jaseg/phd-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Straighten up MPC chapter a bit

Browse source
This commit is contained in:
jaseg 2025-10-02 07:43:11 +02:00
parent 086d45306e
commit d11dc09b04
2 changed files with 44 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

2
chapter-conclusion/chapter.tex
View file

@ -1 +1,3 @@
\chaptertitle{Conclusion}

65
chapter-smpc/chapter.tex
View file

@ -168,26 +168,26 @@ thousands of gates, meaning these costs quickly escalate for practical problem s
songhoriTinyGarbleHighlyCompressed2015
}
% FIXME This entire connecting section
%\subsection{Practical Application}
%\subsubsection{Preprocessing and Online Phases}
%\subsubsection{Constant-Round MPC}
\subsection{Performance}
% \subsection{Performance}
% zahurTwoHalvesMake2015,wangGlobalScaleSecureMultiparty2017,kellerMPSPDZVersatileFramework2020,dalskovFantasticFourHonestMajority
\subsection{Practical Deployments}
% \subsection{Practical Deployments}
\subsection{Solutions}
% \subsection{Solutions}
\subsection{Hardware Security Applied to MPC}
% \subsection{Hardware Security Applied to MPC}
Hardware security primitives can be applied in several roles in an MPC protocol.
% Hardware security primitives can be applied in several roles in an MPC protocol.
\section{A High-Performance IHSM for MPC Applications}
\subsection{MPC in HSMs}
Multiparty Computation is at the verge of being practical in some applications, but is still too computationally
expensive for others. While some attempts at GPU-accelerating MPC primitives exist, in practice it is commonly
implemented using CPU processing. From the performance numbers given above\todo{Give performance numbers above} we can
@ -249,26 +249,45 @@ hardware running a commodity operating system is the concrete implementation of
IHSM detects tampering, it is crucial that all secrets in the payload have been made unusable before an attacker can
either extract them, or stop the system from making them unusable.
Making secret data unusable to an attacker can take one of two forms depending on the implementation. The
straightforward approach is to \emph{zeroize} the secret data, i.e.~to irreversibly overwrite it with zeros or any
other pattern. While zeroizing sounds obvious and easy to implement, it comes with several practical challenges:
\begin{enumerate}
\item Zeroization usually requires accessing each storage unit of data (i.e. a cache line, DRAM memory row, or FLASH
memory block) once. For large memories, especially for storage like FLASH SSDs, accessing every memory block takes a
large amount of time. If the attacker interrupts the erasing process e.g.~by physically destroying the CPU before it can
complete, they might be able to access unerased data.
\item In many memory technologies, data leaves ``residues'' in memory cells where it was stored, especially when it was
stored for a large amount of time. Particularly SRAM memory is susceptible to this effect.\todo{citation}
\end{enumerate}
% Mention ssds with self erase features
% mention ssd erase power consumption
\subsection{Fast Zeroization of Non-Customizable Memories}
Making secret data unusable to an attacker can be done by either deleting it (\emph{zeroization} in HSM terminology) or
by encrypting the data when it is stored and destroying the key. Zeroization is more technically challenging, while
encryption comes at a performance cost. The main challenges in zeroization are ensuring that the data is deleted fast
enough, and making sure it cannot be reconstructed through data remanence effects. Zeroization is practical for small
amounts of RAM such as a microcontroller's main SRAM or a small amount of DRAM in a server set aside for cryptographic
keys. For larger amounts of data, or for any data stored on flash memory, HDDs etc., encryption is the only viable
option due to speed. Encrypting data at rest on HDD or flash storage is straightforward to do in software and is a
standard feature in any modern operating system. RAM is more challenging. Encrypting data in RAM cannot be done in
software without effectively running a system emulation and incurring a massive performance penalty. Recent CPUs from
Intel and AMD contain hardware features that provide transparent DRAM encryption. These hardware features would be
necessary when securing an entire sever in an MPC setup with IHSMS technology.
% \subsection{Fast Zeroization of Non-Customizable Memories}
% Thermite experiements and paper
\subsection{A Joint Cooling and IHSM Envelope Powertrain}
We have determined that our requirements are an IHSM envelope large enough to fit a small server mainboard, and that
provides air cooling to the payload. In this section, we will sketch out a solution that solves the engineering issue of
moving such an IHSM envelope while simultaneously providing cooling to the payload.
% FIXME picture!
Our proposed design is based on the idea of using the cooling fans' airflow to power the rotation of the IHSM envelope.
Using the basic cylindrical design, the IHSM envelope consists of two discs above and below the payload that are
connected through vertical struts containing part of the tamper-sensing mesh on the outside of the payload. We propose
widening these vertical connecting struts, and angling them such that the entire envelope becomes a centrifugal
impeller. By letting air flow into the envelope from the side, and back out through its top and bottom, the envelope
assumes the same configuration used in centrifugal cooling fans. A secondary advantage of this concept is that we do not
need a motor on the envelope's shaft, saving vertical space and one difficult to source part. Furthermore, the cooling
fans can be located on the outside of the envelope in an easily accessible location, and can be set up in a redundant
way such that a failed cooling fan can be replaced while the system continues operation. The only disadvantage of this
solution over a direct motor drive is noise. To achieve the speed necessary for sufficient security at the large
envelope diameter of an MPC accelerator application, high-airflow fans must be used, which are very noisy when at full
speed. We consider this a valid tradeoff since such a system would be deployed in a datacenter where high noise levels
are acceptable.
\section{Outlook}
In this chapter we briefly introduced the challenges raised by MPC at scale, and we outlined a practical solution based
on an IHSM-protected sever that can be used to perform MPC with an unique combination of high bandwidth and low latency
that was previously considered impractical due to physical security concerns.