Distributed Computing Group TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA Distributed Asymmetric Verification.

Slides:

Advertisements

Similar presentations

Secure Pre-Shared Key Authentication for IKE

Advertisements

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Hidden Markov Models (1)  Brief review of discrete time finite Markov Chain  Hidden Markov Model  Examples of HMM in Bioinformatics  Estimations Basic.

1 Combinatorial Agency with Audits Raphael Eidenbenz ETH Zurich, Switzerland Stefan Schmid TU Munich, Germany TexPoint fonts used in EMF. Read the TexPoint.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures and Hash Functions. Digital Signatures.

Authors Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, Abraham Flaxman Presented by: Jonathan di Costanzo & Muhammad Atif Qureshi 1.

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 of 9 ON ALMOST LYAPUNOV FUNCTIONS Daniel Liberzon University of Illinois, Urbana-Champaign, U.S.A. TexPoint fonts used in EMF. Read the TexPoint manual.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

Dynamic Internet Congestion with Bursts Stefan Schmid Roger Wattenhofer Distributed Computing Group, ETH Zurich 13th International Conference On High Performance.

FIT3105 Smart card based authentication and identity management Lecture 4.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

Dynamic Hypercube Topology Stefan Schmid URAW 2005 Upper Rhine Algorithms Workshop University of Tübingen, Germany.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

Atomistic Protein Folding Simulations on the Submillisecond Timescale Using Worldwide Distributed Computing Qing Lu CMSC 838 Presentation.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

OS Fall ’ 02 Performance Evaluation Operating Systems Fall 2002.

ETH Zurich – Distributed Computing Group Jasmin Smula 1ETH Zurich – Distributed Computing – Stephan Holzer Yvonne Anne Pignolet Jasmin.

On-The-Fly Verification of Rateless Erasure Codes Max Krohn (MIT CSAIL) Michael Freedman and David Mazières (NYU)

1 Sustaining Cooperation in Multi-Hop Wireless Networks Ratul Mahajan, Maya Rodrig, David Wetherall and John Zahorjan University of Washington Presented.

A TCP With Guaranteed Performance in Networks with Dynamic Congestion and Random Wireless Losses Stefan Schmid, ETH Zurich Roger Wattenhofer, ETH Zurich.

SybilGuard: Defending Against Sybil Attacks via Social Networks Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, and Abraham Flaxman Presented by Ryan.

 Structured peer to peer overlay networks are resilient – but not secure.  Even a small fraction of malicious nodes may result in failure of correct.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Cryptographic Voting Protocols: A Systems Perspective By Chris Karlof, Naveen Sastry, and David Wagner University of California, Berkely Proceedings of.

IE 594 : Research Methodology – Discrete Event Simulation David S. Kim Spring 2009.

Hardening Functions for Large-Scale Distributed Computations Doug Szajda Barry Lawson Jason Owen 1.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Basel Alomair, Krishna Sampigethaya, and Radha Poovendran University of Washington TexPoint fonts used in EMF.

Ragesh Jaiswal Indian Institute of Technology Delhi Threshold Direct Product Theorems: a survey.

Yongzhi Wang, Jinpeng Wei VIAF: Verification-based Integrity Assurance Framework for MapReduce.

Optimistic Mixing for Exit-Polls Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs.

SecureMR: A Service Integrity Assurance Framework for MapReduce Author: Wei Wei, Juan Du, Ting Yu, Xiaohui Gu Source: Annual Computer Security Applications.

Strong Security for Distributed File Systems Group A3 Ka Hou Wong Jahanzeb Faizan Jonathan Sippel.

Security Mechanisms for Distributed Computing Systems A9ID1007, Xu Ling Kobayashi Laboratory GSIS, TOHOKU UNIVERSITY 2011/12/15 1.

Modeling and Simulation Discrete-Event Simulation

PODC Distributed Computation of the Mode Fabian Kuhn Thomas Locher ETH Zurich, Switzerland Stefan Schmid TU Munich, Germany TexPoint fonts used in.

Reputation Based Trust The using of reputation to accomplish trust between users on the Internet M.Vološin, R.Gore, Ibe2roč. PF UPJŠ, Košice, Slovakia.

Digital Signatures, Message Digest and Authentication Week-9.

Exploiting the Order of Multiplier Operands: A Low-Cost Approach for HCCA Resistance Poulami Das and Debapriya Basu Roy under the supervision of Dr. Debdeep.

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.

Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme

Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.

Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.

Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.

ETH Zurich – Distributed Computing Group Stephan Holzer 1ETH Zurich – Distributed Computing – Stephan Holzer Yvonne Anne Pignolet Jasmin.

ETH Zurich – Distributed Computing Group Stephan Holzer 1ETH Zurich – Distributed Computing – Stephan Holzer Yvonne Anne Pignolet Jasmin.

ETH Zurich – Distributed Computing Group Stephan Holzer 1ETH Zurich – Distributed Computing – Stephan Holzer Yvonne Anne Pignolet Jasmin.

Auditing Information Leakage for Distance Metrics Yikan Chen David Evans TexPoint fonts used in EMF. Read the TexPoint manual.

1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.

PROCESS RESILIENCE By Ravalika Pola. outline: Process Resilience  Design Issues  Failure Masking and Replication  Agreement in Faulty Systems  Failure.

Decentralized Trust Management for Ad-Hoc Peer-to-Peer Networks Thomas Repantis Vana Kalogeraki Department of Computer Science & Engineering University.

Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.

Complexity Theory and Explicit Constructions of Ramsey Graphs Rahul Santhanam University of Edinburgh.

Securing Distributed Computations in a Commercial Environment Philippe Golle, Stanford University Stuart Stubblebine, CertCo.

ETH Zurich – Distributed Computing Group Stephan HolzerETH Zurich – Distributed Computing – Stephan Holzer - ETH Zürich Thomas Locher.

On the Size of Pairing-based Non-interactive Arguments

Cryptographic Hash Function

MPC and Verifiable Computation on Committed Data

Secure and Insecure Mixing

TexPoint fonts used in EMF.

Cryptography Lecture 24.

Presentation transcript:

Distributed Computing Group TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA Distributed Asymmetric Verification in Computational Grids Michael Kuhn Stefan Schmid Roger Wattenhofer IPDPS 2008 Miami, Florida, USA

2 Michael Kuhn, ETH IPDPS Grid Computing Goal: Use idle computing resources worldwide –Examples:

3 Michael Kuhn, ETH IPDPS Model Server Clients (Participants) #clients: Sends work- units (WU) Returns result

4 Michael Kuhn, ETH IPDPS Why should people participate? –Incentives: honour („user of the day“), money,... But: Incentives attract cheaters! The Problem of Cheaters

5 Michael Kuhn, ETH IPDPS Verification required –Today: Redundancy –E.g. Send the same task to 3 participants –This paper: Distributed asymmetric checking –Asymmetry: Verification is often cheaper than computation –Distributed: Participants check each other The Problem of Cheaters Random value

6 Michael Kuhn, ETH IPDPS Contributions Distributed checking algorithm integrated in BOINC –Faster than redundancy if asymmetric checking function exists –Better guarantees than typically used redundancy schemes Resistant against –Dominance of seemingly fast clients –Lazy checking –Sybil attacks Proof-of-concept implementation for discrete logarithm problem –Asymmetric checking function for Pollard-rho algorithm

7 Michael Kuhn, ETH IPDPS Related Work Cheating is a problem [Kahney, Wired Magazine, Feb. 2001] more than 50% of resources spent on cheating! Ringer scheme (precompute selected results) [Golle and Mironov, CT-RSA‘01], [Szaja et al., SP‘03] –Additional work on the server (precomputing ringers) Commitment scheme with Merkle-tree [Du et al., ICDCS‘04] –Additional work on the server (recompute some work-units) Cryptographic protocols e.g. [Aiello et al, ICALP‘00], [Cachin et al., EUROCRYPT‘99] –Often computationally too expensive in practice

8 Michael Kuhn, ETH IPDPS Challenges Cheaters seem to be much faster than ordinary participants –1% cheaters can submit >99% of the results Cheaters stay honest for a long time, and only then start to cheat –Opens many possibilities for cheaters –Never trust a participant Lazy checking –Cheaters can calculate everything correctly but cheat during verification (i.e. simply say the result was correct)

9 Michael Kuhn, ETH IPDPS Cheater Characterization Fraction of cheating clients: p –Problem: Sybil attacks Fraction of incorrect results in the system: r –Problem: Random results can be computed very fast –If no countermeasures are taken: r = 1 Fraction of computing power of cheater(s): q –Computing power is expensive => q is limited! –Goal of cheaters: Pretend to have worked more than what is possible with the available computing resources r p q

10 Michael Kuhn, ETH IPDPS Asymmetric Verification Performance property: It is much cheaper to verify the correctness of a result than to calculate the result –Asymmetric Fingerprint property: A verifier calculates a fingerprint rather than a boolean result –Server compares fingerprints –Only honestly computed checks can lead to a positive result –Observe: Collusions still possible Uniqueness property: Results are either inherently unique, or the dependence from the input values can be verified –Prevents replay attacks Example: Task: Find prime factors of x = 10829; Solution: {7, 7, 13, 17} Checking input: {7, 7, 13, 17}; Fingerprint: 7 * 7 * 13 * 17 = 10829

11 Michael Kuhn, ETH IPDPS Distributed Verification: Algorithm Prerequisites –Fraction of cheaters is limited and considerably smaller than 50% (e.g. p ≤ 10%) => details later –Punishment is possible Check each result, until a clear decision is possible –Result good if „considerably more“ positive than negative checks (and vice versa) –As p is limited, high probability of correct decision (see paper for details) –Punish cheaters (including colluders) and remove all their pending results Assign checks uniformly at random among active clients –Fast clients (often cheaters) cannot dominate checking

12 Michael Kuhn, ETH IPDPS Lifecycle of a Task One after the other, to mitigate collusion

13 Michael Kuhn, ETH IPDPS Preventing Sybil Attacks Problem: Zero cost identity –Solution: Don‘t assign identity for free! Idea: Couple p (#clients) to q (computing resources) –New client has to perform some work without getting credits => buys identity –Goal: make the number of incorrect results a cheater can deliver before being detected lower than the price to buy the identity –Observe: For honest participants the price is low (as they only have to „pay“ once)

14 Michael Kuhn, ETH IPDPS Analysis (Simulation) Number of checks vs. number of results (p = 10%) –Asymmetry: Checking is 50 times faster than calculation –Fastest clients 100 times faster than slowest Fast clients do not dominate checking!

15 Michael Kuhn, ETH IPDPS Analysis (Simulation) (2) Queue lengths –Number of pending checks for different confidence values

16 Michael Kuhn, ETH IPDPS Implementation in BOINC

17 Michael Kuhn, ETH IPDPS ECC Challenge Task: Break large discrete logarithm on elliptic curve –Currently: 130-bit –Reward: 20,000 USD Discrete Logarithm –Given a group with generator g, as well as a group element h: Find x, such that g^x = h Best known algorithm: Pollard-Rho –Well suited for parallelization and use in grids

18 Michael Kuhn, ETH IPDPS Pollard-Rho (Sketch)

19 Michael Kuhn, ETH IPDPS Asymmetric Verification (Sketch) Not every point possesses a predecessor –Backward iteration has high probability to fail after a certain number of steps Finding a distinguished point together with the required parameters is asymptotically as expensive as forward iteration Checking function: Report the x-th predecessor –Verifier can forward iterate x steps and check whether the distinguished point is found P(length > 50) < 10%

20 Michael Kuhn, ETH IPDPS Conclusions Algorithm for distributed verification in volunteer computing, which is resistant against: –Seemingly fast clients (uniform selection of verifier among all active clients) –Lazy checking (fingerprint property) –Replay attacks (uniqueness property) –Sybil attacks (don‘t assign identity for free) Downside: Strong assumption on the verification function –But: such verification functions exist (Pollard-Rho) Future: More generic approaches

21 Michael Kuhn, ETH IPDPS Thanks for your Interest Questions?