Presentation is loading. Please wait.

Presentation is loading. Please wait.

Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil.

Published byArnold Cole Modified over 9 years ago

Similar presentations

Presentation on theme: "Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil."— Presentation transcript:

1 Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil Segev

2 Weizmann Institute of Science Israel Securing Vote Storage Mechanisms Tal Moran Moni Naor Gil Segev

3 3 Election Day Carol Bob Carol Elections for class president Each student whispers in Mr. Drew’s ear Mr. Drew writes down the votes Alice Bob Alice Problem: Mr. Drew’s notebook leaks sensitive information First student voted for Carol Second student voted for Alice … Alice

4 4 Election Day Carol Alice Bob 1 1 1 1 CarolAlice Bob What about more involved election systems? Write-in candidates Votes which are subsets or rankings …. A simple solution: Lexicographically sorted list of candidates Unary counters

5 5 Secure Vote Storage Mechanisms that operate in extremely hostile environments Without a “secure” mechanism an adversary may be able to Undetectably tamper with the records Compromise privacy Possible scenarios: Poll workers may tamper with the device while in transit Malicious software embeds secret information in public output …

6 6 Main Security Goals Tamper-evidence Prevent an adversary from undetectably tampering with the records History-independence Memory representation does not reveal the insertion order Subliminal-freeness Information cannot be secretly embedded into the data Integrity Privacy

7 This Work 7 Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N Why consider a large universe? Write-in candidates Votes which are subsets or rankings Records may contain additional information (e.g., 160-bit hash values) Supports Insert(x), Seal() and RetreiveAll() Cast a ballot Count votes “Finalize” the elections

8 8 This Work Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N Tamper-evidence by exploiting write-once memories Due to Molnar, Kohno, Sastry & Wagner ’06 Information-theoretic security Everything is public!! No need for private storage Deterministic strategy in which each subset of elements determines a unique memory representation Strongest form of history-independence Unique representation - cannot secretly embed information Our approach: Initialized to all 0 ’s Can only flip 0 ’s to 1 ’s

9 9 Previous approaches were either: Inefficient (required O(K 2 ) space) Randomized (enabled subliminal channels) Required private storage Explicit Space Insertion time K  polylog(N) polylog(N) K  log(N/K) log(N/K) Non-Constructive Deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N Our Results Main Result

10 10 Deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N Our Results Main Result First explicit, deterministic and non-adaptive Conflict Resolution algorithm which is optimal up to poly-logarithmic factors Application to Distributed Computing Resolve conflicts in multiple-access channels One of the classical Distributed Computing problems Explicit, deterministic & non-adaptive -- open since ‘85 [Komlos & Greenberg]

11 11 Previous Work Molnar, Kohno, Sastry & Wagner ‘06 Initiated the formal study of secure vote storage Tamper-evidence by exploiting write-once memories Initialized to all 0 ’s Can only flip 0 ’s to 1 ’s Encoding(x) = (x, wt 2 (x)) Logarithmic overhead PROM Flipping any bit of x from 0 to 1 requires flipping a bit of wt 2 ( x ) from 1 to 0

12 12 Previous Work Molnar, Kohno, Sastry & Wagner ‘06 Initiated the formal study of secure vote storage Tamper-evidence by exploiting write-once memories “Copy-over list”: A deterministic & history-independent solution Problem: Cannot sort in-place on write-once memories On every insertion: Compute the sorted list including the new element Copy the sorted list to the next available memory position Erase the previous list A useful observation [Naor & Teague ‘01]: Store the elements in a lexicographically sorted list O(K 2 ) space!!

13 13 Previous Work Molnar, Kohno, Sastry & Wagner ‘06 Initiated the formal study of secure vote storage Tamper-evidence by exploiting write-once memories “Copy-over list”: A deterministic & history-independent solution Several other solutions which are either randomized or require private storage Bethencourt, Boneh & Waters ‘07 A linear-space cryptographic solution “History-independent append-only” signature scheme Randomized & requires private storage

14 14 Our Mechanism Global strategy Mapping elements to entries of a table Both strategies are deterministic, history-independent and write-once Local strategy Resolving collisions separately in each entry

15 15 The Local Strategy Store elements mapped to each entry in a separate copy-over list ℓ elements require ℓ 2 pre-allocated memory Allows very small values of ℓ in the worst case! Can a deterministic global strategy guarantee that? The worst case behavior of any fixed hash function is very poor There is always a relatively large set of elements which are mapped to the same entry….

16 16 The Global Strategy Sequence of tables Each table stores a fraction of the elements Each element is inserted into several entries of the first table When an entry overflows: o Elements that are not stored elsewhere are inserted into the next table o The entry is permanently deleted

17 17 The Global Strategy Each element is inserted into several entries of the first table When an entry overflows: o Elements that are not stored elsewhere are inserted into the next table o The entry is permanently deleted Universe of size N OVERFLOW

18 18 The Global Strategy OVERFLOW Universe of size N Each element is inserted into several entries of the first table When an entry overflows: o Elements that are not stored elsewhere are inserted into the next table o The entry is permanently deleted

19 19 Each element is inserted into several entries of the first table When an entry overflows: o Elements that are not stored elsewhere are inserted into the next table o The entry is permanently deleted Universe of size N Unique representation: Elements determine overflowing entries in the first table Elements mapped to non-overflowing entries are stored Continue with the next table and remaining elements The Global Strategy

20 20 Subset of size K Table of size ~K Stores ® K elements Table of size ~(1- ® )K Stores ® (1 - ® )K elements Table of size ~(1- ® ) 2 K Where do the hash functions come from? Universe of size N Each element is inserted into several entries of the first table When an entry overflows: o Elements that are not stored elsewhere are inserted into the next table o The entry is permanently deleted The Global Strategy

21 Identify the hash function of each table with a bipartite graph Universe of size N S OVERFLOW LOW DEGREE 21 The Global Strategy (K, ®, ℓ) -Bounded-Neighbor Expander: Any set S of size K contains ® K element with a neighbor of degree · ℓ w.r.t S

22 Bounded-Neighbor Expanders Table of size M Universe of size N Given N and K, want to optimize M, ℓ, ® and the left-degree D Optimal ExtractorDisperser 1polylog(N) 1/2 M ® ℓ K ¢ log(N/K)K ¢ 2 (loglogN) 2 K 1/polylog(N) O(1) (K, ®, ℓ) -Bounded-Neighbor Expander: Any set S of size K contains ® K element with a neighbor of degree · ℓ w.r.t S log(N/K)D2 (loglogN) 2 polylog(N)

23 Open Problems Non-amortized insertion time In our scheme insertions may have a cascading effect Construct a scheme that has bounded worst case insertion time Improved bounded-neighbor expanders The monotone encoding problem Our non-constructive solution: K  log(N)  log(N/K) bits Obvious lower bound: K  log(N/K) bits Find the minimal M such that subsets of size at most K taken from [N] can be mapped into subsets of [M] while preserving inclusions Alon & Hod ‘07: M = O(K  log(N/K)) 23

24 Conflict Resolution Problem: resolve conflicts that arise when several parties transmit simultaneously over a single channel Goal: schedules retransmissions such that each of the conflicting parties eventually transmits individually A party which successfully transmits halts Efficiency measure: number of steps it takes to resolve any K conflicts among N parties An algorithm is non-adaptive if the choices of the parties in each step do not depend on previous steps

25 Conflict Resolution Why require a deterministic algorithm? Radio Frequency Identification (RFID) Many tags simultaneously read by a single reader Inventory systems, product tracking,... Tags are highly constraint devices Can they generate randomness?

26 26 The Algorithm Global strategy Mapping parties to time intervals Local strategy Resolving collisions separately in each interval

27 27 The Local Strategy Associate each party x 2 [N] with a codeword C(x) taken from a superimposed code: Any codeword is not contained in the bit-wise or of any other ℓ-1 codewords Resolves conflicts among any ℓ parties taken from [N] Party x transmits at step i if and only if C(x) i = 1 O(ℓ 2 ¢ logN) steps using known explicit constructions

28 28 Sequence of phases identified with bounded-neighbor expanders Each phase contains several time slots The graphs define the active parties at each slot Resolve collisions in each slot using the local strategy Universe of size N The Global Strategy Phase 1 Phase 2 Phase 3

29 29 Sequence of phases identified with bounded-neighbor expanders Each phase contains several time slots The graphs define the active parties at each slot Resolve collisions in each slot using the local strategy Universe of size N The Global Strategy O(K ¢ polylog(N)) steps OVERFLOW SUCCESS

Download ppt "Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil."

Similar presentations

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.
David Luebke 1 6/7/2014 ITCS 6114 Skip Lists Hashing.

David Luebke 1 6/7/2014 ITCS 6114 Skip Lists Hashing.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
HASH TABLE. HASH TABLE a group of people could be arranged in a database like this: Hashing is the transformation of a string of characters into a.

HASH TABLE. HASH TABLE a group of people could be arranged in a database like this: Hashing is the transformation of a string of characters into a.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil.

Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil.
©Silberschatz, Korth and Sudarshan12.1Database System Concepts Chapter 12: Indexing and Hashing Basic Concepts Ordered Indices B+-Tree Index Files B-Tree.

©Silberschatz, Korth and Sudarshan12.1Database System Concepts Chapter 12: Indexing and Hashing Basic Concepts Ordered Indices B+-Tree Index Files B-Tree.
Optimal Fast Hashing Yossi Kanizo (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel) and David Hay (Hebrew Univ., Israel)

Optimal Fast Hashing Yossi Kanizo (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel) and David Hay (Hebrew Univ., Israel)
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
File Management Chapter 12. File Management A file is a named entity used to save results from a program or provide data to a program. Access control.

File Management Chapter 12. File Management A file is a named entity used to save results from a program or provide data to a program. Access control.
Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.

Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
CPSC 335 Computer Science University of Calgary Canada.

CPSC 335 Computer Science University of Calgary Canada.
1 Maximal Independent Set. 2 Independent Set (IS): In a graph, any set of nodes that are not adjacent.

1 Maximal Independent Set. 2 Independent Set (IS): In a graph, any set of nodes that are not adjacent.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Institute of Computer Science University of Wroclaw Page Migration in Dynamic Networks Marcin Bieńkowski Joint work with: Jarek Byrka (Centrum voor Wiskunde.

Institute of Computer Science University of Wroclaw Page Migration in Dynamic Networks Marcin Bieńkowski Joint work with: Jarek Byrka (Centrum voor Wiskunde.

Similar presentations

Ads by Google