From d11dc09b04a314d469b9046e525ac8fb97bd6803 Mon Sep 17 00:00:00 2001 From: jaseg Date: Thu, 2 Oct 2025 07:43:11 +0200 Subject: [PATCH] Straighten up MPC chapter a bit --- chapter-conclusion/chapter.tex | 2 ++ chapter-smpc/chapter.tex | 65 ++++++++++++++++++++++------------ 2 files changed, 44 insertions(+), 23 deletions(-) diff --git a/chapter-conclusion/chapter.tex b/chapter-conclusion/chapter.tex index 2e0b672..35a71eb 100644 --- a/chapter-conclusion/chapter.tex +++ b/chapter-conclusion/chapter.tex @@ -1 +1,3 @@ \chaptertitle{Conclusion} + + diff --git a/chapter-smpc/chapter.tex b/chapter-smpc/chapter.tex index cc3e258..2c0ef11 100644 --- a/chapter-smpc/chapter.tex +++ b/chapter-smpc/chapter.tex @@ -168,26 +168,26 @@ thousands of gates, meaning these costs quickly escalate for practical problem s songhoriTinyGarbleHighlyCompressed2015 } +% FIXME This entire connecting section + %\subsection{Practical Application} %\subsubsection{Preprocessing and Online Phases} %\subsubsection{Constant-Round MPC} -\subsection{Performance} +% \subsection{Performance} % zahurTwoHalvesMake2015,wangGlobalScaleSecureMultiparty2017,kellerMPSPDZVersatileFramework2020,dalskovFantasticFourHonestMajority -\subsection{Practical Deployments} +% \subsection{Practical Deployments} -\subsection{Solutions} +% \subsection{Solutions} -\subsection{Hardware Security Applied to MPC} +% \subsection{Hardware Security Applied to MPC} -Hardware security primitives can be applied in several roles in an MPC protocol. +% Hardware security primitives can be applied in several roles in an MPC protocol. \section{A High-Performance IHSM for MPC Applications} -\subsection{MPC in HSMs} - Multiparty Computation is at the verge of being practical in some applications, but is still too computationally expensive for others. While some attempts at GPU-accelerating MPC primitives exist, in practice it is commonly implemented using CPU processing. From the performance numbers given above\todo{Give performance numbers above} we can @@ -249,26 +249,45 @@ hardware running a commodity operating system is the concrete implementation of IHSM detects tampering, it is crucial that all secrets in the payload have been made unusable before an attacker can either extract them, or stop the system from making them unusable. -Making secret data unusable to an attacker can take one of two forms depending on the implementation. The -straightforward approach is to \emph{zeroize} the secret data, i.e.~to irreversibly overwrite it with zeros or any -other pattern. While zeroizing sounds obvious and easy to implement, it comes with several practical challenges: - -\begin{enumerate} -\item Zeroization usually requires accessing each storage unit of data (i.e. a cache line, DRAM memory row, or FLASH -memory block) once. For large memories, especially for storage like FLASH SSDs, accessing every memory block takes a -large amount of time. If the attacker interrupts the erasing process e.g.~by physically destroying the CPU before it can -complete, they might be able to access unerased data. -\item In many memory technologies, data leaves ``residues'' in memory cells where it was stored, especially when it was -stored for a large amount of time. Particularly SRAM memory is susceptible to this effect.\todo{citation} -\end{enumerate} -% Mention ssds with self erase features -% mention ssd erase power consumption - -\subsection{Fast Zeroization of Non-Customizable Memories} +Making secret data unusable to an attacker can be done by either deleting it (\emph{zeroization} in HSM terminology) or +by encrypting the data when it is stored and destroying the key. Zeroization is more technically challenging, while +encryption comes at a performance cost. The main challenges in zeroization are ensuring that the data is deleted fast +enough, and making sure it cannot be reconstructed through data remanence effects. Zeroization is practical for small +amounts of RAM such as a microcontroller's main SRAM or a small amount of DRAM in a server set aside for cryptographic +keys. For larger amounts of data, or for any data stored on flash memory, HDDs etc., encryption is the only viable +option due to speed. Encrypting data at rest on HDD or flash storage is straightforward to do in software and is a +standard feature in any modern operating system. RAM is more challenging. Encrypting data in RAM cannot be done in +software without effectively running a system emulation and incurring a massive performance penalty. Recent CPUs from +Intel and AMD contain hardware features that provide transparent DRAM encryption. These hardware features would be +necessary when securing an entire sever in an MPC setup with IHSMS technology. +% \subsection{Fast Zeroization of Non-Customizable Memories} % Thermite experiements and paper \subsection{A Joint Cooling and IHSM Envelope Powertrain} +We have determined that our requirements are an IHSM envelope large enough to fit a small server mainboard, and that +provides air cooling to the payload. In this section, we will sketch out a solution that solves the engineering issue of +moving such an IHSM envelope while simultaneously providing cooling to the payload. + +% FIXME picture! +Our proposed design is based on the idea of using the cooling fans' airflow to power the rotation of the IHSM envelope. +Using the basic cylindrical design, the IHSM envelope consists of two discs above and below the payload that are +connected through vertical struts containing part of the tamper-sensing mesh on the outside of the payload. We propose +widening these vertical connecting struts, and angling them such that the entire envelope becomes a centrifugal +impeller. By letting air flow into the envelope from the side, and back out through its top and bottom, the envelope +assumes the same configuration used in centrifugal cooling fans. A secondary advantage of this concept is that we do not +need a motor on the envelope's shaft, saving vertical space and one difficult to source part. Furthermore, the cooling +fans can be located on the outside of the envelope in an easily accessible location, and can be set up in a redundant +way such that a failed cooling fan can be replaced while the system continues operation. The only disadvantage of this +solution over a direct motor drive is noise. To achieve the speed necessary for sufficient security at the large +envelope diameter of an MPC accelerator application, high-airflow fans must be used, which are very noisy when at full +speed. We consider this a valid tradeoff since such a system would be deployed in a datacenter where high noise levels +are acceptable. + \section{Outlook} +In this chapter we briefly introduced the challenges raised by MPC at scale, and we outlined a practical solution based +on an IHSM-protected sever that can be used to perform MPC with an unique combination of high bandwidth and low latency +that was previously considered impractical due to physical security concerns. +