DOCSLIB.ORG

Pseudorandomness for Network Algorithms

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Pseudorandomness for Network Algorithms Pseudorandomness for Network Algorithms Russell Impagliazzo ∗ Noam Nisan y Avi Wigderson z Abstract This theory has developed in two (related) branches: conditional and unconditional results. In a condi- We define pseudorandom generators for Yao's two- tional result (of the above type), the quality of the party communication complexity model and exhibit generator is based on some complexity theoretic as- a simple construction, based on expanders, for it. We sumption, which is believed but is not known to hold. then use a recursive composition of such generators to Such results exist for very strong models, specifically obtain pseudorandom generators that fool distributed polynomial time computation, under various assump- network algorithms. While the construction and the tions [BM82, Yao82, GKL88, ILL89, Has90, NW88, proofs are simple, we demonstrate the generality of BFNW]. such generators by giving several applications. The unconditional results use no unproven assump- tion, and typically demonstrate that weaker compu- tational models can be fooled by pseudorandom gen- 1 Introduction erators. To this class of results belong the pseudo- The theory of pseudorandomness is aimed at under- random generators for various constant-depth circuits standing the minimum amount of randomness that a [AW85, Nis91, LVW93] and for space-bounded Turing probabilistic model of computation actually needs. A machines [BNS89, Nis92, NZ93]. Our paper adds a typical result shows that n truly random bits used by significant number of computational models for which the model can be replaced by n pseudorandom ones, such unconditional results can be proved. generated deterministically from m << n random We present a new construction of a pseudorandom bits, without significant difference in the behavior of generator which fools every computational model which the model. The deterministic function stretching the can be described as a network of probabilistic proces- m random bits into n pseudorandom ones is called sors. The quality of the generator (i.e. the number a pseudorandom generator, which is said to fool the of truly random bits m it needs to generate its pseu- given model. dorandom output) essentially depends on the com- munication bandwidth of the algorithm run by the ∗Dept. of Computer Science, UCSD. Supported by USA- network. This is determined by two essential factors: Israel BSF grant 92-00043. the size of separators in the network, and the number yInstitute of Computer Science, Hebrew University of Jerusalem, Israel. This work was supported by USA-Israel BSF of bits communicated by each processor. Note that grant 92-00043 and by a Wolfeson research award administered we care nothing for the computational power of the by the Israeli Academy of Sciences. processors, and care little about their number! zInstitute of Computer Science, Hebrew University of Jerusalem, Israel. This work was supported by USA-Israel BSF Our generator is constructed recursively, based on grant 92-00106 and by a Wolfeson research award administered a recursive balanced partitioning of the nodes in the by the Israeli Academy of Sciences. given networks by small separators. Thus the key graph-theoretic parameter is the tree-width of the net- work, which determines the largest cut encountered in such a process. The savings in random bits is sig- nificant (m = nc for some c < 1) for networks which can be embedded in small dimensional space (such as grids) and low genus topological spaces (such as planar and excluded minor families of graphs). The O(1) 0 savings are extremely significant (m = (log n) ) Page 1 for networks such as paths, cycles and trees. Physical systems and cellular automata As a \base-case" for the recursive construction of • Many models of statistical mechanics assume lo- the pseudo-random generator, serves a new pseudo- cal interactions (usually on a lattice structure) random generator for the two-party communication and random inputs at every site. Monte-Carlo complexity model of [Y79], which is interesting in its simulations of such systems (e.g. heat propa- own right. This generator is based on an expanding gation, spin-glass models, Maxwell's gas model, graph and its security relies on the on following simple ...) are performed in masses. Our results imply observation: The two parties will behave essentially that, provably, much less randomness is needed the same, whether they receive two independent ran- to perform them accurately than it may seem. dom vertices, or the two endpoints of a random edge (Of course, the physicists use even less random- of the expander. Moreover, if the parties use c com- ness via the simple generators supplied in ev- munication bits, it suffices that the expander have ery computer, and seem to be satisfied (usually) degree only exp(O(c)), regardless of the input length. with the outcome, despite its unproven quality.) Moreover, the difference in behavior (traffic on the The paper is organized as follows. In section 2 we communication channel) will be bounded by exp( c). describe the basic generator, which fools two-party As mentioned above, a large number of models− communication complexity. In section 3 we define can be viewed as algorithms performed by commu- distributed networks and protocols, and how to con- nication networks. For these we can apply our gen- struct the generator to fool them. Section 4 describes eral theorem and obtain specific generators. We list our applications. these applications below. We mention in passing that it is standard to derive from the generators explicit functions, for which complexity lower bounds (which 2 Two Parties depend on the quality of the generator) in the given model can be proved. Definition 1 A function g : 0; 1 m 0; 1 r 0; 1 r is is called a pseudorandomf generatorg ! f for com-g × Space-bounded computation Here the net- municationf g complexity c with parameter , if for every • work is a path on which the (random) input re- two-party protocol P of at most c bits of communica- sides, and communication is performed by the tion moving head. We obtain an O(log2 n) genera- tor for what we call bounded read-multiplicity P r[P (y1; y2) accepts] P r[P (g(x)) accepts] , Logspace machines. This includes as a spe- j − j ≤ cial case Nisan's pseudorandom generator for where y1 and y2 are chosen uniformly at random in 0; 1 r, and x is chosen uniformly in 0; 1 m. In Logspace machines [Nis92]. This also includes f g f g as a special case arbitrary two-way finite au- short we say that g is a c-generator if it is a pseu- tomata. dorandom generator for communication complexity c c with parameter 2− . Turing machines. We obtain a O~(pT ) gen- • erator for one-tape time(T ) Turing machines. It is clear that for m = 2r it is trivial to get a We also obtain a O~(pST ) generator for general c-generator for any c (the identity function), and it is also clear that m r + c is a lower bound on m. time(T )-space(S) bounded Turing machines. These ≥ results require a generalization of our basic gen- Our main result in this section is a construction which erator, aimed to handle average rather than worst uses a nearly optimal number of bits m = r + O(c). case bound on the communication complexity. The Generator: Fix an easily constructible regular Boolean circuits. Here the network is the cir- r • expander graph H = (V; E), with 2 vertices and cuit itself, and we obtain pseudorandom gen- degree D = 2d. The input to the generator g is a erators that fool planar circuits and read-once name of a (directed) edge in E, and the two outputs formulae. It also results in pseudorandom gen- 2 are the two vertices on the edge. Thus g accepts an erators for VLSI model in the AT measure. m = r + d bit string and produces two r bit strings. Parallel and distributed network algorithms. Theorem 1 g is a c-generator, for c = (d log λ)=2, • This obviously suits our model. The most stun- where λ is the second largest eigenvalue of H−. In par- ning savings we get are for simple architectures ticular, if H is Ramanujan [LPS86], g is a (d=4) generator. like trees and rings for which we can reduce the − randomness requirements to polylog. Nontriv- Proof: For every graph H = (V; E) of degree D and ial savings in randomness are also achieved for second largest eigenvalue λ, and for every S; T V grid architectures. we have the standard inequality (see e.g. [AC88])⊆ Page 2 3 General Distributed Protocols E(S; T ) S T λ j j j j j j j E − V V j ≤ D 3.1 The Communication Network j j j j j j In our context, the left-hand side is exactly the Our generators work against networks which have difference in probability that a pair of vertices (a; b) small separators, and which their subgraphs also do. belongs to the \rectangle" S T , where in the first Formally we need: expression it is chosen as the× endpoints of uniformly random directed edge from E, and in the second each Definition 3 Let H = (V; E) be a graph. A parti- vertex independently from V . tion tree T for H is a rooted binary tree with a one- Recall that a c-protocol P partitions the inputs to-one onto mapping of V to the leaves of T . A par- c into at most 2 rectangles, say Si Ti, and that the × tition tree T is called balanced if the depth of T is protocol accepts for rectangles i I. Thus by the O(log V ).
Load more

Recommended publications
  • Going Beyond Dual Execution: MPC for Functions with Efficient Verification
    Going Beyond Dual Execution: MPC for Functions with Efficient Verification Carmit Hazay abhi shelat ∗ Bar-Ilan University Northeastern Universityy Muthuramakrishnan Venkitasubramaniamz University of Rochester Abstract The dual execution paradigm of Mohassel and Franklin (PKC’06) and Huang, Katz and Evans (IEEE ’12) shows how to achieve the notion of 1-bit leakage security at roughly twice the cost of semi-honest security for the special case of two-party secure computation. To date, there are no multi-party compu- tation (MPC) protocols that offer such a strong trade-off between security and semi-honest performance. Our main result is to address this shortcoming by designing 1-bit leakage protocols for the multi- party setting, albeit for a special class of functions. We say that function f (x, y) is efficiently verifiable by g if the running time of g is always smaller than f and g(x, y, z) = 1 if and only if f (x, y) = z. In the two-party setting, we first improve dual execution by observing that the “second execution” can be an evaluation of g instead of f , and that by definition, the evaluation of g is asymptotically more efficient. Our main MPC result is to construct a 1-bit leakage protocol for such functions from any passive protocol for f that is secure up to additive errors and any active protocol for g. An important result by Genkin et al. (STOC ’14) shows how the classic protocols by Goldreich et al. (STOC ’87) and Ben-Or et al. (STOC ’88) naturally support this property, which allows to instantiate our compiler with two-party and multi-party protocols.
    [Show full text]
  • 1 Perfect Secrecy of the One-Time Pad
    1 Perfect secrecy of the one-time pad In this section, we make more a more precise analysis of the security of the one-time pad. First, we need to define conditional probability. Let’s consider an example. We know that if it rains Saturday, then there is a reasonable chance that it will rain on Sunday. To make this more precise, we want to compute the probability that it rains on Sunday, given that it rains on Saturday. So we restrict our attention to only those situations where it rains on Saturday and count how often this happens over several years. Then we count how often it rains on both Saturday and Sunday. The ratio gives an estimate of the desired probability. If we call A the event that it rains on Saturday and B the event that it rains on Sunday, then the intersection A ∩ B is when it rains on both days. The conditional probability of A given B is defined to be P (A ∩ B) P (B | A)= , P (A) where P (A) denotes the probability of the event A. This formula can be used to define the conditional probability of one event given another for any two events A and B that have probabilities (we implicitly assume throughout this discussion that any probability that occurs in a denominator has nonzero probability). Events A and B are independent if P (A ∩ B)= P (A) P (B). For example, if Alice flips a fair coin, let A be the event that the coin ends up Heads. If Bob rolls a fair six-sided die, let B be the event that he rolls a 3.
    [Show full text]
  • 6.045J Lecture 13: Pseudorandom Generators and One-Way Functions
    6.080/6.089 GITCS April 4th, 2008 Lecture 16 Lecturer: Scott Aaronson Scribe: Jason Furtado Private-Key Cryptography 1 Recap 1.1 Derandomization In the last six years, there have been some spectacular discoveries of deterministic algorithms, for problems for which the only similarly-efficient solutions that were known previously required randomness. The two most famous examples are • the Agrawal-Kayal-Saxena (AKS) algorithm for determining if a number is prime or composite in deterministic polynomial time, and • the algorithm of Reingold for getting out of a maze (that is, solving the undirected s-t con­ nectivity problem) in deterministic LOGSPACE. Beyond these specific examples, mounting evidence has convinced almost all theoretical com­ puter scientists of the following Conjecture: Every randomized algorithm can be simulated by a deterministic algorithm with at most polynomial slowdown. Formally, P = BP P . 1.2 Cryptographic Codes 1.2.1 Caesar Cipher In this method, a plaintext message is converted to a ciphertext by simply adding 3 to each letter, wrapping around to A after you reach Z. This method is breakable by hand. 1.2.2 One-Time Pad The “one-time pad” uses a random key that must be as long as the message we want to en­ crypt. The exclusive-or operation is performed on each bit of the message and key (Msg ⊕ Key = EncryptedMsg) to end up with an encrypted message. The encrypted message can be decrypted by performing the same operation on the encrypted message and the key to retrieve the message (EncryptedMsg⊕Key = Msg). An adversary that intercepts the encrypted message will be unable to decrypt it as long as the key is truly random.
    [Show full text]
  • László Lovász Avi Wigderson De L’Université Eötvös Loránd À De L’Institute for Advanced Study De Budapest, En Hongrie Et À Princeton, Aux États-Unis
    2021 L’Académie des sciences et des lettres de Norvège a décidé de décerner le prix Abel 2021 à László Lovász Avi Wigderson de l’université Eötvös Loránd à de l’Institute for Advanced Study de Budapest, en Hongrie et à Princeton, aux États-Unis, « pour leurs contributions fondamentales à l’informatique théorique et aux mathématiques discrètes, et pour leur rôle de premier plan dans leur transformation en domaines centraux des mathématiques contemporaines ». L’informatique théorique est l’étude de la puissance croissante sur plusieurs autres sciences, ce et des limites du calcul. Elle trouve son origine qui permet de faire de nouvelles découvertes dans les travaux fondateurs de Kurt Gödel, Alonzo en « chaussant des lunettes d’informaticien ». Church, Alan Turing et John von Neumann, qui ont Les structures discrètes telles que les graphes, conduit au développement de véritables ordinateurs les chaînes de caractères et les permutations physiques. L’informatique théorique comprend deux sont au cœur de l’informatique théorique, et les sous-disciplines complémentaires : l’algorithmique mathématiques discrètes et l’informatique théorique qui développe des méthodes efficaces pour une ont naturellement été des domaines étroitement multitude de problèmes de calcul ; et la complexité, liés. Certes, ces deux domaines ont énormément qui montre les limites inhérentes à l’efficacité des bénéficié des champs de recherche plus traditionnels algorithmes. La notion d’algorithmes en temps des mathématiques, mais on constate également polynomial mise en avant dans les années 1960 par une influence croissante dans le sens inverse. Alan Cobham, Jack Edmonds et d’autres, ainsi que Les applications, concepts et techniques de la célèbre conjecture P≠NP de Stephen Cook, Leonid l’informatique théorique ont généré de nouveaux Levin et Richard Karp ont eu un fort impact sur le défis, ouvert de nouvelles directions de recherche domaine et sur les travaux de Lovász et Wigderson.
    [Show full text]
  • The Flajolet-Martin Sketch Itself Preserves Differential Privacy: Private Counting with Minimal Space
    The Flajolet-Martin Sketch Itself Preserves Differential Privacy: Private Counting with Minimal Space Adam Smith Shuang Song Abhradeep Thakurta Boston University Google Research, Brain Team Google Research, Brain Team [email protected] [email protected] [email protected] Abstract We revisit the problem of counting the number of distinct elements F0(D) in a data stream D, over a domain [u]. We propose an ("; δ)-differentially private algorithm that approximates F0(D) within a factor of (1 ± γ), and with additive error of p O( ln(1/δ)="), using space O(ln(ln(u)/γ)/γ2). We improve on the prior work at least quadratically and up to exponentially, in terms of both space and additive p error. Our additive error guarantee is optimal up to a factor of O( ln(1/δ)), n ln(u) 1 o and the space bound is optimal up to a factor of O min ln γ ; γ2 . We assume the existence of an ideal uniform random hash function, and ignore the space required to store it. We later relax this requirement by assuming pseudo- random functions and appealing to a computational variant of differential privacy, SIM-CDP. Our algorithm is built on top of the celebrated Flajolet-Martin (FM) sketch. We show that FM-sketch is differentially private as is, as long as there are p ≈ ln(1/δ)=(εγ) distinct elements in the data set. Along the way, we prove a structural result showing that the maximum of k i.i.d. random variables is statisti- cally close (in the sense of "-differential privacy) to the maximum of (k + 1) i.i.d.
    [Show full text]
  • 6.5 X 11.5 Doublelines.P65
    Cambridge University Press 978-0-521-87282-9 - Algorithmic Game Theory Edited by Noam Nisan, Tim Roughgarden, Eva Tardos and Vijay V. Vazirani Copyright Information More information Algorithmic Game Theory Edited by Noam Nisan Hebrew University of Jerusalem Tim Roughgarden Stanford University Eva´ Tardos Cornell University Vijay V. Vazirani Georgia Institute of Technology © Cambridge University Press www.cambridge.org Cambridge University Press 978-0-521-87282-9 - Algorithmic Game Theory Edited by Noam Nisan, Tim Roughgarden, Eva Tardos and Vijay V. Vazirani Copyright Information More information cambridge university press Cambridge, New York,Melbourne, Madrid, Cape Town, Singapore, Sao˜ Paulo, Delhi Cambridge University Press 32 Avenue of the Americas, New York, NY 10013-2473, USA www.cambridge.org Information on this title: www.cambridge.org/9780521872829 C Noam Nisan, Tim Roughgarden, Eva´ Tardos, Vijay V. Vazirani 2007 This publication is in copyright. Subject to statutory exception and to the provisions of relevant collective licensing agreements, no reproduction of any part may take place without the written permission of Cambridge University Press. First published 2007 Printed in the United States of America A catalog record for this book is available from the British Library. Library of Congress Cataloging in Publication Data Algorithmic game theory / edited by Noam Nisan ...[et al.]; foreword by Christos Papadimitriou. p. cm. Includes index. ISBN-13: 978-0-521-87282-9 (hardback) ISBN-10: 0-521-87282-0 (hardback) 1. Game theory. 2. Algorithms. I. Nisan, Noam. II. Title. QA269.A43 2007 519.3–dc22 2007014231 ISBN 978-0-521-87282-9 hardback Cambridge University Press has no responsibility for the persistence or accuracy of URLS for external or third-party Internet Web sites referred to in this publication and does not guarantee that any content on such Web sites is, or will remain, accurate or appropriate.
    [Show full text]
  • Algorithmic Mechanism Design
    Algorithmic Mechanism Design Noam Nisan Institute of Computer Science Hebrew University of Jerusalem Givat Ram Israel and Scho ol of Computer Science IDC Herzliya Emailnoamcshujiacil y Amir Ronen Institute of Computer Science Hebrew University of Jerusalem Givat Ram Israel Emailamirycshujiacil This researchwas supp orted by grants from the Israeli ministry of Science and the Israeli academy of sciences y This researchwas supp orted by grants from the Israeli ministry of Science and the Israeli academy of sciences Algorithmic Mechanism Design contact Amir Ronen Institute of Computer Science Hebrew University of Jerusalem Givat Ram Israel Emailamirycshujiacil Abstract We consider algorithmic problems in a distributed setting where the participants cannot b e assumed to follow the algorithm but rather their own selfinterest As such participants termed agents are capable of manipulating the algorithm the algorithm designer should ensure in advance that the agents interests are b est served by b ehaving correctly Following notions from the eld of mechanism design we suggest a framework for studying such algorithms In this mo del the algorithmic solution is adorned with payments to the partic ipants and is termed a mechanism The payments should b e carefully chosen as to motivate all participants to act as the algorithm designer wishes We apply the standard to ols of mechanism design to algorithmic problems and in particular to the shortest path problem Our main technical contribution concerns the study of a representative problem task
    [Show full text]
  • Pseudorandomness
    ~ MathDefs ~ CS 127: Cryptography / Boaz Barak Pseudorandomness Reading: Katz-Lindell Section 3.3, Boneh-Shoup Chapter 3 The nature of randomness has troubled philosophers, scientists, statisticians and laypeople for many years.1 Over the years people have given different answers to the question of what does it mean for data to be random, and what is the nature of probability. The movements of the planets initially looked random and arbitrary, but then the early astronomers managed to find order and make some predictions on them. Similarly we have made great advances in predicting the weather, and probably will continue to do so in the future. So, while these days it seems as if the event of whether or not it will rain a week from today is random, we could imagine that in some future we will be able to perfectly predict it. Even the canonical notion of a random experiment- tossing a coin - turns out that it might not be as random as you’d think, with about a 51% chance that the second toss will have the same result as the first one. (Though see also this experiment.) It is conceivable that at some point someone would discover some function F that given the first 100 coin tosses by any given person can predict the value of the 101th.2 Note that in all these examples, the physics underlying the event, whether it’s the planets’ movement, the weather, or coin tosses, did not change but only our powers to predict them. So to a large extent, randomness is a function of the observer, or in other words If a quantity is hard to compute, it might as well be random.
    [Show full text]
  • Pseudorandomness and Combinatorial Constructions
    Pseudorandomness and Combinatorial Constructions Luca Trevisan∗ September 20, 2018 Abstract In combinatorics, the probabilistic method is a very powerful tool to prove the existence of combinatorial objects with interesting and useful properties. Explicit constructions of objects with such properties are often very difficult, or unknown. In computer science, probabilistic al- gorithms are sometimes simpler and more efficient than the best known deterministic algorithms for the same problem. Despite this evidence for the power of random choices, the computational theory of pseu- dorandomness shows that, under certain complexity-theoretic assumptions, every probabilistic algorithm has an efficient deterministic simulation and a large class of applications of the the probabilistic method can be converted into explicit constructions. In this survey paper we describe connections between the conditional “derandomization” re- sults of the computational theory of pseudorandomness and unconditional explicit constructions of certain combinatorial objects such as error-correcting codes and “randomness extractors.” 1 Introduction 1.1 The Probabilistic Method in Combinatorics In extremal combinatorics, the probabilistic method is the following approach to proving existence of objects with certain properties: prove that a random object has the property with positive probability. This simple idea has beem amazingly successful, and it gives the best known bounds for arXiv:cs/0601100v1 [cs.CC] 23 Jan 2006 most problems in extremal combinatorics. The idea was introduced (and, later, greatly developed) by Paul Erd˝os [18], who originally applied it to the following question: define R(k, k) to be the minimum value n such that every graph on n vertices has either an independent set of size at least k or a clique of size at least k;1 It was known that R(k, k) is finite and that it is at most 4k, and the question was to prove a lower bound.
    [Show full text]
  • 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008
    MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms. 6.080/6.089 GITCS April 4th, 2008 Lecture 16 Lecturer: Scott Aaronson Scribe: Jason Furtado Private-Key Cryptography 1 Recap 1.1 Derandomization In the last six years, there have been some spectacular discoveries of deterministic algorithms, for problems for which the only similarly-efficient solutions that were known previously required randomness. The two most famous examples are • the Agrawal-Kayal-Saxena (AKS) algorithm for determining if a number is prime or composite in deterministic polynomial time, and • the algorithm of Reingold for getting out of a maze (that is, solving the undirected s-t con­ nectivity problem) in deterministic LOGSPACE. Beyond these specific examples, mounting evidence has convinced almost all theoretical com­ puter scientists of the following Conjecture: Every randomized algorithm can be simulated by a deterministic algorithm with at most polynomial slowdown. Formally, P = BP P . 1.2 Cryptographic Codes 1.2.1 Caesar Cipher In this method, a plaintext message is converted to a ciphertext by simply adding 3 to each letter, wrapping around to A after you reach Z. This method is breakable by hand. 1.2.2 One-Time Pad The “one-time pad” uses a random key that must be as long as the message we want to en­ crypt. The exclusive-or operation is performed on each bit of the message and key (Msg ⊕ Key = EncryptedMsg) to end up with an encrypted message.
    [Show full text]
  • Lecture 3: Randomness in Computation
    Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science, we study randomness due to the following reasons: 1. Randomness is essential for computers to simulate various physical, chemical and biological phenomenon that are typically random. 2. Randomness is necessary for Cryptography, and several algorithm design tech- niques, e.g. sampling and property testing. 3. Even though efficient deterministic algorithms are unknown for many problems, simple, elegant and fast randomized algorithms are known. We want to know if these randomized algorithms can be derandomized without losing the efficiency. We address these in this lecture, and answer the following questions: (1) What is randomness? (2) How can we generate randomness? (3) What is the relation between randomness and hardness and other disciplines of computer science and mathematics? 1 What is Randomness? What are random binary strings? One may simply answer that every 0/1-bit appears with the same probability (50%), and hence 00000000010000000001000010000 is not random as the number of 0s is much more than the number of 1s. How about this sequence? 00000000001111111111 The sequence above contains the same number of 0s and 1s. However most people think that it is not random, as the occurrences of 0s and 1s are in a very unbalanced way. So we roughly call a string S 2 f0; 1gn random if for every pattern x 2 f0; 1gk, the numbers of the occurrences of every x of the same length are almost the same.
    [Show full text]
  • Specification Faithfulness in Networks with Rational Nodes
    Specification Faithfulness in Networks with Rational Nodes Jeffrey Shneidman, David C. Parkes Division of Engineering and Applied Sciences, Harvard University, 33 Oxford Street, Cambridge MA 02138 {jeffsh, parkes}@eecs.harvard.edu ABSTRACT drive up their “contributed computation” credit [15]. There It is useful to prove that an implementation correctly follows is interesting work documenting the “free rider” problem [1] a specification. But even with a provably correct implemen- and the “tragedy of the commons” [12] in a data centric peer tation, given a choice, would a node choose to follow it? This to peer setting. paper explores how to create distributed system specifica- This behavior can be classified as a type of failure, which tions that will be faithfully implemented in networks with should stand independently from other types of failures in rational nodes, so that no node will choose to deviate. Given distributed systems and is indicative of an underlying in- a strategyproof centralized mechanism, and given a network centive problem in a system’s design when run on a network of nodes modeled as having rational-manipulation faults, with rational nodes. Whereas traditional failure models are we provide a proof technique to establish the incentive-, overcome by relying on redundancy, rational manipulation communication-, and algorithm-compatibility properties that can also be overcome with design techniques such as prob- guarantee that participating nodes are faithful to a sug- lem partitioning, catch-and-punish, and incentives. In such gested specification. As a case study, we apply our methods a network one can state a strong claim about the faithfulness to extend the strategyproof interdomain routing mechanism of each node’s implementation.
    [Show full text]