Read the TexPoint manual before you delete this box A A A A Distributed Asymmetric Verification in Computational Grids Michael Kuhn Stefan Schmid Roger Wattenhofer IPDPS 2008 Miami Florida USA ID: 800307
Download The PPT/PDF document "TexPoint fonts used in EMF." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA
Distributed Asymmetric Verification in Computational Grids
Michael Kuhn
Stefan Schmid
Roger Wattenhofer
IPDPS 2008
Miami, Florida, USA
Slide2Michael Kuhn, ETH Zurich @ IPDPS 20082
Grid Computing
Goal: Use idle computing resources worldwide
Examples: seti@home, folding@home, ...
Slide3Michael Kuhn, ETH Zurich @ IPDPS 20083Model
Server
Clients (Participants)
#clients: 10
4
-10
6
Sends work-units (WU)
Returns result
Slide4Michael Kuhn, ETH Zurich @ IPDPS 20084Why should people participate?Incentives: honour („user of the day“), money, ...But: Incentives attract cheaters!
The Problem of Cheaters
Slide5Michael Kuhn, ETH Zurich @ IPDPS 20085
Verification requiredToday: RedundancyE.g. seti@home: Send the same task to 3 participants
This paper: Distributed asymmetric checking
Asymmetry: Verification is often cheaper than computation
Distributed: Participants check each other
The Problem of Cheaters
Random value
Slide6Michael Kuhn, ETH Zurich @ IPDPS 20086Contributions
Distributed checking algorithm integrated in BOINCFaster than redundancy if asymmetric checking function existsBetter guarantees than typically used redundancy schemes
Resistant against
Dominance of seemingly fast clients
Lazy checking
Sybil attacks
Proof-of-concept implementation for discrete logarithm problem
Asymmetric checking function for Pollard-rho algorithm
Slide7Michael Kuhn, ETH Zurich @ IPDPS 20087Related Work
Cheating is a problem[Kahney, Wired Magazine, Feb. 2001]
Seti@home: more than 50% of resources spent on cheating!
Ringer scheme (precompute selected results)
[Golle and Mironov, CT-RSA‘01], [Szaja et al., SP‘03]
Additional work on the server (precomputing ringers)
Commitment scheme with Merkle-tree
[Du et al., ICDCS‘04]
Additional work on the server (recompute some work-units)
Cryptographic protocols
e.g. [Aiello et al, ICALP‘00], [Cachin et al., EUROCRYPT‘99]
Often computationally too expensive in practice
Slide8Michael Kuhn, ETH Zurich @ IPDPS 20088Challenges
Cheaters seem to be much faster than ordinary participants
1% cheaters can submit >99%
of the results
Cheaters stay honest for a long time, and only then start to cheat
Opens many possibilities for cheaters
Never trust a participant
Lazy checking
Cheaters can calculate everything correctly but cheat during
verification (i.e. simply say the result was correct)
Slide9Michael Kuhn, ETH Zurich @ IPDPS 20089
Cheater Characterization
Fraction of cheating clients: p
Problem: Sybil attacks
Fraction of incorrect results
in the system:
r
Problem: Random results can be computed very fast
If no countermeasures are taken: r = 1
Fraction of computing power
of cheater(s):
qComputing power is expensive => q is limited
!Goal of cheaters: Pretend to have worked more than what is possible with the available computing resources
r
p
q
Slide10Michael Kuhn, ETH Zurich @ IPDPS 200810Asymmetric Verification
Performance property: It is much cheaper to verify the correctness of a result than to calculate the result
Asymmetric
Fingerprint property
: A verifier calculates a fingerprint rather than a boolean result
Server compares fingerprints
Only honestly computed checks can lead to a positive result
Observe: Collusions still possible
Uniqueness property
: Results are either inherently unique, or the dependence from the input values can be verified
Prevents replay attacks
Example:
Task: Find prime factors of x = 10829; Solution: {7, 7, 13, 17}
Checking input: {7, 7, 13, 17};
Fingerprint
: 7 * 7 * 13 * 17 =
10829
Slide11Michael Kuhn, ETH Zurich @ IPDPS 200811Distributed Verification: Algorithm
PrerequisitesFraction of cheaters is limited and considerably smaller than 50% (e.g. p ≤ 10%) => details later
Punishment is possible
Check each result, until a clear decision is possible
Result good if „considerably more“ positive than negative checks (and vice versa)
As p is limited, high probability of correct decision (see paper for details)
Punish cheaters (including colluders) and remove all their pending results
Assign checks
uniformly at random
among active clientsFast clients (often cheaters) cannot dominate checking
Slide12Michael Kuhn, ETH Zurich @ IPDPS 200812Lifecycle of a Task
One after the other, to mitigate collusion
1
2
3
4
5
Slide13Michael Kuhn, ETH Zurich @ IPDPS 200813Preventing Sybil Attacks
Problem: Zero cost identitySolution: Don‘t assign identity for free!Idea: Couple p (#clients) to q (computing resources)
New client has to perform some work without getting credits
=> buys identity
Goal: make the number of incorrect results a cheater can deliver before being detected lower than the price to buy the identity
Observe: For honest participants the price is low (as they only have to „pay“ once)
Slide14Michael Kuhn, ETH Zurich @ IPDPS 200814Analysis (Simulation)
Number of checks vs. number of results (p = 10%)Asymmetry: Checking is 50 times faster than calculationFastest clients 100 times faster than slowest
Fast clients do
not
dominate checking!
Slide15Michael Kuhn, ETH Zurich @ IPDPS 200815Analysis (Simulation) (2)
Queue lengthsNumber of pending checks for different confidence values
Slide16Michael Kuhn, ETH Zurich @ IPDPS 200816Implementation in BOINC
Slide17Michael Kuhn, ETH Zurich @ IPDPS 200817ECC Challenge
Task: Break large discrete logarithm on elliptic curve
Currently: 130-bit
Reward: 20,000 USD
Discrete Logarithm
Given a group with generator g, as well as a group element h:
Find x, such that g^x = h
Best known algorithm: Pollard-Rho
Well suited for parallelization and use in grids
Slide18Michael Kuhn, ETH Zurich @ IPDPS 200818Pollard-Rho (Sketch)
Slide19Michael Kuhn, ETH Zurich @ IPDPS 200819Asymmetric Verification (Sketch)
Not every point possesses a predecessorBackward iteration has high
probability to fail after a
certain number of steps
Finding a distinguished point together with the required parameters is asymptotically as expensive as forward iteration
Checking function: Report the x-th predecessor
Verifier can forward iterate x steps and check whether the
distinguished point is found
P(length > 50) < 10%
Slide20Michael Kuhn, ETH Zurich @ IPDPS 200820Conclusions
Algorithm for distributed verification in volunteer computing, which is resistant against:Seemingly fast clients (uniform selection of verifier among all active clients)Lazy checking (fingerprint property)
Replay attacks (uniqueness property)
Sybil attacks (don‘t assign identity for free)
Downside: Strong assumption on the verification function
But: such verification functions exist (Pollard-Rho)
Future: More generic approaches
Slide21Michael Kuhn, ETH Zurich @ IPDPS 200821Thanks for your Interest
Questions?