130 Views

Download Presentation
##### Weizmann Institute of Science Israel

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Deterministic History-IndependentStrategies for Storing**Informationon Write-Once Memories Moni Naor Tal Moran Gil Segev Weizmann Institute of ScienceIsrael**Securing Vote Storage Mechanisms**Moni Naor Tal Moran Gil Segev Weizmann Institute of ScienceIsrael**Election Day**Carol Alice Alice Bob • Elections for class president • Each student whispers in Mr. Drew’s ear • Mr. Drew writes down the votes Carol • Problem:Mr. Drew’s notebook leaks sensitive information • First student voted for Carol • Second student voted for Alice • … Alice Alice Bob**Election Day**• What about more involved election systems? • Write-in candidates • Votes which are subsets or rankings • …. Carol Alice Alice Bob Alice 1 1 • A simple solution: • Lexicographically sortedlistof candidates • Unary counters Bob 1 Carol 1**Secure Vote Storage**• Mechanisms that operate in extremely hostile environments • Without a “secure” mechanism an adversary may be able to • Undetectably tamper with the records • Compromise privacy • Possible scenarios: • Poll workers may tamper with the device while in transit • Malicious software embeds secret information in public output • …**Main Security Goals**• Tamper-evidencePrevent an adversary from undetectably tampering with the records Integrity • History-independenceMemory representation does not reveal theinsertion order Privacy • Subliminal-freenessInformation cannot be secretly embedded into the data**This Work**Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N • Supports Insert(x), Seal()and RetreiveAll() Cast a ballot “Finalize” the elections Count votes • Why consider a large universe? • Write-in candidates • Votes which are subsets or rankings • Records may contain additional information (e.g., 160-bit hash values)**This Work**Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N Our approach: • Tamper-evidence by exploiting write-once memories • Due to Molnar, Kohno, Sastry & Wagner ’06 • Information-theoretic security • Everything is public!! No need for private storage Initialized to all 0’sCan only flip 0’s to 1’s • Deterministic strategy in which each subset of elements determines a unique memory representation • Strongest form of history-independence • Unique representation - cannot secretly embed information**Our Results**Deterministic, history-independent and write-oncestrategy for storing an increasingly growing set of Kelements taken from a large universe of size N Main Result • Previous approaches were either: • Inefficient (required O(K2) space) • Randomized (enabled subliminal channels) • Required private storage Explicit Non-Constructive Space Kpolylog(N) Klog(N/K) Insertion time polylog(N) log(N/K)**Our Results**Deterministic, history-independent and write-oncestrategy for storing an increasingly growing set of Kelements taken from a large universe of size N Main Result Application to Distributed Computing First explicit, deterministic and non-adaptiveConflict Resolution algorithm which is optimalup to poly-logarithmic factors • Resolve conflicts in multiple-access channels • One of the classical Distributed Computing problems • Explicit, deterministic & non-adaptive -- open since ‘85 [Komlos & Greenberg]**Previous Work**• Molnar, Kohno, Sastry & Wagner ‘06 • Initiated the formal study of secure vote storage • Tamper-evidence by exploiting write-once memories PROM Encoding(x) = (x, wt2(x)) Initialized to all 0’sCan only flip 0’s to 1’s Flipping any bit of x from 0 to 1requires flipping a bit of wt2(x) from 1 to 0 Logarithmic overhead**Previous Work**• Molnar, Kohno, Sastry & Wagner ‘06 • Initiated the formal study of secure vote storage • Tamper-evidence by exploiting write-once memories • “Copy-over list”: A deterministic & history-independent solution A useful observation [Naor & Teague ‘01]: Store the elements in a lexicographically sorted list Problem: Cannot sort in-place on write-once memories • On every insertion: • Compute the sorted list including the new element • Copy the sorted list to the next available memory position • Erase the previous list O(K2) space!!**Previous Work**• Molnar, Kohno, Sastry & Wagner ‘06 • Initiated the formal study of secure vote storage • Tamper-evidence by exploiting write-once memories • “Copy-over list”: A deterministic & history-independent solution • Several other solutions which are either randomized or require private storage • Bethencourt, Boneh & Waters ‘07 • A linear-space cryptographic solution • “History-independent append-only” signature scheme • Randomized & requires private storage**Our Mechanism**• Global strategy • Mapping elements to entries of a table • Local strategy • Resolving collisions separately in each entry • Both strategies are deterministic, history-independent and write-once**The Local Strategy**• Store elements mapped to each entry in a separate copy-over list • ℓ elements require ℓ2 pre-allocated memory • Allows very small values of ℓ in the worst case! Can a deterministic global strategy guarantee that? • The worst case behavior of any fixed hash function is very poor • There is always a relatively large set of elements which are mapped to the same entry….**The Global Strategy**• Sequence of tables • Each table stores a fraction of the elements • Each element is inserted into several entries of the first table • When an entry overflows: • Elements that are not stored elsewhere are inserted into the next table • The entry is permanently deleted**The Global Strategy**• Each element is inserted into several entries of the first table • When an entry overflows: • Elements that are not stored elsewhere are inserted into the next table • The entry is permanently deleted OVERFLOW OVERFLOW Universe of size N**The Global Strategy**• Each element is inserted into several entries of the first table • When an entry overflows: • Elements that are not stored elsewhere are inserted into the next table • The entry is permanently deleted OVERFLOW Universe of size N**The Global Strategy**• Each element is inserted into several entries of the first table • When an entry overflows: • Elements that are not stored elsewhere are inserted into the next table • The entry is permanently deleted • Unique representation: • Elements determine overflowing entries in the first table • Elements mapped to non-overflowing entries are stored • Continue with the next table and remaining elements Universe of size N**The Global Strategy**• Each element is inserted into several entries of the first table • When an entry overflows: • Elements that are not stored elsewhere are inserted into the next table • The entry is permanently deleted Table of size ~K Stores ®K elements Subset of size K Universe of size N Table of size ~(1-®)K Stores ®(1 - ®)Kelements Where do the hash functions come from? Table of size ~(1-®)2K**The Global Strategy**• Identify the hash function of each table with a bipartite graph (K, ®, ℓ)-Bounded-Neighbor Expander:Any set S of size K contains ®K element with a neighbor of degree ·ℓ w.r.t S S OVERFLOW Universe of size N OVERFLOW LOW DEGREE**Bounded-Neighbor Expanders**(K, ®, ℓ)-Bounded-Neighbor Expander:Any set S of size K contains ®K element with a neighbor of degree ·ℓ w.r.t S • Given N and K, want to optimize M, ℓ, ® and the left-degree D Optimal Extractor Disperser K M K¢log(N/K) K¢2(loglogN)2 ℓ 1 O(1) polylog(N) Table of size M 1/polylog(N) ® 1/2 1/2 Universe of size N polylog(N) D log(N/K) 2(loglogN)2**Open Problems**• Non-amortized insertion time • In our scheme insertions may have a cascading effect • Construct a scheme that has bounded worst case insertion time • Improved bounded-neighbor expanders • The monotone encoding problem • Our non-constructive solution: K log(N) log(N/K) bits • Obvious lower bound: Klog(N/K) bits • Find the minimal M such that subsets of size at most K taken from [N] can be mapped into subsets of [M] while preserving inclusions • Alon & Hod ‘07: M = O(Klog(N/K))**Conflict Resolution**• Problem: resolve conflicts that arise when several parties transmit simultaneously over a single channel • Goal: schedules retransmissions such that each of the conflicting parties eventually transmits individually • A party which successfully transmits halts • Efficiency measure: number of steps it takes to resolve any K conflicts among N parties • An algorithm is non-adaptive if the choices of the parties in each step do not depend on previous steps**Conflict Resolution**• Why require a deterministic algorithm? • Radio Frequency Identification (RFID) • Many tags simultaneously read by a single reader • Inventory systems, product tracking,... • Tags are highly constraint devices • Can they generate randomness?**The Algorithm**• Global strategy • Mapping parties to time intervals • Local strategy • Resolving collisions separately in each interval 26**The Local Strategy**• Associate each party x2[N] with a codeword C(x) taken from a superimposed code:Any codeword is not contained in the bit-wise or of any other ℓ-1 codewords • Party xtransmits at step i if and only if C(x)i = 1 • Resolves conflicts among any ℓ parties taken from [N] • O(ℓ2¢logN) steps using known explicit constructions 27**The Global Strategy**• Sequence of phases identified with bounded-neighbor expanders • Each phase contains several time slots • The graphs define the active parties at each slot • Resolve collisions in each slot using the local strategy Phase 1 Universe of size N Phase 2 28 Phase 3**The Global Strategy**• Sequence of phases identified with bounded-neighbor expanders • Each phase contains several time slots • The graphs define the active parties at each slot • Resolve collisions in each slot using the local strategy OVERFLOW OVERFLOW Universe of size N SUCCESS SUCCESS SUCCESS O(K¢polylog(N)) steps 29