diff --git a/chapter-smpc/chapter.tex b/chapter-smpc/chapter.tex index cf10a3c..f4eef50 100644 --- a/chapter-smpc/chapter.tex +++ b/chapter-smpc/chapter.tex @@ -56,6 +56,13 @@ same time, the mesh cannot be thinned either because thinning it would enable mi these constraints is a high thermal resistance between the HSM's processor and an external heat sink, which limits maximum power dissipation to a fraction of what is achieved in modern CPUs or even GPUs. +A secondary limitation of conventional HSMs is that the highly specialized tamper sensing foils used in their +construction often cannot be scaled to arbitray sizes without incurring unsustainable process yields due to the +multiplication of error rates with increasing area. As a result, even if the heat dissipation problem could be solved, +manufacturing the tamper sensing foil for a conventional HSM large enough to contain a more powerful CPU might not be +possible. The HSM's tamper-sensing envelope would have to protect not only the CPU itself, but also its supporting +components such as memory, power supplies and any internal heat spreading components. + Inertial HSMs solve this issue since they allow their payload to be air cooled without compromising security, and they expand the feasible security boundary size from the several hundred milliliters offered by conventional HSMs to several liters and more, enabling the integration of standard, off-the-shelf server components such as mainboards, CPUs, CPU @@ -87,20 +94,88 @@ of our design. \subsection{Practical Deployments} -\subsection{MPC in HSMs} - -\subsection{HSM Construction} - \subsection{Solutions} \section{A High-Performance IHSM for MPC Applications} -\subsection{A Practical Performance Target} +\subsection{MPC in HSMs} -\subsection{Hardware Requirements} +Multiparty Computation is at the verge of being practical in some applications, but is still too computationally +expensive for others. While some attempts at GPU-accelerating MPC primitives exist, in practice it is commonly +implemented using CPU processing. From the performance numbers given above\todo{Give performance numbers above} we can +see that a single, modern server-class CPU is sufficient for an useful amount of computation in MPC. + +A naive implementation might attempt to implement MPC using an HSM by simply offloading all cryptographic operations to +the HSM. In practice, this is not a workable solution due to the slow processing speed of conventional HSMs. +Conventional HSMs commonly use smartphone-class SoCs, which lag behind server CPUs in processing speed by several orders +of magniude. +\todo{Cite some HSM/MPC papers here.} + +In the near term, absent radical developments in either MPC theory or in the speed and power efficiency of processing +hardware, the only feasible solution for HSM-protected MPC at any practical scale is to find a way to protect an entire +server-class computer. As elaborated above, IHSMs are a natural fit for this requirement since they allow for large, +air-cooled payloads. + +%\subsection{Hardware Requirements} + +As a baseline performance target, we consider a commodity server mainboard in CEB or ATX form factor, populated with a +high-end server CPU and a large amount of RAM. As MPC systems do not usually require a great amount of storage, we can +largely ignore storage for our size and power calculations.\todo{Refer to performance numbers from research above here} + +As a result, we end up with a total maximum power dissipation of approximately \todo{Calculate, make table} XXX as shown +in Table~\ref{tab_power_budget}. Dissipating this amount of power using air cooling is within the capabilities of +commodity server cooling components\todo{Refer to datasheets}. + +\begin{table} + \centering + \begin{tabular}{r|l|r|r} + Count & Component & Maximum Power Dissipation Each & Total\\\hline + 1 & CPU: & &\\ + 16 & DDR-4 Memory modules: & &\\ + 1 & Mainboard: & &\\ + 1 & Power Supply: & &\\ + \end{tabular} + \caption{Power budget of a modern mid-range server. Power supply power dissipation calculated at target load.} + \label{tab_power_budget} +\end{table} + +A common type of side-channel attack on cryptographic systems are power analysis attacks. In such attacks, the supply +current of the target processing system is measured at high speed while the target is performing cryptographic +computations. By aggregating the results of a large number of the resulting power traces, it is often possible to infer +the value of secret data such as cryptographic keys. To mitigate this type of attack, not only do we have to place the +CPU, mainboard, and memory inside of the HSM's tamper-sensing barrier, but also the power supply. A secondary benefit of +placing the power supply inside the tamper-sensing barrier is that it simplifies the power wiring between the outside of +the IHSM cage and the payload. Supplying the \qty{12}{\volt} power rails that commodity mainboard commonly use requires +tens of Ampere. To carrie such high current, the wiring has to be sized accordingly. In an IHSM, even thick wires can +easily be passed through the mesh cage, but such wiring requires a large opening at the shaft on one end of the cage, +which creates a literal security gap. Placing the power supply inside of the cage reduces the size of the wires needed +since the power supply steps down a lower current \qty{240}{\volt} input to the system's high-current \qty{12}{\volt} +rails. According to DIN VDE 0298-4\todo{Citation?}, a pair of \qty{1.5}{\milli\meter^2} conductors is sufficient for +more than \qty{3}{\kilo\watt} of load under worst-case conditions. \subsection{Software Considerations} +While the hardware of a HSM-assisted MPC system is a straightforward application of IHSM technology to a server +platform, the software implementation poses some unique challenges. A core concern in an IHSM based on commodity +hardware running a commodity operating system is the concrete implementation of the IHSM's alarm reseponse. When the +IHSM detects tampering, it is crucial that all secrets in the payload have been made unusable before an attacker can +either extract them, or stop the system from making them unusable. + +Making secret data unusable to an attacker can take one of two forms depending on the implementation. The +straightforward approach is to \emph{zeroize} the secret data, i.e.~to irreversibly overwrite it with zeros or any +other pattern. While zeroizing sounds obvious and easy to implement, it comes with several practical challenges: + +\begin{enumerate} +\item Zeroization usually requires accessing each storage unit of data (i.e. a cache line, DRAM memory row, or FLASH +memory block) once. For large memories, especially for storage like FLASH SSDs, accessing every memory block takes a +large amount of time. If the attacker interrupts the erasing process e.g.~by physically destroying the CPU before it can +complete, they might be able to access unerased data. +\item In many memory technologies, data leaves ``residues'' in memory cells where it was stored, especially when it was +stored for a large amount of time. Particularly SRAM memory is susceptible to this effect.\todo{citation} +\end{enumerate} +% Mention ssds with self erase features +% mention ssd erase power consumption + \subsection{Fast Zeroization of Non-Customizable Memories} \subsection{A Joint Cooling and IHSM Envelope Powertrain} @@ -214,7 +289,7 @@ Often, these rotating joint WPT systems use coaxial structures, but segmented ap In lower-power applications, segmented approaches are more common. A key challenge in segmented approaches is the reduction of secondary-side ripple induced when the segments' alignment changes throught one revolution~\cite{ zhangWirelessSensorPower2024, -}, which usually requires additional secondary-side circuitry. This paper introduces a planar coil topology for WPT +}, which usually requires additional secondary-side circuitry. In this work, we introduce a planar coil topology for WPT through a rotating joint using a single planar PCB coil on both the transmitting and the receiving side that improves rotation ripple at low turn counts. @@ -412,7 +487,7 @@ basket-woven coils, the mandrel can be pulled out after the coil is finished. Li structure can be made mechanically stable with some lacquer, with the turns carrying the layers where they cross. Both construction techniques apply similar principles to those leading to the improved high-frequency behavior of -twisted inductors that we describe in this paper.\footnote{Interestingly, the winding schemes of both honeycomb and +twisted inductors that we describe in this chapter.\footnote{Interestingly, the winding schemes of both honeycomb and basket-woven coils are also governed by the same coprimality condition between the number of turns and the number of inversions within each turn that we describe for our twisted inductors below, although we could not find an example in historic literature where this condition was explicitly stated~\cite{eppenAnforderungenEinzelteileRundfunkempfanger1927, @@ -501,8 +576,9 @@ naturally connect in series, with the resulting spirals on the top and bottom la conventional two-layer inductor, and with $k=2$ inversions, creating two interleaved spirals on both the top and the bottom layer of the PCB. Figure\ \ref{fig_nk_complex_illust} shows additional layout examples for other values of $n$ and $k$. For $k=\frac{1}{2}$, we get a standard single-layer planar spiral inductor for any turn count $n$, and for -$k=1$ we get a standard two-layer planar spiral inductor for any turn count $n$. In this paper, we will call all layouts -with $k\ge 2$ \emph{Twisted Inductors}. The coordinate description of Equation\ \ref{eqn_twolayer_spiral} thus becomes: +$k=1$ we get a standard two-layer planar spiral inductor for any turn count $n$. In this chapter, we will call all +layouts with $k\ge 2$ \emph{Twisted Inductors}. The coordinate description of Equation\ \ref{eqn_twolayer_spiral} thus +becomes: \begin{align} \varphi &= 2\pi n t\\\nonumber @@ -626,9 +702,9 @@ case. \subsubsection{CAD Integration} -To allow for easy design with twisted inductors and to speed up the laboratory prototyping we performed for this paper, -we created a tool that generates arbitrary twisted inductor layouts, and that is able to output these layouts as PCB -footprint files for the open source KiCad EDA CAD tool~\cite{KiCadEDA}. We integrated the ESR and inductance +To allow for easy design with twisted inductors and to speed up the laboratory prototyping we performed for this +chapter, we created a tool that generates arbitrary twisted inductor layouts, and that is able to output these layouts +as PCB footprint files for the open source KiCad EDA CAD tool~\cite{KiCadEDA}. We integrated the ESR and inductance approximations as derived above with our tool, so that it provides immediate design feedback when generating inductors. In order to minimize ESR and maximize PCB area utilization, we made the tool automatically calculate the largest possible trace width when given a minimum clearance specification. @@ -639,9 +715,6 @@ section below, our tool contains functionality to map gerbonara's geometry repre gmsh~\cite{geuzaineGmsh3DFinite2009}, the FEM mesher that we chose to interface with Elmer FEM~\cite{ruokolainenElmerCSCElmerfemElmer2023}. -Our inductor design tool is available in this paper's supplementary material as well as at the git repository linked at -the end of this paper. - \subsection{FEM Simulation} To validate our analytical approximations, we performed a series of FEM simulations in Elmer FEM. For a number of @@ -697,7 +770,7 @@ approximately a factor of two. Going from a simple single-layer spiral inductor ($k=1$), we observe that the resulting inductance decreases by up to \qty{15}{\percent}. We suspect that the main factor leading to this decrease is radial magnetic flux leakage through the PCB material between the inductor's layers. Comparing simple two-layer inductors with $k=1$ to the twisted inductors with larger $k$ values that we propose in this -paper, we observe almost identical performance for $k>1$ with decreases of less than \qty{0.5}{\percent} going from +chapter, we observe almost identical performance for $k>1$ with decreases of less than \qty{0.5}{\percent} going from $k=1$ to $k=3$ irrespective of turn count. From these measurements we can conclude that the flux linkage of twisted inductors almost perfectly matches that of simple two-layer inductors. @@ -861,7 +934,7 @@ angles to one another. \begin{figure} \begin{center} - \includegraphics[width=.85\textwidth]{test_schematic.pdf} + \includegraphics[width=.65\textwidth]{test_schematic.pdf} \end{center} \caption{The test schematic used in all measurements. For direct coupling factor measurements, the load resistor was disconnected. We measure voltage at the output of the function generator to account for drop in its internal output @@ -876,7 +949,7 @@ using Keysight 34465A multimeters in AC Root Mean Square (RMS) mode. \begin{figure} \begin{center} - \includegraphics[width=0.3\textwidth]{symmetry_3turn_n_twist.pdf} + \includegraphics[width=0.8\textwidth]{symmetry_3turn_n_twist.pdf} \end{center} \caption{RMS output voltage of the test circuit from Figure\ \ref{fig_test_schematic} for three pairs of matching inductors with one inductor rotating w.r.t.\ the other. The inductors have $n=3$ turns each and $k=\frac{1}{2}$, @@ -911,7 +984,7 @@ pitch, as their turns deviate the furthest from a set of ideal, concentric circl \begin{figure} \begin{center} - \includegraphics[width=.85\textwidth]{k_ripple_plot.pdf} + \includegraphics[width=.65\textwidth]{k_ripple_plot.pdf} \end{center} \caption{RMS Voltage ripple in a model rotating WPT setup with $R_L=\qty{10}{\ohm}$ as a percentage of total RMS output voltage, plotted against inductor inversion count $k$. Measurements were taken with a number of different @@ -939,24 +1012,40 @@ pitch, as their turns deviate the furthest from a set of ideal, concentric circl \begin{figure} \begin{center} - \includegraphics[width=.75\textwidth]{rms_ripple_double_rotation_n3_r4.pdf} + \includegraphics[width=.65\textwidth]{rms_ripple_double_rotation_n3_r4.pdf} \end{center} \caption{RMS ripple magnitude as a percentage of mean RMS output voltage, plotted against the rotation of each of the two inductors. The two coils were kept at a constant \qty{4}{\milli\meter} radial offset, and the output coil - was loaded with a \qty{10}{\ohm} load. All RMS ripple plots in this paper share the same color scale to allow for + was loaded with a \qty{10}{\ohm} load. All RMS ripple plots in this chapter share the same color scale to allow for visual comparison. This figure shows four variants of 3-turn coils, plots for $n=5$ can be found in Figure\ - \ref{fig_rms_ripple_n5} and plots for $n=\{10,25\}$ in Figures \ref{fig_rms_ripple_n10} and \ref{fig_rms_ripple_n25} - in the Appendix.} + \ref{fig_rms_ripple_n5} and plots for $n=\{10,25\}$ in Figures \ref{fig_rms_ripple_n10} and + \ref{fig_rms_ripple_n25}.} \label{fig_rms_ripple_n3} \end{figure} -%\begin{figure} -% \begin{center} -% \includegraphics[width=.75\figurescale]{rms_ripple_double_rotation_n5_r4.pdf} -% \end{center} -% \caption{RMS ripple magnitude as shown in Figure\ \ref{fig_rms_ripple_n3} for four different 5-turn coils.} -% \label{fig_rms_ripple_n5} -%\end{figure} +\begin{figure} + \begin{center} + \includegraphics[width=.65\textwidth]{rms_ripple_double_rotation_n10_r4.pdf} + \end{center} + \caption{RMS ripple magnitude as shown in Figure\ \ref{fig_rms_ripple_n3} for four different 10-turn coils.} + \label{fig_rms_ripple_n10} +\end{figure} + +\begin{figure} + \begin{center} + \includegraphics[width=.65\textwidth]{rms_ripple_double_rotation_n25_r4.pdf} + \end{center} + \caption{RMS ripple magnitude as shown in Figure\ \ref{fig_rms_ripple_n3} for four different 25-turn coils.} + \label{fig_rms_ripple_n25} +\end{figure} + +\begin{figure} + \begin{center} + \includegraphics[width=.65\textwidth]{rms_ripple_double_rotation_n5_r4.pdf} + \end{center} + \caption{RMS ripple magnitude as shown in Figure\ \ref{fig_rms_ripple_n3} for four different 5-turn coils.} + \label{fig_rms_ripple_n5} +\end{figure} \subsection{Future Work} @@ -975,7 +1064,7 @@ resistances, and skin effect will affect both to a differring extent. \subsection{Conclusion} -In this paper, we introduced a novel layout approach for planar, multi-layer inductors. Our \emph{twisted} inductors +In this chapter, we introduced a novel layout approach for planar, multi-layer inductors. Our \emph{twisted} inductors generalize several types of conventional planar inductors including conventional single- or two-layer planar spiral inductors as well as planar toroidal inductors. For inversion count parameter $k\ge 2$, twisted inductors produce magnetic field distributions that have better rotational symmetry along the inductor's main axis compared to either @@ -988,12 +1077,9 @@ increased inductance compared to conventional two-layer planar spiral inductors. We base our evaluation on laboratory measurements on a set of 39 sample inductors in total, including an automated, four-dimensional mapping of the coupling between a pair of identical inductors. We provide both an analytical -description of twisted inductor construction as well as a set of Open-Source tools for their design, available at the -link at the end of this paper. +description of twisted inductor construction as well as a set of Open-Source tools for their design. -%\section{Supplemental plots} - %\begin{figure} % \begin{center} % \includegraphics[width=\figurescale]{symmetry_10turn_n_twist.pdf} @@ -1003,22 +1089,6 @@ link at the end of this paper. % \label{fig_symmetry_10turn_n_twist} %\end{figure} -%\begin{figure} -% \begin{center} -% \includegraphics[width=.75\figurescale]{rms_ripple_double_rotation_n10_r4.pdf} -% \end{center} -% \caption{RMS ripple magnitude as shown in Figure\ \ref{fig_rms_ripple_n3} for four different 10-turn coils.} -% \label{fig_rms_ripple_n10} -%\end{figure} - -%\begin{figure} -% \begin{center} -% \includegraphics[width=.75\figurescale]{rms_ripple_double_rotation_n25_r4.pdf} -% \end{center} -% \caption{RMS ripple magnitude as shown in Figure\ \ref{fig_rms_ripple_n3} for four different 25-turn coils.} -% \label{fig_rms_ripple_n25} -%\end{figure} - % Thermite experiements and paper \section{Outlook}