KVSP; Kyoto Virtual Secure Platform
[Official website] [Paper on arXiv] [Brief Japanese description on KVSP]
Virtual Secure Platform (VSP) provides a toolchain to run encrypted C programs without decryption.
VSP is the first comprehensive platform that implements a multi-opcode general-purpose sequential processor over Fully Homomorphic Encryption (FHE) for Secure Multi-Party Computation (SMPC). VSP protects both the data and functions on which the data are evaluated from the adversary in a secure computation offloading situation like cloud computing.
KVSP (Kyoto Virtual Secure Platform) is the first implementation
of VSP. KVSP consists of many other sub-projects.
The kvsp command, which this repository serves, is a
simple interface to use them easily.
Paper
We published a paper on VSP, which is accepted by USENIX Security Symposium 2021. We uploaded its full version onto arXiv.
Quick Start
Demo is on YouTube.
Download a KVSP release from here and unzip it. (It has been compiled on Ubuntu 20.04 LTS and CUDA 11.1.1. If it doesn't work in the following steps, please read Build section and try to build KVSP on your own. It may be time-consuming, but not so hard.)
$ wget 'https://github.com/virtualsecureplatform/kvsp/releases/latest/download/kvsp.tar.gz'
$ tar xf kvsp.tar.gz
$ cd kvsp_v29/bin # The directory's name depends on the file you download.
Write some C code...
$ vim fib.c
$ cat fib.c
static int fib(int n) {
int a = 0, b = 1;
for (int i = 0; i < n; i++) {
int tmp = a + b;
a = b;
b = tmp;
}
return a;
}
int main(int argc, char **argv) {
// Calculate n-th Fibonacci number.
// n is a 1-digit number and given as command-line argument.
return fib(argv[1][0] - '0');
}
...like so. This program (fib.c) returns the n-th term of Fibonacci sequence,
as its comment says.
Compile fib.c to an executable file fib.
$ ./kvsp cc fib.c -o fib
Let's encrypt it. First, we'll generate a secret key (secret.key):
$ ./kvsp genkey -o secret.key
Then encrypt fib with secret.key to get an encrypted executable fib.enc.
We have to pass its command-line arguments here. I chose 5, so the result
of this program will be fib(5)=5.
$ ./kvsp enc -k secret.key -i fib -o fib.enc 5
Okay. Now we will run fib.enc without secret.key.
To do this, first we have to make a bootstrapping key, which doesn't reveal
the secret key at all but only enables the computation:
$ ./kvsp genbkey -i secret.key -o bootstrapping.key
Then we will execute the program, but here is a problem: once it starts running we can't know if it is still running or has already halted, because everything about the code is totally encrypted!
So, we have to decide how many clock cycles to run fib.enc at our choice.
It is, say, 30.
# If you have GPUs use '-g NUM-OF-GPUS' option.
$ ./kvsp run -bkey bootstrapping.key -i fib.enc -o result.enc -c 30
Let's check the result. We'll decrypt result.enc:
$ ./kvsp dec -k secret.key -i result.enc
...
f0 false
...
f0 is 'finish flag', which is true iff the program ends.
So, 30 cycles were not enough. Let's try another 30;
We can resume from the point where we stopped using 'snapshot' file
(its filename depends on your environment):
$ ./kvsp resume -c 30 -i kvsp_20200517002413.snapshot -o result.enc -bkey bootstrapping.key
Check the result again:
$ ./kvsp dec -k secret.key -i result.enc
...
f0 true
...
x8 5
...
Finished! x8 register has the returned value from main() and it is the correct answer 5.
We could get the correct answer using secure computation!
More examples?
See the directory examples/.
System Requirements
We ensure that KVSP works on the following cloud services:
- γγγγ€γ³γΏγΌγγγ ι«η«εγ³γ³γγ₯γΌγγ£γ³γ° Tesla V100οΌ32GBοΌγ’γγ«
- GCP n1-standard-96 with 8 x NVIDIA Tesla V100
- AWS EC2 p3.16xlarge
- AWS EC2 p3.8xlarge
- AWS EC2 p3.2xlarge
- AWS EC2 m5.metal
If you run KVSP locally, prepare a machine with the following devices:
- Intel CPU with AVX2 support (e.g. Intel Core i7-8700)
- 16GB RAM
- NVIDIA GPU (not required but highly recommended)
- Only NVIDIA V100 and A100 are supported.
- Other GPUs may work but are not supported.
Dependencies
We are using Ubuntu 20.04 LTS in the development of v30 and later. Following commands setup the AWS instances. If you use AWS p3 instances, we highly recommend to increase EBS (Storage) size to 12 GB because intermediate files will be some GBs orders.
p3 instances (This includes reboot at last to enable a GPU driver.)
sudo apt update&&sudo apt upgrade -y&&sudo apt install -y libgoogle-perftools-dev libomp-dev nvidia-driver-460&&sudo reboot
c5.metal
sudo apt update&&sudo apt upgrade -y&&sudo apt install -y libgoogle-perftools-dev libomp-dev
Build
Clone this repository:
$ git clone https://github.com/virtualsecureplatform/kvsp.git
Clone submodules recursively:
$ git submodule update --init --recursive
Build KVSP:
$ make -j$(nproc) # It may take a while.
Use option ENABLE_CUDA if you build KVSP with GPU support:
$ make -j$(nproc) ENABLE_CUDA=1 CUDACXX="/usr/local/cuda/bin/nvcc" CUDAHOSTCXX="/usr/bin/clang-8"
Build KVSP Using Docker
Based on Ubuntu 20.04 LTS with NVIDIA CUDA 11.1.1. Note that NVIDIA GPU is NOT necessary to build KVSP.
$ docker build -t kvsp-build .
$ docker run -it -v $PWD:/build -w /build kvsp-build:latest
Code Owners
- kvsp
- @ushitora-anqou
- llvm-cahp
- @ushitora-anqou
- This is forked from llvm/llvm-project
- cahp-rt
- @ushitora-anqou
- cahp-sim
- @ushitora-anqou
- Iyokan-L1
- @naoki9911
- cahp-pearl
- @naoki9911
- cahp-ruby
- @naoki9911
- Iyokan
- @ushitora-anqou and @naoki9911
- TFHEpp
- @nindanaoto
- cuFHE
- @nindanaoto and @naoki9911
- This is forked from vernamlab/cuFHE