ppt

Download Report

Transcript ppt 

Distributed Asymmetric Verification
in Computational Grids
Michael Kuhn
Stefan Schmid
Roger Wattenhofer
Distributed
Computing
Group
IPDPS 2008
Miami, Florida, USA
Grid Computing
• Goal: Use idle computing
resources worldwide
– Examples: seti@home,
folding@home, ...
Michael Kuhn, ETH Zurich @ IPDPS 2008
2
2
Model
Returns
result
Clients (Participants)
#clients: 104-106
Sends workunits (WU)
Server
Michael Kuhn, ETH Zurich @ IPDPS 2008
3
3
The Problem of Cheaters
• Why should people participate?
– Incentives: honour („user of the day“), money, ...
• But: Incentives attract cheaters!
Michael Kuhn, ETH Zurich @ IPDPS 2008
4
4
The Problem of Cheaters
Random value
• Verification required
– Today: Redundancy
– E.g. seti@home: Send the same task to 3 participants
– This paper: Distributed asymmetric checking
– Asymmetry: Verification is often cheaper than computation
– Distributed: Participants check each other
Michael Kuhn, ETH Zurich @ IPDPS 2008
5
5
Contributions
• Distributed checking algorithm integrated in BOINC
– Faster than redundancy if asymmetric checking function exists
– Better guarantees than typically used redundancy schemes
• Resistant against
– Dominance of seemingly fast clients
– Lazy checking
– Sybil attacks
• Proof-of-concept implementation for discrete logarithm
problem
– Asymmetric checking function for Pollard-rho algorithm
Michael Kuhn, ETH Zurich @ IPDPS 2008
6
6
Related Work
• Cheating is a problem
[Kahney, Wired Magazine, Feb. 2001]
– Seti@home: more than 50% of resources spent on cheating!
• Ringer scheme (precompute selected results)
[Golle and Mironov, CT-RSA‘01], [Szaja et al., SP‘03]
– Additional work on the server (precomputing ringers)
• Commitment scheme with Merkle-tree
[Du et al., ICDCS‘04]
– Additional work on the server (recompute some work-units)
• Cryptographic protocols
e.g. [Aiello et al, ICALP‘00], [Cachin et al., EUROCRYPT‘99]
– Often computationally too expensive in practice
Michael Kuhn, ETH Zurich @ IPDPS 2008
7
7
Challenges
• Cheaters seem to be much faster
than ordinary participants
– 1% cheaters can submit >99%
of the results
100
90
80
70
60
50
40
30
20
10
0
Results
Clients
Honest
Cheater
• Cheaters stay honest for a long time, and only then start to cheat
– Opens many possibilities for cheaters
– Never trust a participant
• Lazy checking
– Cheaters can calculate everything correctly but cheat during
verification (i.e. simply say the result was correct)
Michael Kuhn, ETH Zurich @ IPDPS 2008
8
8
Cheater Characterization
• Fraction of cheating clients: p
q
– Problem: Sybil attacks
• Fraction of incorrect results in
the system: r
– Problem: Random results can
be computed very fast
– If no countermeasures are
taken: r = 1
• Fraction of computing power of
cheater(s): q
– Computing power is
expensive => q is limited!
– Goal of cheaters: Pretend to
have worked more than what
is possible with the available
computing resources
Michael Kuhn, ETH Zurich @ IPDPS 2008
r
p
9
9
Asymmetric Verification
• Performance property: It is much cheaper to verify the
correctness of a result than to calculate the result
– Asymmetric
• Fingerprint property: A verifier calculates a fingerprint
rather than a boolean result
– Server compares fingerprints
Example:
– Find
Onlyprime
honestly
computed
checks
can lead
positive result
Task:
factors
of x = 10829;
Solution:
{7, 7,to
13,a 17}
– Observe:
Collusions
possible7 * 7 * 13 * 17 = 10829
Checking
input: {7,
7, 13, 17};still
Fingerprint:
• Uniqueness property: Results are either inherently
unique, or the dependence from the input values can be
verified
– Prevents replay attacks
Michael Kuhn, ETH Zurich @ IPDPS 2008
1010
Distributed Verification: Algorithm
• Prerequisites
– Fraction of cheaters is limited and considerably smaller than
50% (e.g. p ≤ 10%) => details later
– Punishment is possible
• Check each result, until a clear decision is possible
– Result good if „considerably more“ positive than negative checks
(and vice versa)
– As p is limited, high probability of correct decision (see paper for details)
– Punish cheaters (including colluders) and remove all their
pending results
• Assign checks uniformly at random among active clients
– Fast clients (often cheaters) cannot dominate checking
Michael Kuhn, ETH Zurich @ IPDPS 2008
1111
Lifecycle of a Task
Client 1 computes
result and adds
fingerprint
2
Client 2 computes
result and adds
fingerprint
4
Save result in DB
f(x)
1
x
c(x,f(x))
3
Server creates WU
(input x)
Server chooses client 2
uniformly at random and
stores fingerprint
Server chooses client 3
uniformly at random and
stores fingerprint
Result good, as a „large
majority“ of fingerprints match
the original one.
5
One after the other, to mitigate collusion
Michael Kuhn, ETH Zurich @ IPDPS 2008
1212
Preventing Sybil Attacks
• Problem: Zero cost identity
– Solution: Don‘t assign identity for free!
• Idea: Couple p (#clients) to q (computing resources)
– New client has to perform some work without getting credits
=> buys identity
– Goal: make the number of incorrect results a cheater can deliver
before being detected lower than the price to buy the identity
– Observe: For honest participants the price is low (as they only
have to „pay“ once)
Michael Kuhn, ETH Zurich @ IPDPS 2008
1313
Analysis (Simulation)
• Number of checks vs. number of results (p = 10%)
– Asymmetry: Checking is 50 times faster than calculation
– Fastest clients 100 times faster than slowest
Fast clients do not
dominate checking!
Michael Kuhn, ETH Zurich @ IPDPS 2008
1414
Analysis (Simulation) (2)
• Queue lengths
– Number of pending checks for different confidence values
Michael Kuhn, ETH Zurich @ IPDPS 2008
1515
Implementation in BOINC
Michael Kuhn, ETH Zurich @ IPDPS 2008
1616
ECC Challenge
• Task: Break large discrete logarithm on elliptic curve
– Currently: 130-bit
– Reward: 20,000 USD
• Discrete Logarithm
– Given a group with generator g, as well as a group element h:
Find x, such that g^x = h
• Best known algorithm: Pollard-Rho
– Well suited for parallelization and use in grids
Michael Kuhn, ETH Zurich @ IPDPS 2008
1717
Pollard-Rho (Sketch)
d1,3=d2,2
Normal point
d3,2
Distinguished point
d1,2
d3,1
d2,1
d1,1
f(x1)
f(x0)
d1,1
d1,2
d1,3
x1
d2,1
d2,2
d3,1
d3,2
x0
d1,3 = d2,2
Michael Kuhn, ETH Zurich @ IPDPS 2008
1818
Asymmetric Verification (Sketch)
1
• Not every point possesses
a predecessor
0.8
0.7
Probability
– Backward iteration has high
probability to fail after a
certain number of steps
0.9
0.6
0.5
P(length > 50) < 10%
0.4
0.3
0.2
0.1
0
0
50
100
150
200
250
Iterations
• Finding a distinguished point together with the required parameters
is asymptotically as expensive as forward iteration
• Checking function: Report the x-th predecessor
– Verifier can forward iterate x steps and check whether the
distinguished point is found
Michael Kuhn, ETH Zurich @ IPDPS 2008
1919
Conclusions
• Algorithm for distributed verification in volunteer
computing, which is resistant against:
– Seemingly fast clients (uniform selection of verifier among all
active clients)
– Lazy checking (fingerprint property)
– Replay attacks (uniqueness property)
– Sybil attacks (don‘t assign identity for free)
• Downside: Strong assumption on the verification function
– But: such verification functions exist (Pollard-Rho)
• Future: More generic approaches
Michael Kuhn, ETH Zurich @ IPDPS 2008
2020
Thanks for your Interest
• Questions?
Michael Kuhn, ETH Zurich @ IPDPS 2008
2121