Published by Arnold Cole. Modified over 9 years ago.
1
Deterministic History-Independent Strategies for Storing Information on Write-Once Memories
Tal Moran, Moni Naor, Gil Segev
Weizmann Institute of Science, Israel
2
Securing Vote Storage Mechanisms
Tal Moran, Moni Naor, Gil Segev
Weizmann Institute of Science, Israel
3
Election Day
Elections for class president
Each student whispers in Mr. Drew’s ear
Mr. Drew writes down the votes
Problem: Mr. Drew’s notebook leaks sensitive information
  o First student voted for Carol
  o Second student voted for Alice
  o …
[Figure: votes for Carol, Bob and Alice]
4
Election Day
A simple solution:
  o Lexicographically sorted list of candidates
  o Unary counters
[Figure: unary counters for Alice, Bob and Carol]
What about more involved election systems?
  o Write-in candidates
  o Votes which are subsets or rankings
  o …
5
Secure Vote Storage
Mechanisms that operate in extremely hostile environments
Without a “secure” mechanism an adversary may be able to
  o Undetectably tamper with the records
  o Compromise privacy
Possible scenarios:
  o Poll workers may tamper with the device while in transit
  o Malicious software embeds secret information in public output
  o …
6
Main Security Goals
Tamper-evidence
  o Prevent an adversary from undetectably tampering with the records
History-independence
  o Memory representation does not reveal the insertion order
Subliminal-freeness
  o Information cannot be secretly embedded into the data
Goal categories shown on the slide: Integrity, Privacy
7
This Work
Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N
Supports Insert(x), Seal() and RetrieveAll()
  o Insert(x): cast a ballot
  o Seal(): “finalize” the elections
  o RetrieveAll(): count votes
Why consider a large universe?
  o Write-in candidates
  o Votes which are subsets or rankings
  o Records may contain additional information (e.g., 160-bit hash values)
8
This Work
Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N
Our approach:
Tamper-evidence by exploiting write-once memories
  o Due to Molnar, Kohno, Sastry & Wagner ’06
  o Initialized to all 0’s
  o Can only flip 0’s to 1’s
Information-theoretic security
  o Everything is public!! No need for private storage
Deterministic strategy in which each subset of elements determines a unique memory representation
  o Strongest form of history-independence
  o Unique representation - cannot secretly embed information
9
Our Results
Main Result: Deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N

                   Space           Insertion time
Explicit           K polylog(N)    polylog(N)
Non-constructive   K log(N/K)      log(N/K)

Previous approaches were either:
  o Inefficient (required O(K²) space)
  o Randomized (enabled subliminal channels)
  o Required private storage
10
Our Results
Main Result: Deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N
Application to Distributed Computing: First explicit, deterministic and non-adaptive Conflict Resolution algorithm which is optimal up to poly-logarithmic factors
  o Resolve conflicts in multiple-access channels
  o One of the classical Distributed Computing problems
  o Explicit, deterministic & non-adaptive -- open since ’85 [Komlos & Greenberg]
11
Previous Work
Molnar, Kohno, Sastry & Wagner ’06
  o Initiated the formal study of secure vote storage
  o Tamper-evidence by exploiting write-once memories (PROM)
Write-once memory:
  o Initialized to all 0’s
  o Can only flip 0’s to 1’s
Encoding(x) = (x, wt_2(x))
  o Logarithmic overhead
  o Flipping any bit of x from 0 to 1 requires flipping a bit of wt_2(x) from 1 to 0
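Added example (not from the slides or the cited paper): a Python model of the (x, wt_2(x)) encoding that exhaustively checks the claim above for 8-bit values. It assumes wt_2(x) is the number of 0 bits of x written in binary, and contrasts that with a counter of 1 bits, which does not give tamper-evidence; X_BITS and all function names are illustrative.

```python
# Added example: model of the (x, wt_2(x)) encoding on a write-once (PROM) cell.
# Assumption: wt_2(x) is the number of 0 bits of x, written in binary.
from itertools import combinations

X_BITS = 8                       # data width (constructed for the demo)
W_BITS = X_BITS.bit_length()     # bits needed to hold a count in 0..X_BITS

def encode(x, count_zeros=True):
    """Return the stored word x || w, where w counts the 0 (or 1) bits of x."""
    ones = bin(x).count("1")
    w = X_BITS - ones if count_zeros else ones
    return (x << W_BITS) | w

def is_valid(word, count_zeros=True):
    """A word is a codeword iff its counter field matches its data field."""
    return word == encode(word >> W_BITS, count_zeros)

def monotone_rewrites(word):
    """Every word reachable from `word` by flipping at least one 0 to 1."""
    zeros = [i for i in range(X_BITS + W_BITS) if not (word >> i) & 1]
    for r in range(1, len(zeros) + 1):
        for combo in combinations(zeros, r):
            yield word | sum(1 << i for i in combo)

def undetected_tamperings(count_zeros=True):
    """Count (stored, rewritten) pairs where a 0->1 rewrite is still valid."""
    hits = 0
    for x in range(1 << X_BITS):
        stored = encode(x, count_zeros)
        hits += sum(is_valid(w, count_zeros) for w in monotone_rewrites(stored))
    return hits
```

Counting zeros works because raising any bit of x lowers the count, and a binary number cannot decrease when bits are only set.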
12
Previous Work
Molnar, Kohno, Sastry & Wagner ’06
  o Initiated the formal study of secure vote storage
  o Tamper-evidence by exploiting write-once memories
  o “Copy-over list”: A deterministic & history-independent solution
A useful observation [Naor & Teague ’01]: Store the elements in a lexicographically sorted list
Problem: Cannot sort in-place on write-once memories
On every insertion:
  o Compute the sorted list including the new element
  o Copy the sorted list to the next available memory position
  o Erase the previous list
O(K²) space!!
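Added example (not the authors' code): the copy-over list on a simulated write-once memory, showing that two insertion orders leave an identical memory image and that K elements consume K(K+1)/2 cells. Assumptions: 8-bit cells stored without the (x, wt_2(x)) encoding, the all-ones cell as the "erased" marker, elements in 1..254, and hypothetical class and function names.

```python
# Added example: copy-over list on a simulated write-once memory.
CELL_BITS = 8                      # assumed cell width
ERASED = (1 << CELL_BITS) - 1      # assumed "erased" marker: all bits set

class WriteOnceMemory:
    def __init__(self, cells):
        self.cells = [0] * cells   # initialized to all 0's

    def write(self, i, value):
        if self.cells[i] & ~value: # some bit would have to go 1 -> 0
            raise ValueError("write-once violation at cell %d" % i)
        self.cells[i] = value

class CopyOverList:
    def __init__(self, capacity):
        # Lists of length 1..K sit back to back: K(K+1)/2 cells in total.
        self.mem = WriteOnceMemory(capacity * (capacity + 1) // 2)

    def retrieve_all(self):
        # Everything is read from the public memory; no private state.
        return [c for c in self.mem.cells if c not in (0, ERASED)]

    def insert(self, x):
        if not 0 < x < ERASED:
            raise ValueError("element must be in 1..ERASED-1")
        old = self.retrieve_all()
        erased = self.mem.cells.count(ERASED)
        base = erased + len(old)             # next available position
        for i, v in enumerate(sorted(old + [x])):
            self.mem.write(base + i, v)      # copy the new sorted list
        for i in range(erased, base):
            self.mem.write(i, ERASED)        # erase the previous list

def snapshot(order):
    """Insert `order` into a fresh list and return the final memory image."""
    lst = CopyOverList(len(order))
    for x in order:
        lst.insert(x)
    return tuple(lst.mem.cells)
```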
13
Previous Work
Molnar, Kohno, Sastry & Wagner ’06
  o Initiated the formal study of secure vote storage
  o Tamper-evidence by exploiting write-once memories
  o “Copy-over list”: A deterministic & history-independent solution
  o Several other solutions which are either randomized or require private storage
Bethencourt, Boneh & Waters ’07
  o A linear-space cryptographic solution
  o “History-independent append-only” signature scheme
  o Randomized & requires private storage
14
Our Mechanism
Global strategy
  o Mapping elements to entries of a table
Local strategy
  o Resolving collisions separately in each entry
Both strategies are deterministic, history-independent and write-once
15
The Local Strategy
Store elements mapped to each entry in a separate copy-over list
  o ℓ elements require ℓ² pre-allocated memory
  o Allows very small values of ℓ in the worst case!
Can a deterministic global strategy guarantee that?
  o The worst case behavior of any fixed hash function is very poor
  o There is always a relatively large set of elements which are mapped to the same entry…
16
The Global Strategy
Sequence of tables
Each table stores a fraction of the elements
Each element is inserted into several entries of the first table
When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted
17
The Global Strategy
Each element is inserted into several entries of the first table
When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted
[Figure: universe of size N mapped into the first table; one entry marked OVERFLOW]
18
The Global Strategy
Each element is inserted into several entries of the first table
When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted
[Figure: universe of size N mapped into the first table; one entry marked OVERFLOW]
19
The Global Strategy
Each element is inserted into several entries of the first table
When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted
Unique representation:
  o Elements determine overflowing entries in the first table
  o Elements mapped to non-overflowing entries are stored
  o Continue with the next table and remaining elements
[Figure: universe of size N]
20
The Global Strategy
Each element is inserted into several entries of the first table
When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted
Universe of size N, subset of size K
  o Table of size ~K: stores αK elements
  o Table of size ~(1-α)K: stores α(1-α)K elements
  o Table of size ~(1-α)²K
Where do the hash functions come from?
21
The Global Strategy
Identify the hash function of each table with a bipartite graph
(K, α, ℓ)-Bounded-Neighbor Expander: Any set S of size K contains αK elements with a neighbor of degree ≤ ℓ w.r.t. S
[Figure: universe of size N with a subset S; table entries marked OVERFLOW and LOW DEGREE]
22
Bounded-Neighbor Expanders
(K, α, ℓ)-Bounded-Neighbor Expander: Any set S of size K contains αK elements with a neighbor of degree ≤ ℓ w.r.t. S
Table of size M, universe of size N
Given N and K, want to optimize M, ℓ, α and the left-degree D
[Table comparing the Optimal, Extractor and Disperser constructions on M, α, ℓ and D. Values as they appear on the slide: 1, polylog(N), 1/2; K · log(N/K), K · 2^((log log N)^2), K; 1/polylog(N), O(1); log(N/K), 2^((log log N)^2), polylog(N)]
23
Open Problems
Non-amortized insertion time
  o In our scheme insertions may have a cascading effect
  o Construct a scheme that has bounded worst case insertion time
Improved bounded-neighbor expanders
The monotone encoding problem
  o Find the minimal M such that subsets of size at most K taken from [N] can be mapped into subsets of [M] while preserving inclusions
  o Our non-constructive solution: K log(N) log(N/K) bits
  o Obvious lower bound: K log(N/K) bits
  o Alon & Hod ’07: M = O(K log(N/K))
24
Conflict Resolution
Problem: resolve conflicts that arise when several parties transmit simultaneously over a single channel
Goal: schedule retransmissions such that each of the conflicting parties eventually transmits individually
  o A party which successfully transmits halts
Efficiency measure: number of steps it takes to resolve any K conflicts among N parties
An algorithm is non-adaptive if the choices of the parties in each step do not depend on previous steps
25
Conflict Resolution
Why require a deterministic algorithm?
Radio Frequency Identification (RFID)
  o Many tags simultaneously read by a single reader
  o Inventory systems, product tracking, ...
  o Tags are highly constrained devices
  o Can they generate randomness?
26
The Algorithm
Global strategy
  o Mapping parties to time intervals
Local strategy
  o Resolving collisions separately in each interval
27
The Local Strategy
Associate each party x ∈ [N] with a codeword C(x) taken from a superimposed code:
  o No codeword is contained in the bit-wise OR of any ℓ-1 other codewords
Party x transmits at step i if and only if C(x)_i = 1
Resolves conflicts among any ℓ parties taken from [N]
O(ℓ² · log N) steps using known explicit constructions
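Added example (not from the slides): the local strategy run as a fixed transmission schedule, where party x transmits at step i exactly when C(x)_i = 1. The codewords here come from a Reed-Solomon style (Kautz-Singleton) construction chosen for the example, since the slides only say "known explicit constructions"; the parameters Q = 7 and DEG = 3 and all names are assumptions.

```python
# Added example: non-adaptive conflict resolution with a superimposed code.
# Assumption: codewords come from a Reed-Solomon style (Kautz-Singleton)
# construction; the slides only say "known explicit constructions".
import random

Q = 7                      # prime field size (constructed parameters)
DEG = 3                    # party x is a polynomial p_x of degree < DEG
N = Q ** DEG               # 343 parties
STEPS = Q * Q              # 49 time steps
ELL = (Q - 1) // (DEG - 1) + 1   # conflicts resolved: (ELL-1)*(DEG-1) < Q

def codeword(x):
    """C(x) as the set of steps i with C(x)_i = 1: one step (a, p_x(a)) per a."""
    coeffs = [(x // Q ** j) % Q for j in range(DEG)]
    return {a * Q + sum(c * a ** j for j, c in enumerate(coeffs)) % Q
            for a in range(Q)}

def resolve(conflicting):
    """Run the fixed schedule; return {party: step of its solo transmission}."""
    active, solo = set(conflicting), {}
    for step in range(STEPS):
        senders = [x for x in active if step in codeword(x)]
        if len(senders) == 1:           # exactly one sender: success
            solo[senders[0]] = step
            active.discard(senders[0])  # a party that succeeds halts
    return solo

def check_random_conflicts(trials=200, seed=1):
    """True if every sampled set of ELL parties is fully resolved."""
    rng = random.Random(seed)
    return all(len(resolve(s)) == ELL
               for s in (rng.sample(range(N), ELL) for _ in range(trials)))
```

Two distinct polynomials of degree below 3 agree on at most 2 of the 7 points, so three other parties can block at most 6 of a party's 7 steps, which leaves every party in a conflict of size 4 at least one solo step within the 49.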
28
The Global Strategy
Sequence of phases identified with bounded-neighbor expanders
Each phase contains several time slots
The graphs define the active parties at each slot
Resolve collisions in each slot using the local strategy
[Figure: universe of size N mapped to Phase 1, Phase 2, Phase 3]
29
The Global Strategy
Sequence of phases identified with bounded-neighbor expanders
Each phase contains several time slots
The graphs define the active parties at each slot
Resolve collisions in each slot using the local strategy
O(K · polylog(N)) steps
[Figure: universe of size N; slots marked OVERFLOW and SUCCESS]