Abstractions to Build Permissionless Systems Soutenance - - PowerPoint PPT Presentation

abstractions to build permissionless systems
SMART_READER_LITE
LIVE PREVIEW

Abstractions to Build Permissionless Systems Soutenance - - PowerPoint PPT Presentation

Jan 21, 2023 13 likes •426 views

Abstractions to Build Permissionless Systems Soutenance dhabilitation diriger des recherches Emmanuelle Anceaume ( CNRS/IRISA ) CIDRE research team Amr El Abbadi Antonio Fernndez Anta Nicolas Hanusse Fernando Pedone Yvonne-Anne

slide-1
SLIDE 1

Abstractions to Build Permissionless Systems

Soutenance d’habilitation à diriger des recherches Emmanuelle Anceaume (CNRS/IRISA) CIDRE research team Amr El Abbadi Antonio Fernández Anta Nicolas Hanusse Fernando Pedone Yvonne-Anne Pignolet Francois Taiani Philippas Tzigas December 18-th, 2019

1

slide-2
SLIDE 2

Distributed computing

◮ Solving a common problem with distinct entities ◮ Unpredictability due to failures, asynchrony, and local view ◮ Encapsulating the difficulty of robust cooperation within

abstractions

yes no

?

no no yes

2

slide-3
SLIDE 3

Goal of distributing computing

◮ Identifying problems that are abstractions of those that arise in

a variety of distributed situations

◮ Stating precisely these abstractions in terms of properties ◮ Designing and analyzing efficient distributed algorithms to

solve them

3

slide-4
SLIDE 4

Abstractions

4

slide-5
SLIDE 5

Abstractions

Reliable broadscast Causal broadcast Atomic broadcast R/W register

5

slide-6
SLIDE 6

Abstractions

Reliable broadscast Causal broadcast Atomic broadcast R/W register Clock synchronization Mutual exclusion Snapshot

6

slide-7
SLIDE 7

Abstractions

Reliable broadscast Causal broadcast Atomic broadcast R/W register Clock synchronization Mutual exclusion Snapshot Lattice agreement Consensus Replicated state machine Leader election

7

slide-8
SLIDE 8

Implementing abstractions

Reliable broadscast Causal broadcast Atomic broadcast R/W register Clock synchronization Mutual exclusion Snapshot Lattice agreement Consensus Replicated state machine Leader election

Timing model

Asynchronous Synchronous 8

slide-9
SLIDE 9

Implementing abstractions

Reliable broadscast Causal broadcast Atomic broadcast R/W register Clock synchronization Mutual exclusion Snapshot Lattice agreement Consensus Replicated state machine Leader election

Timing model

Asynchronous Synchronous

Failure model

Crash Byzantine 9

slide-10
SLIDE 10

Implementing abstractions

Reliable broadscast Causal broadcast Atomic broadcast R/W register Clock synchronization Mutual exclusion Snapshot Lattice agreement Consensus Replicated state machine Leader election

Timing model

Asynchronous Synchronous

Failure model

Crash Byzantine M e s s a g e

  • p

a s s i n g Shared memory

Communication model

10

slide-11
SLIDE 11

Implementation in « classic » distributed systems

◮ Known and fixed size set of participants ◮ Participants are authorized nodes ◮ Complete communication graph

6 5 1 2 4 3

11

slide-12
SLIDE 12

Permissionless systems

Unbounded number of participants Open membership Connected graph

12

slide-13
SLIDE 13

Permissionless enlarges adversarial strategies spectrum

◮ Churn strategies

◮ Join and leave at just the worst possible time

◮ Byzantine strategies

◮ Sybil attacks : generation of numerous fake identities ◮ Eclipse attacks : manipulation of routing tables ◮ Targeted attacks : isolation of nodes

◮ Rational / irrational behaviors

◮ Free-ride ◮ Make the service sustainable

13

slide-14
SLIDE 14

Abstractions implementation : Scalability issues

◮ For both safety and liveness guarantees

◮ Implementations rely on (Byzantine) quorums ◮ Quorum size in O(n), where n is the size of the system |Q1|= Q |Q2|= Q correct faulty n nodes among which f are Byzantine

◮ Round structure of algorithms

◮ Message complexity in O(n2), where n is the size of the system

14

slide-15
SLIDE 15

Outline of the presentation

◮ Focus on the implementation of distributed abstractions in

permissionless systems

◮ Reliable broadcast abstraction ◮ Consensus abstraction ◮ Replicated state machine abstraction

15

slide-16
SLIDE 16

Reliable broadcast abstraction

◮ Allows any node in the system to disseminate a message to all

the other nodes

◮ Liveness and safety properties

◮ Termination ◮ Uniqueness ◮ Integrity

16

slide-17
SLIDE 17

Broadcast abstraction

◮ Randomized rumor spreading

◮ Nodes pick random neighbors and exchange information

(rumor) with them

◮ Local, tolerant to churn, scalable

◮ ex. Yt = number of nodes that have received the rumor after t

interactions

◮ ∀δ ∈ (0,1) and t ≥ n(ln(n)−ln(δ/2)), P{Yt = n} ≥ 1−δ

𝜐(n, δ =10-3) Simulations with δ =10-3 𝜐(n, δ =10-2) Simulations with δ =10-2 𝜐(n, δ =10-1) Simulations with δ =10-1

Parallel time to propagate a rumor Number of nodes

17

slide-18
SLIDE 18

Broadcast abstraction

◮ Randomness is fundamental

◮ Uniformity : For any discrete time t ≥ 0, for any nodes i and j

in the system P{routing_tablei(t) = j} = 1/n.

◮ Node sampling service

◮ Local to nodes ◮ Returns the identifier of a random node

stream of node ids S (k)

i

Γi

Sampling memory

◮ Making this service robust to eclipse attacks

◮ The adversary injects many corrupted node identifiers to bias

sampling !

18

slide-19
SLIDE 19

Node sampling : omniscient strategy

◮ Suppose that

◮ Each node id j received in the input stream is tagged with its

  • ccurrence probability pj in the full input stream

◮ Let q = minj pj

◮ Omniscient strategy :

◮ Pick id j with probability aj = q/pj

◮ Whatever the frequency of ids in the stream, they are output

uniformly

16 24 1 56 16 14 61 13 2 14 13 14 14 98 56 11

Sampling memory

Input stream of node identifiers p13 a13

Get_node()

11

Constant size Output stream

16

19

slide-20
SLIDE 20

Node sampling : Knowledge-free strategy

◮ Need to estimate the frequency of each identifier in the input

stream

◮ Rely again on randomness !

◮ Cormode’s Count Min sketch data structure

◮ Ingredients

◮ t hash functions and an array of t × k counters

h1:[N]-> [𝑙] h2:[N]-> [𝑙] ht:[N]-> [𝑙] 𝑙 = 𝑓/𝜁 𝑢 = log(1/δ)

20

slide-21
SLIDE 21

Node sampling : Knowledge-free strategy

◮ Need to estimate the frequency of each identifier in the input

stream

◮ Rely again on randomness !

◮ Cormode’s Count Min sketch data structure +1 +1 +1 +1 +1 +1 21 16 21 22 16 21 14 61 13 21 14 13 14

Stream of node identifiers 21

slide-22
SLIDE 22

Node sampling : Knowledge-free strategy

◮ By taking ˆ

fj = mintht[j] then

◮ ˆ

fj ≥ fj, and

◮ ∀ε ∈ (0,1),∀δ ∈ (0,1), P{ˆ

fj ≤ fj +εm} ≥ 1−δ

1 2 1 2 1 1 1 1 1 1 21 16 21 22 16 21 14 61 21 14 13 14

Stream of node identifiers

1

22

slide-23
SLIDE 23

Node sampling robust to eclipse attacks

23

slide-24
SLIDE 24

Reliable broadcast abstraction

◮ Lessons learnt from this study

◮ Randomization is an essential ingredient ◮ Adversarial strategies can be defeated by increasing memory

footprint

◮ Adversarial strategies do not impact scalability ◮ Message complexity : O(logn) ◮ Mode details in [OPODIS 2011, DSN 2013, IJOC 2019]

24

slide-25
SLIDE 25

Consensus abstraction

◮ One of the most important abstraction in fault tolerant

distributed computing

◮ Guarantee a unique decision among a set of input values

Liveness and safety properties

◮ Termination ◮ Agreement ◮ Validity 25

slide-26
SLIDE 26

Randomly chosen committees

General idea :

◮ Execute consensus algorithms on O(log n) nodes ◮ Committee C made of random nodes → µC = µsystem ◮ How electing random nodes ? ◮ How this election is resilient to adversarial behaviors ? 26

slide-27
SLIDE 27

PeerCube : Nodes self-organize within committees

◮ Size of committees is lower and upper bounded ◮ Enforce role separation at committee level : core and spare sets ◮ Only core sets are visible from the outside core set constant size=C spare set size max=O(log N)

0000 0001 0101 0111 0110 0010 0100 1000 1001 1101 1100 1010 1110 1111 0011 0000101000

27

slide-28
SLIDE 28

PeerCube : Significantly reduces churn impact

0.001 0.01 0.1 1 10 100 1000 5000 10000 15000 20000 25000 30000 Number of routing tables updates per node Simulation time - every 500 time units, up to 500 nodes join or leave the system No core/spare classification PeerCube

28

slide-29
SLIDE 29

PeerCube : Resistance to adversarial strategies

Scalability

◮ Byzantine algorithms within constant size committees ◮ Randomization scheme to elect these committees

Resistance to targeted attacks

◮ Move ! ! ◮ Induced churn : pushing nodes to random positions within the

system

29

slide-30
SLIDE 30

PeerCube : Resistance to an adaptive adversary

Impact of induced churn on committees state

µsystem = 0% µsystem = 10% d 0.90 0.99 0.999 0.90 0.99 0.999 safe state 100% 100% 100% 99.17% 82.28% 0.78% polluted state 0% 0% 0% 0.82% 17.71% 99.21% µsystem = 20% µsystem = 30% d 0.90 0.99 0.999 0.90 0.99 0.999 safe state 95.36% 1.66% ∼ 0.0% 87.36% 0.09% ∼ 0.0% polluted state 4.75% 98.33% ∼ 100% 12.63% 99,90% ∼ 100% ◮ A pinch of induced churn is sufficient to defend against

targeted attacks

30

slide-31
SLIDE 31

Consensus Abstraction

◮ Lessons learnt from this study

◮ Clustering makes possible the design of robust operations ◮ Induced churn significantly reduces adversarial targeted attacks ◮ Only a small amount of these ingredients is necessary and

sufficient

◮ More details in [MCAP 2013, SIGMETRICS P.E.R 2012, IJFCS

2011, DSN 2011, ICC 2010, SSS 2009, SASO 2008]

31

slide-32
SLIDE 32

State machine replication abstraction

◮ A service executed at distinct servers (replicas) appears as if

executed on a unique server

Properties

Assuming that all replicas start in the same initial state and commands are deterministic

◮ Validity ◮ Termination

Implementations

◮ Paxos, PBFT ◮ No open membership 32

slide-33
SLIDE 33

Nakamoto’s implementation : Bitcoin

◮ The adversary controls a minority of the total amount of

computational power

◮ Alternative to the common threshold adversary model

33

slide-34
SLIDE 34

Nakamoto implementation : Bitcoin

34

slide-35
SLIDE 35

Nakamoto’s implementation

1st ingredient : Leader election

◮ Implemented by a hash puzzle

◮ The probability of electing each party is proportional to its

computational power

→ Synchronize the creation of blocks → Defeat Sybil attacks → Incentivize correct behavior through currency creation

35

slide-36
SLIDE 36

Nakamoto’s implementation

2nd ingredient : Local arbitration rule

◮ In presence of concurrent winners

◮ Select the chain which required the greatest among of work ◮ Random nature of the hash puzzle + non-faulty leaders always

use the chain which required the greatest among of work

→ Locally, one chain will be extended more than the others

◮ The blockchain

B0

Bi

Bi+1 Bi+1 36

slide-37
SLIDE 37

Electing a leader in a permissionless setting

Proof-of-work

✓ Security analysis and works in practice ! ✗ Environmental issues ✗ The power belongs to leaders (i.e., miners)

Proof-of-work with useful computation, proof-of-space, proof-of-storage. . .

✗ Physical resources

Proof-of-stake

✓ Abstract but limited resource : coin itself ✓ All the required information is already in the blockchain

37

slide-38
SLIDE 38

Proof-of-stake approach (PoS)

Security of PoS relies on randomness

◮ The creator of the next block must be randomly chosen ◮ The source of randomization must not be biased by the

adversary

38

slide-39
SLIDE 39

StakeCube : Combining Sharding and PoS

◮ Miners do not exist anymore ◮ Users self-organize within committees based on their valid

public keys

◮ The number of committees increases sub-linearly with the

number of public keys

◮ Induced churn via unpredictable and perishable users’

credentials (every T blocks)

◮ The next block Bh is created via a consensus run among a

subset of committees which are elected based on Bh−1

◮ Robust to a weakly adaptive adversary : corruption is effective

T blocks after adversary’s selection

◮ More details [NETYS 2019] 39

slide-40
SLIDE 40

On-going work and perspective : blockchain and even more distributed algorithms

◮ Blockchain formalization

◮ Unified framework [ACM SPAA 2019] ◮ BlockTree object with « append » and « read » operations ◮ Token oracle : encapsulate both validity and synchronization

properties

◮ Consistency criteria : strong consistency and eventual

consistency

◮ Implementability

◮ Asynchronous and Byzantine implementation of a particular

RSM abstraction [IEEE IPDPS 2020]

◮ Blockchain implementation

◮ Sycomore : a directed acyclic graph of blocks ◮ PoS extension with StakeCube

40

slide-41
SLIDE 41

Many thanks to all you

  • J. Aspnes
  • A. Fernández Anta
  • L. Mé
  • N. Rivière
  • D. Avreski
  • D. Frey
  • E. Le Merrer
  • F. Robin
  • R. Baldoni
  • R. Friedman
  • R. Ludinard
  • L. Rodrigues
  • C. Bidan
  • S. Gambs
  • F. Majorczyk
  • M. Roy
  • S. Bonomi
  • V. Gramoli
  • E. Maehle
  • J. Royan
  • H. Borba Ribeiro
  • F. Greve
  • J. Marchand
  • E. Schulte-Geers
  • F. Brasileiro
  • A. Guellier
  • L. Mé
  • B. Sericola
  • Y. Busnel
  • G. Guette
  • P. Meye
  • G. Simon
  • G. Cabillic
  • J. Hélary
  • P. Minet
  • T. Sirvent
  • C. Cachin
  • G. Hiet
  • Y. Mocquard
  • B. Smith
  • F. Castella
  • M. Hurfin
  • A. Mostéfaoui
  • G. Straub
  • V. Cazacu
  • V. Issarny
  • E. Mourgaya
  • G. Texier
  • P. Chevochot
  • P. Jacquet
  • P. Multhaler
  • L. Toutain
  • V. Claveau

M.O. Killijian

  • G. Neiger
  • E. Totel
  • A. K Datta

A.M. Kermarrec

  • G. Piolle
  • G. Trédan
  • X. Défago
  • P. Lajoie-Mazenc
  • M. Potop-Butucaru
  • M. Papatriantafilou
  • A. Del Pozzo
  • T. Lajoie-Mazenc
  • N. Prigent
  • F. Tronel
  • C. Delporte-Gallet

J.F. Lalande

  • I. Puaut
  • S. Tucci
  • E. Demairy

J.L. Lanet

  • A. Puliafito
  • P. Tzigas
  • B. Di Gennaro
  • R. Laurent
  • L. Querzoni
  • V. Viet Triem Tong
  • G. Di Luna
  • F. Le Fessant
  • P. Raipin
  • A. Virgillito
  • A. Durand
  • G. Le Lann
  • A. Ravoaja
  • Y. Wang
  • H. Fauconnier

J.P. Lenarzul

  • M. Raynal
  • J. Widder
  • N. Rivetti
  • P. Wilke

With all my special thanks to Laurent

41