610 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 4, JULY/AUGUST 2012 Secure Failure Detection and Consensus in TrustedPals Roberto Cortin˜as, Felix C. Freiling, Marjan Ghajar-Azadanlou, Alberto Lafuente, Mikel Larrea, Lucia Draque Penso, and Iratxe Soraluze Abstract—We present a modular redesign of TrustedPals, a smart card-based security framework for solving Secure Multiparty Computation (SMC). Originally, TrustedPals assumed a synchronous network setting and allowed to reduce SMC to the problem of fault-tolerant consensus among smart cards. We explore how to make TrustedPals applicable in environments with less synchrony and show how it can be used to solve asynchronous SMC. Within the redesign we investigate the problem of solving consensus in a general omission failure model augmented with failure detectors. To this end, we give novel definitions of both consensus and the class P of failure detectors in the omission model, which we call PðomÞ, and show how to implement PðomÞ and have consensus in such a system with very weak synchrony assumptions. The integration of failure detection and consensus into the TrustedPals framework uses tools from privacy enhancing techniques such as message padding and dummy traffic. Index Terms—Failure detection, fault-tolerance, smart cards, consensus, secure multiparty computation, message padding, dummy traffic, general omission model, security performance, reliability. Ç 1INTRODUCTION ONSIDER a set of parties who wish to correctly compute modules are realized using Java Card Technology enabled Csome common function F of their local inputs, while smart cards [3], tamper-proof Subscriber Identity Modules keeping their local data as private as possible, but who do not (SIM) [4] like those used in mobile phones, or storage cards trust each other, nor the channels by which they commu- with built-in tamper-proof processing devices [5]. Roughly nicate. This is the problem of Secure Multiparty Computation speaking, solving SMC among processes is achieved by (SMC) [1]. SMC is a very general security problem, i.e., it can having security modules jointly simulate a Trusted Third Party be used to solve various real-life problems such as (TTP), as we now explain. distributed voting, private bidding and online auctions, To solve SMC in the TrustedPals framework, the sharing of signature or decryption functions and so on. function F is coded as a Java function and is distributed Unfortunately, solving SMC is—without extra assump- within the network in an initial setup phase. Then, processes tions—very expensive in terms of communication (number hand their input value to their security module and the of messages), resilience (amount of redundancy), and time framework accomplishes the secure distribution of the input (number of synchronous rounds). values. Finally, all security modules compute F and return TrustedPals [2] is a smart card-based security framework the result to their process. The network of security modules for solving SMC which allows much more efficient solutions sets up confidential and authenticated channels between to the problem. Conceptually, TrustedPals considers a each other and operates as a secure overlay within the distributed system in which processes are locally equipped distribution phase. Roughly speaking, within this secure with tamper-proof security modules. In practice, processes overlay arbitrary and malicious behavior of an attacker is are implemented as a Java desktop application and security reduced to process crashes and message omissions. Trus- tedPals therefore allows to reduce the security problem of . R. Cortin˜as, A. Lafuente, M. Larrea, and I. Soraluze are with the Facultad SMC to a problem of fault-tolerant synchronization [2], an de Informa´tica, University of the Basque Country UPV/EHU, Paseo area which has a long research tradition in fault-tolerant Manuel de Lardizabal 1, E-20018 Donostia, Spain. E-mail: {roberto.cortinas, alberto.lafuente, mikel.larrea, distributed computing (see, for example, Lynch [6]). How- iratxe.soraluze}@ehu.es. ever, solving the synchronization problem alone is not trivial, . F.C. Freiling is with the Friedrich-Alexander-University Erlangen- especially since we investigate it under message omission Nu¨rnberg, Lehrstuhl fu¨r Informatik 1 (IT-Sicherheitsinfrastrukturen), failures, a failure scenario which is rather unusual. Further- Am Wolfmantel 46, 91058 Erlangen, Germany. E-mail: [email protected]. more, the reduction from security to fault-tolerance creates a . M. Ghajar-Azadanlou is with the Bayer Business Services, 51368 new set of validation obligations regarding the integration of Leverkusen, Germany. a fault-tolerant algorithm into a secure system, which is also E-mail: [email protected]. L.D. Penso is with the Faculty of Mathematics and Economics, Institute for far from being trivial. Optimization and Operations Research, University of Ulm, 89069 Ulm, The initial definition of TrustedPals and its implementa- Germany. E-mail: [email protected]. tion assumed a synchronous network setting, i.e., a setting in Manuscript received 2 July 2010; revised 23 June 2011; accepted 9 Feb. 2012; which all important timing parameters of the network are published online 17 Feb. 2012. bounded and known. This makes TrustedPals sensitive to For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference IEEECS Log Number TDSC-2010-07-0109. unforeseen variations in network delay and therefore not Digital Object Identifier no. 10.1109/TDSC.2012.23. very suitable for deployment in networks like the Internet. 1545-5971/12/$31.00 ß 2012 IEEE Published by the IEEE Computer Society CORTINAS~ ET AL.: SECURE FAILURE DETECTION AND CONSENSUS IN TRUSTEDPALS 611 In this paper, we explore how to make TrustedPals can cause processes to only be able to communicate indirectly applicable in environments with less synchrony. More and we admit processes to participate in consensus even if precisely, we show how to solve the asynchronous version they cannot communicate directly. Delporte-Gallet et al. [21] of SMC using asynchronous synchronization algorithms only guarantee that all processes that can communicate inspired by recent results in fault-tolerant distributed directly with each other solve consensus. In contrast, we allow computing: we use an asynchronous consensus algorithm also another set of processes to propose and decide: those and encapsulate (some very weak) timing assumptions which are able to send and receive messages even indirectly. within a device known as a failure detector [7]. As a minor difference, we focus on the class P of eventually The concept of a failure detector has been investigated in perfect failure detectors whereas they [21] implement the quite some detail in systems with merely crash faults [8]. In failure detector. Furthermore, they [21] do not describe such systems, correct processes (i.e., processes which do not how to integrate failure detection and consensus within the crash) must eventually permanently suspect crashed pro- TrustedPals framework: a realistic adversary who is able to cesses. There is very little work on failure detection and selectively influence the communication messages of the consensus in message omission environments. In fact, it is algorithms for failure detection and consensus can cause their not clear what a sensible definition of a failure detector (and consensus algorithm to fail. This problem is partly addressed consensus) is in such environments because the notion of a in a recent paper [22] where consensus and failure detection correct process can have several different meanings (e.g., a are integrated for efficiency purposes, not for security. process with no failures whatsoever or a process which Apart from Delporte-Gallet et al. [21], other authors also does not crash but just omits some messages). In this work, investigated solving consensus in systems with omission instead of correct processes, we will consider well-connected faults. Work by Dolev et al. [23], [24] also follows the failure processes, i.e., those processes which are able to compute detector approach to solve consensus, however they focus and communicate without omissions with a majority of on the class SðomÞ of failure detectors. Babaoglu et al. [25] processes. also follow the path of S to solve consensus in partition- 1.1 Related Work able systems. Alternatively, Santoro and Widmayer [26] assume a synchronous system model, and Moniz et al. [27] Our work on TrustedPals can be regarded as building use randomization. failure detectors for arbitrary (Byzantine) failures, which has Recently, solving SMC without security modules has been investigated previously (see, for example, Malkhi and received some attention focusing mainly on two-party Reiter [9], Kihlstrom et al. [10], Doudou et al. [11], Doudou protocols [28], [29], [30], [31], [32], [33]. In systems with et al. [12], Haeberlen et al. [13], [14], and more recently security modules, Avoine and Vaudenay [34] examined the Haeberlen and Kuznetsov [15]). In contrast to previous approach of jointly simulating a TTP. This approach was works on Byzantine failure detectors, we use security later extended by Avoine et al. [35] who show that in a modules to avoid the tar pits of this area. This contrasts system with security modules fair exchange can be reduced TrustedPals to the large body of work that tackles Byzantine to a special form of consensus. They derive a solution to fair faults directly, like Castro and Liskov’s “Practical Byzantine exchange in a modular way so that the agreement abstrac- Fault-Tolerance” [16] or more recently the Aardvark system tion can be implemented in diverse manners. Benenson et al. by Clement et al. [17] and the Turquois protocol by Moniz [2] extended this idea to the general problem of SMC and et al. [18]. While being conceptually simpler, Byzantine- showed that the use of security modules cannot improve the tolerant protocols necessarily have to assume a two-thirds resilience of SMC but enables more efficient solutions for majority of correct processes in nonsynchronous settings SMC problems.