Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil.

Presentation transcript:

Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil Segev

Weizmann Institute of Science Israel Securing Vote Storage Mechanisms Tal Moran Moni Naor Gil Segev

3 Election Day
- Elections for class president
- Each student whispers in Mr. Drew’s ear
- Mr. Drew writes down the votes
- Problem: Mr. Drew’s notebook leaks sensitive information
  o First student voted for Carol
  o Second student voted for Alice
  o …
[Figure: Mr. Drew’s notebook of recorded votes for Alice, Bob and Carol]

4 Election Day
- What about more involved election systems?
  o Write-in candidates
  o Votes which are subsets or rankings
  o ….
- A simple solution:
  o Lexicographically sorted list of candidates
  o Unary counters
[Figure: tally of votes for Alice, Bob and Carol]

5 Secure Vote Storage
- Mechanisms that operate in extremely hostile environments
- Without a “secure” mechanism an adversary may be able to
  o Tamper with the records
  o Compromise privacy
- Majority of existing techniques are vulnerable in this setting
  o Cryptographic tools require private storage
  o Memory representation may leak sensitive information
  o Subliminal channels
- Possible scenarios:
  o Malicious software embeds secret information in public output
  o Colluding voters can obtain complete memory dump
  o Poll workers may tamper with the device while in transit
  o …

6 Main Security Goals
- Tamper-evidence: Prevent an adversary from undetectably tampering with the records
- History-independence: Memory representation does not reveal the insertion order
- Subliminal-freeness: Information cannot be secretly embedded into the data
[Side labels on the slide: Integrity, Privacy]

7 This Work
- Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N
- Why consider a large universe?
  o Write-in candidates
  o Votes which are subsets or rankings
  o Records may contain additional information (e.g., 160-bit hash values)
- Supports Insert(x), Seal() and RetrieveAll()
  o Insert(x): Cast a ballot
  o Seal(): “Finalize” the elections
  o RetrieveAll(): Count votes

8 This Work
- Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N
- Our approach:
  o Tamper-evidence by exploiting write-once memories (initialized to all 0’s; can only flip 0’s to 1’s). Due to Molnar, Kohno, Sastry & Wagner ’06
  o Information-theoretic security: Everything is public!! No need for private storage
  o Deterministic history-independent strategy in which each subset of elements determines a unique memory representation
  o Strongest form of history-independence
  o Unique representation - cannot secretly embed information

9 Our Results
- Previous approaches were either:
  o Inefficient (required O(K^2) space)
  o Randomized (enabled subliminal channels)
  o Required private storage
- Main Result: Deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N

                    Space            Insertion time
  Explicit          K·polylog(N)     polylog(N)
  Non-constructive  K·log(N/K)       log(N/K)

10 Our Results
- Main Result: Deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N
- Application to Distributed Computing: First explicit, deterministic and non-adaptive Conflict Resolution algorithm which is optimal up to poly-logarithmic factors
  o Resolve conflicts in multiple-access channels
  o One of the classical Distributed Computing problems
  o Explicit, deterministic & non-adaptive -- open since ‘85 [Komlos & Greenberg]

11 Previous Work
- Molnar, Kohno, Sastry & Wagner ‘06
  o Initiated the formal study of secure vote storage
  o Tamper-evidence by exploiting write-once memories
- PROM
  o Initialized to all 0’s
  o Can only flip 0’s to 1’s
- Encoding(x) = (x, wt_2(x))
  o Logarithmic overhead
  o Flipping any bit of x from 0 to 1 requires flipping a bit of wt_2(x) from 1 to 0
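
The encoding on slide 11, checked exhaustively in an added Python example (not code from the presentation). It assumes wt_2(x) is the binary count of the 0 bits of x, the reading under which the stated property holds; a count of 1 bits is included only for contrast, and the 8-bit record width and all function names are illustrative.

```python
WIDTH = 8                        # data bits per record (assumed for the demo)
CHECK = WIDTH.bit_length()       # check bits: enough to hold a count 0..WIDTH

def make_encoder(count_zeros):
    """Encoding(x) = (x, c(x)); c counts the 0 bits, or the 1 bits for contrast."""
    def encode(x):
        ones = bin(x).count("1")
        return (x << CHECK) | (WIDTH - ones if count_zeros else ones)
    return encode

def write_once_reachable(old, new):
    """True if `new` can be produced from `old` using 0 -> 1 flips only."""
    return old & ~new == 0

def undetected_rewrites(encode):
    """Count pairs of distinct valid codewords (a, b) where a can be burned into b."""
    words = [encode(x) for x in range(2 ** WIDTH)]
    return sum(1 for a in words for b in words
               if a != b and write_once_reachable(a, b))

def is_tampered(word, encode):
    """A stored word is accepted only if its check field matches its data field."""
    return encode(word >> CHECK) != word

zero_count = make_encoder(count_zeros=True)    # assumed meaning of wt_2
one_count = make_encoder(count_zeros=False)    # contrast: not tamper-evident

if __name__ == "__main__":
    print("zero-count encoding, undetected rewrites:", undetected_rewrites(zero_count))
    print("one-count encoding,  undetected rewrites:", undetected_rewrites(one_count))
```

Setting more data bits lowers the zero count, and lowering a binary number always needs some bit to go from 1 to 0, which the memory cannot do.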

12 Previous Work
- Molnar, Kohno, Sastry & Wagner ‘06
  o Initiated the formal study of secure vote storage
  o Tamper-evidence by exploiting write-once memories
  o “Copy-over list”: A deterministic & history-independent solution
- A useful observation [Naor & Teague ‘01]: Store the elements in a lexicographically sorted list
- Problem: Cannot sort in-place on write-once memories
- On every insertion:
  o Compute the sorted list including the new element
  o Copy the sorted list to the next available memory position
  o Erase the previous list
- O(K^2) space!!
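
The copy-over list of slide 12 on a simulated write-once memory, as an added Python example (not code from the presentation). The 16-bit cells, the region layout (the list of length j occupies cells j(j-1)/2 onward), erasure by setting every bit to 1, and all names are assumptions made for the illustration.

```python
class WriteOnceMemory:
    """Cells start at 0; programming may set bits but never clear them."""
    def __init__(self, n_cells):
        self.cells = [0] * n_cells

    def program(self, i, value):
        if self.cells[i] & ~value:
            raise ValueError("write-once violation: 1 -> 0 flip")
        self.cells[i] = value

class CopyOverList:
    ERASED = 0xFFFF                          # 16-bit cell with every bit set

    def __init__(self, capacity):
        self.capacity = capacity
        self.mem = WriteOnceMemory(capacity * (capacity + 1) // 2)  # O(K^2) cells

    def _region(self, j):
        """Cells reserved for the sorted list of length j."""
        start = j * (j - 1) // 2
        return range(start, start + j)

    def retrieve_all(self):
        j = 0                                # length of the newest list written
        while j < self.capacity and self.mem.cells[self._region(j + 1)[0]]:
            j += 1
        return [self.mem.cells[i] for i in self._region(j)]

    def insert(self, x):
        if not 0 < x < self.ERASED:
            raise ValueError("element must differ from blank and erased cells")
        current = self.retrieve_all()
        if x in current:
            return
        if len(current) == self.capacity:
            raise OverflowError("list is full")
        new = sorted(current + [x])
        for i, v in zip(self._region(len(new)), new):   # copy to next free region
            self.mem.program(i, v)
        for i in self._region(len(current)):            # erase the previous list
            self.mem.program(i, self.ERASED)

def dump_after(order, capacity=4):
    """Full memory image after inserting `order` into a fresh list."""
    col = CopyOverList(capacity)
    for x in order:
        col.insert(x)
    return col.mem.cells
```

Every insertion order of the same set leaves the same memory image: erased regions for the shorter lists, then the sorted list, then blank cells.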

13 Previous Work
- Molnar, Kohno, Sastry & Wagner ‘06
  o Initiated the formal study of secure vote storage
  o Tamper-evidence by exploiting write-once memories
  o “Copy-over list”: A deterministic & history-independent solution
  o Several other solutions which are either randomized or require private storage
- Bethencourt, Boneh & Waters ‘07
  o A linear-space cryptographic solution
  o “History-independent append-only” signature scheme
  o Randomized & requires private storage

14 Our Mechanism
- Global strategy: Mapping elements to entries of a table
- Local strategy: Resolving collisions separately in each entry
- Both strategies are deterministic, history-independent and write-once

15 The Local Strategy
- Store elements mapped to each entry in a separate copy-over list
  o ℓ elements require ℓ^2 pre-allocated memory
  o Allows very small values of ℓ in the worst case!
- Can a deterministic global strategy guarantee that?
  o The worst case behavior of any fixed hash function is very poor
  o There is always a relatively large set of elements which are mapped to the same entry….

16 The Global Strategy
- Sequence of tables
- Each table stores a fraction of the elements
- Each element is inserted into several entries of the first table
- When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted

17 The Global Strategy
- Each element is inserted into several entries of the first table
- When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted
[Figure: elements of the universe of size N mapped to table entries; one entry marked OVERFLOW]


19 Analyzing The Global Strategy
- Each element is inserted into several entries of the first table
- When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted
- Unique representation:
  o Elements determine overflowing entries in the first table
  o Elements mapped to non-overflowing entries are stored
  o Continue with the next table and remaining elements
[Figure: universe of size N mapped to table entries]
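
The global strategy of slides 16-19 and the unique-representation argument, as an added Python example (not code from the presentation). The arithmetic map in `entries` is a toy stand-in for the hash functions, the values of `ELL` and `SIZES` are assumed, and each entry is modelled as a set rather than a copy-over list, with `None` marking a permanently deleted entry.

```python
ELL = 2               # per-entry capacity, the slides' ℓ (assumed value)
SIZES = [8, 4, 2]     # sizes of the sequence of tables (assumed values)

def entries(x, t):
    """Toy stand-in for table t's hash functions: up to two entries per element."""
    m = SIZES[t]
    return sorted({x % m, (x // m) % m})

class Store:
    def __init__(self):
        # An entry is a set of elements, or None once permanently deleted.
        self.tables = [[frozenset()] * m for m in SIZES]

    def insert(self, x, t=0):
        if t == len(SIZES):
            raise OverflowError("all tables exhausted")
        table = self.tables[t]
        live = [e for e in entries(x, t) if table[e] is not None]
        for e in live:
            table[e] = table[e] | {x}
        evicted = set() if live else {x}
        for e in live:
            if len(table[e]) > ELL:          # overflow: delete the entry for good
                evicted |= table[e]
                table[e] = None
        for y in sorted(evicted):            # move on only if stored nowhere else
            if all(table[e] is None for e in entries(y, t)):
                self.insert(y, t + 1)

    def retrieve_all(self):
        return {x for tb in self.tables for s in tb if s for x in s}

def canonical(elements):
    """Slide 19's argument: the set alone determines every table."""
    tables, remaining = [], set(elements)
    for t, m in enumerate(SIZES):
        load = [frozenset(x for x in remaining if e in entries(x, t))
                for e in range(m)]
        table = [s if len(s) <= ELL else None for s in load]
        remaining = {x for x in remaining
                     if all(table[e] is None for e in entries(x, t))}
        tables.append(table)
    if remaining:
        raise OverflowError("all tables exhausted")
    return tables

def state_after(order):
    store = Store()
    for x in order:
        store.insert(x)
    return store.tables
```

For the constructed set {1, 9, 17, 25, 10, 20}, entries 1 and 2 of the first table overflow and 9, 10 and 17 cascade into the second table, whichever order the elements arrive in.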

20 Analyzing The Global Strategy
- Each element is inserted into several entries of the first table
- When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted
- Subset of size K
  o Table of size ~K: Stores αK elements
  o Table of size ~(1-α)K: Stores α(1-α)K elements
  o Table of size ~(1-α)^2 K
- Where do the hash functions come from?
[Figure: subset of size K of the universe of size N, mapped into the sequence of tables]

21 Analyzing The Global Strategy
- Identify the hash function of each table with a bipartite graph
- Bounded-Neighbor Expander: Any subset S of size K contains αK elements with a low degree neighbor w.r.t. S
[Figure: bipartite graph from the universe of size N, containing the subset S, to the table entries; entries labelled OVERFLOW and LOW DEGREE]

22 Bounded-Neighbor Expanders
- Any subset S of size K contains αK elements with a neighbor of degree ≤ ℓ w.r.t. S
- Given N and K:
  o Minimize M and ℓ
  o Maximize α
[Figure: bipartite graph from the universe of size N, containing the subset S, to a table of size M]
[Table: parameters M, ℓ and α for the explicit and non-constructive constructions; cell values K·polylog(N), polylog(N), K·log(N/K), 1, 1/2, 1/polylog(N)]

23 Open Problems
- Non-amortized insertion time
  o In our scheme insertions may have a cascading effect
  o Construct a scheme that has bounded worst case insertion time
- Improved bounded-neighbor expanders
- Memory lower bound
  o Our non-constructive solution: K·log(N)·log(N/K) bits
  o Obvious lower bound: K·log(N/K) bits
  o Find the minimal M such that subsets of size at most K taken from [N] can be mapped into subsets of [M] while preserving inclusions
- Integrate the mechanism into existing schemes

24 Thank you!