Administrivia AdvancedTopicsin - - PDF document

1 AdvancedTopicsin DistributedComputing: Introduction

WinterTerm20072008

MaxPlanckInstituteforSoftware Systems

• Administrivia

Meetings:everysecondThursday,startingfrom

October25),9:1512:00,E1.4,6th rotunda

Introductorylectures:October25,November8 NoclassonNovember22 Mailinglist:adcws07l@postino.mpisb.mpg.de

(subscribebyemailto adcws07ljoin@postino.mpisb.mpg.de)

Webpage:

http://www.mpisws.mpg.de/~pkouznet/ADC07/

• Administrivia (contd.)

Credit=

Chooseatopic Prepareandleadadiscussionofthetopic Faithfullyattendthemeetingsandparticipate indiscussions

Officehours:Wed10:0011:30,E1.4,office

625

RegistrationbyemailtoPetrKuznetsov

(matriculationid,preferredtopic):by November8

• Outline

“Classical” distributedcomputing

Basicabstractions:processingand communication Failuremodels Synchronyassumptions Correctnessofalgorithms (Discouraging?)tradeoffs

“Borderlinechallenges”

• Adistributedsystem

Multiprocessors LANs Internet Deviations:hardware

faults,softwarebugs, securityattacks…

• Distributed≠ Parallel

‘‘youknowyouhaveadistributedsystem

whenthecrashofacomputeryou’venever heardofstopsyoufromgettinganywork done” (Lamport)

Themainchallengeistogettheworkdone

despitefailures(nottocomputethetask faster)

Classesofproblems:synchronization,fault

tolerance,computability,complexitybounds

2

• History

Diningphilosophers,mutualexclusion

(Dijkstra )~60’s

Distributedcomputing,logicalclocks

(Lamport),distributedtransactions(Gray) ~70’s

Consensus(Lynch)~80’s Distributedprogrammingmodels,systems,

since~90’s

• Basicabstractions

Process abstraction– anindependent

threadofcomputation

Communicationabstractions

Messagepassing:channels Sharedmemory:objects

• Processes

AutomatonPi

(i=1,...,N):

States Inputs Outputs Sequential specification

Algorithm={P1,…,PN}

• Failuremodels:processing

Processiscorrect ifitfollowsitsalgorithm

Processingfailures

Byzantine Omission Crashes Crashrecoveries

• Byzantinefailuremodel

Arbitrarydeviations:

Viruses Softwarebugs Unanticipatedmaliciousattacks

Difficulttohandle,typicalassumptions:

Failuresnotcorrelated Lessthanonethirdoftheprocessescanfail

• Omissionfailuremodel

Aprocessfailstosendorreceivea

message(send/receiveomission)

Send/receivebufferoverflows

3

• Crashfailuremodel

Aprocesscrashes=prematurelystopstaking steps

Models“benign” hardwareerrors Typicallyanupperboundfonthenumber

• fcrashesisassumed:

Atmostaminorityoftheprocessescancrash Atleastoneprocessiscorrect

• Failuremodels:communication

Linklosses

Fairlosschannels:everymessageresent sufficientlymanytimesiseventuallydelivered Reliablechannels:everymessagesentbya correctprocesstoacorrectprocessis eventuallydelivered

Duplication/creationinlinks Faultysharedobjects

• Synchronyassumptions

Canbequantifiedusingprocessingbound Φ andcommunicationbound ∆

WhileaprocesstakesΦ localsteps,every

correctprocesstakesatleastonestep

Everysentmessagetakesatmost∆ local

steps tobedelivered

• Synchronoussystem

Thebounds∆ andΦ existandareknown (≈thereareknownupperandlowerboundson timetoexecuteastepandtotransmita message) Tomodelsystemswithhighlypredictable stabletimingbounds

• Partiallysynchronoussystem

Thebounds∆ andΦ existbutarenotknown (≈thereareunknownboundsontimeto executeastepandtotransmitamessage) Tomodelsystemswithunpredictablebut stabletimingbounds

• Asynchronoussystem

Theboundsmightnotexist. (≈ itcantakearbitrarilylongtotakeastep

• fcomputationandtocommunicate)

Tomodelunpredictablesystems:noglobal time,onlycausality

4

• Problemspecification

Safetyproperties≈ nothingbadhappens

Canonlybeviolatedinafiniteexecution,e.g.,by producingawrongoutputorsendingan incorrectmessage

Liveness properties≈ somethinggood

eventuallyhappens

Canonlybeviolatedinan infiniteexecution,e.g., byneverproducinganexpectedoutput

• Fundamentaltradeoffs

Availabilityvs.Consistency

Statemachinereplication:strongconsistency, likelyunavailable DistributedHashTables(DHTs):besteffort consistency,alwaysresponsive

Timevs.spacecomplexity

Sharedmemoryimplementations Routingatascale

… Costvs.benefit

• “Borderline” topics

I.Security

systemsshouldnot“leak” information

II.Games

settherulesandpreventdeviations

III.Networks

transmitamessagereliably(andsecurely) despitenodeandlinkfailures

• vercomefailuresinwirelessnetworks

computeanaggregatevaluefromalargegroup

• f“weak” sensors
• “Borderline” topics(contd.)

IV.Multiprocessorsynchronizationwith STMs (vs.locks)

accessconcurrentobjectswith(lightweight) transactions boostprogresswithcontentionmanagers

V.Formalmodels

I/Oautomata Temporallogic

VI.Systems

ByzantineFaultTolerance P2P:keybasedroutingandDHTs

• I.1Securemultipartycomputation

Howtocomputetheaveragesalaryina

groupwithoutanyonelearningthesalaryof anyoneelse?

AliceandBobwanttoknowwhoisolder

withoutrevealingtheirages

• Problemstatement

nplayersp0,…,pn1,eachpi possessingan

inputvaluexi

a(probabilistic)functionf(x0,…,xn1) Everyplayercomputesthevalueof

f(x0,…,xn1)withoutlearningany informationontheinputsextratothe computedvalue f(…)canbedefinedinafaulttolerantway

5

• Amodelwithtrustedmediator

Eachplayerpisendsxitothetrusted

mediatorM

Mcomputesf(x0,…,xn1)andsendsthe

resultbacktotheplayers Challenge:emulateMinadistributed system?

• Solutions

Cryptographic:tolerateuptot<n/2

cheaters(underusualpubliccrypto assumptions)

Noncryptographic:tolerateuptot<n/3

cheaters(assumingsecurecommunication channels)

• Applications

Verifiablesecretsharing(VSS):

reconstructasecretgiven(abounded numberof)badshares

AVSS MVSS …

Distributedvoting Auctions …

• II.1Games

Secretsharinggame: Distributeasecretamongasetofnplayers (p1,…,pn)sothat

anymofthemcanreconstructthesecret anym1cannot

Shamir’s scheme:

Dealerchoosesarandompolynomialf(x)ofdegreet withf(0)=sandsendsf(i)toplayerI Tocomputethesecret:eachplayerbroadcastshis (her)share

• Incentives

Supposeeachplayerisrational:

Betterlearnthesecretthannottolearn Bettertobetheonlyplayertolearnthesecret

Butthenwhysendingmyshare,Ibetter

waituntilIreceiveenoughshares

Shamir’s schemeisweaklydominatedby

notsendinganything

• GeneralizationtoSMPC

SecureMultiPartyComputation Eachplayer

Preferscomputingthefunctiononprivate

inputstonotcomputing

Wantstobetheonlyplayertodoso

6

• Challenges

Proposeascheme(ajointstrategy)such

thatnorationalagentwouldwishtodeviate fromit

Tolerate(bounded)coalitions? Moregenerally:howtodealwithrationality

inadistributedsystem?Canwedobetter ifweknowwhatthebadguyswant?Canwe definewhattheywant?

• III.1Secureandreliablecommunication

Securetransferproblem

• ndisjointroutesbetweenAandB
• TransmitmfromAtoB
• Eavesdroppingonuptotroutesdoesnothelpthe

adversarytolearnthemessage

• Controllingcommunicationonatmostdroutesdoes

nothelptheadversarytodisruptthetransmission

• Variations

Onewayvs.twoway Routesreplacedwithbidirectionalgraphs Directedgraphs? Synchronousvs.asynchronous Multicastchannels(e.g.Ethernet) …

• III.2 Gossipinginwirelessnetworks

Staticwirelessnetwork Maliciousadversarymaycontrolsomenodes bymakingthem

Sendbadmessages Jamthechannel(preventcommunication) Spoofmessages(corruptcommunication)

• Oneproblem:reliablebroadcast

Thesourcehasamessagem Makesure(w.h.p.)thatmisdeliveredby

everygoodnode Whatisthestrongestadversarywecan tolerate(undervariousmodel assumptions)?

• Assumptions

Adversarycanonlysendincoherent

messages

Adversarycanonlycreatecollisions(no

spoofing)

Adversarycanspoofmessagesbuthas

boundedpower

…

7

• III.3Sensors

Alargecollectionof“lightweight” mobiledevices Nocentralinfrastructure Communicationispairwise Whatcanandwhatcannotbecomputed? Themaximaltemperatureinaflockofbirds,

averagenoiselevelinaconstructionarea,etc.?

Routinginasensornetworks?

• Assumptions

Algorithmsareuniform:donotdependon

thenumberofsensors

Sensorsarefinitestate (anonymous) Sensorsmayfail …