scalable bias resistant distributed randomness
play

Scalable Bias-Resistant Distributed Randomness Ewa Syta* , Philipp - PowerPoint PPT Presentation

Aug 14, 2022 •10 likes •320 views

Scalable Bias-Resistant Distributed Randomness Ewa Syta* , Philipp Jovanovic , Eleftherios Kokoris Kogias , Nicolas Gailly , Linus Gasser , Ismail Khoffi , Michael J. Fischer , Bryan Ford *Trinity College, USA EPFL,

  1. Scalable Bias-Resistant Distributed Randomness Ewa Syta* , Philipp Jovanovic † , Eleftherios Kokoris Kogias † , Nicolas Gailly † , Linus Gasser † , Ismail Khoffi ‡ , Michael J. Fischer § , Bryan Ford † *Trinity College, USA † EPFL, Switzerland ‡ University of Bonn, Germany § Yale University, USA IEEE Security & Privacy May 23, 2017

  2. Talk Outline • Motivation ‣ The need for public randomness Strawman examples: Towards unbiasable randomness ‣ • Two Randomness Protocols ‣ RandHound ‣ RandHerd • Implementation and Experimental Results • Conclusions and Demo 2

  3. Talk Outline • Motivation ‣ The need for public randomness Strawman examples: Towards unbiasable randomness ‣ • Two Randomness Protocols ‣ RandHound ‣ RandHerd • Implementation and Experimental Results • Conclusions and Demo 3

  4. Public Randomness • Collectively used • Unpredictable ahead of time • Not secret past a certain point in time • Applications ‣ Random selection: lotteries, sweepstakes, jury selection, voting and election audits ‣ Games: shuffled decks, team assignments ‣ Protocols: parameters, IVs, nonces, sharding ‣ Crypto: challenges for NZKP, authentication protocols, cut-and-choose methods, “nothing up my sleeves” numbers 4

  5. Failed / Rigged Randomness Vietnam War Lotteries (1969) 5

  6. Public Randomness is not New • 1955: Large table of random numbers published as a book by the Rand Corporation • Today: Generating public random numbers is (still) hard • Main issues: trust and scale 6

  7. Goals 5. Scalability 1. Availability Successful protocol Executable with termination for up to hundreds of Decentralized, f=t-1 malicious nodes. participants. public randomness in the (t,n)- threshold security model 4. Verifiability 2. Unpredictability Output correctness Output not revealed can be checked by prematurely. third parties. 3. Unbiasability Output distributed uniformly at random. 7 Assumptions: n= 3f +1, Byzantine adversary and asynchronous network with eventual message delivery

  8. Public Randomness Approaches • With Trusted Third Party ‣ NIST Randomness Beacon 
 • Without TTP Unusual assumptions ‣ Bitcoin (Bonneau, 2015) ‣ Slow cryptographic hash functions (Lenstra, 2015) ‣ Lotteries (Baigneres, 2015) ‣ Financial data (Clark, 2010) (t,n) -threshold security model but not scalable ‣ Coin-flipping (Cachin, 2015) ‣ Distributed key generation (Kate, 2009) 8

  9. Public Randomness is Hard Availability Unpredictability Unbiasability Verifiability Scalability Strawman I Strawman II Strawman III Strawman I Strawman II Strawman III Idea: Combine random Idea: Commit-then-reveal Idea: Secret-share random • • • inputs of all participants. random inputs. inputs. Problem: Last node Problem: Dishonest nodes Problem: Dishonest nodes • • • controls output. can choose not to reveal. can send bad shares. 9

  10. Public Randomness is Hard Availability Unpredictability Unbiasability Verifiability Scalability Strawman I Strawman II Strawman III RandShare RandShare Idea: Strawman III + verifiable secret sharing (Feldman, 1987) • Problems: • ‣ Not publicly verifiable ‣ Not scalable: O(n 3 ) communication / computation complexity 10

  11. Talk Outline • Motivation ‣ The need for public randomness Strawman examples: Towards unbiasable randomness ‣ • Two Randomness Protocols ‣ RandHound ‣ RandHerd • Implementation and Experimental Results • Conclusions and Demo 11

  12. RandHound Client • Goals verifiable ‣ Verifiability: By third parties randomness ‣ Scalability: Performance better than O(n 3 ) • Client/server randomness scavenging protocol ‣ Untrusted client uses a large set of nearly- stateless servers ‣ On demand (via configuration file) Servers ‣ One-shot approach ‣ Example: lottery authority 12

  13. RandHound Achieving Public Verifiability Client randomness & transcript • Publicly-VSS (Schoenmakers, 1999) ‣ Shares are encrypted and publicly verifiable through zero-knowledge proofs ‣ No communication between servers • Collective signing (Syta, 2016) ‣ Client publicly commits to their choices PVSS-Servers • Create protocol transcript from all sent/received (signed) messages 13

  14. RandHound Achieving Scalability Client randomness & transcript • Shard participants into constant size groups ‣ Secret sharing with everyone too expensive! ‣ Run secret sharing (only) inside groups ‣ Collective randomness: combination of 
 all group outputs PVSS 
 PVSS 
 Chicken-and-Egg problem? group 1 group 2 Servers • How to securely assign participants to groups? 14

  15. RandHound Solving the Chicken-and-Egg Problem Client randomness & transcript • Client selects server grouping • Availability might be affected (self-DoS) • Security properties through ‣ PVSS 
 PVSS 
 Pigeonhole principle: at least one group 
 group 1 group 2 is not controlled by the adversary ‣ Collective signing: prevents client equivocation Servers by fixing the secrets that contribute to randomness 15

  16. Public Randomness is (not so) Hard Availability Unpredictability Unbiasability Verifiability Scalability Strawman I Strawman II Strawman III RandShare RandHound Communication / computation complexity: O(c 2 n) 16

  17. RandHerd Availability assumption only • Goals Leader ‣ Continuous, leader-coordinated randomness generation verifiable ‣ randomness Small randomness proof size 
 (a single Schnorr signature) ‣ Better performance than O(n) Participants • Decentralized randomness beacon ‣ Built as a collective authority or cothority ‣ Randomness on demand, at frequent A collective authority intervals, or both 17

  18. RandHerd Achieving RandHerd’s Goals Leader • Idea verifiable ‣ Collective randomness = collective Schnorr signature randomness ‣ Benefits: Small proofs, O(log n) complexity ‣ Problem: Failing nodes influence output Participants • Solution ‣ Arrange nodes into (t,n) -threshold Schnorr signing (Stinson, 2001) groups (failure resistance) ‣ Collective randomness = aggregate group signatures A collective authority ‣ Approach: Setup + round function 18

  19. RandHerd Setup Nodes 1. 1.Elect a temporary leader via lowest ticket 
 t i = VRF( config , key i ) Leader 2. 2.Obtain randomness Z from RandHound Servers 3.Create TSS groups using Z and generate TSS group 0 group keys X i 3. 4.Certify aggregate public key X using CoSi X 0 X 2 X 1 X = X 0 X 1 X 2 
 4. (c,r) 19 TSS group 1 TSS group 2

  20. RandHerd Round Generation TSS group 0 1.Cothority Leader (CL) broadcasts timestamp v collective 2.TSS-CoSi randomness (c,r 0 ) (c,r) CL a. Produce group Schnorr signatures (c,r 0 ) (c,r 1 ) (c,r 2 ) on v b. Aggregate into collective Schnorr signature (c,r = r 0 +r 1 +r 2 ) (c,r 1 ) (c,r 2 ) GL GL c. Publish (c,r) as collective randomness Verification of (c,r) on v using the collective public key X = X 0 X 1 X 2 TSS group 1 TSS group 2 20

  21. Public Randomness is (not so) Hard Availability Unpredictability Unbiasability Verifiability Scalability Strawman I Strawman II Strawman III RandShare RandHound RandHerd Communication / computation complexity: O(c 2 log(n)) 21

  22. Talk Outline • Motivation ‣ The need for public randomness Strawman examples: Towards unbiasable randomness ‣ • Two Randomness Protocols ‣ RandHound ‣ RandHerd • Implementation and Experimental Results • Conclusions and Demo 22

  23. Implementation & Experiments Implementation DeterLab Setup • Go versions of DLEQ-proofs, • 32 physical machines PVSS, TSS, CoSi-TSS, ‣ Intel Xeon E5-2650 v4 
 RandHound, RandHerd (24 cores @ 2.2 GHz) ‣ 64 GB RAM • Based on DEDIS code ‣ 10 Gbps network link ‣ Crypto library • Network restrictions ‣ Network library ‣ Cothority framework ‣ 100 Mbps bandwidth ‣ 200 ms round-trip latency • https://github.com/dedis 23

  24. Experimental Results – RandHound Take-away: Gen. / ver. time for 1 RandHound run is 290 sec / 160 sec with 1024 nodes, group size 32. 24

  25. Experimental Results – RandHound Take-away: Total cost for 1 RandHound run is 10 CPU min (EC2: < $0.02) with 1024 nodes, group size 32. 25

  26. Experimental Results – RandHerd Take-away: Gen. time for 1 RandHerd run with is 6 sec, after setup (10 mins) with 1024 nodes, group size 32. 26

  27. Experimental Results – RandHerd Take-away: For a constant group size RandHerd has O(log n) randomness generation complexity. 27

  28. Talk Outline • Motivation ‣ The need for public randomness Strawman examples: Towards unbiasable randomness ‣ • Two Randomness Protocols ‣ RandHound ‣ RandHerd • Implementation and Experimental Results • Conclusions and Demo 28

  29. Conclusion • Generation of public randomness: trust and scale issues • Our solution: two protocols in the (t,n) -threshold security model Availability Unpredictability Unbiasability Verifiability Scalability Complexity RandHound O(n) RandHerd O(log(n)) • Code: https://github.com/dedis/cothority 29

  30. Demo pulsar.dedis.ch 30

  31. Thank you! Questions? Ewa Syta Philipp Jovanovic ewa.syta@trincoll.edu philipp.jovanovic@epfl.ch 31

Recommend

Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota,

Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota,

@csunivie Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota, Michael Jensen, Sebastian Kristensen, Mathias Michno, Yvonne-Anne Pignolet, Rene Hansen, Stefan Schmid Randomness: An Important Tool of Our

394 views • 35 slides
Cache Coherence in Scalable Machines Scalable Cache Coherent Systems Scalable, distributed

Cache Coherence in Scalable Machines Scalable Cache Coherent Systems Scalable, distributed

Cache Coherence in Scalable Machines Scalable Cache Coherent Systems Scalable, distributed memory plus coherent replication Scalable distributed memory machines P-C-M nodes connected by network communication assist interprets

1.13k views • 87 slides
RAY A Scalable computation engine Ray is a flexible, high-performance, distributed

RAY A Scalable computation engine Ray is a flexible, high-performance, distributed

RAY A Scalable computation engine Ray is a flexible, high-performance, distributed execution framework for Emerging AI Applications (UC Berkeley) A scalable system for parallel and distributed Python. Shortens path to production

389 views • 35 slides
Scalable Distributed Lineage Authentication Ashish Gehani Scalable Distributed Lineage

Scalable Distributed Lineage Authentication Ashish Gehani Scalable Distributed Lineage

Scalable Distributed Lineage Authentication Ashish Gehani Scalable Distributed Lineage Authentication p. 1/59 What is data lineage ? Output Operation Input 1 Input n (a) Primitive operation (b) Compound operation tree Scalable

843 views • 59 slides
Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis Jelle van den Hooff, David

Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis Jelle van den Hooff, David

Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis Jelle van den Hooff, David Lazar, Matei Zaharia, Nickolai Zeldovich MIT CSAIL Symposium on Operating Systems Principles (SOSP), 2015 1 / 12 Motivation Encryption systems hide

610 views • 14 slides
Overview Distributed Services for Distributed VPNs Objectives for Robust Time

Overview Distributed Services for Distributed VPNs Objectives for Robust Time

Michael Rossberg, Rene Golembewski, Guenter Schaefer Ilmenau University of Technology, Germany ICCCN 2012 Attack-Resistant Distributed Time Synchronization for Virtual Private Networks Overview Distributed Services for Distributed VPNs

212 views • 9 slides
BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being

BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being

BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being partial or prejudiced Where have you seen bias? Bias vs. Propaganda Bias is prejudice; a preconceived judgment or an opinion formed

717 views • 29 slides
UbiCrawler: a scalable fully distributed web crawler Paolo Boldi, Bruno Codenotti, Massimo

UbiCrawler: a scalable fully distributed web crawler Paolo Boldi, Bruno Codenotti, Massimo

UbiCrawler: a scalable fully distributed web crawler Paolo Boldi, Bruno Codenotti, Massimo Santini and Sebastiano Vigna 27th January 2003 Abstract We report our experience in implementing UbiCrawler, a scalable distributed web crawler, using

211 views • 18 slides
Scalable and Distributed Visualization using ParaView Eric A. Wernert, Ph.D. Senior Manager &amp;

Scalable and Distributed Visualization using ParaView Eric A. Wernert, Ph.D. Senior Manager &amp;

Scalable and Distributed Visualization using ParaView Eric A. Wernert, Ph.D. Senior Manager &amp; Scientist, Advanced Visualization Lab Pervasive Technology Institute, Indiana University Big Data for Science Workshop July 26, 2010 Scalable

412 views • 37 slides
Fr Frangipani: A Scalable Distributed Fi File System

Fr Frangipani: A Scalable Distributed Fi File System

Fr Frangipani: A Scalable Distributed Fi File System Chandramohan A. Thekkath Timothy Mann Edward K. Lee Digital Equipment Corpora=on Goal To achieve

144 views • 10 slides
Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick Technische Universitt Darmstadt, Germany ??? 2 How to acquire randomness? A: 42 B: Random

562 views • 32 slides
Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture Damage 1 Balanced Mix Design: ETG Definition Asphalt mix design using performance tests on appropriately conditioned specimens that address

480 views • 46 slides
Astrolabe: A Robust and Scalable Technology for Distributed System R. van Renesse, K.P. Birman,

Astrolabe: A Robust and Scalable Technology for Distributed System R. van Renesse, K.P. Birman,

Astrolabe: A Robust and Scalable Technology for Distributed System R. van Renesse, K.P. Birman, W. Vogels (Cornell University) Presentation by Konrad Iwanicki October 3rd and 8th, 2012 Distributed Systems Course, University of Warsaw 1

861 views • 47 slides
Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Randomness and Pseudorandomness Review Problem:

1.69k views • 33 slides
WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable

WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable

WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable Messaging Distributed Message Brokers WSO2 MB Architecture o Distributed Pub/sub architecture o Distributed Queues architecture User Story

1.12k views • 33 slides
Scalable Termination Detection for Distributed Actor Systems Dan Plyukhin and Gul Agha UIUC

Scalable Termination Detection for Distributed Actor Systems Dan Plyukhin and Gul Agha UIUC

Scalable Termination Detection for Distributed Actor Systems Dan Plyukhin and Gul Agha UIUC Actor Model Actors are lightweight, stateful, async processes. Used to build low-latency distributed systems (e.g. Riak, Discord, CouchDB). Most popular

1.53k views • 122 slides
Equity &amp; Excellence: Hidden Bias Implicit Bias Inherent Bias

Equity &amp; Excellence: Hidden Bias Implicit Bias Inherent Bias

Equity &amp; Excellence: Hidden Bias Implicit Bias Inherent Bias ____________________________________________ Vincent R. De Lucia Educator-in-Residence Director of Mandatory Training &amp; PD New Jersey School Boards Association Anderson

426 views • 41 slides
Design of a DDoS Attack-Resistant Distributed Spam Blocklist Jem E. Berkes Dept. Electrical and

Design of a DDoS Attack-Resistant Distributed Spam Blocklist Jem E. Berkes Dept. Electrical and

Design of a DDoS Attack-Resistant Distributed Spam Blocklist Jem E. Berkes Dept. Electrical and Computer Engineering University of Manitoba Winnipeg, Canada Introduction Anti-spam blocklists are vital for the Internet Blocklists are

381 views • 16 slides
Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda Randomness in Private Key Generation Randomness in Election (fraud) Randomness in Coin Flipping What is random? Chosen without method

693 views • 35 slides
Ceph: A Scalable, High-Performance Distributed File System Sage A. Weil, Scott A. Brandt, Ethan

Ceph: A Scalable, High-Performance Distributed File System Sage A. Weil, Scott A. Brandt, Ethan

Ceph: A Scalable, High-Performance Distributed File System Sage A. Weil, Scott A. Brandt, Ethan L. Milner, Darrel D. E. Long Presenter: Md Rajib Hossen Ceph- A single, Open, and Unified platform Horizontally scalable Interoperability

533 views • 15 slides
bad decision bias? 2 5 6 Affinity Bias: What can we do? 2. 3. 1. Seek

bad decision bias? 2 5 6 Affinity Bias: What can we do? 2. 3. 1. Seek

bad decision bias? 2 5 6 Affinity Bias: What can we do? 2. 3. 1. Seek outputs Compare rather than Be aware performance compentenci not people es 7 9 10 11 12 Unconscious bias refers to a

292 views • 15 slides
Zarr - scalable storage of tensor Zarr - scalable storage of tensor data for parallel and

Zarr - scalable storage of tensor Zarr - scalable storage of tensor data for parallel and

Zarr - scalable storage of tensor Zarr - scalable storage of tensor data for parallel and distributed data for parallel and distributed computing computing Alistair Miles ( @alimanfoo ) - SciPy 2019 These slides:

801 views • 63 slides
Scalable Distributed Memory Multiprocessors 1 Outline Scalability physical, bandwidth,

Scalable Distributed Memory Multiprocessors 1 Outline Scalability physical, bandwidth,

Scalable Distributed Memory Multiprocessors 1 Outline Scalability physical, bandwidth, latency and cost level of integration Realizing Programming Models network transactions protocols safety input buffer problem: N-1

993 views • 56 slides
Scalable Algorithms for Distributed Statistical Inference Animashree Anandkumar School of

Scalable Algorithms for Distributed Statistical Inference Animashree Anandkumar School of

Scalable Algorithms for Distributed Statistical Inference Animashree Anandkumar School of Electrical and Computer Engineering Cornell University, Ithaca, NY 14853 Currently visiting EECS, MIT, Cambridge, MA 02139 PhD Committee: Lang Tong,

2.39k views • 162 slides

More recommend