
Breaking MPC implementations through compression

  • João S. Resende
  • Patrícia R. Sousa
  • Rolando Martins
  • Luís Antunes
Regular Contribution

Abstract

There are many cryptographic protocols in the literature that are scientifically and mathematically sound. By extension, cryptography today seeks to respond to numerous properties of the communication process beyond confidentiality (secrecy), such as integrity, authenticity, and anonymity. In addition to the theoretical evidence, implementations must be equally secure. Due to the ever-increasing intrusion from governments and other groups, citizens are now seeking alternative ways of communication that do not leak information. In this paper, we analyze multiparty computation (MPC), a sub-field of cryptography whose goal is to create methods for parties to jointly compute a function over their inputs while keeping those inputs private. This is a very useful method that can be used, for example, to carry out computations on anonymous data without having to leak that data. Thus, given the importance of confidentiality in this type of technique, we analyze active and passive attacks using complexity measures (compression and entropy). We start by obtaining network traces and syscalls, then we analyze them using compression and entropy techniques. Finally, we cluster the traces and syscalls using standard clustering techniques. This approach does not need any deep specific knowledge of the implementations being analyzed. This paper presents a security analysis of four MPC frameworks, three of which were identified as insecure. These insecure libraries leak information about the inputs provided by each party in the communication. Additionally, we have detected, through a careful analysis of its source code, that SPDZ-2's secret sharing scheme always produces the same results.
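The abstract describes the measurement itself only in outline: compress traces, compute normalized compression distance (NCD) and entropy, then cluster. The following is an added illustration of that check, not code from the paper or from any of the frameworks it analyzes: it computes NCD with zlib and Shannon entropy, then scores how strongly a set of traces clusters by the secret input. The traces are constructed inline with a fixed seed; a hypothetical "leaky" implementation emits a block that is a fixed function of the secret, while a "sound" one emits fresh randomness each run.

```python
import math
import random
import zlib
from itertools import combinations


def c(data: bytes) -> int:
    """Compressed length, the computable stand-in for Kolmogorov complexity used by NCD."""
    return len(zlib.compress(data, 9))


def ncd(x: bytes, y: bytes) -> float:
    """Normalized compression distance: close to 0 for near-identical inputs, close to 1 for unrelated ones."""
    cx, cy = c(x), c(y)
    return (c(x + y) - min(cx, cy)) / max(cx, cy)


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits: 0.0 for a constant string, 8.0 when all 256 values are equally frequent."""
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def separation(traces):
    """traces: list of (secret_input, trace_bytes).
    Returns mean NCD between traces of different inputs minus mean NCD between traces of the
    same input. Near 0: compression cannot tell the inputs apart. Clearly positive: the traces
    cluster by input, i.e. the trace carries information about the secret."""
    same, diff = [], []
    for (a, x), (b, y) in combinations(traces, 2):
        (same if a == b else diff).append(ncd(x, y))
    return sum(diff) / len(diff) - sum(same) / len(same)


def make_traces(leaky: bool, runs_per_input: int = 4, seed: int = 1):
    """Constructed sample traces (not captured from any real MPC framework)."""
    rng = random.Random(seed)
    traces = []
    for secret in (0, 1):
        # Hypothetical leaky behaviour: a 192-byte block that depends only on the secret input.
        fixed = random.Random(1000 + secret).randbytes(192)
        for _ in range(runs_per_input):
            nonce = rng.randbytes(64)  # per-run randomness such as session keys or nonces
            body = fixed if leaky else rng.randbytes(192)
            traces.append((secret, body + nonce))
    return traces


if __name__ == "__main__":
    print("leaky implementation:", round(separation(make_traces(True)), 3))
    print("sound implementation:", round(separation(make_traces(False)), 3))
```

Traces captured from a real run (network payloads or syscall logs per party) can be fed to `separation` in the same `(input, bytes)` form; the absolute NCD values depend on the compressor, so compare implementations against each other rather than against a fixed threshold.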

Keywords

Multiparty computation; Normalized compression distance; Entropy; Secret sharing; Privacy; Cryptography

Acknowledgements

The work of João S. Resende was supported by a scholarship from the Fundação para a Ciência e Tecnologia (FCT), Portugal (scholarship Number PD/BD/128149/2016). The work of Patrícia R. Sousa and Luís Antunes was supported by Project “NanoSTIMA: Macro-to-Nano Human Sensing: Towards Integrated Multimodal Health Monitoring and Analytics/NORTE-01-0145-FEDER-000016,” financed by the North Portugal Regional Operational Programme (NORTE 2020), under the PORTUGAL 2020 Partnership Agreement, and through the European Regional Development Fund (ERDF). The work of Rolando Martins was supported by a scholarship from the Fundação para a Ciência e Tecnologia (FCT), Portugal (scholarship Number SFRH/BPD/115408/2016). This work is financed by National Funds through the FCT—Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within the project CMU Portugal CMU/CS/0042/2017.

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  • University of Porto, Porto, Portugal