Technical Principles of KCAL

Figure 1 KCAL deployment process

Deploying and Using cVM-based MPC Cryptographic Operators

  1. ISVs or customers build cVM images and confidential containers that contain KCAL (only cVMs are supported in this version), and release image baselines to support remote attestation for image integrity verification.
  2. The compute parties (users) apply for computing resources of the cVM images. The trusted third parties or platforms start the cVM instances.
  3. Each compute party starts the cVM.
    1. Remote attestation: The trusted third parties or platforms verify the integrity of the confidential computing environment and cVM images through remote attestation.
    2. Key negotiation: The compute parties negotiate a session key using a standard secure communication protocol such as TLS, either directly or after obtaining the peer public key from an attestation report.
    3. Random seed negotiation: The cVMs negotiate a secure shared random seed.
    4. Secure Pseudo-Random Number (PRN) derivation: The cVMs derive secure PRNs based on the shared random seed.
    5. MPC protocol execution: The cVMs calculate the output shares based on the input shares and PRNs.

Deploying and Using cVM-based PSI/PIR Operator

  1. ISVs or customers build cVM images and confidential containers that contain KCAL (only cVMs are supported in this version), and release image baselines to support remote attestation for image integrity verification.
  2. The compute parties (users) apply for computing resources of the cVM images. The trusted third parties or platforms start the cVM instances.
  3. Each compute party starts the cVM.
    1. Remote attestation: The trusted third parties or platforms verify the integrity of the confidential computing environment and cVM images through remote attestation.
    2. Key negotiation: The compute parties negotiate a session key using a standard secure communication protocol such as TLS, either directly or after obtaining the peer public key from an attestation report.
    3. Random seed negotiation: The cVMs negotiate a secure shared random seed.
    4. Hashing: Each cVM calculates the hash or hash-based message authentication code (HMAC) of identifiers such as IDs, keywords, or indexes using the shared random seed, and replaces the original values with the hashed outputs to enhance data security.
    5. PSI/PIR protocol execution: The cVM executes the PSI/PIR protocol based on the hashed outputs.
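
The hashing step above, sketched as an added example (this is not KCAL code or its API): each party keys an HMAC with the shared random seed and only the hashed outputs are compared. HMAC-SHA256, the identifier normalization, all function names and the sample data are assumptions, and a plain set comparison stands in for the PSI protocol, which this page does not detail.

```python
import hashlib
import hmac
import secrets


def blind(seed: bytes, identifier: str) -> bytes:
    """HMAC-SHA256 of a normalized identifier, keyed with the shared seed.

    Keyed hashing means a party without the seed cannot recompute the
    output from a guessed identifier, unlike an unkeyed hash.
    """
    # Assumed normalization: both sides must canonicalize identically,
    # otherwise equal identifiers produce different hashed outputs.
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(seed, normalized, hashlib.sha256).digest()


def blind_table(seed: bytes, identifiers: list[str]) -> dict[bytes, str]:
    """Map hashed output -> local identifier; only the keys are shared."""
    return {blind(seed, ident): ident for ident in identifiers}


def matched_locally(table: dict[bytes, str], peer_tags: set[bytes]) -> set[str]:
    """Resolve matching hashed outputs back to this party's own identifiers."""
    return {ident for tag, ident in table.items() if tag in peer_tags}


# Constructed sample data; SEED stands in for the negotiated shared seed.
SEED = secrets.token_bytes(32)
PARTY_A = ["alice@example.com", "bob@example.com", "carol@example.com"]
PARTY_B = ["Bob@Example.com ", "carol@example.com", "dave@example.com"]


def run(seed_a: bytes, seed_b: bytes) -> set[str]:
    """Party A's view of the overlap when A and B hash with the given seeds."""
    table_a = blind_table(seed_a, PARTY_A)
    tags_b = set(blind_table(seed_b, PARTY_B))  # B sends hashed outputs only
    return matched_locally(table_a, tags_b)


if __name__ == "__main__":
    print("same seed:     ", sorted(run(SEED, SEED)))
    # Failure mode: if seed negotiation did not yield the same value on
    # both sides, no hashed outputs line up and the overlap is empty.
    print("different seed:", sorted(run(SEED, secrets.token_bytes(32))))
```

An empty result where an overlap is expected is worth treating as a signal to check seed negotiation and identifier normalization before suspecting the data.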