Introduction

Overview

Kunpeng cryptographic-computing acceleration library (KCAL) is integrated into the data security suite DataGuard. DataGuard handles the necessary KCAL configuration and calls KCAL APIs to enable multi-party computation (MPC) capability. KCAL has the following features:

• Raw data isolation: It keeps the raw data of users within the secure computing domain using the MPC protocol.
• Operator acceleration: KCAL designs efficient MPC protocol by leveraging the security guarantees of the trusted execution environment (TEE). This allows KCAL to execute operators faster compared to traditional cryptographic MPC protocols.

Principles

Figure 1 KCAL deployment process

1. ISVs or customers build cVM images and confidential containers that contain KCAL (only cVMs are supported in this version), and release image baselines to support remote attestation for image integrity verification.
2. The compute parties (users) apply for computing resources of the cVM images. The trusted third parties or platforms start the cVM instances.
3. Each compute party starts the cVM.
   1. Remote attestation: The trusted third parties or platforms verify the integrity of the confidential computing environment and cVM images through remote attestation.
   2. Key negotiation: The compute parties negotiate a session key using a standard secure communication protocol such as TLS, either directly or after obtaining the peer public key from an attestation report.
   3. Random seed negotiation: The cVMs negotiate a secure shared random seed.
   4. Secure Pseudo-Random Number (PRN) derivation: The cVMs derive secure PRNs based on the shared random seed.
   5. MPC protocol execution: The cVMs calculate the output shares based on the input shares and PRNs.
   6. Users decompress the ZIP file to obtain the RPM installation package.
      

      The compute parties have no permission to directly control internal resources of the confidential computing environment, which ensures the overall security of KCAL.