Support for switching off TLS channels #554

Closed
strieflin opened this issue Apr 26, 2022 · 6 comments

@strieflin

We use MP-SPDZ as the MPC engine within the Carbyne Stack cloud-native MPC platform. ATM we use a heavily outdated version of MP-SPDZ but are in the process of replacing that one with a newer version (see carbynestack/ephemeral#15). By using functionality of the Istio service mesh, we are outsourcing the responsibility to ensure inter-player communication happens over TLS-secured channels. Is it possible to disable TLS channels in the MP-SPDZ implementation to avoid the overheads of TLS-over-TLS and the complications of managing certificates on the level of Kubernetes Pods running the MP-SPDZ engine instances? If not, would you consider implementing such a feature to enable downstream use in Carbyne Stack?

@strieflin strieflin changed the title Support switching of TLS channels Support switching off TLS channels Apr 27, 2022
@strieflin strieflin changed the title Support switching off TLS channels Support for switching off TLS channels Apr 27, 2022
@mkskeller
Member

TLS can be switched off using -u in honest-majority machines. In dishonest-majority machines it is switched off by default. If you want to make a deeper change, you can simply look for CryptoPlayer in the code and replace its occurrence by PlainPlayer. In any case, there are a few double-checks by calling the insecure function (in Shamir.hpp and Replicated.hpp for example), which need to be removed in order to run without warnings and without the INSECURE compiler flag.

@strieflin
Author

I see. Keeping the issue open for now in case our investigations on what is exactly needed to make it usable in our setting create further need for discussions. Thanks!

@kindlich

kindlich commented May 4, 2022

Is this only about the communication between multiple Machines, or also when using the Client Functionality?
The Carbyne Stack use case makes use of Clients, so they would need to allow for non-TLS'ed communication between a Client and MP-SPDZ VM, too.

@strieflin
Author

@mkskeller: Can TLS be switched off for client/engine connections? If not, any chance to provide that functionality?

@mkskeller
Member

642d11f adds the compile-time option NO_CLIENT_TLS to this end.

@strieflin
Author

Thank you very much @mkskeller. Will give that a try ASAP. Closing this for now.
