470 likes | 614 Vues
Scalable Secure Distributed Computation. Valerie King (U. Victoria and Microsoft Research SVC) joint with Jared Saia (U. New Mexico) Vishal Sanwalani ( University of Victoria) & Erik Vee (Yahoo). General Motivations and Assumptions. No central controller: Large peer-to-peer
E N D
Scalable Secure Distributed Computation Valerie King (U. Victoria and Microsoft Research SVC) joint with Jared Saia (U. New Mexico) Vishal Sanwalani ( University of Victoria) & Erik Vee (Yahoo)
General Motivations and Assumptions No central controller: Large peer-to-peer network, e.g. Need to collaborate: to prevent spamming, adversary attacks, maintain a trust management system. Corrupt peers controlled by a malicious adversary Need for scalable communication: Broadcasting is too expensive
Fundamental problems • Byzantine agreement:Each peer starts with some bit; all peers output the same bit, which must match at least one of the input bits. • Leader election: All peers agree on an uncorrupted leader.
The Model n peers • Each peer has private random bits • Point-to-point messages • Synchronous -- proceeds in ROUNDS. • Scalable: Each uncorrupted peer sends only (log n)c messages of (log n)c length during the protocol.
The Adversary • b < 1/3 fraction are corrupted by the adversary at the start (non-adaptive) “full information model” • In any round the Adversary can see all messages before the corrupted peers send out their messages; • The Adversary has unlimited computational power • The Adversary does not know the private random bit • The corrupted peers can send any number and size of messages.
Results presented here -- a scalable protocol which computes Byzantine Agreement with high probability and --a scalable protocol which computes Leader Election with constant probability on a sparse (degree d= logc n) overlay network with ALMOST EVERYWHERE AGREEMENT = all but 1-1/log n fraction of uncorrupted peers agree.(FOCS 2006) Note: on a sparse network Adversary can isolate bn/d peers->1-1/(3logc n) is best we can hope for.
Our related results • Almost everywhere agreement in a fully connected network (KSSV--SODA06) Each peer knows whom to listen to at the start of the round. IF we require that at the start of each round each peer must specify log n peers to listen to, then after r rounds, >~n1/3/r peers are still confused. (Holty,Kapron,K). PODC 06 I’ll present a sketch if there’s time
Previous work:complete networks Deterministic almost everywhere agreement requires linear # bits of communication per peer and t+1 rounds (early 80’s) Randomized Byzantine agreement with broadcast: ---O(1) rounds with cryptography ---O(log n) rounds in full information theory model superpoly? #bits per peer(BenOr, Pavlov, Vaikuntanathan --STOC06) Randomized leader election- O(log* n) expected rounds, superlinear #bits per peer. .(Russell and Zuckerman 98, Feige 99) Byzantine Agreement and Leader Election- --- O(logc n) rounds, O(logc n) + 1 broadcast(KSSV--SODA06)
Previous work:Sparse Networks • Deterministic almost everywhere agreement --Dwork ( b=1/log n), Berman and Garay (butterfly, b=1/log n), Upfal (late 80’s-92)(b=constant) poly per peer • Peer-to-Peer (scalable) • DHTs (Fiat and Saia) (Awerbuch and Scheidler), different attack model, storage and retrieval problems
Previous Work • Secure Multiparty Computation • Can compute any function in distributed and attack-resistant manner [BCG ‘93] • However results are NOT scalable • Require each peer to send and receive linear number of messages • Cryptographic complexity assumptions--adversary has limited resources
Recall the problems: • Byzantine agreement:Each peer starts with some bit; all peers output the same bit, which must match at least one of the input bits. • Leader election: All peers agree on an uncorrupted leader.
Our main idea =leader election • At each round reduce the number of eligible candidates by 1/log n fraction. • After log n/log log n rounds, a small set of eligible candidates is left. • Use a brute force method for this set to compute leader election or Byzantine agreement. • Communicate this result down to the other candidates.
Problems with Naive • A small number of corrupt peers can dominate the election by repeatedly cheating • (Remember that the corrupt peers see the messages of uncorrupt peers before sending theirs!)
Feige’s subcommittee selection techniqueEach candidate randomly picks a bin;subcommittee=lightest bin’s contents 5 6 1 3 4 2 Even if corrupt ones see the choices first lightest bin will have roughly same fraction b of noncorrupt candidates as whole population
In the broadcast model: Feige’s Leader Election Protocol
. In our protocol: Pairs in tournament replaced by committees ( formed by random bipartite graph)
. Pairs in tournament replaced by committees (random bipartite graph) Almost all committees have fraction of no more than b+ 1/log n of corrupted peers.
Feige + committees + tournament= Robust election graph
Communication Problems • Peer competing in a sub-election needs to be able to communicate with other peers in the sub-election • Why is this hard? • Identities of peers competing at the sub-election are determined dynamically. • Peer is unlikely to have direct links to competitors
Solution: overlay network • Overlay network topology based on election graph • Each node A in election graph has corresponding node s(A) in overlay network where s(A)=set of peers. • Purpose of node s(A) is to enable communication for the sub-election occurring at node A.
Overlay Network • Size of nodes increases with layer: polylog in bottom; top node has all the peers. • Parent-child connected via a random bipartite graph Mapping of peers to overlay nodes ensures: almost all nodes have >1-b+1/log n good peers
Problem: DOS Attack • Corrupt peers can wait until near end of election, see who is about to win and then flood them with messages • We assume each peer can only process polylog messages, so must handle this type of denial of service attack
Solution: Permissible Paths • A peer is only allowed to send messages along paths where it has already won sub-elections • This prevents the corrupt peers from sending too many messages to peers that have advanced far in the election • Peers in the overlay node s(A) keep a list of all of those peers that are allowed to send through them
Permissible Paths • Left: Without Permissible Paths: d is overloaded • Right: With Permissible Paths: d is protected
Random Bipartite Graphs Lemma 1:Let l,r,z,n be positive integers such that l,r and z are all no more than n and r/l >= ln^{1-z} n. Then, there is a bipartite graph G(L,R) such that |L| = l and |R| = r and: • Each node in R has degree ln^{z} n. • Each node in L has degree O((r/l) ln^{z}n). • For any subset L' of L, let F(L’) be the set of nodes in R whose number of edges into L’ is a 1/ln n fraction greater than expected. Then for all subsets L’ of L, |F(L')| < max(l,r)/ ln^{z-2} n).
Proof and Uses of Lemma 1 • Proved using probabilistic method, Chernoff and union bounds Used for: • Assignment of peers to leaf nodes in election graph • Connecting successive layers of the election graph • Mapping peers to nodes in overlay network • Connecting peers in neighboring nodes in overlay network
Overlay network is “good” An overlay node is good if <1/3+1/ln n fraction of the peers it contains are corrupt. The properties of the overlay network-: • “Almost all” nodes at any layer of the overlay network are good • “Almost all” connections between adjacent nodes in overlay network enable secure communication through majority filtering.
good paths • An overlay nodeknows a message (or permissible path) if > 1-b-2/logn fraction of uncorrupted peers agree on the message or path. • A permissible path is good if every overlay node on the path knows the path
Election nodes are good • An election node on level i is good if >1-b-4i/log n fraction of peers are uncorrupt and have good paths from the peer to the election node. • “Almost all” nodes in any layer of the election graph are good
Proof of correctness By Induction on level of election (and overlay graph): • At level i almost every election is good, --> 1-b-(4i-1)/log n fraction of each set of candidates elected are uncorrupted, w/ good paths. After removing those which are overloaded, have bad paths, 1-b-(4i+2)/log n remain for next level Whp, topmost committee on level log n/loglog n --has polylog peers --has 1-b - 1/loglog n fraction of uncorrupt peers --is known by the top overlay node=all peers. • This committee selects a leader or computes Byzantine agreement. Its results are known to the top overlay node=all peers.
Complexity • All peers in the overlay network have polylog degree • All peers send and process a polylog number of bits (load balancing done by dropping peers that win too much)
Lower bound ? • Can we do everywhere agreement in a fully connected network or prove that it can’t be done?
Why it’s hard to go to full agreement in a fully connected network If a peer doesn’t know whom to listen to, the adversary can FLOOD the peer.
Holtby, Kapron, King Podc06 • Any synchronous protocol which produces agreement with probability at least 1/2+1/log n • in which each peer sends log n messages and specifies log n messages to receive at each round (defence against flooding) • Leaves out at least > n1/3/r uncorrupted peers from the agreement • Even if the channels are private.
Key lemma • Friends of x given input dist. B SX={y| Prob(y --> x)|B) >p} Lx ={y|Prob (x -->y|B) > p} By averaging argument, not too many x’s have large Friend sets.
Inputs B and B’ 1 0 0 target Size < bn
Adversary takes over small friend sets for B and B’ of target 1 0 0 0
Adversary simulates B and B’ • B= all 0’s • B’= all 1’s except t 0’s. • Agreed value must be 0 for B • 1 for B’ • (in case t 0’s are corrupt). • Adversary isolates a set of n1/3/r peers in target set.
Proof by induction • After each round probability that target set is isolated remains high because prob that a peer sends a message which is read by peer in target is small.
Future Work: General • Simplify protocols and reduce constants • Make limited use of cryptography • Look at tradeoff between efficiency and number of adversarial peers tolerated • Asynchronous communication--we are currently writing this up.
Future Work: General • Can we design protocol to work on a network that is in use like Chord or the Internet? • What other problems can be computed in this way?
Feedback • Questions and/or comments???