Deterministic History-Independent Strategies for Storing Information on Write-Once Memories
Tal Moran, Moni Naor, Gil Segev
Weizmann Institute of Science, Israel

Securing Vote Storage Mechanisms
Tal Moran, Moni Naor, Gil Segev
Weizmann Institute of Science, Israel

Election Day
Elections for class president
  Each student whispers in Mr. Drew's ear
  Mr. Drew writes down the votes
Problem: Mr. Drew's notebook leaks sensitive information
  First student voted for Carol
  Second student voted for Alice
  …
[Figure: votes for Carol, Alice and Bob written in the notebook]

Election Day
A simple solution:
  Lexicographically sorted list of candidates
  Unary counters
What about more involved election systems?
  Write-in candidates
  Votes which are subsets or rankings
  …
[Figure: the votes Carol, Alice, Alice, Bob stored as unary counters: Alice 11, Bob 1, Carol 1]

Secure Vote Storage
Mechanisms that operate in extremely hostile environments
Without a "secure" mechanism an adversary may be able to
  Undetectably tamper with the records
  Compromise privacy
Possible scenarios:
  Poll workers may tamper with the device while in transit
  Malicious software embeds secret information in public output
  …

Main Security Goals
Tamper-evidence
  Prevent an adversary from undetectably tampering with the records
History-independence
  Memory representation does not reveal the insertion order
Subliminal-freeness
  Information cannot be secretly embedded into the data
[Figure labels: Integrity, Privacy]

This Work
Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N
Why consider a large universe?
  Write-in candidates
  Votes which are subsets or rankings
  Records may contain additional information (e.g., 160-bit hash values)
Supports Insert(x), Seal() and RetrieveAll()
  Insert(x): cast a ballot
  Seal(): "finalize" the elections
  RetrieveAll(): count votes

This Work
Our approach:
  Tamper-evidence by exploiting write-once memories
    o Write-once memory: initialized to all 0's, can only flip 0's to 1's
    o Due to Molnar, Kohno, Sastry & Wagner '06
    o Information-theoretic security
    o Everything is public!! No need for private storage
  Deterministic strategy in which each subset of elements determines a unique memory representation
    o Strongest form of history-independence
    o Unique representation - cannot secretly embed information

Our Results
Previous approaches were either:
  Inefficient (required O(K^2) space)
  Randomized (enabled subliminal channels)
  Required private storage
Main Result: Deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N

                    Space             Insertion time
  Explicit          K·polylog(N)      polylog(N)
  Non-Constructive  K·log(N/K)        log(N/K)

Our Results
Application to Distributed Computing: First explicit, deterministic and non-adaptive Conflict Resolution algorithm which is optimal up to poly-logarithmic factors
  Resolve conflicts in multiple-access channels
  One of the classical Distributed Computing problems
  Explicit, deterministic & non-adaptive -- open since '85 [Komlos & Greenberg]

Previous Work
Molnar, Kohno, Sastry & Wagner '06
  Initiated the formal study of secure vote storage
  Tamper-evidence by exploiting write-once memories
    o PROM: initialized to all 0's, can only flip 0's to 1's
    o Encoding(x) = (x, wt2(x))
    o Logarithmic overhead
    o Flipping any bit of x from 0 to 1 requires flipping a bit of wt2(x) from 1 to 0
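
An added example, not from the talk or from Molnar et al.: it exhaustively checks the tamper-evidence property stated above on a simulated write-once cell. The page does not define wt2(x); the code assumes it is the number of 0 bits in x written in binary, and X_BITS and all function names are constructed for the illustration.

```python
# Added illustration; not code from the talk or from Molnar et al.
# ASSUMPTION: wt2(x) = number of 0 bits in x, stored as a binary counter.
X_BITS = 6                        # width of the data field (constructed)
W_BITS = X_BITS.bit_length()      # enough bits to count 0..X_BITS zeros

def encode(x: int) -> int:
    """Pack (x, wt2(x)) into one cell value: data field high, check field low."""
    zeros = X_BITS - bin(x).count("1")
    return (x << W_BITS) | zeros

def is_valid(cell: int) -> bool:
    """A cell is well-formed iff its check field matches its data field."""
    x, w = cell >> W_BITS, cell & ((1 << W_BITS) - 1)
    return w == X_BITS - bin(x).count("1")

def write_once(old: int, new: int) -> int:
    """PROM write: bits only go 0 -> 1, so the stored result is old OR new."""
    return old | new

def undetected_tamperings(x: int) -> list:
    """Apply every possible 0 -> 1 overwrite to encode(x) and return the
    altered cells that would still pass validation."""
    cell = encode(x)
    hits = []
    for mask in range(1 << (X_BITS + W_BITS)):
        tampered = write_once(cell, mask)
        if tampered != cell and is_valid(tampered):
            hits.append(tampered)
    return hits

def naive_undetected(x: int) -> list:
    """Same overwrite attack on a bare x with no check field: every strict
    bit-superset of x is an accepted forgery."""
    return sorted({write_once(x, m) for m in range(1 << X_BITS)} - {x})
```

Setting more bits in x lowers the zero count, and a binary counter cannot be lowered without clearing one of its 1 bits, which the memory does not allow.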

Previous Work
Molnar, Kohno, Sastry & Wagner '06
  "Copy-over list": A deterministic & history-independent solution
A useful observation [Naor & Teague '01]: Store the elements in a lexicographically sorted list
Problem: Cannot sort in-place on write-once memories
On every insertion:
  Compute the sorted list including the new element
  Copy the sorted list to the next available memory position
  Erase the previous list
O(K^2) space!!
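
The copy-over list described above, as an added simulation that is not the authors' code: it shows that the final memory image depends only on the stored elements and that K insertions consume K(K+1)/2 cells. The cell layout (0 for unwritten, all-ones for erased) and all names are assumptions; per-element tamper-evident encoding is left out.

```python
# Added illustration; class and method names are assumptions, not the authors' code.
class WriteOnceMemory:
    """PROM model: every cell starts at 0 and bits may only change 0 -> 1."""
    def __init__(self, cells: int, width: int):
        self.width, self.cells = width, [0] * cells

    def write(self, i: int, value: int) -> None:
        if self.cells[i] & ~value:
            raise ValueError("write would flip a 1 back to 0")
        self.cells[i] = value

class CopyOverList:
    """Sorted list that is re-copied on every insertion (constructed layout:
    0 = never written, all-ones = erased, anything else = an element)."""
    def __init__(self, capacity: int, width: int = 8):
        self.erased = (1 << width) - 1
        self.mem = WriteOnceMemory(capacity * (capacity + 1) // 2, width)

    def _span(self) -> tuple:
        """Locate the current list: it starts after the erased prefix."""
        cells = self.mem.cells
        start = next((i for i, c in enumerate(cells) if c != self.erased), len(cells))
        end = next((i for i in range(start, len(cells)) if cells[i] == 0), len(cells))
        return start, end

    def retrieve_all(self) -> list:
        start, end = self._span()
        return self.mem.cells[start:end]

    def insert(self, x: int) -> None:
        if not 0 < x < self.erased:
            raise ValueError("element collides with the empty or erased pattern")
        start, end = self._span()
        new = sorted(self.mem.cells[start:end] + [x])
        if end + len(new) > len(self.mem.cells):
            raise MemoryError("pre-allocated region exhausted")
        for offset, value in enumerate(new):      # copy to the next free position
            self.mem.write(end + offset, value)
        for i in range(start, end):               # erase the previous list
            self.mem.write(i, self.erased)

def image_after(votes, capacity: int = 4) -> list:
    """Raw memory contents after inserting the votes in the given order."""
    store = CopyOverList(capacity)
    for v in votes:
        store.insert(v)
    return store.mem.cells
```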

Previous Work
Molnar, Kohno, Sastry & Wagner '06
  Several other solutions which are either randomized or require private storage
Bethencourt, Boneh & Waters '07
  A linear-space cryptographic solution
  "History-independent append-only" signature scheme
  Randomized & requires private storage

Our Mechanism
Global strategy
  Mapping elements to entries of a table
Local strategy
  Resolving collisions separately in each entry
Both strategies are deterministic, history-independent and write-once

The Local Strategy
Store elements mapped to each entry in a separate copy-over list
  ℓ elements require ℓ^2 pre-allocated memory
  Allows very small values of ℓ in the worst case!
Can a deterministic global strategy guarantee that?
  The worst case behavior of any fixed hash function is very poor
  There is always a relatively large set of elements which are mapped to the same entry….

The Global Strategy
Sequence of tables
Each table stores a fraction of the elements
Each element is inserted into several entries of the first table
When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted
Unique representation:
  Elements determine overflowing entries in the first table
  Elements mapped to non-overflowing entries are stored
  Continue with the next table and remaining elements
[Figure: universe of size N mapped to table entries, some marked OVERFLOW]
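
An added sketch of the insertion and overflow rule above, not the authors' code: it checks that every insertion order of the same set leaves the same tables behind. The toy arithmetic hash functions, the parameters and the identity-mapped last table are assumptions standing in for the hash functions the talk goes on to construct.

```python
# Added illustration, not the authors' code. ASSUMPTIONS: the toy arithmetic
# hash functions stand in for the real ones; ELL, SIZES and the identity-mapped
# last table (one private entry per universe element) are constructed.
ELL, SIZES = 2, [4, 4, 16]       # entry capacity; table sizes (universe N = 16)

def entries(x: int, t: int) -> set:
    """Entries of table t that element x is mapped to (at most two)."""
    m = SIZES[t]
    if t == len(SIZES) - 1:
        return {x % m}           # last table: never overflows for x < 16
    return {(x + t) % m, (x // m + t) % m}

class Store:
    def __init__(self):
        self.live = [dict() for _ in SIZES]   # per table: entry -> set of elements
        self.dead = [set() for _ in SIZES]    # per table: permanently deleted entries

    def insert(self, x: int, t: int = 0) -> None:
        targets = entries(x, t) - self.dead[t]
        if not targets:                       # all of x's entries overflowed earlier
            return self.insert(x, t + 1)
        for e in targets:
            self.live[t].setdefault(e, set()).add(x)
        for e in sorted(targets):
            bucket = self.live[t][e]
            if len(bucket) > ELL:             # overflow: the entry is deleted for good
                del self.live[t][e]
                self.dead[t].add(e)
                for y in sorted(bucket):      # elements stored nowhere else move on
                    if not any(y in b for b in self.live[t].values()):
                        self.insert(y, t + 1)

    def image(self) -> list:
        """Memory contents as (live entries, deleted entries) per table."""
        return [({e: sorted(b) for e, b in sorted(tbl.items())}, sorted(dead))
                for tbl, dead in zip(self.live, self.dead)]

def image_for(order) -> list:
    """Insert the elements in the given order and return the final image."""
    store = Store()
    for x in order:
        store.insert(x)
    return store.image()
```

For the set {1, ..., 6} two entries of the first table overflow and one entry of the second, so the run also exercises the cascading insertions the talk lists as an open problem.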

The Global Strategy
Subset of size K
  Table of size ~K: stores αK elements
  Table of size ~(1-α)K: stores α(1-α)K elements
  Table of size ~(1-α)^2 K
  …
Where do the hash functions come from?

The Global Strategy
Identify the hash function of each table with a bipartite graph
(K, α, ℓ)-Bounded-Neighbor Expander: Any set S of size K contains αK elements with a neighbor of degree ≤ ℓ w.r.t. S
[Figure: bipartite graph from the universe of size N to the table entries; set S, entries marked OVERFLOW and LOW DEGREE]

Bounded-Neighbor Expanders
(K, α, ℓ)-Bounded-Neighbor Expander: Any set S of size K contains αK elements with a neighbor of degree ≤ ℓ w.r.t. S
Universe of size N, table of size M
Given N and K, want to optimize M, ℓ, α and the left-degree D

       Optimal        Extractor              Disperser
  M    K·log(N/K)     K·2^((loglogN)^2)      K
  α    1/2            1/2                    1/polylog(N)
  ℓ    1              O(1)                   polylog(N)
  D    log(N/K)       2^((loglogN)^2)        polylog(N)

Open Problems
Non-amortized insertion time
  In our scheme insertions may have a cascading effect
  Construct a scheme that has bounded worst case insertion time
Improved bounded-neighbor expanders
The monotone encoding problem
  Our non-constructive solution: K·log(N)·log(N/K) bits
  Obvious lower bound: K·log(N/K) bits
  Find the minimal M such that subsets of size at most K taken from [N] can be mapped into subsets of [M] while preserving inclusions
  Alon & Hod '07: M = O(K·log(N/K))

Conflict Resolution
Problem: resolve conflicts that arise when several parties transmit simultaneously over a single channel
Goal: schedule retransmissions such that each of the conflicting parties eventually transmits individually
  A party which successfully transmits halts
Efficiency measure: number of steps it takes to resolve any K conflicts among N parties
An algorithm is non-adaptive if the choices of the parties in each step do not depend on previous steps

Conflict Resolution
Why require a deterministic algorithm?
Radio Frequency Identification (RFID)
  Many tags simultaneously read by a single reader
  Inventory systems, product tracking, ...
  Tags are highly constrained devices
  Can they generate randomness?

The Algorithm
Global strategy
  Mapping parties to time intervals
Local strategy
  Resolving collisions separately in each interval

The Local Strategy
Associate each party x ∈ [N] with a codeword C(x) taken from a superimposed code: Any codeword is not contained in the bit-wise or of any other ℓ-1 codewords
Party x transmits at step i if and only if C(x)_i = 1
Resolves conflicts among any ℓ parties taken from [N]
O(ℓ^2·log N) steps using known explicit constructions
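
The schedule above, as an added example that is not the authors' code: each party transmits at step i exactly when bit i of its codeword is 1, and a lone transmission succeeds. The superimposed code used here is a Kautz-Singleton style construction from polynomials over GF(5), chosen as an assumption; the talk only refers to known explicit constructions.

```python
# Added illustration, not the authors' code. ASSUMPTION: a Kautz-Singleton
# style superimposed code over GF(Q); Q, K_DEG and all names are constructed.
from itertools import combinations

Q, K_DEG = 5, 2            # prime field size; polynomials of degree < K_DEG
N = Q ** K_DEG             # number of parties the code can address (25)
ELL = 5                    # conflicts resolved: needs Q > (ELL - 1) * (K_DEG - 1)

def codeword(x: int) -> list:
    """C(x): read x as the coefficients of a polynomial p over GF(Q) and set
    bit a*Q + p(a) for every point a; length Q*Q, weight Q."""
    coeffs = [(x // Q ** j) % Q for j in range(K_DEG)]
    word = [0] * (Q * Q)
    for a in range(Q):
        value = sum(c * a ** j for j, c in enumerate(coeffs)) % Q
        word[a * Q + value] = 1
    return word

def resolve(conflicting: set) -> list:
    """Run the fixed schedule; return (step, party) for every success."""
    waiting, done = set(conflicting), []
    words = {x: codeword(x) for x in conflicting}
    for step in range(Q * Q):
        senders = [x for x in sorted(waiting) if words[x][step]]
        if len(senders) == 1:          # a lone transmission succeeds; party halts
            waiting.discard(senders[0])
            done.append((step, senders[0]))
    return done

def all_resolved(ell: int = ELL) -> bool:
    """Check every conflict set of size ell drawn from the N parties."""
    return all(len(resolve(set(s))) == ell for s in combinations(range(N), ell))
```

Two distinct polynomials of degree below K_DEG agree on at most K_DEG - 1 points, so ELL - 1 other parties can mask at most four of a party's five transmission slots.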

The Global Strategy
Sequence of phases identified with bounded-neighbor expanders
Each phase contains several time slots
The graphs define the active parties at each slot
Resolve collisions in each slot using the local strategy
O(K·polylog(N)) steps
[Figure: universe of size N mapped to time slots in Phase 1, Phase 2 and Phase 3; slots marked OVERFLOW or SUCCESS]