What is Distributed Storage Good For?

Transcription

1 Efficient Robust Storage using Secret Tokens Dan Dobre, Matthias Majuntke, Marco Serafini and Neeraj Suri Dependable Embedded Systems & SW Group Neeraj Suri EU-NSF ICT March 2006

2 What is Distributed Storage Good For? 1980 s 2009 clients request Distributed clients request bad reply or no reply Storage certificate

3 What Distributed Storage is Good? Distributed storage that is robust Regular & wait-free Resilient to Byzantine faults Optimally resilient 3t+1 storage nodes (base objects) AND stores unauthenticated data No crypto overhead Invulnerable to attacks Q: What latency of READ and WRITE?

4 Our Results Unauthenticated Storage Optimal resilience WRITE 2 [ACKM06] s do not write READ 2 Adversary may guess the future READ 2 [GV06] READ t+1 [ACKM06] READ t+1 [ACKM06] Robust READ 2 READ 1 READ 2 [GV06,DMS08]

5 Model Background Our Results Outline 1. Lower Bound 2. Unbounded s Algorithm 3. Fast s Algorithm Summary

6 Model Asynchronous message passing system Clients: 1 honest writer and many (malicious) readers Base objects: 3t+1 of which t may be Byzantine Regular read/write storage Initial value v 0 WRITE(v) stores value v v 0 and returns ok READ returns the last written value or a concurrent one Metric: latency = # communication round-trips clients base objects Honest clients can generate a secret (token)

7 Registers and Distributed Storage Register types [La86] Safe, regular and atomic (1,b) (1,b) (2,y) OK (0,v (2,y) 0 ) (1,b) b y return b return yb or y

8 Registers and Distributed Storage Register types [La86] Safe, regular and atomic (1,b) (1,b) (2,y) b y return vy 0

9 Optimal Resilience 3t+1 base objects necessary [MAD02] (1,b) (1,b) S 4 (1,b) σ 1 b return b

10 Wait for to break ties? Optimal Resilience... S 4 (1,b) σ 1 b... return b

11 WRITE 2 [ACKM06] pre-write write What about the READ? S 4 b

12 Unauthenticated Storage Optimal resilience WRITE 2 [ACKM06] s do not write READ 2 Adversary can guess the future READ 2 [GV06] READ t+1 [ACKM06] READ t+1 [ACKM06] Robust READ 2 READ 1 READ 2 [GV06,DMS08]

13 Our First Result: A Lower Bound Theorem: Reading from unauthenticated storage with optimal resilience requires at least two communication rounds if readers do not write.

14 cannot wait for Lower Bound (Run 1) S 4 return? b

15 Lower Bound (Run 2) WRITE precedes READ and Run 2 ~ Run 1 S 4 b return b

16 Lower Bound (Run 3) Run 3 ~ Run 2 S 4 return b return v 0

17 Unauthenticated Storage Optimal resilience WRITE 2 [ACKM06] s do not write READ 2 Adversary can guess the future READ 2 [GV06] READ t+1 [ACKM06] READ t+1 [ACKM06] Robust READ 2 READ 1 READ 2 [GV06,DMS08]

18 Unbounded s Algorithm (t = 1) σ 1 S 4 b return b

19 Unbounded s Algorithm (t = 1) σ 1 Wait condition: t+1 (2) pre-writes of b S 4 pw b write b rnd 1 rnd2 return b

20 Unbounded s Algorithm (t = 1) S 4 Wait condition: t+1 (2) pre-writes of b OR S-t (3) writes with smaller timestamp return v 0

21 Unbounded s Algorithm (t = 1) Wait condition: t+1 (2) pre-writes of b S 4 OR S-t (3) writes with smaller timestamp return b b

22 Unbounded s Algorithm (t > 1) S = 7, t = 2 Wait condition: S 4 t+1 (3) pre-writes of b S 5 OR S-t (5) writes with smaller timestamp S 6 S 7 return? b

23 Unbounded s Algorithm (t > 1) S = 7, t = 2 Recall: at least S 4 t+1 (3) READ rounds S 5 are necessary [ACKM06] S 6 S 7 b

24 Unbounded s Algorithm (t > 1) S = 7, t = 2 S 4 S 5 S 6 Adversary guesses Idea: bind the value to a secret token s in write phase S 7 pre-write b b write b rnd1 rnd2

25 Unbounded s Algorithm (t > 1) S = 7, t = 2 write <b,s> σ 3 S 4 S 5 S 6 S 7 New reports condition: σ 3 and S-t writes reports with and smaller σ 3 timestamp than b s OR with same timestamp but different secret token pre-write b write <b,s> rnd1 rnd2 return v 0

26 Summary of Unbounded s Algorihm Pros: Unbounded AND malicious readers READ latency down from t+1 to 2 rounds (tight) Graceful degradation Constant messages (except 2nd READ round with O(S)) Cons: Non-amensic stores unlimited # of values [CGK07] READs are blocking if secrecy is violated

27 Unauthenticated Storage Optimal resilience WRITE 2 [ACKM06] s do not write READ 2 Adversary can guess the future READ 2 [GV06] READ t+1 [ACKM06] READ t+1 [ACKM06] Robust READ 2 READ 1 READ 2 [GV06,DMS08]

28 The Fast s Algorithm READ and WRITE(b) overlap READs write σ 0 S 4 b

29 The Fast s Algorithm WRITE(b) precedes READ σ 0 <1,s> Adversary guesses σ 0 Idea: (1) reader writes secret s together with a timestamp: e.g. <1, s> S 4 <1,s> <1,s> (2) pre-write collects the info and write phase writes it back [<0,ε>,<1,s >, <0,ε>, ] b s s not both and are correct <1,s> return b

30 Summary of Fast s Algorithm Pros: Fast READs Graceful degradation Constant READ messages Cons: Non-amensic stores unlimited # of values [CGK07] Old values may be read if secrecy is violated Storage requirements and WRITE messages linear in the # readers

31 Summary Optimal resilience WRITE 2 [ACKM06] s do not write READ 2 Adversary can guess the future READ 2 [GV06] READ t+1 [ACKM06] READ t+1 [ACKM06] Robust READ 2 READ 1 READ 2 [GV06,DMS08]

32 Fin Questions?

33 What bounds for Unauthenticated storage? Observation: the READ lower bounds the adversary knows a value before it is written Idea: write a secret together with each value (e.g. a random bit string) Better READ Latency 2 rounds are necessary and sufficient if readers don t write 1 round is sufficient otherwise Graceful Degradation: Forged values are never read The first algorithm is always safe and the second is always live

34 Deriving the UR* Algorithm (t > 1) S = 7, t = 2 S 4 S 5 S 6 Wait condition: t+1 (3) pre-writes of b OR S-t (5) writes with smaller timestamp S 7 b return b * Unbounded s

35 Deriving the UR* Algorithm (t > 1) S = 7, t = 2 S 4 S 5 S 6 Wait condition: t+1 (3) pre-writes of b OR S-t (5) writes with smaller timestamp S 7 return b return v 0 * Unbounded s

36 The UR* Algorithm WRITE(v): 1. pre-write (ts++, v) to all base objects 2. wait for n-t responses 3. s gettoken() /*random value*/ 4. write (ts, v, s) to all base objects 5. wait for n-t responses and return ok; READ: 1. read from 2t+1 base objects 2. collect all written values (*,*,*) in set C /*candidates*/ 3. send C to all base objects 4. wait for responses /*two sets PW and W*/ remove c C when c is missing from n-t W sets until c: c = max ts (C) AND c is contained in t+1 PW or W sets 5. return c.val * Unbounded s

37 Argumentation C1: Some correct bo reports that b is written in the first READ round t+1 correct bos report b to the second READ round W R C2: not C1 a) no correct base object reports b in the second round from w field n-t bos report values with smaller timestamps WRITE(b) is not completed b) some correct base object reports b from w field

38 Deriving the Algorithm (t > 1) S = 7, t = 2 Wait condition: S 4 t+1 pre-writes of b S 5 OR S-t writes with smaller timestamp S 6 S 7 b

39 Deriving the Algorithm (t > 1) S = 7, t = 2 S 4 S 5 S 6 Wait condition: t+1 pre-writes of b OR S-t writes with smaller timestamp S 7

40 References [CGK07] G. Chockler, R. Guerraoui, and I. Keidar: Amnesic Distributed Storage. DISC 07 [ACKM06] I. Abraham, G. Chockler, I. Keidar, and D. Malkhi : Byzantine Disk Paxos: Optimal Resilience with Byzantine Shared Memory. Distributed Computing 2006 [DMS08] D. Dobre, M. Majuntke, N. Suri: On the Time- Complexity of Amnesic Storage. OPODIS 08 [GV06] R. Guerraoui and M. Vukolić: How fast can a very robust read be? PODC 06 [LA86] L.Lamport: On interprocess Communication. Part I, Algorithms [MAD02] JP Martin, L. Alvisi, M. Dahlin: Small Byzantine Quorum Systems, DISC 02

41 Increasing Resilience is Critical BFT protocols rely on failure independence Compromising s i does not help compromising s j So, in addition to HW costs: n implementations of the service n versions to maintain n operating systems