psi from paxos
play

PSI from PaXoS: Fast, Malicious Private Set Intersection - PowerPoint PPT Presentation

Aug 29, 2023 •14 likes •1.04k views

PSI from PaXoS: Fast, Malicious Private Set Intersection ia.cr/2020/193 Benny Pinkas Bar-Ilan University Mike Rosulek Oregon State University Ni Trieu UC Berkeley Avishay Yanai VMware Eurocrypt 2020, COVID-19 edition what is private set

  1. why isn’t it secure against malicious parties? Alice Bob F 1 (·) 1 F 2 (·) Bob should send two 2 c c , e F 3 (·) F -values per item , what if 3 F 4 (·) he sends only one? d 4 d F 5 (·) e 5 F 6 (·) 6 f e c , d F 7 (·) 7 F 8 (·) 8 f F 9 (·) 9 f F 10 (·) 10 � � F 3 ( c ) , F 3 ( e ) , F 4 ( d ) , . . . , F 7 ( c ) , . . .

  2. why isn’t it secure against malicious parties? Alice Bob 1 Bob should send two 2 F -values per item , what if 3 he sends only one? 4 5 Alice has c ; does she 6 c include it in output? 7 8 9 10 � � F 3 ( c ) , F 3 ( e ) , F 4 ( d ) , . . . , F 7 ( c ) , . . .

  3. why isn’t it secure against malicious parties? Alice Bob 1 Bob should send two 2 F 3 ( c ) F -values per item , what if 3 he sends only one? 4 5 Alice has c ; does she 6 c include it in output? 7 8 9 10 � � F 3 ( c ) , F 3 ( e ) , F 4 ( d ) , . . . , F 7 ( c ) , . . .

  4. why isn’t it secure against malicious parties? Alice Bob 1 Bob should send two 2 F 3 ( c ) F -values per item , what if 3 he sends only one? 4 5 Alice has c ; does she 6 c include it in output? 7 8 9 10 � � F 3 ( c ) , F 3 ( e ) , F 4 ( d ) , . . . , F 7 ( c ) , . . .

  5. why isn’t it secure against malicious parties? Alice Bob 1 Bob should send two 2 F -values per item , what if 3 he sends only one? 4 5 Alice has c ; does she 6 c include it in output? F 7 ( c ) 7 8 9 10 � � F 3 ( c ) , F 3 ( e ) , F 4 ( d ) , . . . , F 7 ( c ) , . . .

  6. why isn’t it secure against malicious parties? Alice Bob 1 Bob should send two 2 F -values per item , what if 3 he sends only one? 4 5 Alice has c ; does she 6 c include it in output? F 7 ( c ) 7 8 ?? Only if c placed in bin 3! 9 10 � � F 3 ( c ) , F 3 ( e ) , F 4 ( d ) , . . . , F 7 ( c ) , . . .

  7. why isn’t it secure against malicious parties? Alice Bob 1 Bob should send two 2 F -values per item , what if 3 he sends only one? 4 5 Alice has c ; does she 6 c include it in output? 7 8 Only if c placed in bin 3! 9 ◮ Depends on Alice’s 10 entire input ! � � ⇒ can’t simulate! F 3 ( c ) , F 3 ( e ) , F 4 ( d ) , . . . , F 7 ( c ) , . . .

  8. how do we overcome this problem?

  9. batch OPRF for malicious PSI Alice Bob F 1 ( x 1 ) F 1 (·) 1 F 2 ( x 2 ) F 2 (·) 2 F 3 ( x 3 ) F 3 (·) 3 F 4 ( x 4 ) F 4 (·) 4 F 5 ( x 5 ) F 5 (·) 5 F 6 ( x 6 ) F 6 (·) 6 F 7 ( x 7 ) F 7 (·) 7 F 8 ( x 8 ) F 8 (·) 8 F 9 ( x 9 ) F 9 (·) 9 . . .

  10. batch OPRF for malicious PSI Alice Bob State of the art malicious batch OPRF [OOS17] F 1 ( x 1 ) F 1 (·) 1 ◮ essentially same cost as semi-honest F 2 ( x 2 ) F 2 (·) 2 F 3 ( x 3 ) F 3 (·) 3 F 4 ( x 4 ) F 4 (·) 4 F 5 ( x 5 ) F 5 (·) 5 F 6 ( x 6 ) F 6 (·) 6 F 7 ( x 7 ) F 7 (·) 7 F 8 ( x 8 ) F 8 (·) 8 F 9 ( x 9 ) F 9 (·) 9 . . .

  11. batch OPRF for malicious PSI Alice Bob State of the art malicious batch OPRF [OOS17] F 1 ( x 1 ) F 1 (·) 1 ◮ essentially same cost as semi-honest F 2 ( x 2 ) F 2 (·) 2 F 3 ( x 3 ) F 3 (·) 3 ◮ consistency check relies on an additive homomorphism: F 4 ( x 4 ) F 4 (·) 4 F 5 ( x 5 ) F 5 (·) F i ( x ) ⊕ F j ( y ) = F ij ( x ⊕ y ) 5 F 6 ( x 6 ) F 6 (·) 6 F 7 ( x 7 ) F 7 (·) 7 F 8 ( x 8 ) F 8 (·) 8 F 9 ( x 9 ) F 9 (·) 9 ∗ : a gross oversimplification . . .

  12. our protocol main idea: Alice Bob 1 2 a c 3 4 b d 5 6 c e 7 8 d f 9 10

  13. our protocol main idea: Alice Bob 1 2 a c 3 4 b d 5 6 c e 7 8 d f 9 10

  14. our protocol main idea: Alice Bob 1 s 2 2 s 2 ⊕ s 7 = a c 3 4 b d Alice secret-shares x into 5 bins h 1 ( x ) and h 2 ( x ) 6 c e s 7 7 8 d f 9 10

  15. our protocol main idea: Alice Bob 1 s 2 2 s 2 ⊕ s 7 = a c 3 4 b d Alice secret-shares x into 5 bins h 1 ( x ) and h 2 ( x ) 6 c e s 7 7 8 d f 9 10

  16. our protocol main idea: Alice Bob 1 s 2 2 s 2 ⊕ s 7 = a c s 3 3 4 s 3 ⊕ s 9 = b d Alice secret-shares x into 5 bins h 1 ( x ) and h 2 ( x ) 6 c e s 7 7 8 d f s 9 9 10

  17. our protocol main idea: Alice Bob s 1 1 s 2 2 s 2 ⊕ s 7 = a c s 3 3 s 4 4 s 3 ⊕ s 9 = b d s 5 Alice secret-shares x into 5 s 6 bins h 1 ( x ) and h 2 ( x ) 6 s 3 ⊕ s 7 = c e s 7 7 s 8 8 s 4 ⊕ s 7 = d f s 9 9 s 10 10

  18. our protocol main idea: Alice Bob F 1 ( s 1 ) F 1 (·) 1 F 2 ( s 2 ) F 2 (·) 2 s 2 ⊕ s 7 = a c F 3 ( s 3 ) F 3 (·) 3 F 4 ( s 4 ) F 4 (·) 4 s 3 ⊕ s 9 = b d F 5 ( s 5 ) F 5 (·) Alice secret-shares x into 5 F 6 ( s 6 ) F 6 (·) bins h 1 ( x ) and h 2 ( x ) 6 s 3 ⊕ s 7 = c e F 7 ( s 7 ) F 7 (·) 7 F 8 ( s 8 ) F 8 (·) 8 s 4 ⊕ s 7 = d f F 9 ( s 9 ) F 9 (·) 9 F 10 ( s 10 ) F 10 (·) 10

  19. our protocol main idea: Alice Bob F 1 ( s 1 ) F 1 (·) 1 F 2 ( s 2 ) F 2 (·) 2 s 2 ⊕ s 7 = a c F 3 ( s 3 ) F 3 (·) 3 F 4 ( s 4 ) F 4 (·) 4 s 3 ⊕ s 9 = b d F 5 ( s 5 ) F 5 (·) Alice secret-shares x into 5 F 6 ( s 6 ) F 6 (·) bins h 1 ( x ) and h 2 ( x ) 6 s 3 ⊕ s 7 = c e F 7 ( s 7 ) F 7 (·) 7 F 8 ( s 8 ) F 8 (·) 8 s 4 ⊕ s 7 = d f F 9 ( s 9 ) F 9 (·) 9 F 10 ( s 10 ) F 10 (·) 10 F 2 ( s 2 ) ⊕ F 7 ( s 7 ) = F 27 ( a )

  20. our protocol main idea: Alice Bob F 1 ( s 1 ) F 1 (·) 1 F 2 ( s 2 ) F 2 (·) 2 s 2 ⊕ s 7 = a c F 3 ( s 3 ) F 3 (·) 3 F 4 ( s 4 ) F 4 (·) 4 s 3 ⊕ s 9 = b d F 5 ( s 5 ) F 5 (·) Alice secret-shares x into 5 F 6 ( s 6 ) F 6 (·) bins h 1 ( x ) and h 2 ( x ) 6 s 3 ⊕ s 7 = c e F 7 ( s 7 ) F 7 (·) 7 F 8 ( s 8 ) F 8 (·) 8 s 4 ⊕ s 7 = d f F 9 ( s 9 ) F 9 (·) 9 F 10 ( s 10 ) F 10 (·) 10 F 2 ( s 2 ) ⊕ F 7 ( s 7 ) = F 27 ( a ) F 3 ( s 3 ) ⊕ F 9 ( s 9 ) = F 39 ( b )

  21. our protocol main idea: Alice Bob F 1 ( s 1 ) F 1 (·) 1 F 2 ( s 2 ) F 2 (·) 2 s 2 ⊕ s 7 = a c F 3 ( s 3 ) F 3 (·) 3 F 4 ( s 4 ) F 4 (·) 4 s 3 ⊕ s 9 = b d F 5 ( s 5 ) F 5 (·) Alice secret-shares x into 5 F 6 ( s 6 ) F 6 (·) bins h 1 ( x ) and h 2 ( x ) 6 s 3 ⊕ s 7 = c e F 7 ( s 7 ) F 7 (·) 7 F 8 ( s 8 ) F 8 (·) 8 s 4 ⊕ s 7 = d f F 9 ( s 9 ) F 9 (·) 9 F 10 ( s 10 ) F 10 (·) 10 F 2 ( s 2 ) ⊕ F 7 ( s 7 ) = F 27 ( a ) F 3 ( s 3 ) ⊕ F 9 ( s 9 ) = F 39 ( b ) F 3 ( s 3 ) ⊕ F 7 ( s 7 ) = F 37 ( c ) F 4 ( s 4 ) ⊕ F 7 ( s 7 ) = F 47 ( d )

  22. our protocol main idea: Alice Bob F 1 ( s 1 ) F 1 (·) 1 F 2 ( s 2 ) F 2 (·) 2 s 2 ⊕ s 7 = a c F 3 ( s 3 ) F 3 (·) 3 F 4 ( s 4 ) F 4 (·) 4 s 3 ⊕ s 9 = b d F 5 ( s 5 ) F 5 (·) Alice secret-shares x into 5 F 6 ( s 6 ) F 6 (·) bins h 1 ( x ) and h 2 ( x ) 6 s 3 ⊕ s 7 = c e F 7 ( s 7 ) F 7 (·) 7 F 8 ( s 8 ) F 8 (·) 8 s 4 ⊕ s 7 = d f F 9 ( s 9 ) F 9 (·) 9 F 10 ( s 10 ) F 10 (·) 10 F 2 ( s 2 ) ⊕ F 7 ( s 7 ) = F 27 ( a ) F 3 ( s 3 ) ⊕ F 9 ( s 9 ) = F 39 ( b ) F 3 ( s 3 ) ⊕ F 7 ( s 7 ) = F 37 ( c ) F 4 ( s 4 ) ⊕ F 7 ( s 7 ) = F 47 ( d )

  23. our protocol main idea: Alice Bob F 1 ( s 1 ) F 1 (·) 1 F 2 ( s 2 ) F 2 (·) 2 s 2 ⊕ s 7 = a c F 3 ( s 3 ) F 3 (·) 3 F 4 ( s 4 ) F 4 (·) 4 s 3 ⊕ s 9 = b d F 5 ( s 5 ) F 5 (·) Alice secret-shares x into 5 F 6 ( s 6 ) F 6 (·) bins h 1 ( x ) and h 2 ( x ) 6 s 3 ⊕ s 7 = c e F 7 ( s 7 ) F 7 (·) 7 F 8 ( s 8 ) F 8 (·) 8 s 4 ⊕ s 7 = d f F 9 ( s 9 ) F 9 (·) 9 F 10 ( s 10 ) F 10 (·) 10 F 2 ( s 2 ) ⊕ F 7 ( s 7 ) = F 27 ( a ) � � F 3 ( s 3 ) ⊕ F 9 ( s 9 ) = F 39 ( b ) F 37 ( c ) , F 3 ( s 3 ) ⊕ F 7 ( s 7 ) = F 37 ( c ) F 4 ( s 4 ) ⊕ F 7 ( s 7 ) = F 47 ( d )

  24. our protocol main idea: Alice Bob F 1 ( s 1 ) F 1 (·) 1 F 2 ( s 2 ) F 2 (·) 2 s 2 ⊕ s 7 = a c F 3 ( s 3 ) F 3 (·) 3 F 4 ( s 4 ) F 4 (·) 4 s 3 ⊕ s 9 = b d F 5 ( s 5 ) F 5 (·) Alice secret-shares x into 5 F 6 ( s 6 ) F 6 (·) bins h 1 ( x ) and h 2 ( x ) 6 s 3 ⊕ s 7 = c e F 7 ( s 7 ) F 7 (·) 7 F 8 ( s 8 ) F 8 (·) 8 s 4 ⊕ s 7 = d f F 9 ( s 9 ) F 9 (·) 9 F 10 ( s 10 ) F 10 (·) 10 F 2 ( s 2 ) ⊕ F 7 ( s 7 ) = F 27 ( a ) � � F 3 ( s 3 ) ⊕ F 9 ( s 9 ) = F 39 ( b ) F 37 ( c ) , F 47 ( d ) , F 3 ( s 3 ) ⊕ F 7 ( s 7 ) = F 37 ( c ) F 4 ( s 4 ) ⊕ F 7 ( s 7 ) = F 47 ( d )

  25. our protocol main idea: Alice Bob F 1 ( s 1 ) F 1 (·) 1 F 2 ( s 2 ) F 2 (·) 2 s 2 ⊕ s 7 = a c F 3 ( s 3 ) F 3 (·) 3 F 4 ( s 4 ) F 4 (·) 4 s 3 ⊕ s 9 = b d F 5 ( s 5 ) F 5 (·) Alice secret-shares x into 5 F 6 ( s 6 ) F 6 (·) bins h 1 ( x ) and h 2 ( x ) 6 s 3 ⊕ s 7 = c e F 7 ( s 7 ) F 7 (·) 7 F 8 ( s 8 ) F 8 (·) 8 s 4 ⊕ s 7 = d f F 9 ( s 9 ) F 9 (·) 9 Bob sends only one F 10 ( s 10 ) F 10 (·) 10 F -value per item F 2 ( s 2 ) ⊕ F 7 ( s 7 ) = F 27 ( a ) � � F 3 ( s 3 ) ⊕ F 9 ( s 9 ) = F 39 ( b ) F 37 ( c ) , F 47 ( d ) , F 35 ( e ) , F 69 ( f ) F 3 ( s 3 ) ⊕ F 7 ( s 7 ) = F 37 ( c ) F 4 ( s 4 ) ⊕ F 7 ( s 7 ) = F 47 ( d )

  26. our protocol main idea: Alice Bob F 1 ( s 1 ) F 1 (·) 1 F 2 ( s 2 ) F 2 (·) 2 s 2 ⊕ s 7 = a c F 3 ( s 3 ) F 3 (·) 3 F 4 ( s 4 ) F 4 (·) 4 s 3 ⊕ s 9 = b d F 5 ( s 5 ) F 5 (·) Alice secret-shares x into 5 F 6 ( s 6 ) F 6 (·) bins h 1 ( x ) and h 2 ( x ) 6 s 3 ⊕ s 7 = c e F 7 ( s 7 ) F 7 (·) 7 F 8 ( s 8 ) F 8 (·) 8 s 4 ⊕ s 7 = d f F 9 ( s 9 ) F 9 (·) 9 Bob sends only one F 10 ( s 10 ) F 10 (·) 10 F -value per item F 2 ( s 2 ) ⊕ F 7 ( s 7 ) = F 27 ( a ) � � F 3 ( s 3 ) ⊕ F 9 ( s 9 ) = F 39 ( b ) F 37 ( c ) , F 47 ( d ) , F 35 ( e ) , F 69 ( f ) F 3 ( s 3 ) ⊕ F 7 ( s 7 ) = F 37 ( c ) F 4 ( s 4 ) ⊕ F 7 ( s 7 ) = F 47 ( d )

  27. [how] can Alice secret-share all items? s 1 s 2 s 2 ⊕ s 7 = a s 3 s 4 s 3 ⊕ s 9 = b s 5 s 6 s 3 ⊕ s 7 = c s 7 s 8 s 4 ⊕ s 7 = d s 9 s 10

  28. [how] can Alice secret-share all items? – – s 2 ⊕ s 7 = a – – s 3 ⊕ s 9 = b – – s 3 ⊕ s 7 = c – – s 4 ⊕ s 7 = d – –

  29. [how] can Alice secret-share all items? – s 2 s 2 ⊕ s 7 = a – – algorithm: s 3 ⊕ s 9 = b – set one location arbitrarily – s 3 ⊕ s 7 = c – – s 4 ⊕ s 7 = d – –

  30. [how] can Alice secret-share all items? – s 2 s 2 ⊕ s 7 = a – – algorithm: s 3 ⊕ s 9 = b – set one location arbitrarily – s 3 ⊕ s 7 = c – find item with one unset location – s 4 ⊕ s 7 = d – –

  31. [how] can Alice secret-share all items? – s 2 s 2 ⊕ s 7 = a – – algorithm: s 3 ⊕ s 9 = b – set one location arbitrarily – s 3 ⊕ s 7 = c s 7 find item with one unset location solve for that unset location – s 4 ⊕ s 7 = d – –

  32. [how] can Alice secret-share all items? – s 2 s 2 ⊕ s 7 = a – – algorithm: s 3 ⊕ s 9 = b – set one location arbitrarily – repeat: s 3 ⊕ s 7 = c s 7 find item with one unset location solve for that unset location – s 4 ⊕ s 7 = d – –

  33. [how] can Alice secret-share all items? – s 2 s 2 ⊕ s 7 = a s 3 – algorithm: s 3 ⊕ s 9 = b – set one location arbitrarily – repeat: s 3 ⊕ s 7 = c s 7 find item with one unset location solve for that unset location – s 4 ⊕ s 7 = d – –

  34. [how] can Alice secret-share all items? – s 2 s 2 ⊕ s 7 = a s 3 – algorithm: s 3 ⊕ s 9 = b – set one location arbitrarily – repeat: s 3 ⊕ s 7 = c s 7 find item with one unset location solve for that unset location – s 4 ⊕ s 7 = d – –

  35. [how] can Alice secret-share all items? – s 2 s 2 ⊕ s 7 = a s 3 – algorithm: s 3 ⊕ s 9 = b – set one location arbitrarily – repeat: s 3 ⊕ s 7 = c s 7 find item with one unset location solve for that unset location – s 4 ⊕ s 7 = d s 9 –

  36. [how] can Alice secret-share all items? – s 2 s 2 ⊕ s 7 = a s 3 – algorithm: s 3 ⊕ s 9 = b – set one location arbitrarily – repeat: s 3 ⊕ s 7 = c s 7 find item with one unset location solve for that unset location – s 4 ⊕ s 7 = d s 9 –

  37. [how] can Alice secret-share all items? – s 2 s 2 ⊕ s 7 = a s 3 s 4 algorithm: s 3 ⊕ s 9 = b – set one location arbitrarily – repeat: s 3 ⊕ s 7 = c s 7 find item with one unset location solve for that unset location – s 4 ⊕ s 7 = d s 9 –

  38. [how] can Alice secret-share all items? s 1 s 2 s 2 ⊕ s 7 = a s 3 s 4 algorithm: s 3 ⊕ s 9 = b s 5 set one location arbitrarily s 6 repeat: s 3 ⊕ s 7 = c s 7 find item with one unset location solve for that unset location s 8 s 4 ⊕ s 7 = d s 9 s 10

  39. [how] can Alice secret-share all items? s 1 s 2 s 2 ⊕ s 7 = a s 3 s 4 algorithm: s 3 ⊕ s 9 = b s 5 set one location arbitrarily s 6 repeat: s 3 ⊕ s 7 = c s 7 find item with one unset location solve for that unset location s 8 s 4 ⊕ s 7 = d s 9 only works if cuckoo graph acyclic s 10 � ������ �� ������ � cuckoo graph

  40. s 1 s 2 s 2 ⊕ s 7 = a s 3 s 4 s 3 ⊕ s 9 = b s 5 s 6 s 3 ⊕ s 7 = c s 7 s 8 s 4 ⊕ s 7 = d s 9 s 10

  41. s 1 s 2 a s 3 s 4 encode so that for all x : b s 5 Encode s 6 s h 1 ( x ) ⊕ s h 2 ( x ) = x c s 7 s 8 d s 9 s 10

  42. probe-and-XOR-of-strings (PaXoS) s 1 s 2 a s 3 encode so that for all x : s 4 � b s 5 s i = x Encode s 6 c s 7 i ∈ P ( x ) s 8 d s 9 s 10

  43. probe-and-XOR-of-strings (PaXoS) s 1 s 2 a s 3 encode so that for all x : s 4 � b s 5 s i = x Encode s 6 c s 7 i ∈ P ( x ) s 8 d s 9 s 10 1. system of linear constraints must be satisfiable with overwhelming probability

  44. probe-and-XOR-of-strings (PaXoS) s 1 s 2 a s 3 encode so that for all x : s 4 � b s 5 s i = x Encode s 6 c s 7 i ∈ P ( x ) s 8 d s 9 s 10 1. system of linear constraints must be satisfiable with overwhelming probability 2. |� s | = number of OPRFs = communication cost of PSI, ideally O ( # items )

  45. probe-and-XOR-of-strings (PaXoS) s 1 s 2 a s 3 encode so that for all x : s 4 � b s 5 s i = x Encode s 6 c s 7 i ∈ P ( x ) s 8 d s 9 s 10 1. system of linear constraints must be satisfiable with overwhelming probability 2. |� s | = number of OPRFs = communication cost of PSI, ideally O ( # items ) 3. ideally linear-time encoding of items into � s .

  46. PaXoS constructions secret-shared cuckoo idea: ◮ requires acyclic cuckoo graph ◮ failure probability too high

  47. PaXoS constructions secret-shared cuckoo idea: ◮ requires acyclic cuckoo graph ◮ failure probability too high probe each position with probability 0.5: ◮ n items � vector of size n + λ ◮ expensive O ( n 3 ) encoding

  48. PaXoS constructions secret-shared cuckoo idea: garbled bloom filter [DCW13]: ◮ requires acyclic cuckoo graph ◮ n items � vector of size λ n ◮ failure probability too high probe each position with probability 0.5: ◮ n items � vector of size n + λ ◮ expensive O ( n 3 ) encoding

  49. PaXoS constructions secret-shared cuckoo idea: garbled bloom filter [DCW13]: ◮ requires acyclic cuckoo graph ◮ n items � vector of size λ n ◮ failure probability too high new garbled cuckoo PaXoS: probe each position with probability 0.5: ◮ n items � vector of size ∼ 2 . 4 n ◮ n items � vector of size n + λ ◮ fast encoding: O ( n λ ) ◮ expensive O ( n 3 ) encoding

  50. new garbled cuckoo PaXoS s 1 for each item x : s 2 ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 s 4 b s 5 s 6 c s 7 s 8 d s 9 s 10 e

  51. new garbled cuckoo PaXoS s 1 for each item x : s 2 ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 s 4 b s 5 s 6 c s 7 s 8 d s 9 s 10 e

  52. new garbled cuckoo PaXoS s 1 for each item x : s 2 ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 s 4 b s 5 s 6 c s 7 s 8 d s 9 s 10 e s 11    s 12   k aux positions .  .  .  s 10 + k 

  53. new garbled cuckoo PaXoS s 1 for each item x : s 2 ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 ◮ probe random subset of aux positions s 4 b s 5 s 6 c s 7 s 8 d s 9 s 10 e s 11    s 12   k aux positions .  .  .  s 10 + k 

  54. new garbled cuckoo PaXoS s 1 - for each item x : s 2 - ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 - ◮ probe random subset of aux positions s 4 - b s 5 - s 6 - c s 7 - s 8 - d s 9 - s 10 - e s 11 -    s 12 -   k .  .  .  s 10 + k - 

  55. new garbled cuckoo PaXoS s 1 - for each item x : s 2 - ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 - ◮ probe random subset of aux positions s 4 - b s 5 - 1. identify all items across all cycles s 6 - c s 7 - s 8 - d s 9 - s 10 - e s 11 -    s 12 -   k .  .  .  s 10 + k - 

  56. new garbled cuckoo PaXoS s 1 - for each item x : s 2 - ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 - ◮ probe random subset of aux positions s 4 - b s 5 - 1. identify all items across all cycles s 6 - ◮ solve linear system for the cycle items c s 7 - s 8 - d s 9 - s 10 - e s 11 -    s 12 -   k .  .  .  s 10 + k - 

  57. new garbled cuckoo PaXoS s 1 - for each item x : s 2 - ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 - ◮ probe random subset of aux positions s 4 - b s 5 - 1. identify all items across all cycles s 6 - ◮ solve linear system for the cycle items c s 7 - ◮ solution exists whp if k > [ # cycle items ] + λ s 8 - d s 9 - s 10 - e s 11 -    s 12 -   k .  .  .  s 10 + k - 

  58. new garbled cuckoo PaXoS s 1 - for each item x : s 2 - ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 ◮ probe random subset of aux positions s 4 - � b s 5 - 1. identify all items across all cycles s 6 - ◮ solve linear system for the cycle items � c s 7 ◮ solution exists whp if k > [ # cycle items ] + λ s 8 - ◮ can be found in [ # cycle items ] 3 time d s 9 s 10 - e � s 11    s 12   k .  .  .  s 10 + k 

  59. new garbled cuckoo PaXoS s 1 - for each item x : s 2 - ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 ◮ probe random subset of aux positions s 4 - � b s 5 - 1. identify all items across all cycles s 6 - ◮ solve linear system for the cycle items � c s 7 ◮ solution exists whp if k > [ # cycle items ] + λ s 8 - ◮ can be found in [ # cycle items ] 3 time d s 9 s 10 - e � s 11 2. solve for remaining items iteratively (linear time)    s 12   k .  .  .  s 10 + k 

  60. new garbled cuckoo PaXoS s 1 - for each item x : s 2 - ◮ probe positions h 1 ( x ) and h 2 ( x ) a s 3 ◮ probe random subset of aux positions s 4 - � b s 5 - 1. identify all items across all cycles s 6 - ◮ solve linear system for the cycle items � c s 7 ◮ solution exists whp if k > [ # cycle items ] + λ s 8 - ◮ can be found in [ # cycle items ] 3 time d s 9 s 10 - e � s 11 2. solve for remaining items iteratively (linear time)    s 12   k .  .  .  s 10 + k 

  61. new garbled cuckoo PaXoS s 1 - for each item x : s 2 ◮ probe positions h 1 ( x ) and h 2 ( x ) � a s 3 ◮ probe random subset of aux positions s 4 - � b s 5 - 1. identify all items across all cycles s 6 - ◮ solve linear system for the cycle items � c s 7 ◮ solution exists whp if k > [ # cycle items ] + λ s 8 - ◮ can be found in [ # cycle items ] 3 time d s 9 s 10 - e � s 11 2. solve for remaining items iteratively (linear time)    s 12 ◮ remaining cuckoo graph is acyclic   k .  .  .  s 10 + k 

  62. new garbled cuckoo PaXoS s 1 - for each item x : s 2 ◮ probe positions h 1 ( x ) and h 2 ( x ) � a s 3 ◮ probe random subset of aux positions s 4 - � b s 5 - 1. identify all items across all cycles s 6 - ◮ solve linear system for the cycle items � c s 7 ◮ solution exists whp if k > [ # cycle items ] + λ s 8 - ◮ can be found in [ # cycle items ] 3 time d s 9 s 10 - e � s 11 2. solve for remaining items iteratively (linear time)    s 12 ◮ remaining cuckoo graph is acyclic   k .  .  .  s 10 + k 

  63. new garbled cuckoo PaXoS s 1 - for each item x : s 2 ◮ probe positions h 1 ( x ) and h 2 ( x ) � a s 3 ◮ probe random subset of aux positions s 4 � b s 5 - 1. identify all items across all cycles s 6 - ◮ solve linear system for the cycle items � c s 7 ◮ solution exists whp if k > [ # cycle items ] + λ s 8 - ◮ can be found in [ # cycle items ] 3 time � d s 9 s 10 - e � s 11 2. solve for remaining items iteratively (linear time)    s 12 ◮ remaining cuckoo graph is acyclic   k .  .  .  s 10 + k 

  64. new garbled cuckoo PaXoS s 1 for each item x : s 2 ◮ probe positions h 1 ( x ) and h 2 ( x ) � a s 3 ◮ probe random subset of aux positions s 4 � b s 5 1. identify all items across all cycles s 6 ◮ solve linear system for the cycle items � c s 7 ◮ solution exists whp if k > [ # cycle items ] + λ s 8 ◮ can be found in [ # cycle items ] 3 time � d s 9 s 10 e � s 11 2. solve for remaining items iteratively (linear time)    s 12 ◮ remaining cuckoo graph is acyclic   k .  .  .  s 10 + k 

  65. new garbled cuckoo PaXoS s 1 for each item x : s 2 ◮ probe positions h 1 ( x ) and h 2 ( x ) � a s 3 ◮ probe random subset of aux positions s 4 � b s 5 1. identify all items across all cycles s 6 ◮ solve linear system for the cycle items � c s 7 ◮ solution exists whp if k > [ # cycle items ] + λ s 8 ◮ can be found in [ # cycle items ] 3 time � d s 9 s 10 e � s 11 2. solve for remaining items iteratively (linear time)    s 12 ◮ remaining cuckoo graph is acyclic   k .  .  .  s 10 + k  whp: [# cycle items] is O ( log n )

Recommend

The ABCDs of Paxos Consensus: a set of processes decide on an input value Main application:

The ABCDs of Paxos Consensus: a set of processes decide on an input value Main application:

The ABCDs of Paxos Consensus: a set of processes decide on an input value Main application: Replicated state machines Paxos asynchronous consensus algorithm AP Abstract Paxos: generic, non-local version CP Classic Paxos: stopping failures,

402 views • 25 slides
Paxos Week: Return of the State Machine Doug Woos Logistics notes No in-class lecture Monday

Paxos Week: Return of the State Machine Doug Woos Logistics notes No in-class lecture Monday

Paxos Week: Return of the State Machine Doug Woos Logistics notes No in-class lecture Monday Problem Set 2 due tonight Lab 3 out Paxos Made Simple Discussion Paxos vs. Primary/Backup Paxos vs. 2PC What about reconfig? The story of Paxos

1.03k views • 79 slides
The ABCDs of Paxos Replicated state machines Consensus: a set of processes decide on an input

The ABCDs of Paxos Replicated state machines Consensus: a set of processes decide on an input

The ABCDs of Paxos Replicated state machines Consensus: a set of processes decide on an input value Paxos asynchronous consensus algorithm AP Abstract Paxos: generic, non-local version CP Classic Paxos: stopping failures, compare-and-swap

522 views • 25 slides
Flexible Paxos: Quorum Intersection Revisited Wen-Chien Wang Review Paxos Prepare Promise

Flexible Paxos: Quorum Intersection Revisited Wen-Chien Wang Review Paxos Prepare Promise

Flexible Paxos: Quorum Intersection Revisited Wen-Chien Wang Review Paxos Prepare Promise Phase 1 Phase 2 Propose Accept Reference: Manos Kapritsos, EECS 591 Distributed System, Lecture 10 Requirements in Paxos acceptors can tolerate

425 views • 18 slides
Paxos and Replication Dan Ports, CSEP 552 Today: achieving consensus with Paxos and how

Paxos and Replication Dan Ports, CSEP 552 Today: achieving consensus with Paxos and how

Paxos and Replication Dan Ports, CSEP 552 Today: achieving consensus with Paxos and how to use this to build a replicated system Last week Scaling a web service using front-end caching but what about the

776 views • 59 slides
Distributed Systems: Paxos Burcu Canakci & Matt Burke Outline 1. Consensus 2. The

Distributed Systems: Paxos Burcu Canakci & Matt Burke Outline 1. Consensus 2. The

Distributed Systems: Paxos Burcu Canakci & Matt Burke Outline 1. Consensus 2. The Part-Time Parliament 3. Single-Decree Paxos 4. Liveness 5. Multi-Decree Paxos 6. Paxos Variants 7. Conclusion Outline 1. Consensus 2. The

962 views • 82 slides
Sharding Scaling Paxos: Shards We can use Paxos to decide on the order of operations, e.g., to a

Sharding Scaling Paxos: Shards We can use Paxos to decide on the order of operations, e.g., to a

Sharding Scaling Paxos: Shards We can use Paxos to decide on the order of operations, e.g., to a key-value store - leader sends each op to all servers - practical limit on how ops/second What if we want to scale to more clients? Sharding

977 views • 76 slides
Fast Paxos Trevor Chan Outline Paxos Protocol 1. Fast Paxos Protocol 2. Consensus

Fast Paxos Trevor Chan Outline Paxos Protocol 1. Fast Paxos Protocol 2. Consensus

Fast Paxos Trevor Chan Outline Paxos Protocol 1. Fast Paxos Protocol 2. Consensus Correctness Criteria Safety If value is chosen, then value must be chosen by any other process that has chosen a value Value chosen must have been proposed

659 views • 32 slides
Paxos Made Moderately Complex Robert Van Renesse Cornell University Problems Addressed

Paxos Made Moderately Complex Robert Van Renesse Cornell University Problems Addressed

Paxos Made Moderately Complex Robert Van Renesse Cornell University Problems Addressed Implementation of Multi-Decree Paxos Not a simple protocol! Liveness How to make Paxos live without overly

698 views • 11 slides
Paxos wrapup Doug Woos Logistics notes Whence video lecture? Problem Set 3 out on Friday Paxos

Paxos wrapup Doug Woos Logistics notes Whence video lecture? Problem Set 3 out on Friday Paxos

Paxos wrapup Doug Woos Logistics notes Whence video lecture? Problem Set 3 out on Friday Paxos Made Moderately Complex Made Simple When to run for office When should a leader try to get elected? - At the beginning of time - When the current

538 views • 31 slides
Generalized Consensus and Paxos Lamport, Leslie 2005 Problem

Generalized Consensus and Paxos Lamport, Leslie 2005 Problem

Generalized Consensus and Paxos Lamport, Leslie 2005 Problem addressed Already developed Fast Paxos (unpublished) by himself. Only 2 message delay (opEmal)

490 views • 11 slides
DISTRIBUTED SYSTEMS: PAXOS Hakim Weatherspoon CS6410 Slides borrowed liberally from past

DISTRIBUTED SYSTEMS: PAXOS Hakim Weatherspoon CS6410 Slides borrowed liberally from past

1 DISTRIBUTED SYSTEMS: PAXOS Hakim Weatherspoon CS6410 Slides borrowed liberally from past presentations from Robert Surton, Cecchetti, Burcu Canakci and Matt Burke Timeline Time, Clocks and Ordering State Machine Replication Paxos Published

1.28k views • 54 slides
Total-Ordering vanilladb.org Why Paxos? Flooding consensus algorithm spends too much time

Total-Ordering vanilladb.org Why Paxos? Flooding consensus algorithm spends too much time

Total-Ordering vanilladb.org Why Paxos? Flooding consensus algorithm spends too much time waiting for the last message in every round On WAN, this largely increases the response time Paxos: why not skip the late messages and make

1.04k views • 34 slides
Paxos Made Moderately Complex Made Moderately Simple State machine replication Reminder:

Paxos Made Moderately Complex Made Moderately Simple State machine replication Reminder:

Paxos Made Moderately Complex Made Moderately Simple State machine replication Reminder: want to agree on order of ops Can think of operations as a log Op1 Op2 Op3 Op4 Op5 Op6 S1 S2 Paxos? S3 Put k1 v1 Put k2 v2 Op1 Op2 Op3

1.11k views • 69 slides
Consensus: Paxos Haobin Ni Oct 22, 2018 What is consensus? A group of people go to the same

Consensus: Paxos Haobin Ni Oct 22, 2018 What is consensus? A group of people go to the same

Consensus: Paxos Haobin Ni Oct 22, 2018 What is consensus? A group of people go to the same place for the same meal. A set of nodes have the same value for the same variable. X=7 X=7 X=7 Why is it important? In state machine replication

1.1k views • 46 slides
Consensus I FLP Impossibility, Paxos CS 240: Computing Systems and Concurrency Lecture 8 Marco

Consensus I FLP Impossibility, Paxos CS 240: Computing Systems and Concurrency Lecture 8 Marco

Consensus I FLP Impossibility, Paxos CS 240: Computing Systems and Concurrency Lecture 8 Marco Canini Credits: Michael Freedman and Kyle Jamieson developed much of the original material. Recall our 2PC commit problem Client C 1. C TC:

831 views • 46 slides
Chubby (OSDI 06) strong consistency, by Google Problem everyone needs consistency Paxos

Chubby (OSDI 06) strong consistency, by Google Problem everyone needs consistency Paxos

Chubby (OSDI 06) strong consistency, by Google Problem everyone needs consistency Paxos isnt the right abstraction (?) Solution distributed lock manager & filesystem Lock API Acquire, Release sequencer operations File API

419 views • 10 slides
Paxos Made Simple Lamport Thomas Marshall Motivation We need a way to maintain consistency

Paxos Made Simple Lamport Thomas Marshall Motivation We need a way to maintain consistency

Paxos Made Simple Lamport Thomas Marshall Motivation We need a way to maintain consistency in a distributed system in the presence of failures. 2PC works, but can get stuck, so a consensus algorithm is better. Background Jim

393 views • 26 slides
RSM & Paxos Consensus Trilogy - Episode II Replicated State Machine What is the problem?

RSM & Paxos Consensus Trilogy - Episode II Replicated State Machine What is the problem?

RSM & Paxos Consensus Trilogy - Episode II Replicated State Machine What is the problem? Fault Tolerance by Replication KV-Store Replica takes over on failure. KV-Store KV-Store Or in other scenarios. Challenge: Ensure

948 views • 62 slides
Paxos Made Moderately Complex Jeremy Rubin Simple State

Paxos Made Moderately Complex Jeremy Rubin Simple State

Paxos Made Moderately Complex Jeremy Rubin Simple State Machine kv = {} while(1){ m, from = read_message() switch (m.type){

367 views • 16 slides
Paxos week and the Temple of Doom Doug Woos Logistics notes Next Monday: International

Paxos week and the Temple of Doom Doug Woos Logistics notes Next Monday: International

Paxos week and the Temple of Doom Doug Woos Logistics notes Next Monday: International Workers Day - No in-class lecture - Will record a video lecture - Please watch by next Wednesday! Lab 2b due tonight at 9pm Problem Set 2 due Friday

1.04k views • 45 slides
Paxos week! Doug Woos Logistics notes Next Monday: International Workers Day - No in-class

Paxos week! Doug Woos Logistics notes Next Monday: International Workers Day - No in-class

Paxos week! Doug Woos Logistics notes Next Monday: International Workers Day - No in-class lecture - Will record a video lecture - Please watch by next Wednesday! Lab 2b due Wednesday Problem Set 2 due Friday - Typeset, short answers,

580 views • 24 slides
Just Say NO to Paxos Overhead: Replacing Consensus with Network Ordering Jialin Li , Ellis

Just Say NO to Paxos Overhead: Replacing Consensus with Network Ordering Jialin Li , Ellis

Just Say NO to Paxos Overhead: Replacing Consensus with Network Ordering Jialin Li , Ellis Michael, Naveen Kr. Sharma, Adriana Szekeres, Dan R. K. Ports Server failures are the common case in data centers Server failures are the common case

836 views • 66 slides
Paxos! CSE 452 Slides from Lorenzo Alvisi, Doug Woos, Tom Anderson State machine replication Want

Paxos! CSE 452 Slides from Lorenzo Alvisi, Doug Woos, Tom Anderson State machine replication Want

Paxos! CSE 452 Slides from Lorenzo Alvisi, Doug Woos, Tom Anderson State machine replication Want to agree on order of ops Can think of operations as a log Op1 Op2 Op3 Op4 Op5 Op6 S1 S2 S3 Op1 Op2 Op3 Op4 Op5 Op6 S1 S2 I want to

905 views • 68 slides

More recommend