
Scalable Secure Distributed Computation

Scalable Secure Distributed Computation. Valerie King (U. Victoria and Microsoft Research SVC), joint with Jared Saia (U. New Mexico), Vishal Sanwalani (University of Victoria) & Erik Vee (Yahoo). General Motivations and Assumptions. No central controller: Large peer-to-peer


Presentation Transcript


  1. Scalable Secure Distributed Computation • Valerie King (U. Victoria and Microsoft Research SVC), joint with Jared Saia (U. New Mexico), Vishal Sanwalani (University of Victoria) & Erik Vee (Yahoo)

  2. General Motivations and Assumptions • No central controller: Large peer-to-peer network, e.g. • Need to collaborate: to prevent spamming, adversary attacks, maintain a trust management system. • Corrupt peers controlled by a malicious adversary • Need for scalable communication: Broadcasting is too expensive

  3. Fundamental problems • Byzantine agreement: Each peer starts with some bit; all peers output the same bit, which must match at least one of the input bits. • Leader election: All peers agree on an uncorrupted leader.

  4. The Model • n peers • Each peer has private random bits • Point-to-point messages • Synchronous -- proceeds in ROUNDS. • Scalable: Each uncorrupted peer sends only (log n)^c messages of (log n)^c length during the protocol.

  5. The Adversary • b < 1/3 fraction are corrupted by the adversary at the start (non-adaptive) “full information model” • In any round the Adversary can see all messages before the corrupted peers send out their messages; • The Adversary has unlimited computational power • The Adversary does not know the private random bit • The corrupted peers can send any number and size of messages.

  6. Results presented here • A scalable protocol which computes Byzantine Agreement with high probability, and • a scalable protocol which computes Leader Election with constant probability, on a sparse (degree d = log^c n) overlay network with ALMOST EVERYWHERE AGREEMENT = all but 1-1/log n fraction of uncorrupted peers agree. (FOCS 2006) • Note: on a sparse network the Adversary can isolate bn/d peers -> 1-1/(3 log^c n) is best we can hope for.

  7. Our related results • Almost everywhere agreement in a fully connected network (KSSV--SODA06). Each peer knows whom to listen to at the start of the round. • If we require that at the start of each round each peer must specify log n peers to listen to, then after r rounds, >~ n^{1/3}/r peers are still confused (Holtby, Kapron, K., PODC 06). I’ll present a sketch if there’s time.

  8. Previous work: complete networks • Deterministic almost everywhere agreement requires linear # bits of communication per peer and t+1 rounds (early 80’s) • Randomized Byzantine agreement with broadcast: --- O(1) rounds with cryptography --- O(log n) rounds in full information theory model, superpoly? # bits per peer (Ben-Or, Pavlov, Vaikuntanathan --STOC06) • Randomized leader election: O(log* n) expected rounds, superlinear # bits per peer (Russell and Zuckerman 98, Feige 99) • Byzantine Agreement and Leader Election: O(log^c n) rounds, O(log^c n) + 1 broadcast (KSSV--SODA06)

  9. Previous work: Sparse Networks • Deterministic almost everywhere agreement -- Dwork (b=1/log n), Berman and Garay (butterfly, b=1/log n), Upfal (late 80’s-92) (b=constant), poly per peer • Peer-to-Peer (scalable) • DHTs (Fiat and Saia), (Awerbuch and Scheideler): different attack model, storage and retrieval problems

  10. Previous Work • Secure Multiparty Computation • Can compute any function in distributed and attack-resistant manner [BCG ‘93] • However results are NOT scalable • Require each peer to send and receive linear number of messages • Cryptographic complexity assumptions--adversary has limited resources

  11. Our Protocol

  12. Recall the problems: • Byzantine agreement: Each peer starts with some bit; all peers output the same bit, which must match at least one of the input bits. • Leader election: All peers agree on an uncorrupted leader.

  13. Our main idea = leader election • At each round reduce the number of eligible candidates by 1/log n fraction. • After log n/log log n rounds, a small set of eligible candidates is left. • Use a brute force method for this set to compute leader election or Byzantine agreement. • Communicate this result down to the other candidates.

  14. Naïve election tree

  15. Problems with Naive • A small number of corrupt peers can dominate the election by repeatedly cheating • (Remember that the corrupt peers see the messages of uncorrupt peers before sending theirs!)

  16. Feige’s subcommittee selection technique • Each candidate randomly picks a bin; subcommittee = lightest bin’s contents [Figure labels: 5 6 1 3 4 2] • Even if corrupt ones see the choices first, lightest bin will have roughly same fraction b of noncorrupt candidates as whole population
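
The lightest-bin selection of slide 16, simulated as an added example (not code from the slides or from the authors). The function name, the seeded honest choices and the parameters n = 30000, b = 0.3 are constructed for illustration, and the sketch assumes ties for the lightest bin are resolved in the adversary's favour.

```python
import random

def lightest_bin_worst_case(n, b, bins, seed=0):
    """Simulate one lightest-bin selection against an adversary that moves last.

    Returns (corrupt fraction of the lightest bin, size of that bin).
    Assumption of this sketch: ties for "lightest" go the adversary's way.
    """
    rng = random.Random(seed)            # constructed input: seeded honest choices
    corrupt = round(b * n)
    good = [0] * bins
    for _ in range(n - corrupt):         # each honest candidate picks a bin uniformly
        good[rng.randrange(bins)] += 1

    # Worst case: the adversary aims at the bin holding the fewest honest
    # candidates and raises a common "water level" so that no other bin ends
    # up lighter. Reaching level T costs sum(max(0, T - g)) corrupt candidates.
    target = min(good)
    level = target
    while sum(max(0, level + 1 - g) for g in good) <= corrupt:
        level += 1
    planted = level - target             # corrupt candidates in the winning bin
    return (planted / level if level else 0.0), level

if __name__ == "__main__":
    for bins in (10, 1000):
        frac, size = lightest_bin_worst_case(30000, 0.3, bins)
        print(f"bins={bins:5d} committee size={size:5d} corrupt fraction={frac:.3f}")
```

With 10 large bins the corrupt share of the selected subcommittee stays close to b even though the adversary chooses last; with 1000 small bins the honest count in the emptiest bin fluctuates far more relative to the bin size, so the bound degrades.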

  17. In the broadcast model: Feige’s Leader Election Protocol

  18. In our protocol: Pairs in tournament replaced by committees (formed by random bipartite graph)

  19. Pairs in tournament replaced by committees (random bipartite graph) • Almost all committees have fraction of no more than b + 1/log n of corrupted peers.

  20. Feige + committees + tournament = Robust election graph

  21. Communication Problems • Peer competing in a sub-election needs to be able to communicate with other peers in the sub-election • Why is this hard? • Identities of peers competing at the sub-election are determined dynamically. • Peer is unlikely to have direct links to competitors

  22. Solution: overlay network • Overlay network topology based on election graph • Each node A in election graph has corresponding node s(A) in overlay network where s(A)=set of peers. • Purpose of node s(A) is to enable communication for the sub-election occurring at node A.

  23. Overlay Network: election node --> overlay node

  24. Overlay Network • Size of nodes increases with layer: polylog in bottom; top node has all the peers. • Parent-child connected via a random bipartite graph • Mapping of peers to overlay nodes ensures: almost all nodes have >1-b+1/log n good peers

  25. A single election

  26. Problem: DOS Attack • Corrupt peers can wait until near end of election, see who is about to win and then flood them with messages • We assume each peer can only process polylog messages, so must handle this type of denial of service attack

  27. Solution: Permissible Paths • A peer is only allowed to send messages along paths where it has already won sub-elections • This prevents the corrupt peers from sending too many messages to peers that have advanced far in the election • Peers in the overlay node s(A) keep a list of all of those peers that are allowed to send through them

  28. Permissible Paths • Left: Without Permissible Paths: d is overloaded • Right: With Permissible Paths: d is protected

  29. A Single Step

  30. Random Bipartite Graphs • Lemma 1: Let l, r, z, n be positive integers such that l, r and z are all no more than n and r/l >= ln^{1-z} n. Then there is a bipartite graph G(L,R) such that |L| = l and |R| = r and: • Each node in R has degree ln^{z} n. • Each node in L has degree O((r/l) ln^{z} n). • For any subset L' of L, let F(L') be the set of nodes in R whose number of edges into L' is a 1/ln n fraction greater than expected. Then for all subsets L' of L, |F(L')| < max(l,r)/ln^{z-2} n.

  31. Proof and Uses of Lemma 1 • Proved using probabilistic method, Chernoff and union bounds • Used for: • Assignment of peers to leaf nodes in election graph • Connecting successive layers of the election graph • Mapping peers to nodes in overlay network • Connecting peers in neighboring nodes in overlay network

  32. Overlay network is “good” • An overlay node is good if <1/3+1/ln n fraction of the peers it contains are corrupt. • The properties of the overlay network: • “Almost all” nodes at any layer of the overlay network are good • “Almost all” connections between adjacent nodes in overlay network enable secure communication through majority filtering.

  33. Good paths • An overlay node knows a message (or permissible path) if > 1-b-2/log n fraction of uncorrupted peers agree on the message or path. • A permissible path is good if every overlay node on the path knows the path

  34. Election nodes are good • An election node on level i is good if >1-b-4i/log n fraction of peers are uncorrupt and have good paths from the peer to the election node. • “Almost all” nodes in any layer of the election graph are good

  35. Proof of correctness • By induction on level of election (and overlay graph): • At level i almost every election is good --> 1-b-(4i-1)/log n fraction of each set of candidates elected are uncorrupted, w/ good paths. • After removing those which are overloaded or have bad paths, 1-b-(4i+2)/log n remain for next level • Whp, topmost committee on level log n/log log n -- has polylog peers -- has 1-b-1/log log n fraction of uncorrupt peers -- is known by the top overlay node = all peers. • This committee selects a leader or computes Byzantine agreement. Its results are known to the top overlay node = all peers.

  36. Complexity • All peers in the overlay network have polylog degree • All peers send and process a polylog number of bits (load balancing done by dropping peers that win too much)

  37. Lower bound ? • Can we do everywhere agreement in a fully connected network or prove that it can’t be done?

  38. Why it’s hard to go to full agreement in a fully connected network If a peer doesn’t know whom to listen to, the adversary can FLOOD the peer.

  39. Holtby, Kapron, King PODC 06 • Any synchronous protocol which produces agreement with probability at least 1/2+1/log n • in which each peer sends log n messages and specifies log n messages to receive at each round (defence against flooding) • Leaves out at least > n^{1/3}/r uncorrupted peers from the agreement • Even if the channels are private.

  40. Key lemma • Friends of x given input dist. B: S_x = {y | Prob(y --> x | B) > p}, L_x = {y | Prob(x --> y | B) > p} • By averaging argument, not too many x’s have large Friend sets.

  41. Inputs B and B’ [Figure labels: 1, 0, 0; target; Size < bn]

  42. Adversary takes over small friend sets for B and B’ of target [Figure labels: 1, 0, 0, 0]

  43. Adversary simulates B and B’ • B = all 0’s • B’ = all 1’s except t 0’s. • Agreed value must be 0 for B • 1 for B’ • (in case t 0’s are corrupt). • Adversary isolates a set of n^{1/3}/r peers in target set.

  44. Proof by induction • After each round probability that target set is isolated remains high because prob that a peer sends a message which is read by peer in target is small.

  45. Future Work: General • Simplify protocols and reduce constants • Make limited use of cryptography • Look at tradeoff between efficiency and number of adversarial peers tolerated • Asynchronous communication--we are currently writing this up.

  46. Future Work: General • Can we design protocol to work on a network that is in use like Chord or the Internet? • What other problems can be computed in this way?

  47. Feedback • Questions and/or comments???
