubsection{Constant-Round MPC} - -% \subsection{Performance} - -% zahurTwoHalvesMake2015,wangGlobalScaleSecureMultiparty2017,kellerMPSPDZVersatileFramework2020,dalskovFantasticFourHonestMajority - -% \subsection{Practical Deployments} - -% \subsection{Solutions} - -% \subsection{Hardware Security Applied to MPC} - -% Hardware security primitives can be applied in several roles in an MPC protocol. +thousands of gates, meaning these costs quickly escalate for practical problem +sizes~\cite{boyarNewCombinationalLogic2010, songhoriTinyGarbleHighlyCompressed2015}. \section{A High-Performance IHSM for MPC Applications} @@ -231,24 +204,17 @@ implemented using CPU processing. The technology comes with an unavoidable incre each single plaintext computation or gate results in several cryptographic operations. A naive implementation might attempt to implement MPC using an HSM by simply offloading all cryptographic operations to -the HSM. In practice, this is not a workable solution due to the slow processing speed of conventional HSMs. -Conventional HSMs use low-power embedded processors since their encapsulation using potting and security meshes impedes -heat transfer, limiting power dissipation. - -In the near term, absent radical developments in either MPC theory or in the speed and power efficiency of processing -hardware, the only feasible solution for HSM-protected MPC at any practical scale is to find a way to protect an entire -server-class computer. As elaborated above, IHSMs are a natural fit for this requirement since they allow for large, -air-cooled payloads. - -%\subsection{Hardware Requirements} +the HSM. In practice, this is not a workable solution due to the slow processing speed of conventional HSMs. In the near +term, absent radical developments in either MPC theory or in the speed and power efficiency of processing hardware, the +only feasible solution for HSM-protected MPC at any practical scale is to find a way to protect an entire server-class +computer. IHSMs are a natural fit for this requirement since they allow for large, air-cooled payloads. As a baseline performance target, we consider a commodity server mainboard in CEB or ATX form factor, populated with a high-end server CPU and a large amount of RAM. As MPC systems do not usually require a great amount of storage, we can -largely ignore storage for our size and power calculations.\todo{Refer to performance numbers from research above here} - -As a result, we end up with a total maximum power dissipation of approximately \qty{420}{\watt} as shown in -Table~\ref{tab_power_budget}. Dissipating this amount of power using air cooling is within the capabilities of commodity -server cooling components~\cite{coroamaPossibleFutureTrends2025}. +largely ignore storage for our size and power calculations. As a result, we end up with a total maximum power +dissipation of approximately \qty{420}{\watt} as shown in Table~\ref{tab_power_budget}. Dissipating this amount of power +using air cooling is within the capabilities of commodity server cooling +components~\cite{coroamaPossibleFutureTrends2025}. \begin{table} \centering @@ -267,16 +233,16 @@ server cooling components~\cite{coroamaPossibleFutureTrends2025}. A common type of side-channel attack on cryptographic systems are power analysis attacks. In such attacks, the supply current of the target processing system is measured at high speed while the target is performing cryptographic computations. By aggregating the results of a large number of the resulting power traces, it is often possible to infer -the value of secret data such as cryptographic keys. To mitigate this type of attack, not only do we have to place the -CPU, mainboard, and memory inside of the HSM's tamper-sensing barrier, but also the power supply. A secondary benefit of -placing the power supply inside the tamper-sensing barrier is that it simplifies the power wiring between the outside of -the IHSM cage and the payload. Supplying the \qty{12}{\volt} power rails that commodity mainboard commonly use requires -tens of Ampere. To carry such high current, the wiring has to be sized accordingly. In an IHSM, even thick wires can -easily be passed through the mesh cage, but such wiring requires a large opening at the shaft on one end of the cage, -which creates a literal security gap. Placing the power supply inside of the cage reduces the size of the wires needed -since the power supply steps down a lower current \qty{240}{\volt} input to the system's high-current \qty{12}{\volt} -rails. According to DIN VDE 0298-4\todo{Citation?}, a pair of \qty{1.5}{\milli\meter^2} conductors is sufficient for -more than \qty{3}{\kilo\watt} of load under worst-case conditions. +the value of secret data such as cryptographic keys. To mitigate this type of attack, we propose placing the system's +power supply inside the IHSM envelope. A secondary benefit of placing the power supply inside the tamper-sensing barrier +is that it simplifies the power wiring between the outside of the IHSM cage and the payload. Supplying the +\qty{12}{\volt} power rails that commodity mainboard commonly use requires tens of Ampere. To carry such high current, +the wiring has to be sized accordingly. In an IHSM, even thick wires can easily be passed through the mesh cage, but +such wiring requires a large opening at the shaft on one end of the cage, which creates a literal security gap. Placing +the power supply inside of the cage reduces the size of the wires needed since the power supply steps down a lower +current \qty{240}{\volt} input to the system's high-current \qty{12}{\volt} rails. Using DIN VDE 0298-4\todo{Citation?} +as a reference, a pair of \qty{1.5}{\milli\meter^2} conductors is sufficient for more than \qty{3}{\kilo\watt} of load +under worst-case conditions. \subsection{Software Considerations} @@ -298,9 +264,6 @@ software without effectively running a system emulation and incurring a massive Intel and AMD contain hardware features that provide transparent DRAM encryption. These hardware features would be necessary when securing an entire sever in an MPC setup with IHSMS technology. -% \subsection{Fast Zeroization of Non-Customizable Memories} -% Thermite experiements and paper - \subsection{A Joint Cooling and IHSM Envelope Powertrain} In this section, we will present a sketch of a design for an IHSM envelope large enough to fit a small server mainboard, @@ -327,34 +290,35 @@ while simultaneously providing cooling to the payload. \end{figure} Our proposed design is based on the idea of using the cooling fans' airflow to power the rotation of the IHSM envelope. -Figure~\ref{fig_setup} shows a conceptual demonstration of this concept. Using the basic cylindrical design, the IHSM -envelope consists of two discs above and below the payload that are connected through vertical struts containing part of -the tamper-sensing mesh on the outside of the payload. We propose widening these vertical connecting struts, and angling -them such that the entire envelope becomes a centrifugal impeller. By letting air flow into the envelope from the side, -and back out through its top and bottom, the envelope assumes the same configuration used in centrifugal cooling fans. +Figure~\ref{fig_setup} shows a conceptual demonstration of this approach. Using a basic cylindrical design, the IHSM +envelope consists of two discs above and below the payload that are connected through vertical struts on the outside of +the payload. We propose widening these vertical connecting struts, and angling them such that the entire envelope +becomes a centrifugal impeller. By letting air flow into the envelope from the side, and back out through its top and +bottom, the envelope assumes the same configuration used in centrifugal cooling fans. Tamper sensing meshes are placed +inside the vertical struts as well as along the horizontal discs at the top and at the bottom. Laying out an IHSM this way has several advantages. First, we save some vertical space by removing the motor from the -shaft of the mesh. Second, on top of driving the mesh, the airflow also serves to cool the payload. Second, this +shaft of the mesh. Second, on top of driving the mesh, the airflow also serves to cool the payload. Finally, this approach eliminates the motor driving the mesh as a single point of failure. In a basic IHSM design as we introduced it -in Chapter~\ref{chapter-ihsm}, this motor is a critical component as it failing would lead to the mesh accelerometer -triggering the tamper alarm. Using a brushless motor type the numebr of wear components in this motor can be reduced to -the motor's shaft bearings. A complication in the practical manufacturing of IHSMs at a small scale is that small-scale -production does not allow for a custom-made motor. Limiting the selection to off-the-shelf brushless motors leads to an -unpredictability of bearing life since precise bearing specifications are not usually included in motor datasheets. +in Chapter~\ref{chapter-ihsm}, this motor is a critical component as its failure would lead to the mesh accelerometer +triggering the deceleration tamper alarm. Using a brushless motor type the number of wear components in this motor can +be reduced to the motor's shaft bearings. A complication in the practical manufacturing of IHSMs at a small scale is +that small-scale production does not allow for a custom-made motor. Limiting the selection to off-the-shelf brushless +motors leads to an unpredictability of bearing life due to the cost of precision bearings. Complicating things, bearing +specifications are not usually included in motor datasheets. Compared to the market for off-the-shelf small brushless motors, cooling fans are easier to shop for. A large selection of products with various form factors and specifications is available, and manufacturers usually give detailed -information on both performance and lifetime. For industrial and server cooling fans, uninterrupted 24/7 operation is -their nominal operating condition. +information on both performance and lifetime. Industrial and server cooling fans are commonly rated for uninterrupted +24/7 operation. The cooling fans can be located on the outside of the envelope in an easily accessible location. Like in +many servers, they can be set up in a redundant way such that a failed cooling fan can be replaced while the system +continues to operate. -The cooling fans can be located on the outside of the envelope in an easily accessible location, and can be set up in a -redundant way such that a failed cooling fan can be replaced while the system continues operation. - -The main drawback of a fan-driven IHSM is the necessary airflow. To maximize payload volume, the fan blades must be kept -as narrow as possible. Narrow fan blades work best at high air speed, but high air speed requires the fan to have high -airflow. Besides limiting fan selection and increasing power consumption, high airflow fans also are noisy. Despite -these limitations, we consider fan-driven IHSMs a valid tradeoff since such a system would most likely be deployed in a -datacenter where high noise levels are acceptable. +The main drawback of a fan-driven IHSM is the amount of airflow necessary. To maximize payload volume, the fan blades +must be kept as narrow as possible. Narrow fan blades work best at high air speed, but high air speed requires the fan +to have high airflow. Besides limiting fan selection and increasing power consumption, high airflow fans also are noisy. +Despite these limitations, we consider fan-driven IHSMs a valid tradeoff since such a system would most likely be +deployed in a datacenter where high noise levels are acceptable. \section{Outlook} diff --git a/main.bib b/main.bib index 68cb0c8..df8ae5b 100644 --- a/main.bib +++ b/main.bib @@ -2672,9 +2672,11 @@ Subject\_term: Computer science} title = {High {{Fidelity Security Mesh Monitoring}} Using {{Low-Cost}}, {{Embedded Time Domain Reflectometry}}}, booktitle = {Transactions on {{Cryptographic Hardware}} and {{Embedded Systems}}}, author = {Götte, Jan Sebastian and Scheuermann, Björn}, - date = {2026}, + date = {2026-01}, volume = {2026/1}, + pages = {533--558}, publisher = {IACR}, + doi = {10.46586/tches.v2026.i1.533-558}, url = {https://eprint.iacr.org/2025/1962}, urldate = {2025-11-04}, abstract = {Security Meshes are patterns of sensing traces covering an area that are used in Hardware Security Modules (HSMs) and other systems to detect attempts to physically intrude into the device's protective shell. State-of-the-art solutions manufacture meshes in bespoke processes from carefully chosen materials, which is expensive and makes replication challenging. Additionally, state-of-the-art monitoring circuits sacrifice either monitoring precision or cost efficiency. In this paper, we present an embeddable security mesh monitoring circuit constructed from low-cost, standard components that utilizes Time Domain Reflectometry (TDR) to create a unique fingerprint of a mesh. Our approach is both low-cost and precise, and enables the use of inexpensive standard Printed Circuit Boards (PCBs) as security mesh material. We demonstrate a working prototype of our TDR circuit costing less than 10 € in components that achieves both time resolution and rise time better than 200 ps—a 25 × improvement over previous work. We demonstrate a simple classifier that detects several types of advanced attacks such as probing using an oscilloscope probe or micro-soldering attacks with no false negatives.}, diff --git a/thesis.tex b/thesis.tex index 092d9bc..6a3eaa9 100644 --- a/thesis.tex +++ b/thesis.tex @@ -33,6 +33,8 @@ \input{titlepage.tex} \frontmatter +\chapter*{Akademischer Werdegang} +\includepdf[pages=-]{lebenslauf-en-akademischer-werdegang-diss.pdf} \input{abstract-de.tex} \input{abstract.tex} \input{ai-llm-use-disclosure.tex}