a brief history of l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
A Brief History Of PowerPoint Presentation
Download Presentation
A Brief History Of

Loading in 2 Seconds...

play fullscreen
1 / 76

A Brief History Of - PowerPoint PPT Presentation


  • 68 Views
  • Uploaded on

A Brief History Of . History Independent Data Structures. Credit: South China Morning Post. Oblivious Data Structures. [Mic97]. Daniele Micciancio Oblivious data structures: Applications to cryptography - STOC 1997. An attempt to solve the privacy problem in incremental cryptography.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'A Brief History Of' - kyria


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
a brief history of

A Brief History Of

History Independent Data Structures

mic97
[Mic97]

Daniele Micciancio

  • Oblivious data structures: Applications to cryptography

- STOC 1997

An attempt to solve the privacy problem in incremental cryptography

bgg95
[BGG95]

M. Bellare, O. Goldreich, S. Goldwasser

  • Incremental Cryptographyand Application to Virus Protection

- STOC 1995

why incremental

T

------------------

B9ECE18C950AFBFA6B0FDBFA4FF731D3

Th

------------------

EEEB9A8EB45DD351D9EC0EB4ACCE66CE

Thi

------------------

A4704FD35F0308287F2937BA3ECCF5FE

This is a survey on the area of history inde-pendent data struc-tures. I will show you how this area developed in the last decade [. . .]

------------------

B97799DE817E55BCC3ADE4370246EB0D

Why Incremental?

Most cryptographic primitives act on the document as a whole.

  • MD5 Signature

Re-compute from scratch is wasteful

  • Ideally, the running time should be O(f(|change|)).
the free food cam
The Free Food Cam

At 15 frame per second, 1 M pixel per frame, 3 byte per pixel

http://zimbs4.srv.cs.cmu.edu/coke/ffc.html(Google for the phrase “free food cam”)

tree signatures bgg95

C

A,B

D

A

B

C

D

E

Tree Signatures [BGG95]
  • Represent the document as a 2-3 Tree whose leaves contain constant-size block of characters
  • Non-incrementally sign each leaf and each internal node
  • Each change only takes O(logn) signature updates

S

S

S

S

S

S

S

S

privacy of tree signatures
Privacy of Tree Signatures

An Apparent Paradox

The very nature of digital signature )there can be no secret about the document and its signature…

  • How can privacy be an issue of when your original intent is to publish the document and its signature?
metadata

Is Microsoft Word really so evil?

Metadata
  • Oct 2000: The Wall Street Journal reports that a candidate running for the U.S. Senate began receiving anonymous emails containing messages written in MS Word criticizing and attacking the candidate. A savvy aide looked at the document properties and discovered they were authored by the chief-of-staff of the opposing party.
  • Feb 2003: A dossier on Iraq’s security and intelligence organizations, cited by Colin Powell and published by 10 Downing Street, is discovered to have been plagiarized from a U.S. researcher on Iraq. Since the dossier was published on their website in MS Word format, researchers also discovered the four people in the British government who edited the document. They were subsequently called to Parliament for a hearing.
  • Mar 2004: SCO Group, seller of UNIX and Linux, sent out a warning letter to 1,500 of the world’s largest companies threatening legal liability for using Linux if they failed to obtain a license from the Utah-based company. After filing suit against Daimler-Chrysler, metadata in a MS Word document revealed that the SCO’s attorneys had originally identified Bank of America as the defendant.

From http://www.abanet.org/tech/ltrc/publications/metadata.html

“a fine document”

metadata in tree signatures

C

A,B

D

A

B

C

D

E

Metadata in Tree Signatures
  • Represent the document as a 2-3 Tree whose leaves contain constant-size block of characters
  • Non-incrementally sign each leaf and each internal node
  • Where is the metadata?

S

S

S

S

S

S

S

S

How can a 2-3 tree leak information?

the wedding guest list

C

A,B

D

A

B

C

D

E

The Wedding Guest List

As you may know, some of us are getting married soon!

  • As hard-core computer scientists, of course you will maintain the guest list in sorted order
    • (using an object-oriented multimedia relational XML database)

Congrads!

back to the guest list

C

A,B

D

A

B

C

D

E

Back To The Guest List

And as the guest list gets compiled, there will always be someone who gets added to the list LAST…

  • “You added me after you have added {Foo}?”
between b and d is c ontention

B

C

A

C

A

D

A

B

C

E

A

C

D

E

B

C

A

C,D

A,B

D

A

B

C

D

E

A

B

C

D

E

Between B and D is C…ontention

Initial

Insert(“D”)

Initial

Insert(“B”)

slide18
[NT01]

Moni Naor, Vanessa Teague

  • Anti-persistence:History Independent Data Structures

- STOC 2001

mic9719
[Mic97]

Daniele Micciancio

  • Oblivious data structures: Applications to cryptography

- STOC 1997

An attempt to solve the privacy problem in incremental cryptography

oblivious data structures20
Oblivious Data Structures

Informal definition

  • A data structure is said to be oblivious if it does not give out any knowledge about the sequence of update operations that have been applied to it other than the final result of the operations.
formal definition mic97
Formal Definition [Mic97]

Let M be a set of operations,and S be a set of algorithms implementing them.

We say S is oblivious if:

  • for any two sequences of operations p1, p2, …, pnand q1, q2, …, qm that lead to the same set of values,the execution of these sequences have identical output probability distributions.
oblivious 2 3 tree
Oblivious 2-3 Tree

Issue: How do 2-3 trees “leak”?

  • Degrees of nodes give out too much information

Solution: Randomize the degrees!

  • Degrees should split uniformly between 2 and 3
results in mic97
Results in [Mic97]

Oblivious 2-3 Trees

  • Insertion and Deletion in expected O(logn) time whp
  • Search in worst-case O(logn) time

Incremental Signature Scheme

  • Security: Tamper Proof, as defined in [BGG95]
  • Privacy: Private (hmm… we will see :P)
  • Expected O(logn) signature updates per change whp
are we done yet

C

A,B

D

A

B

C

D

E

Are We Done Yet?

In an oblivious 2-3 tree, the degreesindeed don’t tell you anything aboutthe update sequence.

  • What else can leak information?
interface matters

C

A,B

D

A

B

C

D

E

Interface Matters

Dictionary ADT

  • Insert(key)
  • Delete(key)
  • Search(key)

Does this allow you to ask“is k1 is inserted some time before k2?”

Principle

When privacy is concerned, if some piece of information cannot be retrieved via the legitimate interface of a system, then it should not be retrievable even with full access to the system.

full access
Full Access

00000200: 006e 1ef0 6335 0000 563d 0673 77a2 f4fc .n..c5..V=.sw...

00000210: c81b 44b0 c62c 7e3e ff89 504e 470d 0a1a ..D..,~>..PNG...

00000220: 0a00 0000 0d49 4844 5200 0000 9600 0000 .....IHDR.......

00000230: 3908 0600 0001 a34c e24f 0000 0009 7048 9......L.O....pH

00000240: 5973 0000 0b13 0000 0b13 0100 9a9c 1800 Ys..............

00000250: 0000 0467 414d 4100 00b1 9e61 4c41 f700 ...gAMA....aLA..

00000260: 0000 2063 4852 4d00 007a 3000 0080 9800 .. cHRM..z0.....

00000270: 00f4 2400 0084 cb00 006d 5f00 00e8 6c00 ..#......m_...l.

00000280: 003c 8b00 001b 58ca 10f6 b800 0034 c849 .<....X......4.I

00000290: 4441 5478 da62 fc5f 3ff9 fff3 e72a 0ce2 DATx.b._?....*..

000002a0: 921e 0c07 9e3f 6778 2629 c970 1848 4bda .....?gx&).p.HK.

000002b0: 4b32 3c97 00d2 7640 faf5 3506 49c9 7f0c K2<...v@..5.I...

000002c0: cf9f 9f07 d23c 40fa 1190 5600 d2df 81b4 .....<@...V.....

000002d0: 1190 6664 90e4 5365 0008 2096 e7cf ff01 ..fd..Se.. .....

000002e0: 054c 18ae 020d f80b 3448 dfff 3783 1e8f .L......4H..7...

000002f0: 24c3 379e df0c 5fc4 2419 76ff bacf 2021 #.7..._.#.v... !

00000300: f10a a8e1 1850 1d0b 90be cb20 0d54 f7f4 .....P..... .T..

00000310: f90d 205f 15c8 7f0a a4ed 80f4 0d06 8000 .. _............

00000320: 6292 9434 04db c006 5470 1e68 201b 372b b..4....Tp.h .7+

00000330: 83b3 ab3e c32f 0156 8648 231d 060e 8ec7 ...>./.V.H#.....

slide29
[NT01]

Moni Naor, Vanessa Teague

  • Anti-persistence:History Independent Data Structures

- STOC 2001

memory representation

C

A,B

D

A

B

C

D

E

Memory Representation

Most memory allocators have a tendency to

  • allocate newer objects at higher addresses

Shape

Memory

A

B

A,B

D

C

D

E

C

history independence nt01
History Independence [NT01]

Definition

A data structure implementation is history independent if any two sequences S1 and S2 that yield the same content induce the same distribution on the memory representation.

  • Similar to Micciancio’s definition, except this is specified on memory representation
strong history independence nt01
Strong History Independence [NT01]

Definition

Let P1= {i11, i12, … , i1l} and P2= {i21, i22, … , i2l}be two lists of points such that for all b2{1, 2} and 1·j·l, we have that 1·ibj· |Sb| and the content of data structure following S1 up to i1j and S2 up to i2j are identical.

A data structure implementation is strongly history independent if for any S1,P1,S2,P2 the distributions of the memory representations at the points i1j and i2j are identical.

strong history independence nt0134

P1

S1

D1

P2

S2

D2

Strong History Independence [NT01]

i14

i11

i12

i13

i15

i21

i22

i23

i24

i25

weak history independence nt01
Weak History Independence [NT01]

Definition

A data structure implementation is history independent if any two sequences S1 and S2 that yield the same content induce the same distribution on the memory representation.

  • Similar to definition [Mic97], except this is specified on memory representation

Weakly

checkpoint
Checkpoint
  • How HIDS got started
  • Why obliviousness is inadequate
  • What WHI and SHI are

The rest of this talk:

- WHI is bearable

- SHI is hard

results in nt01
Results in [NT01]

Besides the definitions,

  • WHI object allocators
    • Applied to Dynamic perfect hashing
  • SHI hash table
    • Currently does not support deletion
  • WHI Union-Find (sketch)
incremental card shuffling
Insert(new card x)

Put the x at the end

Swap x with another card, chosen u.a.r.

Delete(card at position j)

Swap card with the last card

Discard the (new) last card

Incremental Card Shuffling

LemmaThe permutation of cards remains random with these procedures.

fixed size object allocator
Fixed Size Object Allocator

Turn any bounded-indegree, fixed-size record oblivious data structure into WHI

  • Record allocation takes O(1) time
  • Need to be careful when moving blocks

Examples

  • Treaps
  • Oblivious 2-3 Trees
variable size object allocator
Variable Size Object Allocator

Create buckets for objects of geometrically increasing size

B1, B2, B4, B8... (exercise :P)

  • Record allocation takes O(slogs) time
  • From here, adapt the dynamic perfect hashing into WHI
going back to card shuffling
Insert(new card x)

Put the x at the end

Swap x with another card, chosen u.a.r.

Going Back To Card Shuffling

Don’t store the randomness and we get WHI

But that alsorules out SHI

example
Example

D1

D2

3, 1, 2

3, 1, 2

Ins(5)

Ins(4)

3, 5, 2, 1

3, 4, 2, 1

Ins(5)

3, 4, 5, 1, 2

Del(4)

3, 2, 5, 1

ordered hashing
Ordered Hashing

In open addressing, how do you break tie in a collision?

  • Resolve by alphabetical order

O. Amble, D. Knuth

  • Ordered hash tables

- The Computer Journal 17(2), 1974

shi hash table
SHI Hash Table

Looks like Ordered Hashing on Steroid

Define a priority function p(i, x, y) : {0, …, N-1} £U£U {True, False}

Round #

Contestants

Theorem

If p(i, x, y) defines a total order, then the hash table is SHI.

shi hash table45
SHI Hash Table

Youth-rules

true if age(i,x) < age(i,y)

p(i, x, y) = true if age(i,x)=age(i,y) and x< y

false otherwise

Theorems

For any sequence of insertions the expected amortized insertion probe-time for an element is 1/(1-).

For any element, the expected probe-time for successful or unsuccessful search is 1/(1-)

observation in nt01
Observation in [NT01]

“It is interesting to note that all the SHI data structures we have found have the property that each data structure content has a unique representation.”

  • SHI ) Unique Representation?
slide48
[H.02]

J. Hartline, E. S. Hong, A. E. Mohr, W. R. Pentney, E. C. Rocke

  • Characterizing History Independent Data Structures

- ISSAC 2002

results in h 02
Results in [H.02]

A (somewhat) simpler definition of WHI and SHI

  • Show SHI ) Unique Representation

Relax SHI to a new definition: SHI*

  • The adversary can distinguish between empty and non-empty sequences of operations

Show how to resize WHI data structures

hysteresis
Hysteresis

Your wedding is running out of budget?

Capacity

2n

n

0

#Items

0.75n

n

slide51
[BP03]

Niv Buchbinder, Erez Petrank

  • Lower and Upper Bounds on Obtaining History Independence

- Crypto 2003

results in bp03
Results In [BP03]

SHI ) Unique Representation

  • Predated by [H.02]

SHI Heap Lowerbound (in the comparison-based model)

  • Insert, Extract, Increase-Key: (n)

WHI Heap Upperbound

  • Build-Heap: O(n); Increase-Key: O(log n)
  • Insert and Extract-Max: expected O(log n)
heap review

10

9

7

8

5

4

1

3

6

2

Heap Review

Binary Heap

www heapornot com

10

2

10

9

7

7

8

8

9

5

4

4

1

1

3

3

6

6

5

2

www.HeapOrNot.com

Heapify

Heapify-1

heap permutation
Heap  Permutation

Build-Heap-1 (H)

  • If size of H is 1, Return H
  • Choose a node i u.a.r. among all nodes in H
  • HÃ heapify-1(H, i)
  • Return MakeNode(root(H), Build-Heap-1(HL), Build-Heap-1(HR))
whi heap
WHI Heap

1: Pick u.a.r. a heap among all possible heaps with values v1, …, vn.

2: Pick u.a.r. a permutation on the values v1, …, vn. Place them in an (almost) full tree and call Build-Heap.

Theorem1and 2 are actually the same distribution.

simulation

Build-Heap-1

10

Build-Heap-1

9

7

8

5

4

1

Insert

11

3

6

2

9

10

Build-Heap

7

6

4

8

1

5

2

3

Simulation

10,9,7,8,5,4,1,3,6,2

8,2,4,5,3,9,10,1,7,6

8,2,4,5,3,11,10,1,7,6,9

slide58
[A.04]

U. A. Acar, G. E. Blelloch, R. Harper, J. L. Vittes, S. L. M. Woo

  • Dynamizing Static Algorithms with Applications to Dynamic Trees and History Independence

- SODA 2004

Also [ABH02], [ABH03]

dynamiziation

10

9

7

8

5

4

1

11

3

6

2

9

10

7

6

4

8

1

5

2

3

Dynamiziation

Build-Heap

10,9,7,8,5,4,1,3,6,2

Permute

8,2,4,5,3,9,10,1,7,6

Insert

Build-Heap

8,2,4,5,3,11,10,1,7,6,9

sny77
[Sny77]

Lawrence Snyder

  • On Uniquely Represented Data Structures

- FOCS 1977

motivating questions
Motivating Questions
  • unique representation ) linear cost?
  • logarithmic cost ) redundant representation?

jellyfish

8

body

4

12

1

5

9

13

tentacles

2

6

10

14

3

7

11

15

Jellyfish

Update and Search take O(n1/2) time

snyder s lowerbound
Snyder’s Lowerbound

Theorem

If a search tree uniquely represents its data, then

“The argumentation of this lemma is quite involved and will not be presented here.”

slide65
[AO91]

Arne Andersson, Thomas Ottmann

  • New Tight Bounds on Uniquely Represented Dictionaries

- FOCS 1991

slide69
[ST90]

Rajamani Sundar, Robert E. Tarjan

  • Unique Binary Search Tree Representations and Equality-testing of Sets and Sequences

- STOC 1990

open problems
Open Problems
  • SHI Hash table with deletion (Working on it)
  • SHI* seems to be a very reasonable definition
    • See what can be done in this model
g o ooooooooooooooo g l e is hiring
Goooooooooooooooogleis Hiring

Amitabh Sinha

Operations and Mgmt. Science, U.Mich. B. Sch.

Ke Yang

Google

Nikhil Bansal

IBM Research

2004-5-15

slide74

They are hiring!

  • Talk to Ke Yang if you are interested…

yangke@google.com

(917) 881-2797

He’ll be around until 2004-Oct-1.

Ask him for a GMail account.