Sharemind Application Server

Installation

Sharemind MPC components are available from Cybernetica’s APT repository for Debian 10 (buster), Debian 11 (bullseye), Debian 12 (bookworm), Ubuntu 20.04 (focal) and Ubuntu 22.04 (jammy). To access it, add the repository location to your APT configuration and trust the Sharemind package signing GPG key 0x2DD091F5BD648385. In the following, replace “bookworm” with the version name of your distribution.

wget -qO - https://repo.cyber.ee/sharemind/apt/pubkey.gpg | sudo apt-key add -
echo "deb https://repo.cyber.ee/sharemind/apt/2023.09 bookworm non-free" | sudo tee /etc/apt/sources.list.d/sharemind.list

The APT repository requires authentication. Replace “USER” and “PASSWORD” with personalised values provided by Cybernetica in the /etc/apt/auth.conf.d/sharemind.conf configuration file (you have to create the file):

machine repo.cyber.ee
    login USER
    password PASSWORD

Next, update the APT cache:

sudo apt-get install apt-transport-https # may be already installed, has to be done only once
sudo apt-get update

Sharemind MPC uses a modular design and an installation can consist of different subsets of available packages:

  • sharemind-server – the Sharemind Application Server core that by itself does not provide any secure computation options.

  • libsharemind-mod-algorithms – general algorithms module that works on public data.

  • One of the following packages for the shared3p protection domain:

    • libsharemind-mod-shared3p – the Encrypted Computing Engine, provides optimised implementation of the shared3p protection domain with three computation parties and passive security.

    • libsharemind-mod-shared3pdev – an alternative version of the Encrypted Computing Engine that provides the same functionality (syscalls) as libsharemind-mod-shared3p, but is based on manual implementation of MPC protocols and research prototypes. This module used to define the Sharemind Academic Server, but is deprecated starting from the 2022.03 release.

    • libsharemind-mod-shared3p-emu – the Encrypted Computing Emulator that emulates the MPC protocols and is used for testing and development. Requires a single Application Server instead of three.

  • libsharemind-mod-tabledb-hdf5 – storage backend that uses column-optimised table-based HDF5 engine (embedded storage).

  • libsharemind-mod-keydb – NoSQL storage backend that stores data in a Redis server. Installing redis-server package is also required.

  • scc – The SecreC compiler.

  • secrec-stdlib – SecreC standard library.

Install the suitable subset with apt-get install, e.g., commonly:

sudo apt-get install sharemind-server libsharemind-mod-algorithms \
libsharemind-mod-shared3p libsharemind-mod-tabledb-hdf5 \
scc secrec-stdlib

Key generation and exchange

Sharemind MPC uses Transport Layer Security (TLS) technology for secure, mutually authenticated and encrypted communication channels between computation nodes as well as between computation nodes and client applications. Therefore, each Sharemind component requires a personal asymmetric key pair for authentication and encryption.

For instructions on how to generate a new key pair and distribute it to other parties in the deployment, see Client applications → Generating Key Pairs.

Configuration

Sharemind Application Server searches for its main configuration file from the following locations (in order):

  • Filename given by the --conf command line argument

  • System-wide configuration file in /etc/xdg/sharemind/server.conf (XDG Basedir search path)

  • System-wide configuration file in /etc/sharemind/server.conf

The configuration file is an INI-formatted file, where section names are between square brackets ([Section]) and configuration values are given with key=value pairs. In addition to the common INI syntax there is an @include directive which can be used to load configuration files from another file or a directory, it takes a glob expression as an argument and includes matched files in it’s place. A commented example client application configuration file is available in /usr/share/doc/sharemind/examples/server.conf.

At minimum, review (and change) the following values in the example configuration:

  • Section [Server]:

    • The LicenseFile should point to the cryptographically signed license file (*.p7b) that you have received from Cybernetica.

    • The value of UuidNamespace must be the same for all components in the deployment (servers and client applications alike). Ask this value from your Deployment Manager.

    • Name is a unique name of this computation node in this Sharemind MPC deployment. All other parties (including client applications) in the deployment must also provide this name in their configuration to contact your server, so share this name with other parties via Deployment Manager.

  • The [AccessControl] section refers to the access rules configuration file. Sharemind Application Server uses a three-level access control system specifying which users are allowed to connect to the server, which programs are they allowed to run and what data items are these users and programs allowed to read or write. A commented example of such ruleset file is available at /usr/share/doc/sharemind/examples/server-access-control.conf.

  • Section [Network]:

    • ListenInterfaces lists the network interfaces and ports that the Application Server listens on. There is a single port for listening for both client connections as well as for other Application Servers in the deployment. By default, Sharemind Application Server listens on all network interfaces on port 30000.

    • The values of PublicKeyFile and PrivateKeyFile should be the filenames of your public and private keys, respectively. If you followed the example here, these are my-public-key and my-private-key. File location can be given relative to the current configuration file with %{CurrentFileDirectory}, e.g. %{CurrentFileDirectory}/keys/my-public-key.

  • The [Module *] sections are used to load modules and reference their configuration files. Refer to module-specific configuration options below.

  • The [ProtectionDomain] are used to enable various protection domains and need the corresponding module to be loaded. For example, the pd_shared3p protection domain need the mod_shared3p (or the mod_shared3p_dev, or the mod_shared3p_emu) module.

  • The [Server *] sections contain information about the other Sharemind MPC computation nodes. Each section name must be in the format [Server Name], where Name is the unique name for the given computation node used throughout the deployment. Ask your Deployment Manager for the names of computation nodes and the information to fill out the following values:

    • Address – computation node’s IP address or hostname

    • Port – computation node’s port number

    • PublicIdentity – filename, containing the public key for this computation node. File location can be given relative to the current configuration file with %{CurrentFileDirectory}.

In general, it is not necessary to change any other default values in the configuration file. For a successful deployment it is necessary that the network and security related configuration options are compatible between all components in the Sharemind MPC deployment.

The pd_shared3p protection domain

The pd_shared3p protection domain provided by either the mod_shared3p, the mod_shared3p_dev or the mod_shared3p_emu module uses a separate configuration file. The first two differ only in shared library (*.so) file name and use an identical configuration file, shown here next. For the mod_shared3p_emu, continue withthe next sub-section.

  • The [ProtectionDomain] section includes configuration options that relate to networking and performance. The *FragmentSize options allow you to specify the optimal batch sizes for your network configuration.

  • The [Node*] sections map Sharemind Application Servers to computation nodes.

    • The IsComputingNode allows you to put one or more Application Servers in proxy mode for shared3p computations if you have more than three servers in the deployment.

Note that the pd_shared3p configuration has to be identical for all Application Servers.

For reference, here is an example of the pd_shared3p configuration file:

[ProtectionDomain]
MulVecFragmentSize = 100000
EqVecFragmentSize = 100000

[Node1]
ServerName=TestServer1

; Indicates the mode of a protection domain node.
; Options are:
; true - (default) the node performs computations in the protection domain.
; false - the node acts as a proxy that only performs declassification operations, skipping other operations in that protection domain.
IsComputingNode = true

[Node2]
ServerName=TestServer2

[Node3]
ServerName=TestServer3

The emulated pd_shared3p protection domain

The emulated version of the shared3p protection domain implementation does not need server-specific configuration as it uses a single server node. Instead, it uses the configuration file to load protocol performance models in order to give real-life runtime estimated for the emulated SecerC programs. You can obtain an example configuration together with these models from Sharemind SDK Github respository here. Download both files and reference shared3p_emu.cfg from the Application Server configuration. Change shared3p_emu.cfg to either use full file path to shared3p_emu-models.cfg or use the %{CurrentFileDirectory} construction.

Encrypted storage (Embedded HDF5)

The table storage back end for Sharemind MPC consists of two layers. First, there is the abstract tabledb level that provides the SecreC language interface (the tdb* functions). This is provided by the mod_tabledb module. The second layer provides implementation using a specific storage back end, e.g. mod_tabledb-hdf5 uses HDF5 embedded database for storage.

Consequently, the tabledb configuration is also in two levels. The mod_tabledb configuration, referenced from the Sharemind Application Server main configuration file, loads the storage back end submodule and provides its configuration (with reference to another configuration file). Look at the example below:

[DBModule1]
File = libsharemind_mod_tabledb_hdf5.so

[DataSource1]
Name = DS1
DBModule = tabledb_hdf5
Configuration = %{CurrentFileDirectory}/tabledb_hdf5-DS1.cfg

The tabledb module separates data tables into data stores (analogue of a database). The example above creates a single data store “DS1” and refers to data store specific configuration file that in turn sets the filesystem path for the data:

DatabasePath = /var/lib/sharemind/DS1

Usage

To start Sharemind Application Server on the background, use the systemd unit file:

sudo systemctl start sharemind-server

If needed, you can also start Sharemind Application Server binary directly with sharemind-server.