
Breaking MPC implementations through compression

  • Regular Contribution
  • International Journal of Information Security

Abstract

Many cryptographic protocols in the literature are scientifically and mathematically sound, and cryptography today addresses numerous properties of the communication process beyond confidentiality (secrecy), such as integrity, authenticity, and anonymity. In addition to the theoretical evidence, implementations must be equally secure. Due to the ever-increasing intrusion from governments and other groups, citizens are now seeking alternative ways of communicating that do not leak information. In this paper, we analyze multiparty computation (MPC), a sub-field of cryptography whose goal is to create methods for parties to jointly compute a function over their inputs while keeping those inputs private. This is a very useful technique: it can be used, for example, to carry out computations on anonymous data without leaking that data. Given the importance of confidentiality in this type of technique, we analyze active and passive attacks using complexity measures (compression and entropy). We start by obtaining network traces and syscalls, then analyze them using compression and entropy techniques. Finally, we cluster the traces and syscalls using standard clustering techniques. This approach does not require any deep knowledge of the implementations being analyzed. This paper presents a security analysis of four MPC frameworks, three of which were identified as insecure: these libraries leak information about the inputs provided by each party in the communication. Additionally, through a careful analysis of its source code, we have detected that SPDZ-2’s secret sharing scheme always produces the same results.


Notes

  1. Entropy is a measure of unpredictability of information content [31].

  2. tcpdump is a tool that allows one to inspect the traffic passing through the data network. Like all sniffers, tcpdump can be used for good (e.g., detecting communication errors), but also for evil (e.g., capturing personal data).

  3. STrace allows the attacker to observe the system calls made by an application. STrace is useful because it helps the user understand what the system does during program execution, which can be a great help in tuning performance and resource management.

  4. Approximate Entropy is a technique used to quantify the amount of regularity and the unpredictability of fluctuations over time-series data [32].

  5. A network socket is an endpoint to the communication flow between two programs running over a network.

References

  1. Anderson, R.: Why cryptosystems fail. In: Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM (1993)

  2. Acar, Y., et al.: Comparing the usability of cryptographic APIs. In: Proceedings of the 38th IEEE Symposium on Security and Privacy (2017)

  3. Georgiev, M., et al.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: Proceedings of the 2012 ACM conference on Computer and communications security. ACM (2012)

  4. Reaves, B., et al.: Mo (bile) money, Mo (bile) problems: analysis of branchless banking applications in the developing world. In: USENIX Security Symposium (2015)

  5. Sousa, P.R., Antunes, L., Martins, R.: The present and future of privacy-preserving computation in fog computing. In: Rahmani, A., Liljeberg, P., Preden, J.-S., Jantsch, A. (eds.) Fog Computing in the Internet of Things, pp. 51–69. Springer, Berlin (2018)

  6. Back, A., Moller, U., Stiglic, A.: Traffic analysis attacks and trade-offs in anonymity providing systems. In: Information Hiding, vol. 2137 (2001)

  7. Cilibrasi, R., Paul, M.B.V.: Clustering by compression. IEEE Trans. Inf. Theory 51(4), 1523–1545 (2005)

  8. Wehner, S.: Analyzing worms and network traffic using compression. J. Comput. Secur. 15(3), 303–320 (2007)

  9. Santos, C.C., et al.: Clustering fetal heart rate tracings by compression. In: 19th IEEE International Symposium on Computer-Based Medical Systems. CBMS 2006. IEEE (2006)

  10. Damgård, I., et al.: Practical covertly secure MPC for dishonest majority or: breaking the SPDZ limits. In: European Symposium on Research in Computer Security. Springer, Berlin (2013)

  11. Demmler, D., Schneider, T., Zohner, M.: ABY-a framework for efficient mixed-protocol secure two-party computation. In: NDSS (2015)

  12. Kolesnikov, V., et al.: Efficient batched oblivious PRF with applications to private set intersection. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM (2016)

  13. Frederiksen, T.K., et al.: TinyLEGO: an interactive garbling scheme for maliciously secure two-party computation. IACR Cryptology ePrint Archive 2015/309 (2015)

  14. Kolesnikov, V., et al.: DUPLO: unifying cut-and-choose for garbled circuits. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM (2017)

  15. Multiparty Computation with SPDZ Online Phase and MASCOT Offline Phase. https://github.com/bristolcrypto/SPDZ-2. Accessed 11 Sept 2017

  16. Orlandi, C.: Is multiparty computation any good in practice? In: 2011 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE (2011)

  17. Cilibrasi, R., Cruz, A.L., de Rooij, S., Keijzer, M.: Complearn. http://www.complearn.org. Accessed 09 Jan 2017

  18. Borbely, R.S.: On normalized compression distance and large malware. J. Comput. Virol. Hacking Tech. 12(4), 235–242 (2016)

  19. Li, M., et al.: The similarity metric. IEEE Trans. Inf. Theory 50(12), 3250–3264 (2004)

  20. Yao, A.C.: Protocols for secure computations. In: 23rd Annual Symposium on Foundations of Computer Science, SFCS’08. IEEE (1982)

  21. Yao, A.C.-C.: How to generate and exchange secrets. In: 27th Annual Symposium on Foundations of Computer Science. IEEE (1986)

  22. Yao, A.C.: Theory and application of trapdoor functions. In: 23rd Annual Symposium on Foundations of Computer Science, SFCS’08. IEEE (1982)

  23. Araki, T., et al.: High-throughput semi-honest secure three-party computation with an honest majority. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM (2016)

  24. Theory and Practice of Multi-party Computation Workshops. http://www.multipartycomputation.com/mpc-software. Accessed 11 Sept 2017

  25. The Richest People in Tech. https://www.forbes.com/richest-in-tech/list/. Accessed 11 Sept 2017

  26. ABY: A Framework for Efficient Mixed-protocol Secure Two-party Computation. https://github.com/encryptogroup/ABY (2015)

  27. A C++ Implementation of the TinyLEGO Cryptographic Protocol [NST17] for General Secure Two-party Computation. https://github.com/AarhusCrypto/TinyLEGO (2016)

  28. Circuits of Basic Functions Suitable for MPC and FHE. https://www.cs.bris.ac.uk/Research/CryptographySecurity/MPC/. Accessed 11 Sept 2017

  29. A C++ implementation of the DUPLO cryptographic protocol. https://github.com/AarhusCrypto/DUPLO. Accessed 11 Sept 2017

  30. Souto, A.: Traffic analysis based on compression. In: Proc. Conferência sobre Redes de Computadores CRC’15, Évora, Portugal, Vol. 1, pp. 1–7, November 2015

  31. Entropy (Information Theory). http://www.basicknowledge101.com/pdf/km/Entropy%20(information%20theory).pdf. Accessed 11 Sept 2017

  32. Pincus, S.M., Gladstone, I.M., Ehrenkranz, R.A.: A regularity statistic for medical data analysis. J. Clin. Monit. Comput. 7(4), 335–345 (1991)


Acknowledgements

The work of João S. Resende was supported by a scholarship from the Fundação para a Ciência e Tecnologia (FCT), Portugal (scholarship Number PD/BD/128149/2016). The work of Patrícia R. Sousa and Luís Antunes was supported by Project “NanoSTIMA: Macro-to-Nano Human Sensing: Towards Integrated Multimodal Health Monitoring and Analytics/NORTE-01-0145-FEDER-000016,” financed by the North Portugal Regional Operational Programme (NORTE 2020), under the PORTUGAL 2020 Partnership Agreement, and through the European Regional Development Fund (ERDF). The work of Rolando Martins was supported by a scholarship from the Fundação para a Ciência e Tecnologia (FCT), Portugal (scholarship Number SFRH/BPD/115408/2016). This work is financed by National Funds through the FCT—Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within the project CMU Portugal CMU/CS/0042/2017.

Corresponding author

Correspondence to João S. Resende.

Appendices

Appendix A: Millionaire’s problem code

Code 7 is the ABY code that implements the millionaire’s problem. It reads its input from a local file, so to perform the brute force we only need to rewrite that file and rerun the program to obtain a different example.

Appendix B: Commands

The listings show the commands used to produce the output traffic files of the protocol: network (Listing 3) and STrace (Listing 4). The machine running this process must have no other traffic on the lo interface, so that the captures contain only information correlated with the MPC process.

Fig. 6: Tree with the entire clustering of the brute force attack

Appendix C: Output of code analysis

We analyze the values printed by the secret sharing (Listing 5) to see whether this output is always the same across iterations with the same set of inputs.

Appendix D: Entropy value influence

Zero padding can influence the entropy values. The following example shows two inputs of different sizes (the salary of Bill Gates) converted to 32-bit binary. If we convert only 6 digits of the salary (896 000), we get a lot of zero padding on the left (00000000000011001110010011001000). The same does not occur with the 12-digit input (896000000000 - 11000100101111011110110011000010). Left zero padding can be detrimental, since it biases the entropy in the wrong direction.

We use the Python package pyeeg to compute the approximate entropy values presented in this paper.
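As an added illustration (not code from the paper), the following script computes both the per-bit Shannon entropy and an approximate entropy of the two 32-bit strings quoted above, with and without their leading zero padding. ApEn is re-implemented here from Pincus’s definition instead of calling pyeeg; the parameters m = 2 and r = 0.5 are an assumption, not the paper’s settings.

```python
import math
from collections import Counter

# Bit strings quoted in Appendix D of the paper (32-bit, left zero-padded).
SALARY_6_DIGITS = "00000000000011001110010011001000"   # 896 000
SALARY_12_DIGITS = "11000100101111011110110011000010"  # 896 000 000 000


def shannon_entropy_bits(bits: str) -> float:
    """Shannon entropy (bits per symbol) of the 0/1 symbol distribution."""
    n = len(bits)
    return -sum(c / n * math.log2(c / n) for c in Counter(bits).values())


def approximate_entropy(series, m: int = 2, r: float = 0.5) -> float:
    """Pincus' ApEn(m, r) = phi_m - phi_{m+1}, self-matches included.
    Assumption: same definition pyeeg.ap_entropy implements; with r < 1 on
    a 0/1 series, two templates 'match' only when they are identical."""
    x = [float(v) for v in series]
    n = len(x)

    def phi(mm):
        windows = [x[i:i + mm] for i in range(n - mm + 1)]
        if not windows:
            return 0.0
        total = 0.0
        for w in windows:
            matches = sum(1 for v in windows
                          if max(abs(a - b) for a, b in zip(w, v)) <= r)
            total += math.log(matches / len(windows))
        return total / len(windows)

    return phi(m) - phi(m + 1)


def strip_padding(bits: str) -> str:
    """Minimal-width encoding: drop the leading zeros the 32-bit field added."""
    return bits.lstrip("0") or "0"


def compare(bits: str) -> dict:
    """Entropy of the padded field beside the entropy of the bare value."""
    return {
        "shannon_padded": shannon_entropy_bits(bits),
        "shannon_stripped": shannon_entropy_bits(strip_padding(bits)),
        "apen_padded": approximate_entropy(bits),
        "apen_stripped": approximate_entropy(strip_padding(bits)),
    }


if __name__ == "__main__":
    for label, b in (("6 digits", SALARY_6_DIGITS), ("12 digits", SALARY_12_DIGITS)):
        print(label, compare(b))
```

For the 6-digit value the padded field scores lower on Shannon entropy than both the bare value and the 12-digit field, which is the bias the appendix describes.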

Appendix E: SPDZ-2 maketree with complearn

Figure 6 shows the entire tree generated by complearn. The tree has a high S(T) value, but in some situations the representation is hard to read. To help identify the different clusters, a set of “blue cuts” was made in the tree; this way we can follow a cluster’s branch down to the leaves.

Highlighted in this way, the tree separates each trace into its cluster: all 16 different types of communication are perfectly split in the tree. Similar traces consist of the same parties communicating, prefixed by a number from 0 to 4; for example, \(0\_gates\_zuck\) and \(2\_gates\_zuck\) are the same communication in different iterations, where 0 denotes the first communication and 2 the third. In this example the communication is between Gates and Zuck, where Gates is the initiator and Zuck the other party in the communication protocol.
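The core step behind that clustering, as an added example that is not the paper’s or complearn’s code: the normalized compression distance of Cilibrasi and Vitányi [7] with zlib as the compressor, applied to constructed stand-in traces named as in the appendix. Real captures are replaced by seeded pseudo-random payloads that differ slightly per iteration, and the nearest-neighbour lookup is an assumption standing in for complearn’s tree construction.

```python
import random
import zlib


def ncd(x: bytes, y: bytes) -> float:
    """Normalized compression distance: (C(xy) - min(C(x), C(y))) / max(C(x), C(y))."""
    size = lambda b: len(zlib.compress(b, 9))
    cx, cy, cxy = size(x), size(y), size(x + y)
    return (cxy - min(cx, cy)) / max(cx, cy)


def make_trace(pair_seed: int, iteration: int, size: int = 4000) -> bytes:
    """Constructed stand-in for one captured trace (not real MPC traffic):
    a payload fixed by the party pair, with 20 bytes perturbed per iteration
    to mimic timestamps, ephemeral ports and nonces changing between runs."""
    rng = random.Random(pair_seed)
    body = bytearray(rng.getrandbits(8) for _ in range(size))
    rng_iter = random.Random(pair_seed * 1000 + iteration)
    for _ in range(20):
        body[rng_iter.randrange(size)] = rng_iter.getrandbits(8)
    return bytes(body)


# Names follow the paper's "<iteration>_<initiator>_<other party>" convention.
TRACES = {
    "0_gates_zuck": make_trace(1, 0),
    "2_gates_zuck": make_trace(1, 2),
    "0_gates_musk": make_trace(2, 0),
    "1_gates_musk": make_trace(2, 1),
}


def distance_matrix(traces: dict) -> dict:
    """Pairwise NCD matrix, the input complearn's maketree clusters from."""
    names = list(traces)
    return {a: {b: ncd(traces[a], traces[b]) for b in names} for a in names}


def nearest(traces: dict, name: str) -> str:
    """Trace closest to `name` by NCD (assumed stand-in for a tree cut)."""
    row = distance_matrix(traces)[name]
    return min((n for n in traces if n != name), key=lambda n: row[n])


if __name__ == "__main__":
    for a, row in distance_matrix(TRACES).items():
        print(a, {b: round(d, 3) for b, d in row.items()})
    print("nearest to 0_gates_zuck:", nearest(TRACES, "0_gates_zuck"))
```

Iterations of the same party pair land close to 0 while unrelated pairs land near 1, which is why repeated runs of one communication fall into one branch of the tree.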


Cite this article

Resende, J.S., Sousa, P.R., Martins, R. et al. Breaking MPC implementations through compression. Int. J. Inf. Secur. 18, 505–518 (2019). https://doi.org/10.1007/s10207-018-0424-2
