scalable bias resistant distributed randomness
play

Scalable Bias-Resistant Distributed Randomness Ewa Syta* , Philipp - PowerPoint PPT Presentation

Aug 14, 2022 •10 likes •320 views

Scalable Bias-Resistant Distributed Randomness Ewa Syta* , Philipp Jovanovic , Eleftherios Kokoris Kogias , Nicolas Gailly , Linus Gasser , Ismail Khoffi , Michael J. Fischer , Bryan Ford *Trinity College, USA EPFL,

  1. Scalable Bias-Resistant Distributed Randomness Ewa Syta* , Philipp Jovanovic † , Eleftherios Kokoris Kogias † , Nicolas Gailly † , Linus Gasser † , Ismail Khoffi ‡ , Michael J. Fischer § , Bryan Ford † *Trinity College, USA † EPFL, Switzerland ‡ University of Bonn, Germany § Yale University, USA IEEE Security & Privacy May 23, 2017

  2. Talk Outline • Motivation ‣ The need for public randomness Strawman examples: Towards unbiasable randomness ‣ • Two Randomness Protocols ‣ RandHound ‣ RandHerd • Implementation and Experimental Results • Conclusions and Demo 2

  3. Talk Outline • Motivation ‣ The need for public randomness Strawman examples: Towards unbiasable randomness ‣ • Two Randomness Protocols ‣ RandHound ‣ RandHerd • Implementation and Experimental Results • Conclusions and Demo 3

  4. Public Randomness • Collectively used • Unpredictable ahead of time • Not secret past a certain point in time • Applications ‣ Random selection: lotteries, sweepstakes, jury selection, voting and election audits ‣ Games: shuffled decks, team assignments ‣ Protocols: parameters, IVs, nonces, sharding ‣ Crypto: challenges for NZKP, authentication protocols, cut-and-choose methods, “nothing up my sleeves” numbers 4

  5. Failed / Rigged Randomness Vietnam War Lotteries (1969) 5

  6. Public Randomness is not New • 1955: Large table of random numbers published as a book by the Rand Corporation • Today: Generating public random numbers is (still) hard • Main issues: trust and scale 6

  7. Goals 5. Scalability 1. Availability Successful protocol Executable with termination for up to hundreds of Decentralized, f=t-1 malicious nodes. participants. public randomness in the (t,n)- threshold security model 4. Verifiability 2. Unpredictability Output correctness Output not revealed can be checked by prematurely. third parties. 3. Unbiasability Output distributed uniformly at random. 7 Assumptions: n= 3f +1, Byzantine adversary and asynchronous network with eventual message delivery

  8. Public Randomness Approaches • With Trusted Third Party ‣ NIST Randomness Beacon 
 • Without TTP Unusual assumptions ‣ Bitcoin (Bonneau, 2015) ‣ Slow cryptographic hash functions (Lenstra, 2015) ‣ Lotteries (Baigneres, 2015) ‣ Financial data (Clark, 2010) (t,n) -threshold security model but not scalable ‣ Coin-flipping (Cachin, 2015) ‣ Distributed key generation (Kate, 2009) 8

  9. Public Randomness is Hard Availability Unpredictability Unbiasability Verifiability Scalability Strawman I Strawman II Strawman III Strawman I Strawman II Strawman III Idea: Combine random Idea: Commit-then-reveal Idea: Secret-share random • • • inputs of all participants. random inputs. inputs. Problem: Last node Problem: Dishonest nodes Problem: Dishonest nodes • • • controls output. can choose not to reveal. can send bad shares. 9

  10. Public Randomness is Hard Availability Unpredictability Unbiasability Verifiability Scalability Strawman I Strawman II Strawman III RandShare RandShare Idea: Strawman III + verifiable secret sharing (Feldman, 1987) • Problems: • ‣ Not publicly verifiable ‣ Not scalable: O(n 3 ) communication / computation complexity 10

  11. Talk Outline • Motivation ‣ The need for public randomness Strawman examples: Towards unbiasable randomness ‣ • Two Randomness Protocols ‣ RandHound ‣ RandHerd • Implementation and Experimental Results • Conclusions and Demo 11

  12. RandHound Client • Goals verifiable ‣ Verifiability: By third parties randomness ‣ Scalability: Performance better than O(n 3 ) • Client/server randomness scavenging protocol ‣ Untrusted client uses a large set of nearly- stateless servers ‣ On demand (via configuration file) Servers ‣ One-shot approach ‣ Example: lottery authority 12

  13. RandHound Achieving Public Verifiability Client randomness & transcript • Publicly-VSS (Schoenmakers, 1999) ‣ Shares are encrypted and publicly verifiable through zero-knowledge proofs ‣ No communication between servers • Collective signing (Syta, 2016) ‣ Client publicly commits to their choices PVSS-Servers • Create protocol transcript from all sent/received (signed) messages 13

  14. RandHound Achieving Scalability Client randomness & transcript • Shard participants into constant size groups ‣ Secret sharing with everyone too expensive! ‣ Run secret sharing (only) inside groups ‣ Collective randomness: combination of 
 all group outputs PVSS 
 PVSS 
 Chicken-and-Egg problem? group 1 group 2 Servers • How to securely assign participants to groups? 14

  15. RandHound Solving the Chicken-and-Egg Problem Client randomness & transcript • Client selects server grouping • Availability might be affected (self-DoS) • Security properties through ‣ PVSS 
 PVSS 
 Pigeonhole principle: at least one group 
 group 1 group 2 is not controlled by the adversary ‣ Collective signing: prevents client equivocation Servers by fixing the secrets that contribute to randomness 15

  16. Public Randomness is (not so) Hard Availability Unpredictability Unbiasability Verifiability Scalability Strawman I Strawman II Strawman III RandShare RandHound Communication / computation complexity: O(c 2 n) 16

  17. RandHerd Availability assumption only • Goals Leader ‣ Continuous, leader-coordinated randomness generation verifiable ‣ randomness Small randomness proof size 
 (a single Schnorr signature) ‣ Better performance than O(n) Participants • Decentralized randomness beacon ‣ Built as a collective authority or cothority ‣ Randomness on demand, at frequent A collective authority intervals, or both 17

  18. RandHerd Achieving RandHerd’s Goals Leader • Idea verifiable ‣ Collective randomness = collective Schnorr signature randomness ‣ Benefits: Small proofs, O(log n) complexity ‣ Problem: Failing nodes influence output Participants • Solution ‣ Arrange nodes into (t,n) -threshold Schnorr signing (Stinson, 2001) groups (failure resistance) ‣ Collective randomness = aggregate group signatures A collective authority ‣ Approach: Setup + round function 18

  19. RandHerd Setup Nodes 1. 1.Elect a temporary leader via lowest ticket 
 t i = VRF( config , key i ) Leader 2. 2.Obtain randomness Z from RandHound Servers 3.Create TSS groups using Z and generate TSS group 0 group keys X i 3. 4.Certify aggregate public key X using CoSi X 0 X 2 X 1 X = X 0 X 1 X 2 
 4. (c,r) 19 TSS group 1 TSS group 2

  20. RandHerd Round Generation TSS group 0 1.Cothority Leader (CL) broadcasts timestamp v collective 2.TSS-CoSi randomness (c,r 0 ) (c,r) CL a. Produce group Schnorr signatures (c,r 0 ) (c,r 1 ) (c,r 2 ) on v b. Aggregate into collective Schnorr signature (c,r = r 0 +r 1 +r 2 ) (c,r 1 ) (c,r 2 ) GL GL c. Publish (c,r) as collective randomness Verification of (c,r) on v using the collective public key X = X 0 X 1 X 2 TSS group 1 TSS group 2 20

  21. Public Randomness is (not so) Hard Availability Unpredictability Unbiasability Verifiability Scalability Strawman I Strawman II Strawman III RandShare RandHound RandHerd Communication / computation complexity: O(c 2 log(n)) 21

  22. Talk Outline • Motivation ‣ The need for public randomness Strawman examples: Towards unbiasable randomness ‣ • Two Randomness Protocols ‣ RandHound ‣ RandHerd • Implementation and Experimental Results • Conclusions and Demo 22

  23. Implementation & Experiments Implementation DeterLab Setup • Go versions of DLEQ-proofs, • 32 physical machines PVSS, TSS, CoSi-TSS, ‣ Intel Xeon E5-2650 v4 
 RandHound, RandHerd (24 cores @ 2.2 GHz) ‣ 64 GB RAM • Based on DEDIS code ‣ 10 Gbps network link ‣ Crypto library • Network restrictions ‣ Network library ‣ Cothority framework ‣ 100 Mbps bandwidth ‣ 200 ms round-trip latency • https://github.com/dedis 23

  24. Experimental Results – RandHound Take-away: Gen. / ver. time for 1 RandHound run is 290 sec / 160 sec with 1024 nodes, group size 32. 24

  25. Experimental Results – RandHound Take-away: Total cost for 1 RandHound run is 10 CPU min (EC2: < $0.02) with 1024 nodes, group size 32. 25

  26. Experimental Results – RandHerd Take-away: Gen. time for 1 RandHerd run with is 6 sec, after setup (10 mins) with 1024 nodes, group size 32. 26

  27. Experimental Results – RandHerd Take-away: For a constant group size RandHerd has O(log n) randomness generation complexity. 27

  28. Talk Outline • Motivation ‣ The need for public randomness Strawman examples: Towards unbiasable randomness ‣ • Two Randomness Protocols ‣ RandHound ‣ RandHerd • Implementation and Experimental Results • Conclusions and Demo 28

  29. Conclusion • Generation of public randomness: trust and scale issues • Our solution: two protocols in the (t,n) -threshold security model Availability Unpredictability Unbiasability Verifiability Scalability Complexity RandHound O(n) RandHerd O(log(n)) • Code: https://github.com/dedis/cothority 29

  30. Demo pulsar.dedis.ch 30

  31. Thank you! Questions? Ewa Syta Philipp Jovanovic ewa.syta@trincoll.edu philipp.jovanovic@epfl.ch 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota,

Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota,

@csunivie Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota, Michael Jensen, Sebastian Kristensen, Mathias Michno, Yvonne-Anne Pignolet, Rene Hansen, Stefan Schmid Randomness: An Important Tool of Our

394 views • 35 slides
Cache Coherence in Scalable Machines Scalable Cache Coherent Systems Scalable, distributed

Cache Coherence in Scalable Machines Scalable Cache Coherent Systems Scalable, distributed

Cache Coherence in Scalable Machines Scalable Cache Coherent Systems Scalable, distributed memory plus coherent replication Scalable distributed memory machines P-C-M nodes connected by network communication assist interprets

1.13k views • 87 slides
RAY A Scalable computation engine Ray is a flexible, high-performance, distributed

RAY A Scalable computation engine Ray is a flexible, high-performance, distributed

RAY A Scalable computation engine Ray is a flexible, high-performance, distributed execution framework for Emerging AI Applications (UC Berkeley) A scalable system for parallel and distributed Python. Shortens path to production

389 views • 35 slides
Scalable Distributed Lineage Authentication Ashish Gehani Scalable Distributed Lineage

Scalable Distributed Lineage Authentication Ashish Gehani Scalable Distributed Lineage

Scalable Distributed Lineage Authentication Ashish Gehani Scalable Distributed Lineage Authentication p. 1/59 What is data lineage ? Output Operation Input 1 Input n (a) Primitive operation (b) Compound operation tree Scalable

843 views • 59 slides
Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis Jelle van den Hooff, David

Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis Jelle van den Hooff, David

Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis Jelle van den Hooff, David Lazar, Matei Zaharia, Nickolai Zeldovich MIT CSAIL Symposium on Operating Systems Principles (SOSP), 2015 1 / 12 Motivation Encryption systems hide

608 views • 14 slides
Overview Distributed Services for Distributed VPNs Objectives for Robust Time

Overview Distributed Services for Distributed VPNs Objectives for Robust Time

Michael Rossberg, Rene Golembewski, Guenter Schaefer Ilmenau University of Technology, Germany ICCCN 2012 Attack-Resistant Distributed Time Synchronization for Virtual Private Networks Overview Distributed Services for Distributed VPNs

212 views • 9 slides
BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being

BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being

BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being partial or prejudiced Where have you seen bias? Bias vs. Propaganda Bias is prejudice; a preconceived judgment or an opinion formed

717 views • 29 slides
UbiCrawler: a scalable fully distributed web crawler Paolo Boldi, Bruno Codenotti, Massimo

UbiCrawler: a scalable fully distributed web crawler Paolo Boldi, Bruno Codenotti, Massimo

UbiCrawler: a scalable fully distributed web crawler Paolo Boldi, Bruno Codenotti, Massimo Santini and Sebastiano Vigna 27th January 2003 Abstract We report our experience in implementing UbiCrawler, a scalable distributed web crawler, using

211 views • 18 slides
Scalable and Distributed Visualization using ParaView Eric A. Wernert, Ph.D. Senior Manager &amp;

Scalable and Distributed Visualization using ParaView Eric A. Wernert, Ph.D. Senior Manager &amp;

Scalable and Distributed Visualization using ParaView Eric A. Wernert, Ph.D. Senior Manager &amp; Scientist, Advanced Visualization Lab Pervasive Technology Institute, Indiana University Big Data for Science Workshop July 26, 2010 Scalable

412 views • 37 slides
Fr Frangipani: A Scalable Distributed Fi File System

Fr Frangipani: A Scalable Distributed Fi File System

Fr Frangipani: A Scalable Distributed Fi File System Chandramohan A. Thekkath Timothy Mann Edward K. Lee Digital Equipment Corpora=on Goal To achieve

144 views • 10 slides
Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick Technische Universitt Darmstadt, Germany ??? 2 How to acquire randomness? A: 42 B: Random

562 views • 32 slides
Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture Damage 1 Balanced Mix Design: ETG Definition Asphalt mix design using performance tests on appropriately conditioned specimens that address

480 views • 46 slides
Astrolabe: A Robust and Scalable Technology for Distributed System R. van Renesse, K.P. Birman,

Astrolabe: A Robust and Scalable Technology for Distributed System R. van Renesse, K.P. Birman,

Astrolabe: A Robust and Scalable Technology for Distributed System R. van Renesse, K.P. Birman, W. Vogels (Cornell University) Presentation by Konrad Iwanicki October 3rd and 8th, 2012 Distributed Systems Course, University of Warsaw 1

861 views • 47 slides
Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Randomness and Pseudorandomness Review Problem:

1.69k views • 33 slides
WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable

WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable

WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable Messaging Distributed Message Brokers WSO2 MB Architecture o Distributed Pub/sub architecture o Distributed Queues architecture User Story

1.12k views • 33 slides
Scalable Termination Detection for Distributed Actor Systems Dan Plyukhin and Gul Agha UIUC

Scalable Termination Detection for Distributed Actor Systems Dan Plyukhin and Gul Agha UIUC

Scalable Termination Detection for Distributed Actor Systems Dan Plyukhin and Gul Agha UIUC Actor Model Actors are lightweight, stateful, async processes. Used to build low-latency distributed systems (e.g. Riak, Discord, CouchDB). Most popular

1.53k views • 122 slides
Simulation Examples Banks, Carson, Nelson &amp; Nicol Discrete-Event System Simulation Purpose

Simulation Examples Banks, Carson, Nelson &amp; Nicol Discrete-Event System Simulation Purpose

Chapter 2 Simulation Examples Banks, Carson, Nelson &amp; Nicol Discrete-Event System Simulation Purpose To present several examples of simulations that can be performed by devising a simulation table either manually or with a spreadsheet.

606 views • 46 slides
SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements

SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements

SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements Grouped into batches Batches are executed when a GO statement is hit Why are these batches necessary? Certain commands cannot be

452 views • 21 slides
INTRODUCTION TO PROBABILITY INTRODUCTION TO PROBABILITY MODELS MODELS Lecture 34 Qi Wang ,

INTRODUCTION TO PROBABILITY INTRODUCTION TO PROBABILITY MODELS MODELS Lecture 34 Qi Wang ,

INTRODUCTION TO PROBABILITY INTRODUCTION TO PROBABILITY MODELS MODELS Lecture 34 Qi Wang , Department of Statistics Nov 12, 2018 5 NUMBER SUMMARY 5 NUMBER SUMMARY 5 Number Summary is consist of Minimum, , Median, , Maximum EXAMPLE 1

404 views • 12 slides
SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to

SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to

SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to study the whole popula5on? A major reason studying samples rather than the

288 views • 16 slides
Big Table A Distributed Storage System For Data OSDI 2006 Fay Chang, Jeffrey Dean, Sanjay

Big Table A Distributed Storage System For Data OSDI 2006 Fay Chang, Jeffrey Dean, Sanjay

Big Table A Distributed Storage System For Data OSDI 2006 Fay Chang, Jeffrey Dean, Sanjay Ghemawat et.al. Presented by Rahul Malviya Why BigTable ? Lots of (semi-)structured data at Google - - URLs: Contents, crawl metadata(when,

611 views • 41 slides
Lecture 8 HASHING!!!!! Announcements HW3 due Friday! HW4 posted Friday! Today: hashing

Lecture 8 HASHING!!!!! Announcements HW3 due Friday! HW4 posted Friday! Today: hashing

Lecture 8 HASHING!!!!! Announcements HW3 due Friday! HW4 posted Friday! Today: hashing # 1 NIL 22 2 NIL 13 43 3 NIL 9 9 NIL n=9 buckets Outline Hash tables are another sort of data structure that allows fast

966 views • 59 slides
Programming Abstraction in C++ Eric S. Roberts and Julie Zelenski Stanford University 2010

Programming Abstraction in C++ Eric S. Roberts and Julie Zelenski Stanford University 2010

Introduction A Random Number Interface Strings Standard I/O and File Streams Programming Abstraction in C++ Eric S. Roberts and Julie Zelenski Stanford University 2010 Introduction A Random Number Interface Strings Standard I/O and File

481 views • 22 slides
Introduction to Statistics Dajiang Liu Basic Information for PHS525 Course title:

Introduction to Statistics Dajiang Liu Basic Information for PHS525 Course title:

Introduction to Statistics Dajiang Liu Basic Information for PHS525 Course title: Biostatistics for Laboratory Scientists Instructors: Dr. Dajiang Liu: dajiang.liu@psu.edu Office: HCAR 2020 Tel: 717-531-4178 Dr. Huamei

616 views • 24 slides

More recommend