
Efficient data structures for high speed packet processing

Paolo Giaccone

Notes for the class on “Computer aided simulations and performance evaluation”

Politecnico di Torino

November 2020

Outline

1 Applications
2 Theoretical background
3 Tables: Direct access arrays, Hash tables, Multiple-choice hash tables, Cuckoo hash
4 Membership: Problem definition, Application, Fingerprinting, Bit String Hashing, Bloom filters, Cuckoo filters
5 Longest prefix matching: Patricia

Giaccone (Politecnico di Torino) Hash, Cuckoo, Bloom and Patricia Nov. 2020 2 / 93

Section 1

Applications

Big Data and probabilistic data structures

3 V’s of Big Data
- Volume (amount of data)
- Velocity (speed at which data is arriving and is processed)
- Variety (types of data)

Main efficiency metrics for data structures
- space
- time to write, to update, to read, to delete

Probabilistic data structures
- based on different hashing techniques
- approximated answers, but reliable estimation of the error
- typically, low memory, constant query time, high scaling

Probabilistic data structures

Membership
- answer approximate membership queries
- e.g., Bloom filter, counting Bloom filter, quotient filter, Cuckoo filter

Cardinality
- estimate the number of unique elements in a dataset
- e.g., linear counting, probabilistic counting, LogLog and HyperLogLog

Frequency
- in streaming applications, find the frequency of some element, filter the most frequent elements in the stream, detect the trending elements, etc.
- e.g., majority algorithm, frequent algorithm, count sketch, count–min sketch

Probabilistic data structures

Rank
- estimate quantiles and percentiles in a data stream using only one pass through the data
- e.g., random sampling, q-digest, t-digest

Similarity
- find the nearest neighbor for large datasets using solutions that are sub-linear in time
- e.g., locality-sensitive hashing, MinHash, SimHash

Application to computer networks

Packet processing examples

Address lookup: where to send an incoming packet?

Exact matching: Ethernet forwarding tables

MAC address          Port
56:d4:ae:eb:f8:b6    2
06:b3:01:8b:24:1e    1

Longest prefix matching: IP routing tables

Network prefix     Gateway          Interface
130.192.9.0/24     *                eth0
130.192.0.0/16     130.192.9.250    eth0
default/0          130.192.9.252    eth0

Application to computer networks

Packet processing examples

Firewall, ACL
- Which packet to accept or deny?
- “Drop all packets from evil source network 66.66/16 on ports 6-666”
- Usually needs 5 fields: IP source-address, IP dest-address, L4 protocol, source-port, dest-port

Intrusion Detection Schemes
- Deep Packet Inspection (DPI)
- “Drop all packets that contain the string EvilWorm anywhere within the packet”

Challenges at high speed

- high speed processing allows a limited number of clock cycles to process a packet

  Data rate    Transmission time (64B)
  100 Mbps     5.12 µs
  1 Gbps       512 ns
  10 Gbps      51 ns
  40 Gbps      12.8 ns
  100 Gbps     5.12 ns

- the time required to process a packet depends on the specific data structure adopted to store all the packet processing rules
- each packet processing problem requires an optimized data structure to minimize memory accesses
- memory access time is typically the main performance bottleneck
- e.g., use hash tables for exact matching, use Patricia for longest prefix matching

Exact matching problem

Solution #1: sorted table
- array of (MAC address, port) pairs sorted based on the MAC address
- perform binary search to look up an address
- each iteration corresponds to a memory access
- at most log N iterations/memory accesses for a lookup, where N is the number of stored MAC addresses
- deterministic lookup time

Solution #2: hash tables
- search is much faster than solution #1 on average, even if the worst case can be O(log N / log log N)
- it is possible to adopt more sophisticated data structures/hashing techniques (e.g., to reduce memory): Bloom Filters, fingerprinting, etc.


Section 2

Theoretical background

“Bins and Balls” model for load balancing

- n balls, n bins
- for any dropping policy, the average occupancy is 1 ball/bin
- a deterministic algorithm, by comparing the occupancy of all n bins, is able to achieve a maximum occupancy of 1 ball/bin
- it is not always feasible to track the size of O(n) bins, when n is very large

Main question
Is it possible to achieve similar performance to the optimal load balancing (i.e., 1 ball/bin) with an algorithm that tracks O(1) bins?

Randomized load balancing

Random Dropping policy
1 choose uniformly at random 1 bin

Maximum occupancy sharply concentrated on $\frac{\log n}{\log \log n}(1 + O(1))$ and upper bounded by $\frac{3 \log n}{\log \log n}$

Random Load Balancing policy
1 choose uniformly at random d bins
2 place the ball in the least occupied one

Maximum occupancy sharply concentrated on $\frac{\log \log n}{\log d} + O(1)$

Very famous result: “the power of 2 or d random choices”

Theoretical results for randomized dropping policies

[Figure: maximum occupancy versus n (100 to 1e+10) for Random Dropping and Random Load Balancing with d=2, d=3, d=4]

Simulation results for randomized dropping policies

[Figure: max bin occupancy versus number of bins/balls (100 to 10^6), with 95% confidence intervals, for Random dropping and Random load balancing with d=2, d=4]
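The two dropping policies can be simulated directly. The following is an added example, not part of the original notes; the function names, the seed and the default n = 50,000 are assumptions chosen for illustration.

```python
import random


def max_occupancy(n, d, rng):
    """Drop n balls into n bins; each ball probes d random bins and goes to
    the least occupied one. d = 1 is the Random Dropping policy, d >= 2 is
    Random Load Balancing. Returns the maximum bin occupancy."""
    bins = [0] * n
    for _ in range(n):
        candidates = [rng.randrange(n) for _ in range(d)]
        target = min(candidates, key=bins.__getitem__)  # least occupied probe
        bins[target] += 1
    return max(bins)


def compare_policies(n=50_000, choices=(1, 2, 4), seed=2020):
    """Maximum occupancy for each number of choices d, using one seeded
    generator so that the run is reproducible."""
    rng = random.Random(seed)
    return {d: max_occupancy(n, d, rng) for d in choices}


if __name__ == "__main__":
    for d, occupancy in compare_policies().items():
        policy = "random dropping" if d == 1 else f"load balancing d={d}"
        print(f"{policy:22s} max occupancy = {occupancy}")
```

Moving from d = 1 to d = 2 gives the large drop in maximum occupancy; further choices only improve it by the 1/log d factor.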

The birthday problem

Exact question
What is the minimum number of students in a class to be sure that at least 2 of them have the same birthday?
- 366 students (we neglect leap years for simplicity)

Approximated question
What is the minimum number of students in a class such that at least 2 of them have the same birthday with some given probability?
- 23 students to get probability > 0.5
- 41 students to get probability > 0.9

Exact analysis of birthday problem

Assume a class of m students, with m < 366. Let $\bar{p}$ be the probability that all m students have distinct birthdays:

$$\bar{p} = \frac{364}{365} \times \frac{363}{365} \times \dots \times \frac{365 - m + 1}{365} = \prod_{i=0}^{m-1} \frac{365 - i}{365} = \prod_{i=0}^{m-1} \left(1 - \frac{i}{365}\right)$$

Now the probability p that at least two students have the same birthday (i.e., birthday collision event) is

$$p = 1 - \bar{p} = 1 - \prod_{i=0}^{m-1} \left(1 - \frac{i}{365}\right) = 1 - \frac{365!}{(365 - m)! \times 365^m}$$

If m = 23 then p = 0.507. If m = 41, then p = 0.903.

Approximated analysis of birthday problem

Now observe that $e^{-ax} \approx 1 - ax$ if x is small

$$p \approx 1 - \prod_{i=0}^{m-1} e^{-\frac{i}{365}} = 1 - e^{-\sum_{i=0}^{m-1} \frac{i}{365}} = 1 - e^{-\frac{m(m-1)}{2 \times 365}} \approx 1 - e^{-\frac{m^2}{2 \times 365}}$$

[Figure: Prob(birthday collision) versus number of people (0 to 80), exact and approximated curves]

Generalized version of birthday problem

Probability of collision
Consider m elements chosen uniformly at random, with repetition, from a set of cardinality n, with m < n. The probability p(n) that at least one pair of equal elements has been chosen (i.e., a “collision” has occurred) is

$$p(n) \approx 1 - e^{-\frac{m^2}{2n}} \qquad (1)$$

Proof: this is just a generalization of the birthday problem with a generic number n of days in a year.

Generalized version of birthday problem

Number of elements for a collision
Consider m elements chosen uniformly at random, with repetition, from a set of cardinality n, with m < n. To observe at least one collision with probability p, it must hold:

$$m \approx \sqrt{2n \log \frac{1}{1 - p}}$$

Proof: From (1), we can write:

$$1 - p = e^{-\frac{m^2}{2n}} \Rightarrow \log(1 - p) = -\frac{m^2}{2n} \Rightarrow m = \sqrt{2n \log \frac{1}{1 - p}}$$

Generalized version of birthday problem

Typical number of elements for a collision
Assume p = 0.5. Then,

$$m \approx 1.17 \sqrt{n}$$

It can be shown that the typical number of elements is sharply concentrated around its average, when $n \to \infty$:

$$E[m] = \sqrt{\frac{\pi}{2}} \times \sqrt{n} \approx 1.25 \sqrt{n}$$

For example, for n = 365, m ≈ 22.3 and E[m] = 23.9.


Section 3

Tables

Table

Definition
- alternative names: map, symbol table, dictionary
- abstract data type composed of a collection of (key, value) pairs
- each possible key appears at most once

Example: in a router, measure the traffic destined to each TCP port
- table where the key is the destination TCP port
- value is the number of for the corresponding TCP packets
- e.g., T = {(80, 948567), (25, 5342), (21, 73888), (5436, 234)}

Table

Assumptions
- large universe U of possible keys
- small subset S of m keys to store (S ⊂ U, m = |S|)
- m ≪ |U|
- array size n

[Figure: universe U containing the subset S of m elements to store, mapped to an array of size n]

Example for measuring traffic for each possible TCP flow
- each TCP flow is identified by (source IP, destination IP, source port, destination port)
- $|U| = 2^{32+32+16+16} = 2^{96} \approx 8 \cdot 10^{28}$
- storage available for n = 10^6 entries

Table implementation

Challenges
- fast lookup/update
- space efficiency

Possible solutions
1 direct access arrays
2 traditional hash tables
3 multiple-choice hash tables
4 cuckoo hash tables

Reference: Andrii Gakhov, “Probabilistic Data Structures and Algorithms for Big Data Applications”, 2019

Direct access arrays

- one entry for each element in the universe
- array size n = |U|
- unfeasible in many contexts
- if |U| ≫ m, very inefficient in terms of space

Performance
- average lookup O(1)
- worst-case lookup O(1)

Hash tables

Hash function
h : U → [1, n] is a deterministic function that looks random
- Pr(h(k) = j) = 1/n (uniform)
- ∀ k1 ≠ k2, Pr(h(k1) = h(k2)) = 1/n (independence between two values)

[Figure: keys k of the universe mapped by h(k) to positions 1..n of the array, with two collisions]

Hash collision

Hash collision
If two elements have the same hash, i.e., h(u) = h(u′), for u, u′ ∈ U, then a collision event is experienced.

General birthday problem
A hash collision event for m hashed elements can be modeled as a birthday collision, for the general case of m elements chosen at random, with repetition, from a set of n elements. Thanks to the result on the typical number of elements for a collision (slide 21), we know that hash collisions are likely to occur when $m > 1.25 \sqrt{n}$.

n              1.25 √n        Fingerprint    Example
1024           40             10 bit         -
10^6           1280           20 bit
3.4 · 10^38    2.2 · 10^19    128 bit        MD5
1.4 · 10^48    1.5 · 10^24    160 bit        SHA-1
1.2 · 10^77    4.2 · 10^38    256 bit        SHA-256
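The birthday formulas above and the collision thresholds in this table can be recomputed with a few lines of Python. This is an added example, not part of the original notes; the function names are assumptions, and the table helper uses the notes' rounded constant 1.25.

```python
import math


def collision_probability_exact(m, n):
    """Exact probability of at least one collision among m uniform draws
    from n values: 1 - prod_{i=0}^{m-1} (1 - i/n)."""
    if m > n:
        return 1.0
    p_distinct = 1.0
    for i in range(m):
        p_distinct *= 1.0 - i / n
    return 1.0 - p_distinct


def collision_probability_approx(m, n):
    """Approximation (1) of the notes: 1 - exp(-m^2 / (2n))."""
    return 1.0 - math.exp(-m * m / (2.0 * n))


def draws_for_collision(n, p):
    """Number of draws m that gives a collision with probability p."""
    return math.sqrt(2.0 * n * math.log(1.0 / (1.0 - p)))


def expected_draws_until_collision(n):
    """E[m] = sqrt(pi/2) * sqrt(n), the typical number of draws."""
    return math.sqrt(math.pi / 2.0) * math.sqrt(n)


def birthday_table(bit_sizes=(10, 20, 128, 160, 256)):
    """For each b-bit fingerprint, return (b, n = 2^b, 1.25 * sqrt(n)):
    the number of hashed elements after which a collision is likely."""
    return [(b, 2 ** b, 1.25 * math.sqrt(2 ** b)) for b in bit_sizes]


if __name__ == "__main__":
    for m in (23, 41):
        print(m, round(collision_probability_exact(m, 365), 3),
              round(collision_probability_approx(m, 365), 3))
    for bits, n, threshold in birthday_table():
        print(f"{bits:4d} bit  n = {n:.1e}  collisions likely after {threshold:.1e}")
```

A b-bit digest therefore offers only about b/2 bits of collision resistance, which is why truncating a fingerprint to save memory has to be weighed against the number of elements it will see.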

Hash function families

Cryptographic hash functions
- one way, collision resistant, i.e., hard to find keys that collide
- large number of bits to make brute force inversion hard
- slower than non-cryptographic hash functions

Examples of cryptographic hash functions

Name                              Bits               Note
MD5 (Message-Digest algorithm)    128                now vulnerable
SHA-1 (Secure Hash Algorithm)     160                now vulnerable
SHA-2                             224/256/384/512

Hash function families

Non-cryptographic hash functions
- not designed to be collision resistant
- guarantee a low probability of collision
- fast to compute

Examples of non-cryptographic hash functions

Name                    Bits                      Some usage
FNV (Fowler/Noll/Vo)    32/64/128/256/512/1024    DNS servers, IPv6, Twitter, data base indexing, web search engines
MurmurHash              32/64                     Apache Hadoop/Cassandra, Elasticsearch, libstdc++, nginx load balancer/web server
CityHash                32/64/128/256             For strings
FarmHash                32/64/128                 For strings

Traditional hash tables

Hash table
- array of n buckets
- store x = (k, v) in bucket h(k) of the table
- if two or more elements are mapped to the same entry (e.g., h(k1) = h(k2)), use either
  - a variable-size linked list of entries
  - a fixed-size array of B entries

[Figure: element x = (k, v) stored in bucket h(k) of a table of n buckets, each of bucket size B]

Example of hash table

Hash table H of size n = 3. H[i] is the linked list in bucket i.

Data insertion of m = 6 elements x_i = (k_i, value_i)

x     k     h(k)    H[1]       H[2]                 H[3]
x1    k1    2       -          x1                   -
x2    k2    1       x2         x1                   -
x3    k3    2       x2         x1 → x3              -
x4    k4    1       x2 → x4    x1 → x3              -
x5    k5    2       x2 → x4    x1 → x3 → x5         -
x6    k6    2       x2 → x4    x1 → x3 → x5 → x6    -

Performance

Expected lookup time
- average size of each linked list is $\frac{m}{n}$
- if k is in the table, it takes on average $\frac{1}{2} \frac{m}{n}$ steps
- if k is not in the table, it takes on average $\frac{m}{n}$ steps
- by choosing m = n the average lookup time is O(1)

Worst-case lookup time
- when m = n, the maximum size of the linked list is the same as the maximum load in the bins-and-balls model for the random dropping policy
- it takes approximately $\frac{\log n}{\log \log n}$ steps

Performance
- average lookup O(1)
- worst-case lookup $O\left(\frac{\log n}{\log \log n}\right)$

Implementation

Closed addressing
- store collided elements in a secondary data structure
- when separate chaining is adopted, a linked list is used

Open addressing
- store collided elements in buckets other than their preferred positions
- when linear probing is adopted, collided elements are placed in the next empty bucket
- when deleting an element, the bucket must be flagged in order to preserve the chain of stored elements

Python implementation

Dictionary
- array implemented as a contiguous block of memory for easier indexing
- starts with 8 elements and is resized (by a factor 2 or 4) every time it is 2/3 full
- open addressing using pseudorandom sequences (with period equal to the array size)
- if interested in the details, enjoy the video “The Mighty Dictionary” by Brandon Craig Rhodes

https://archive.org/details/pyvideo_276___the-mighty-dictionary-55

Try with:

    python3 -m timeit 'table = {3:1, 3+8:2, 3+16:3, 3+24:4, 3+32:5}; table[3+32]'

Balanced binary tree

Assume m = n

Performance
- average lookup θ(log n)
- worst-case lookup θ(log n)

Comparison
- better space efficiency than hash table
- average lookup worse than hash table
- worst-case lookup worse than hash table

Multiple-choice hash tables

Policy
- two independent hash functions h1 and h2
- if k is not yet available in the table, insert x = (k, value) in the least occupied bucket among h1(k) and h2(k)

Performance
- average lookup O(1)
- worst-case lookup O(log log n), thanks to the “power of two” result for balls and bins

- easy to implement in parallel
- can be generalized to d random choices: worst-case lookup time (log log n)/ log d + θ(1)

Example

Hash table H of size n = 3.

Data insertion of m = 6 elements x_i = (k_i, v_i)

x     k     h1(k)    h2(k)    H[1]       H[2]       H[3]
x1    k1    2        3        -          x1         -
x2    k2    1        2        x2         x1         -
x3    k3    2        3        x2         x1         x3
x4    k4    1        3        x2         x1         x3 → x4
x5    k5    2        3        x2         x1 → x5    x3 → x4
x6    k6    2        1        x2 → x6    x1 → x5    x3 → x4

Example of commercial solution

Ethernet switch Gigaswitch (1994)
- forwarding table with 64k entries
- a binary search would take 16 memory accesses
- closed addressing with a balanced tree for each bucket
- a hash function is applied on the 48-bit Ethernet address to get another 48-bit value:
  - 16 LSB are the hash-table entry index (64k entries)
  - each entry is a balanced binary tree of height at most 3, sorted by the remaining 32 MSB
- the hash function should guarantee that no more than 8 addresses are in the same tree, and that we can disambiguate between addresses using the 32 MSB
- 4 memory accesses for lookup

Cuckoo hashing

Method based on the “rude” nesting habits of the European cuckoo bird
- the cuckoo chick pushes the other eggs out of the nest when it hatches
- just one chick for each nest

Cuckoo hash tables

- for simplicity, table with just one entry for each bucket (i.e., B = 1); trivial to generalize to B ≥ 1
- for simplicity, assume x is also the key used for storage

- each element x is associated with two buckets h1(x) and h2(x), obtained by two different hash functions
- if any of the two buckets is available, store x in it
- otherwise, to make space for x, remove the current element y from either h1(x) or h2(x) and relocate y in its alternative bucket
- this operation may in turn require relocating other elements

Performance
- average access delay O(1)
- worst-case access delay O(1)

Cuckoo hash

Insertion

    function Add-element(x)
        ▷ Check if one of the positions h1(x) or h2(x) is available
        if T[h1(x)] = ∅ then              ▷ First position available
            T[h1(x)] ← x; return          ▷ Store x and leave
        else if T[h2(x)] = ∅ then         ▷ Second position available
            T[h2(x)] ← x; return          ▷ Store x and leave
        end if
        pos ← h1(x)                       ▷ Both positions are busy. Thus, force storing x in position h1(x)
        loop max_relocations times        ▷ Loop for the maximum number of relocations
            if T[pos] = ∅ then            ▷ If the table is free in position pos
                T[pos] ← x; return        ▷ Store x and leave
            end if
            Swap(x, T[pos])               ▷ Store and kick out the current content; x is now the victim
            if pos = h1(x) then           ▷ Compute the alternative position for the evicted content x
                pos ← h2(x)               ▷ x was in h1(x), so will be stored in h2(x)
            else
                pos ← h1(x)               ▷ x was in h2(x), so will be stored in h1(x)
            end if
        end loop                          ▷ The maximum number of relocations has been reached
        Rehash                            ▷ Rehash the whole table
        Add-element(x)                    ▷ Try again to insert the element
    end function

Cuckoo hash

Insertion: rehashing
- The relocations may not terminate, due to cyclic dependency between the alternative positions.
- cycles occur very frequently only when the table is ≥ 50% full
- After a maximum number of relocations, the loop stops and the table is “rehashed”, i.e., rebuilt completely with a different set of hash functions.

Search

    function Find-element(x)
        if T[h1(x)] = x then            ▷ Check position h1(x)
            return h1(x)                ▷ Found
        else if T[h2(x)] = x then       ▷ Check position h2(x)
            return h2(x)                ▷ Found
        else
            return NOT FOUND            ▷ Not found
        end if
    end function

Example

Cuckoo table T of size n = 6 with B = 1

Data insertion of m = 6 elements x_i = (k_i, v_i)

x     k     h1(k)    h2(k)    T[1]    T[2]    T[3]    T[4]    T[5]    T[6]
x1    k1    1        2        x1      -       -       -       -       -
x2    k2    2        3        x1      x2      -       -       -       -
x3    k3    4        6        x1      x2      -       x3      -       -
x4    k4    1        4        x4      x1      x2      x3      -       -
x5    k5    4        3        x4      x1      x2      x5      -       x3
x6    k6    6        5        x4      x1      x2      x5      x6      x3

Note that a loop would have occurred when inserting x3 in the case h1(x3) = 2 and h2(x3) = 1. Then, any new element added into any of the positions 1,2,3 would lead to infinite iterations, unless this event is properly managed.
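The insertion and search procedures can be checked against this example table. The code below is an added example, not part of the original notes: the hash values are fixed lookup tables taken from the example, the element "y" with buckets (1, 2) is constructed, and instead of rehashing, insert() returns the element left without a bucket when the relocation budget is exhausted.

```python
class CuckooTable:
    """Cuckoo hash table with one entry per bucket (B = 1), buckets 1..n."""

    def __init__(self, n, h1, h2, max_relocations=8):
        self.h1, self.h2 = h1, h2
        self.max_relocations = max_relocations
        self.T = [None] * (n + 1)  # T[0] is unused so indices match the notes

    def insert(self, x):
        """Return None when x (and every evicted element) found a bucket.
        Otherwise return the homeless element: this is the point where the
        pseudocode rehashes the whole table and retries."""
        for pos in (self.h1(x), self.h2(x)):
            if self.T[pos] is None:
                self.T[pos] = x
                return None
        pos = self.h1(x)  # both busy: force x into h1(x)
        for _ in range(self.max_relocations):
            if self.T[pos] is None:
                self.T[pos] = x
                return None
            x, self.T[pos] = self.T[pos], x  # x is now the evicted victim
            # the victim moves to its other bucket
            pos = self.h2(x) if pos == self.h1(x) else self.h1(x)
        return x

    def find(self, x):
        """Return the bucket holding x, or None (at most two probes)."""
        for pos in (self.h1(x), self.h2(x)):
            if self.T[pos] == x:
                return pos
        return None


def run(h1_map, h2_map, keys, n=6):
    """Insert keys in order; return the table and the insert() results."""
    table = CuckooTable(n, h1_map.__getitem__, h2_map.__getitem__)
    return table, [table.insert(k) for k in keys]


def page_example():
    """The six insertions of the example table above."""
    h1 = {"x1": 1, "x2": 2, "x3": 4, "x4": 1, "x5": 4, "x6": 6}
    h2 = {"x1": 2, "x2": 3, "x3": 6, "x4": 4, "x5": 3, "x6": 5}
    table, homeless = run(h1, h2, ["x1", "x2", "x3", "x4", "x5", "x6"])
    return table, homeless


def cycle_example():
    """Variant from the note: h1(x3) = 2, h2(x3) = 1, then a constructed
    element y with buckets (1, 2). Three elements now compete for two
    buckets, so the relocations cycle until the budget runs out."""
    h1 = {"x1": 1, "x2": 2, "x3": 2, "y": 1}
    h2 = {"x1": 2, "x2": 3, "x3": 1, "y": 2}
    return run(h1, h2, ["x1", "x2", "x3", "y"])


if __name__ == "__main__":
    table, _ = page_example()
    print("final table:", table.T[1:])
    table, homeless = cycle_example()
    print("cycle: table", table.T[1:4], "homeless element", homeless[-1])
```

Bounding the loop is what turns a cycle into a detectable condition; without `max_relocations` the second scenario never terminates.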


Section 4

Set Membership

Set Membership

Set membership problem

Given a set of elements S = {s1, ..., sm} on a universe U (i.e., S ⊆ U), determine, given some x ∈ U, whether x ∈ S:
1 if x ∈ S, return TRUE always
2 if x ∉ S, return FALSE always

- storage is m × L where L is the average size of each element

Possible solutions
- compare x with all elements in S: O(m) search
- keep sorted elements of S and perform binary search: O(log(m)) search
- hash tables (traditional, multiple-choice, cuckoo) storing (x, 1): O(1) search

Approximated Set Membership

Approximated set membership problem

Given a set of elements S = {s1, ..., sm} on a universe U (i.e., S ⊆ U), determine, given some x ∈ U, whether x ∈ S:
1 if x ∈ S, return TRUE always
2 if x ∉ S, return FALSE with high probability

- false positive: when the algorithm returns TRUE even if x ∉ S
- storage is θ(m), independently from the size of the stored elements

Solutions
1 Bit string hashing
2 Bloom filters
3 Cuckoo filters

Filtering storage access

Instead of accessing directly the hash table, determine if the key is already inside the hash or not (set membership problem).

The filter may lead to false positives but they are not a problem.

[Figure: a filter in front of the storage (hash table). key1? The filter answers No. key2? The filter answers Yes, the storage is accessed and answers Yes with (key2, value2). key3? The filter answers Yes, the storage is accessed and answers No: that Yes is a false positive]

Possible applications:
- when the hash table is too large and it is expensive to access it in terms of time or bandwidth, the filter can be used to understand whether it is worth checking the hash table
- the hash table may be stored in different entities in the network
- data deduplication in data centers

Fingerprinting

- Instead of storing y ∈ S, store its fingerprint F(y) (which is actually a hash function)
  - y: generic/variable number of bits for its representation
  - F(y): fixed number of bits (say b)
- total storage is m × b for a standard fingerprint table

Storage policy
- For every element y ∈ S, store only F(y) (i.e., y’s fingerprint)
- To check whether x ∈ S, check if F(x) is in the fingerprint table
- Use the data structures considered so far

[Figure: a table storing the elements {y} next to a fingerprint table storing {F(y)}]

False positives

When two or more fingerprints collide (i.e., F(x) = F(y) for x ≠ y), fingerprinting may lead to false positives

Toy example
- assume that only x is stored, thus the table will be T = {F(x)}
- checking if y is in the table will give a false positive answer if F(x) = F(y)

Deletion support
To support deletion and keep the false-positive property,
- if two elements x and y with the same fingerprint must be stored (F(x) = F(y)), two copies of the fingerprint must be stored
- otherwise (just one copy), if F(x) was deleted, also y would be deleted and then false-negative events would occur

Example of fingerprinting - without deletion support

Assume (i) F(x) maps any string to an 8-bit value ∈ [0, 255], (ii) only one copy of the same fingerprint is stored

Fingerprint map

x                              F(x)
“Andrea Bianco”                34
“Carla Fabiana Chiasserini”    11
“Emilio Leonardi”              70
“Marco Mellia”                 34
“Marco Ajmone Marsan”          121
“Paolo Giaccone”               121
“Politecnico di Torino”        78

Insertion operations

x                          Table state
“Paolo Giaccone”           {121}
“Andrea Bianco”            {121, 34}
“Politecnico di Torino”    {121, 78, 34}
“Marco Mellia”             {121, 78, 34}

Final table: {121, 78, 34}
- Search(“Paolo Giaccone”) returns TRUE
- Search(“Marco Mellia”) returns TRUE
- Search(“Emilio Leonardi”) returns FALSE
- Search(“Marco Ajmone Marsan”) returns TRUE (i.e., false positive)

Example of fingerprinting - with deletion support

Assume (i) F(x) maps any string to an 8-bit value ∈ [0, 255], (ii) many copies of the same fingerprint are stored for different contents

Fingerprint map

x                              F(x)
“Andrea Bianco”                34
“Carla Fabiana Chiasserini”    11
“Emilio Leonardi”              70
“Marco Mellia”                 34
“Marco Ajmone Marsan”          121
“Paolo Giaccone”               121
“Politecnico di Torino”        78

Insertion operations

x                          Table state
“Paolo Giaccone”           {121}
“Andrea Bianco”            {121, 34}
“Politecnico di Torino”    {121, 78, 34}
“Marco Mellia”             {121, 78, 34, 34}

Final table: T = {121, 78, 34, 34}
- Delete(“Andrea Bianco”) and then T = {121, 78, 34}
- Search(“Andrea Bianco”) returns TRUE (i.e., false positive)
- Search(“Marco Mellia”) returns TRUE
- Delete(“Marco Mellia”) and then T = {121, 78}
- Search(“Andrea Bianco”) and Search(“Marco Mellia”) return FALSE
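The two storage policies can be run side by side to see where the false negative comes from. This is an added example, not part of the original notes; it reuses the toy fingerprint map of the slides, and the class and function names are assumptions.

```python
from collections import Counter

# Toy 8-bit fingerprint map taken from the example above.
F = {
    "Andrea Bianco": 34,
    "Carla Fabiana Chiasserini": 11,
    "Emilio Leonardi": 70,
    "Marco Mellia": 34,
    "Marco Ajmone Marsan": 121,
    "Paolo Giaccone": 121,
    "Politecnico di Torino": 78,
}


class FingerprintTable:
    """Fingerprint table stored as a multiset of fingerprints.

    keep_copies=True  : one copy per inserted element (deletion is safe)
    keep_copies=False : one copy per distinct fingerprint (deletion of one
                        element silently removes every colliding element)
    """

    def __init__(self, keep_copies):
        self.keep_copies = keep_copies
        self.counts = Counter()

    def insert(self, x):
        f = F[x]
        if self.keep_copies or self.counts[f] == 0:
            self.counts[f] += 1

    def delete(self, x):
        f = F[x]
        if self.counts[f] > 0:
            self.counts[f] -= 1

    def search(self, x):
        return self.counts[F[x]] > 0


def scenario(keep_copies):
    """Insert the four elements of the example, then delete 'Andrea Bianco'
    and look up 'Marco Mellia', which is still a member of S."""
    table = FingerprintTable(keep_copies)
    for x in ("Paolo Giaccone", "Andrea Bianco",
              "Politecnico di Torino", "Marco Mellia"):
        table.insert(x)
    result = {
        "never_inserted_collides": table.search("Marco Ajmone Marsan"),
        "never_inserted_distinct": table.search("Emilio Leonardi"),
    }
    table.delete("Andrea Bianco")
    result["member_after_delete"] = table.search("Marco Mellia")
    result["deleted_after_delete"] = table.search("Andrea Bianco")
    return result


if __name__ == "__main__":
    print("with copies   :", scenario(keep_copies=True))
    print("without copies:", scenario(keep_copies=False))
```

With a single copy per fingerprint, the lookup of “Marco Mellia” after the deletion returns FALSE although the element was never removed: a false negative, which the approximated set membership definition does not allow.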

Fingerprint size

Key question
How many bits for the fingerprint?
- if too small, many false positives
- if too large, space waste

Note that the fingerprint sizing is independent from the data structure adopted for storage

Fingerprint size

Probability of false positive
If m elements are stored through a fingerprint with range F(·) ∈ [0, n):

$$\Pr(\text{false positive}) = 1 - \left(1 - \frac{1}{n}\right)^m \qquad (2)$$

Since the possible values for the fingerprint are n, the collision probability between two distinct elements x ∈ S and y ∈ S, with x ≠ y, is:

$$\Pr(F(x) = F(y)) = \frac{1}{n}$$

Assume that m elements are already stored in set S. Now consider x outside S (x ∉ S). To avoid a false positive for x, F(x) must be different from any F(y), ∀y ∈ S, and thus

$$\Pr(\text{false positive}) = 1 - \left(1 - \frac{1}{n}\right)^m$$

Fingerprint sizing

Minimum number of bits per fingerprint
To store m elements with Pr(false positive) ≤ ε, for some small ε > 0, the number of bits b for the fingerprint must satisfy:

$$b \geq \log_2 \frac{m}{\epsilon} \text{ bits per fingerprint}$$

i.e., the range of the fingerprint F(·) ∈ [0, n) must satisfy:

$$n \geq \frac{m}{\epsilon}$$

Fingerprint sizing – proof

Given some small ε, thanks to (2):

$$\Pr(\text{false positive}) = 1 - \left(1 - \frac{1}{n}\right)^m \leq \epsilon$$

For large n,

$$1 - \frac{1}{n} \approx e^{-\frac{1}{n}}$$

and (2) becomes:

$$1 - \epsilon \leq e^{-\frac{m}{n}} \Rightarrow \log(1 - \epsilon) \leq -\frac{m}{n}$$

By approximating $\log(1 - \epsilon) \approx -\epsilon$,

$$-\epsilon \leq -\frac{m}{n} \Rightarrow n \geq \frac{m}{\epsilon}$$

Finally,

$$b = \log_2 n \geq \log_2 \frac{m}{\epsilon}$$

Special cases for fingerprint

Negligible probability of false positive
Let α > 0, if

$$\Pr(\text{false positive}) \leq \frac{1}{m^{\alpha}}$$

then

$$b \geq (\alpha + 1) \log_2 m \text{ bits per fingerprint} \Rightarrow b_{\min} = \theta(\log_2 m)$$

$$F(\cdot) \in [0, n) \text{ with } n \geq m^{\alpha + 1}$$

Non-sufficient fingerprint
If b = log2 m, then n = m and

$$\Pr(\text{false positive}) = 1 - \left(1 - \frac{1}{m}\right)^m = 1 - e^{-1} \approx 0.63$$

Storage for a fingerprint table

Fingerprint table: each whole fingerprint is stored in a table (e.g., hash table, binary tree, etc.)

Total storage for a fingerprint table
Assume b is the minimum number of bits in the fingerprint to get a probability of false positive equal to ε. To store m fingerprints in a table the total storage will be

$$m \times b = m \times \log_2 \frac{m}{\epsilon}$$

independently from the universe size |U|

Bit string hashing

Data structure
- is a bit array BA of size n: BA[i] ∈ {0, 1}, for i = 0, ..., n − 1
- initialization: BA[i] = 0 for all i
- use hash function h(·) ∈ [0, n − 1] for fingerprinting

Insertion: add y into S
- set BA[h(y)] = 1

Search: check if x ∈ S
- if BA[h(x)] = 1, return TRUE (may lead to FALSE POSITIVE)
- otherwise, return FALSE

[Figure: element y mapped by h(y) to one position of the bit array, whose bit is set to 1]

Bit string hashing: storage

Total storage
- let b be the number of bits for each fingerprint: h(y) ∈ [0, 2^b − 1]
- total storage is n = 2^b bits

Required storage for bit string hashing

Let m be the number of elements to store. By combining previous results:

Storage size
1 with bit array of size n = m bits, then Pr(false positive) ≈ 0.63
  indeed, if b = log2 m bit/fingerprint, then n = 2^b = m bits
2 with bit array of size n = m/ε bits, then Pr(false positive) = ε
  indeed, if b = log2(m/ε) bit/fingerprint, then n = 2^b = m/ε bits
3 with bit array of size n = m^2 bits, then Pr(false positive) ≈ 1/m
  indeed, if b = 2 log2 m bit/fingerprint, then n = 2^b = m^2 bits

Bloom filters

Main idea
Instead of using one hash function as in bit string hashing, use k independent hash functions h1, ..., hk each with range [1, n]

Data structure
- is a bit array BF of size n: BF[i] ∈ {0, 1}, for i = 1, ..., n
- initialization: BF[i] = 0 for all i

Operations

Insertion: add y into S

BF[hj(y)] = 1, for j = 1, ..., k, independently from the previous value of BF[hj(y)]

    function Insert(x)
        for j = 1 → k do
            BF[hj(x)] = 1
        end for
    end function

Operations

Search: check if x ∈ S

- evaluate all k hash functions hj(x)
- only if all the corresponding bits in BF are 1, then x ∈ S, i.e., BF[hj(x)] = 1 for all j = 1 ... k

    function Search(x)
        ans = TRUE
        for j = 1 → k do
            if BF[hj(x)] = 0 then
                ans = FALSE
                break
            end if
        end for
        return ans
    end function

Operations

Union: union of BF1 and BF2

easily computed by: BF1[i] OR BF2[i], for all i

    function Union(BF1, BF2)
        for i = 1 → n do
            BF[i] = BF1[i] OR BF2[i]
        end for
        return BF
    end function

Deletion
- Deleting an element is not possible
- other data structures must be considered (e.g., counting Bloom filters, Cuckoo filters)

Example

Data insert:

x    h1(x)  h2(x)  h3(x)   Bloom filter BF    Stored set
x1   1      4      7       1 0 0 1 0 0 1 0    S = {x1}
x2   1      3      8       1 0 1 1 0 0 1 1    S = {x1, x2}
x3   2      4      8       1 1 1 1 0 0 1 1    S = {x1, x2, x3}

Search:

x    h1(x)  h2(x)  h3(x)   Bloom filter BF    Answer
x1   1      4      7       1 ∗ ∗ 1 ∗ ∗ 1 ∗    TRUE
x4   1      3      8       1 ∗ 1 ∗ ∗ ∗ ∗ 1    FALSE POSITIVE
x5   2      5      8       ∗ 1 ∗ ∗ 0 ∗ ∗ 1    FALSE

Performance

Assume
- Bloom filter of length n bits
- k hash functions
- m elements already stored

The probability that a certain bit is 0 is

$$p = \left(1 - \frac{1}{n}\right)^{mk} \approx e^{-km/n}$$

Assume that exactly np of the bits are 0 and n(1 − p) are 1
- good approximation thanks to Azuma-Hoeffding inequality for martingales

Performance

Probability of false positive

$$\Pr(\text{false positive}) = (1 - p)^k = \left(1 - \left(1 - \frac{1}{n}\right)^{mk}\right)^k \approx \left(1 - e^{-km/n}\right)^k$$

[Figure: Pr(false positive) versus k, for n = m/2, n = m, n = 2m, n = 4m and n = 8m]

Optimal design of Bloom filters

Given m, n, what is the optimal k that minimizes Pr(false positive)?
- small k increases the fraction of 0 bits in the array, available for an element that is not a member of S
- large k increases the probability of finding at least a 0 bit for an element that is not a member of S

Using some algebra:

$$\frac{d \Pr(\text{false positive})}{dk} = 0 \;\Rightarrow\; k_{opt} = \frac{n}{m} \log(2)$$

Optimal number of hash functions

$$k_{opt} = \frac{n}{m} \log(2)$$

where log is the natural logarithm.

Performance for optimally designed Bloom filters

Optimal performance

$$\Pr(\text{false positive}) = \left(1 - e^{-k_{opt} m/n}\right)^{k_{opt}} = \left(\frac{1}{2}\right)^{k_{opt}} = (0.6185)^{n/m}$$

[Figure: Pr(false positive) versus n/m for optimally designed Bloom filters]

Performance for optimally designed Bloom filters

By setting in the above formula Pr(false positive) = ε, we obtain

$$(0.6185)^{n/m} = \varepsilon \;\Rightarrow\; \frac{n}{m} \log_2(0.6185) = \log_2 \varepsilon \;\Rightarrow\; \frac{n}{m} = \frac{-\log_2 \varepsilon}{-\log_2(0.6185)}$$

Hence we can claim

Required storage for the whole filter

n = m × 1.44 log2(1/ε) bits

Amortized space cost per item

n/m = 1.44 log2(1/ε) bits per content
which is independent from the number of stored elements

Near-to-optimality of Bloom filters

Bloom filter
To obtain Pr(false positive) = ε, the total storage is n = m × 1.44 log2(1/ε) bits for an optimally designed Bloom filter

We provide the following property, without proof:

Lower bound for storage
To obtain Pr(false positive) = ε, the total storage is at least n = m × log2(1/ε) bits

Thus, the storage of Bloom filters is within a 1.44 factor with respect to the lower bound

Hashing vs. Bloom filters

Storage comparison
Given
- m is the number of elements to store
- Pr(false positive) = ε

Method             Storage requirement n [bit]
Bit string hash    m × (1/ε)
Bloom filter       m × 1.44 log2(1/ε)
Lower bound        m × log2(1/ε)

In both bit string hashes and Bloom filters, the storage grows as Θ(m), independently from the universe size |U|.

Hashing vs. Bloom filters

[Figure: Pr(false positive) versus n/m; legend entries: Bit string hash, Lower bound]

Overall storage comparison

m is the number of elements to store
L is the average size of each element (in bits)

Scheme                                     Prob. false positive   Total storage [bit]
Store element in a table                   0                      m × L
Store fingerprint in a table               ε                      m × log2(m/ε)
Store fingerprint in a bit string array    ε                      m × 1/ε
Bloom filter                               ε                      m × 1.44 log2(1/ε)
Lower bound                                ε                      m × log2(1/ε)

Examples of design

Universe U of all TCP flows: |U| ≈ 8·10^28 flows
1. m = 1,000 flows to store, Pr(false positive) = 10^-3
   - bit string hash: n = 10^6 bits (125 kbytes)
   - Bloom filter: n = 15·10^3 bits (1.9 kbytes)
2. m = 10,000 flows to store, Pr(false positive) = 10^-4
   - bit string hash: n = 10^8 bits (12.5 Mbytes)
   - Bloom filter: n = 191·10^3 bits (23.9 kbytes)

Examples of design

[Figure: storage size [Mbytes] versus elements to store m, for bit string hash and Bloom filter with ε = 10^-5, 10^-4 and 10^-3]
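The Insert, Search and Union operations and the optimal-design formulas above, as an added Python example that is not part of the original slides. The SHA-256 double hashing used to derive the k indices, the 0-based bit positions and the constructed flow keys are assumptions of this example.

```python
import hashlib
import math

def design(m, eps):
    """Optimal design: n = m * 1.44 * log2(1/eps) bits, k = (n/m) * ln 2 hashes."""
    n = math.ceil(m * math.log2(1 / eps) / math.log(2))   # 1/ln 2 is the 1.44 factor
    k = max(1, round(n / m * math.log(2)))
    return n, k

class BloomFilter:
    def __init__(self, n, k):
        self.n, self.k = n, k
        self.bits = bytearray(n)          # one byte per bit, for readability

    def _positions(self, item):
        # k indices in [0, n) from one SHA-256 digest (assumed construction)
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + j * h2) % self.n for j in range(self.k)]

    def insert(self, item):
        for i in self._positions(item):
            self.bits[i] = 1              # set regardless of the previous value

    def search(self, item):
        return all(self.bits[i] for i in self._positions(item))

    def union(self, other):               # both filters must share n and the hashes
        out = BloomFilter(self.n, self.k)
        out.bits = bytearray(a | b for a, b in zip(self.bits, other.bits))
        return out

def flow(i):
    # constructed flow key "src:sport>dst:dport/proto", distinct for each i < 65536
    return f"10.0.{i >> 8 & 255}.{i & 255}:{1024 + i % 50000}>192.0.2.1:443/tcp".encode()

def measure(m=1000, eps=1e-3, probes=50000):
    n, k = design(m, eps)
    bf = BloomFilter(n, k)
    for i in range(m):
        bf.insert(flow(i))
    missed = sum(not bf.search(flow(i)) for i in range(m))          # false negatives
    fp = sum(bf.search(flow(i)) for i in range(m, m + probes)) / probes
    predicted = (1 - math.exp(-k * m / n)) ** k
    return n, k, missed, fp, predicted

if __name__ == "__main__":
    print(measure())
```

`measure()` returns the designed n and k, the number of stored flows that were missed, the false positive rate measured on flows that were never inserted, and the rate predicted by the formula.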

Cuckoo filter

Main ideas
1. Store fingerprints (and not contents) into a Cuckoo hash
   - bucket table with many entries for each bucket
2. Use a special combination of hash functions to compute the two alternative positions of a content

Example

[Figure: Cuckoo filter with n = 3, B = 2 and m = 5, storing the fingerprints F("Andrea"), F("Irene"), F("Paolo"), F("Luca") and F("Marta"), where F(x) = fingerprint(x); the alternative position of the stored fingerprints is shown]

Main “trick”

Relocation in Cuckoo hash
Cuckoo hash requires the possibility to recover the alternative position of the stored content

If we store x in the Cuckoo hash (in either position h1(x) or h2(x)), it is possible to find the alternative position from x
- retrieve x and then try both h1(x) and h2(x)

If we store fingerprint F(x) in the Cuckoo hash (in either position h1(x) or h2(x)), in general it is not possible to recover the alternative position from F(x), since x cannot be computed from F(x)
- unless a very specific set of hash functions is adopted, as in Cuckoo filters

Hashes for Cuckoo filters

Store F(x) in either bucket i1(x) or i2(x)
- we have a fingerprint F(x) and a single hash function h(x)
- first position: i1(x) = h(x)
- second position: i2(x) = i1(x) ⊕ h(F(x)), where ⊕ is the XOR operator

Property
Assume the fingerprint F(x) is stored in position i. The alternative position of x is computed as i ⊕ h(F(x)).

Indeed:
- if i = i1(x), then i ⊕ h(F(x)) = i2(x) by construction
- if i = i2(x), then i ⊕ h(F(x)) = (i1(x) ⊕ h(F(x))) ⊕ h(F(x)) = i1(x) ⊕ (h(F(x)) ⊕ h(F(x))) = i1(x)

Hashes for Cuckoo filters

Fingerprint
- the number of bits used for fingerprint F(x) grows as Ω(log m/B), where m is the number of elements to insert and B is the number of entries for each bucket
- is typically few bits (e.g., 5-10)

Hash function h()
- maps either the element or the fingerprint to any value within the number n of buckets in the table
- depends on the amount of available memory
- e.g., n = 10^6 or n = 10^9 buckets

Search in Cuckoo filters

Search
function Find(x)
    f = F(x)                            ▷ Compute the fingerprint of x
    i1 = h(x)                           ▷ First position
    i2 = i1 ⊕ h(f)                      ▷ Second position
    if T[i1] = f OR T[i2] = f then      ▷ Check in both positions
        return TRUE                     ▷ Found
    else
        return FALSE                    ▷ Not found
    end if
end function

Deletion in Cuckoo filters

If the filter must support deletion, when inserting two distinct contents x and y with F(x) = F(y), both (identical) fingerprints F(x) and F(y) must be stored
- by construction, all the elements with the same fingerprint and the same first position (i1) also share the second position (i2) (i.e., in the case F(x) = F(y) and h(x) = h(y))
- 2B is the maximum number of contents that can be stored with the same fingerprint and i1, since the two buckets can store at most 2B contents

Delete
function Delete(x)
    f = F(x), i1 = h(x), i2 = i1 ⊕ h(f)    ▷ Compute fingerprint and the positions
    if T[i1] = f then                      ▷ Check in first position
        T[i1] = ∅                          ▷ Remove f
    else if T[i2] = f then                 ▷ Check in second position
        T[i2] = ∅                          ▷ Remove f
    end if
end function

Cuckoo vs. Bloom filters

Cuckoo filters
- support deletion
- best storage-performance tradeoff for B = 4
- storage grows as Ω(log m)
- actually better than Bloom filters for practical values of ε (very small), n and m

Bloom filters
- do not support deletion
- storage independent from m

Amortized storage cost

Data structure            bit/item
Optimized Bloom filter    1.44 log2(1/ε)
Cuckoo filter             ≈ log2(1/ε) + 3

Overall storage comparison

m is the number of elements to store
L is the average size of each element (in bits)

Scheme                                     Prob. false positive   Total storage [bit]
Store element in a table                   0                      m × L
Store fingerprint in a table               ε                      m × log2(m/ε)
Store fingerprint in a bit string array    ε                      m × 1/ε
Bloom filter                               ε                      m × 1.44 log2(1/ε)
Cuckoo filter                              ε                      m × (log2(1/ε) + 3)
Lower bound                                ε                      m × log2(1/ε)
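The Find and Delete functions of the Cuckoo filter slides, together with the relocation step that the XOR property makes possible, as an added Python example (not code from the slides or from the Cuckoo filter authors). It assumes a power-of-two number of buckets n so that i ⊕ h(F(x)) stays inside the table, SHA-256 for both h() and F(), and hypothetical names such as alt and max_kicks.

```python
import hashlib
import random

class CuckooFilter:
    def __init__(self, n=64, B=4, fbits=8, max_kicks=500, seed=1):
        assert n & (n - 1) == 0          # power of two, so i XOR h(f) stays in [0, n)
        self.n, self.B, self.fbits, self.max_kicks = n, B, fbits, max_kicks
        self.T = [[] for _ in range(n)]  # n buckets, at most B fingerprints each
        self.rng = random.Random(seed)

    def h(self, data):                   # the single hash function h(), range [0, n)
        return int.from_bytes(hashlib.sha256(data).digest()[:8], "big") % self.n

    def F(self, x):                      # fingerprint of fbits bits
        d = hashlib.sha256(b"fingerprint" + x).digest()
        return int.from_bytes(d[:8], "big") % 2 ** self.fbits

    def alt(self, i, f):                 # alternative position: i XOR h(F(x))
        return i ^ self.h(f.to_bytes(4, "big"))

    def insert(self, x):
        f, i = self.F(x), self.h(x)
        for pos in (i, self.alt(i, f)):
            if len(self.T[pos]) < self.B:
                self.T[pos].append(f)
                return True
        for _ in range(self.max_kicks):  # both buckets full: relocate as in Cuckoo hash
            j = self.rng.randrange(self.B)
            f, self.T[i][j] = self.T[i][j], f   # evict a stored fingerprint
            i = self.alt(i, f)                  # its other bucket, from i and f only
            if len(self.T[i]) < self.B:
                self.T[i].append(f)
                return True
        return False                     # filter considered full

    def find(self, x):
        f, i = self.F(x), self.h(x)
        return f in self.T[i] or f in self.T[self.alt(i, f)]

    def delete(self, x):
        f, i = self.F(x), self.h(x)
        for pos in (i, self.alt(i, f)):
            if f in self.T[pos]:
                self.T[pos].remove(f)    # removes one copy only
                return True
        return False
```

Deleting a content that was never inserted can remove the identical fingerprint of another content, so `delete` should only be called for contents known to be stored.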


Section 5

Longest prefix matching


Solution #1
Adopt data structures for exact matching
Example for IPv4

[Figure: the network address is fed to exact-match blocks against prefixes of length 1, 2, ..., 32; a "Priority Encode and pick" block selects among their outputs and returns the port]

Solution #2
Adopt Patricia trie

Patricia trie

- compressed version of a binary tree
- optimized to minimize lookup time and memory consumption
- simple to construct starting from a binary trie
- steps to follow
  1. build the prefix table
  2. build the binary trie
  3. build the Patricia trie

Example

IP routing table

Network prefix    Rule (Gateway + Interface)
32.0.0.0/4        A
32.0.0.0/6        B
40.0.0.0/6        C
56.0.0.0/5        D
56.0.0.0/8        E
57.0.0.0/9        F
57.128.0.0/9      G
default           H

Prefix table

Network prefix    Rule (Gateway + Interface)
0010*             A
001000*           B
001010*           C
00111*            D
00111000*         E
001110010*        F
001110011*        G
*                 H

Binary trie

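Node format: [rule]

[Figure: binary trie built from the prefix table; each edge is labeled 0 or 1, the root carries rule H and the nodes reached by the prefixes carry rules A, B, C, D, E, F and G]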

Patricia trie

Node format: [prefix, rule, next-bit-to-inspect]

-,H,4
  0: 0010,A,5
    0: 001000,B,-
    1: 001010,C,-
  1: 00111,D,8
    0: 00111000,E,-
    1: 00111001,-,9
      0: F
      1: G
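The three construction steps (prefix table, binary trie, Patricia trie) applied to the routing table of the example, followed by a longest-prefix lookup on the result; this is an added Python example, not code from the slides. The dict-based node layout and the function names are assumptions, and the default route is written as 0.0.0.0/0.

```python
import ipaddress

# Routing table from the example; "default" is written as 0.0.0.0/0.
ROUTES = {"32.0.0.0/4": "A", "32.0.0.0/6": "B", "40.0.0.0/6": "C", "56.0.0.0/5": "D",
          "56.0.0.0/8": "E", "57.0.0.0/9": "F", "57.128.0.0/9": "G", "0.0.0.0/0": "H"}

def prefix_table(routes):
    """Step 1: network prefix -> bit string, e.g. 32.0.0.0/4 -> '0010'."""
    nets = ((ipaddress.ip_network(cidr), rule) for cidr, rule in routes.items())
    return {format(int(n.network_address), "032b")[:n.prefixlen]: r for n, r in nets}

def binary_trie(table):
    """Step 2: one node per bit; a node is {'rule': ..., '0': child, '1': child}."""
    root = {"rule": None}
    for bits, rule in table.items():
        node = root
        for b in bits:
            node = node.setdefault(b, {"rule": None})
        node["rule"] = rule
    return root

def kids(t):
    return [b for b in "01" if b in t]

def patricia(t, prefix=""):
    """Step 3: keep [prefix, rule, next bit]; drop rule-less one-child nodes."""
    node = {"prefix": prefix, "rule": t["rule"], "bit": None, "kids": {}}
    while len(kids(t)) == 1 and t[kids(t)[0]]["rule"] is None:  # slide to the branch
        prefix, t = prefix + kids(t)[0], t[kids(t)[0]]
    if kids(t):
        node["bit"] = len(prefix) + 1          # 1-based index of the bit to inspect
    for b in kids(t):
        child, cp = t[b], prefix + b
        while child["rule"] is None and len(kids(child)) == 1:  # skip below the branch
            cp, child = cp + kids(child)[0], child[kids(child)[0]]
        node["kids"][b] = patricia(child, cp)
    return node

def lookup(root, ip):
    """Longest prefix match: follow the inspected bits, verify each stored prefix."""
    addr = format(int(ipaddress.ip_address(ip)), "032b")
    node, best = root, root["rule"]
    while node["bit"] is not None:
        node = node["kids"].get(addr[node["bit"] - 1])
        if node is None or not addr.startswith(node["prefix"]):
            break                              # skipped bits did not match
        best = node["rule"] or best
    return best
```

Because the Patricia trie skips bits, the lookup compares the address with the full prefix stored in each visited node; without that check an address such as 60.0.0.1 would wrongly follow the branch towards E.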
