Fortified Multi-Party Computation: Taking Advantage of Simple Secure
Total Page:16
File Type:pdf, Size:1020Kb
Proceedings on Privacy Enhancing Technologies ; 2021 (4):312–338 Brandon Broadnax, Alexander Koch, Jeremias Mechler, Tobias Müller, Jörn Müller-Quade, and Matthias Nagel Fortified Multi-Party Computation: Taking Advantage of Simple Secure Hardware Modules Abstract: In practice, there are numerous settings where 1 Introduction mutually distrusting parties need to perform distributed computations on their private inputs. For instance, par- Secure multi-party computation (MPC), which allows ticipants in a first-price sealed-bid online auction do not mutually distrusting parties to securely evaluate a pre- want their bids to be disclosed. This problem can be ad- defined function on their private inputs via a protocol, dressed using secure multi-party computation (MPC), is a central privacy-enhancing technology that can be where parties can evaluate a publicly known function on used in a wide range of scenarios. Examples include their private inputs by executing a specific protocol that only reveals the correct output, but nothing else about – auctions (protecting the bids’ confidentiality) [8], the private inputs. Such distributed computations per- – contact discovery (protecting the contacts’ confiden- formed over the Internet are susceptible to remote hacks tiality) [35], that may take place during the computation. As a con- – toll collection (protecting e.g. location data) [21], sequence, sensitive data such as private bids may leak. – medicine (protecting highly sensitive data such as All existing MPC protocols do not provide any protec- (parts of) the genome) [3, 48], tion against the consequences of such remote hacks. – electronic payment (ensuring privacy and e.g. un- We present the first MPC protocols that protect the re- linkability) or [7], motely hacked parties’ inputs and outputs from leaking. – voting (e.g. confidentiality of the votes and correct- More specifically, unless the remote hack takes place ness of the vote count) [46]. before the party received its input or all parties are cor- Protocol parties may become corrupted, i.e. fall under rupted, a hacker is unable to learn the parties’ inputs adversarial control. This can happen prior to the start and outputs, and is also unable to modify them. We of the protocol execution, which is called static corrup- achieve these strong (privacy) guarantees by utilizing tions. Furthermore, protocol parties may also become the fact that in practice parties may not be susceptible corrupted during the protocol execution via remote to remote attacks at every point in time, but only while hacks. This type of corruption is called adaptive corrup- they are online, i.e. able to receive messages. tions, first proposed in [13]. Up to now, all MPC con- To this end, we model communication via explicit chan- structions leak the private inputs of parties corrupted nels. In particular, we introduce channels with an air- during protocol execution. However, the fact that the gap switch (disconnect-able by the party in control of adversary learns all secrets of a corrupted party should the switch), and unidirectional data diodes. These chan- be of a major concern, as there are plenty of sensitive nels and their isolation properties, together with very MPC applications where this results in substantial real- few, similarly simple and plausibly remotely unhackable world damage. In this work, we provide constructions hardware modules serve as the main ingredient for at- where the adversary does not necessarily learn the in- taining such strong security guarantees. In order to for- puts of parties corrupted via remote hacks during the malize these strong guarantees, we propose the UC with protocol execution. Furthermore, this also holds for the Fortified Security (UC#) framework, a variant of the corrupted parties’ outputs. Universal Composability (UC) framework. As an example, consider two government agencies from different countries that want to perform a pri- Keywords: universal composability, remotely unhack- vate set intersection to learn who is on both countries’ able hardware modules, security notions, isolation DOI 10.2478/popets-2021-0072 Received 2021-02-28; revised 2021-06-15; accepted 2021-06-16. Alexander Koch, Jeremias Mechler, Jörn Müller- Quade: Competence Center for Applied Security Technology (KASTEL), Karlsruhe Institute of Technology (KIT) Fortified Multi-Party Computation 313 wanted lists. In such a setting, it is very plausible that point. After receiving input (via the input port), the par- i) both parties can protect their devices against attacks ties authenticate, mask and share their secrets in such requiring direct physical access but ii) are, at the same a way that mounting online attacks gives the adversary time, still susceptible to remote hacks from a nation- control over a party but not the ability to learn the state attacker. Previous MPC protocols, even ones that party’s inputs or outputs, nor to modify them unless are adaptively UC-secure, would not protect the re- he gains control over all parties. This stands in contrast motely hacked party’s inputs’ and outputs’ privacy and to adaptive corruptions where an adversary may learn integrity. Surprisingly, such strong and novel guarantees and modify the inputs and outputs of corrupted parties are possible and provided by our constructions. after they received input. Although the possibility for We achieve this by exploiting the so-far overlooked parties to perform a secure erasure seems necessary for observation that in all likely real-world scenarios, proto- such a strong protection, we show that this assumption col parties who are not connected to the Internet just can be dropped in the full version. Also, the security of cannot be remotely “hacked”. For instance, a party may some of our constructions gracefully degrades to (essen- use data diodes (unidirectional channels) or disconnect tially) standard adaptive UC security if the assumptions itself via air-gap switches. With this, we can now intro- about the remotely unhackable hardware modules, chan- duce a distinction (motivated from the real world but nels and secure erasures turn out to be wrong (cf. Ap- with considerable theoretical interest) between remote pendix A). This illustrates that security is not a binary hacks (e.g. sending malware), called online attacks in property. We thus see our work as a first step towards the following, and so-called physical attacks (e.g. replac- a nuanced view of cryptographic security, which can be ing a part of the hardware or exploiting the larger attack seen as a step towards the quantification of security. surface provided by physical access to the device). In a bit more detail, we introduce a method for forti- In conjunction with data diodes and air-gap fying any generic MPC protocol2 secure in the presence switches, a protocol party may also use additional re- of adaptive corruptions, so that the resulting protocol motely unhackable hardware modules. An example of provides the above-mentioned strong (privacy) guaran- such an additional hardware module is a simple encryp- tees. The constructions we present provide these guaran- tion unit that only implements a specific public key en- tees even when arbitrary (possibly malicious) protocols cryption scheme. All hardware modules used in our con- are executed concurrently. structions are of very limited functionality and could be In order to adequately capture the guarantees pro- potentially formally verified for correctness, making it vided by our remotely unhackable hardware modules in plausible to assume them to be resilient against remote a concurrent setting, we propose UC with Fortified Se- hacking. In particular, an adversary can only corrupt curity, a variant of the UC framework [11]. Like UC se- such modules if he has direct physical access. Our as- curity, the notion of UC with Fortified Security is based sumptions are backed by commercially available devices on the simulation paradigm where the execution of the with the required or similar functionality, see Section 5. protocol under analysis is compared to an ideal proto- Utilizing only few and simple remotely unhackable col execution. In the ideal protocol, all (honest) par- hardware modules, we provide constructions with very ties do not communicate with each other but only hand strong security guarantees against online attacks. More their private inputs to a trusted third party which lo- specifically, online attacks i) mounted after a party re- cally evaluates the desired function and privately sends ceived its first input and ii) mounted before a party the results back to the parties. The protocol under anal- received input if the attack comes from the “outside” ysis, called the real protocol, is said to be secure if it do not allow an adversary to learn a corrupted party’s “emulates” the ideal protocol, i.e. any attack that can inputs and outputs nor to modify them, unless all par- be mounted in the real protocol can also be carried out ties are corrupted. Here, the “outside” denotes all chan- in the ideal protocol. Stated differently, for any given nels except one at a party’s input port1. In more detail, adversary against the real protocol, there exists an ad- the parties in our protocols are disconnected from the versary against the ideal protocol, called the simulator, outside while waiting for input and can therefore not that can cause the same damage in the ideal protocol be corrupted via online attacks from the outside at that 2 Informally, a generic MPC protocol such as [14, 29] can be 1 We use the informal notion of an input port to denote the used to securely realize practically any efficiently computable single channel via which a party can receive its first input. function. Fortified Multi-Party Computation 314 as the given adversary can cause in the real protocol. sary for encrypting the shares. This is therefore done As a consequence, all security guarantees of the ideal by a remotely unhackable encryption unit (connected world such as privacy carry over to an execution of the to its party via a data diode), which encrypts and sends protocol under analysis.