slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Weizmann Institute of Science Israel PowerPoint Presentation
Download Presentation
Weizmann Institute of Science Israel

Loading in 2 Seconds...

  share
play fullscreen
1 / 29
rollo

Weizmann Institute of Science Israel - PowerPoint PPT Presentation

130 Views
Download Presentation
Weizmann Institute of Science Israel
An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Deterministic History-IndependentStrategies for Storing Informationon Write-Once Memories Moni Naor Tal Moran Gil Segev Weizmann Institute of ScienceIsrael

  2. Securing Vote Storage Mechanisms Moni Naor Tal Moran Gil Segev Weizmann Institute of ScienceIsrael

  3. Election Day Carol Alice Alice Bob • Elections for class president • Each student whispers in Mr. Drew’s ear • Mr. Drew writes down the votes Carol • Problem:Mr. Drew’s notebook leaks sensitive information • First student voted for Carol • Second student voted for Alice • … Alice Alice Bob

  4. Election Day • What about more involved election systems? • Write-in candidates • Votes which are subsets or rankings • …. Carol Alice Alice Bob Alice 1 1 • A simple solution: • Lexicographically sortedlistof candidates • Unary counters Bob 1 Carol 1

  5. Secure Vote Storage • Mechanisms that operate in extremely hostile environments • Without a “secure” mechanism an adversary may be able to • Undetectably tamper with the records • Compromise privacy • Possible scenarios: • Poll workers may tamper with the device while in transit • Malicious software embeds secret information in public output • …

  6. Main Security Goals • Tamper-evidencePrevent an adversary from undetectably tampering with the records Integrity • History-independenceMemory representation does not reveal theinsertion order Privacy • Subliminal-freenessInformation cannot be secretly embedded into the data

  7. This Work Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N • Supports Insert(x), Seal()and RetreiveAll() Cast a ballot “Finalize” the elections Count votes • Why consider a large universe? • Write-in candidates • Votes which are subsets or rankings • Records may contain additional information (e.g., 160-bit hash values)

  8. This Work Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N Our approach: • Tamper-evidence by exploiting write-once memories • Due to Molnar, Kohno, Sastry & Wagner ’06 • Information-theoretic security • Everything is public!! No need for private storage Initialized to all 0’sCan only flip 0’s to 1’s • Deterministic strategy in which each subset of elements determines a unique memory representation • Strongest form of history-independence • Unique representation - cannot secretly embed information

  9. Our Results Deterministic, history-independent and write-oncestrategy for storing an increasingly growing set of Kelements taken from a large universe of size N Main Result • Previous approaches were either: • Inefficient (required O(K2) space) • Randomized (enabled subliminal channels) • Required private storage Explicit Non-Constructive Space Kpolylog(N) Klog(N/K) Insertion time polylog(N) log(N/K)

  10. Our Results Deterministic, history-independent and write-oncestrategy for storing an increasingly growing set of Kelements taken from a large universe of size N Main Result Application to Distributed Computing First explicit, deterministic and non-adaptiveConflict Resolution algorithm which is optimalup to poly-logarithmic factors • Resolve conflicts in multiple-access channels • One of the classical Distributed Computing problems • Explicit, deterministic & non-adaptive -- open since ‘85 [Komlos & Greenberg]

  11. Previous Work • Molnar, Kohno, Sastry & Wagner ‘06 • Initiated the formal study of secure vote storage • Tamper-evidence by exploiting write-once memories PROM Encoding(x) = (x, wt2(x)) Initialized to all 0’sCan only flip 0’s to 1’s Flipping any bit of x from 0 to 1requires flipping a bit of wt2(x) from 1 to 0 Logarithmic overhead

  12. Previous Work • Molnar, Kohno, Sastry & Wagner ‘06 • Initiated the formal study of secure vote storage • Tamper-evidence by exploiting write-once memories • “Copy-over list”: A deterministic & history-independent solution A useful observation [Naor & Teague ‘01]: Store the elements in a lexicographically sorted list Problem: Cannot sort in-place on write-once memories • On every insertion: • Compute the sorted list including the new element • Copy the sorted list to the next available memory position • Erase the previous list O(K2) space!!

  13. Previous Work • Molnar, Kohno, Sastry & Wagner ‘06 • Initiated the formal study of secure vote storage • Tamper-evidence by exploiting write-once memories • “Copy-over list”: A deterministic & history-independent solution • Several other solutions which are either randomized or require private storage • Bethencourt, Boneh & Waters ‘07 • A linear-space cryptographic solution • “History-independent append-only” signature scheme • Randomized & requires private storage

  14. Our Mechanism • Global strategy • Mapping elements to entries of a table • Local strategy • Resolving collisions separately in each entry • Both strategies are deterministic, history-independent and write-once

  15. The Local Strategy • Store elements mapped to each entry in a separate copy-over list • ℓ elements require ℓ2 pre-allocated memory • Allows very small values of ℓ in the worst case! Can a deterministic global strategy guarantee that? • The worst case behavior of any fixed hash function is very poor • There is always a relatively large set of elements which are mapped to the same entry….

  16. The Global Strategy • Sequence of tables • Each table stores a fraction of the elements • Each element is inserted into several entries of the first table • When an entry overflows: • Elements that are not stored elsewhere are inserted into the next table • The entry is permanently deleted

  17. The Global Strategy • Each element is inserted into several entries of the first table • When an entry overflows: • Elements that are not stored elsewhere are inserted into the next table • The entry is permanently deleted OVERFLOW OVERFLOW Universe of size N

  18. The Global Strategy • Each element is inserted into several entries of the first table • When an entry overflows: • Elements that are not stored elsewhere are inserted into the next table • The entry is permanently deleted OVERFLOW Universe of size N

  19. The Global Strategy • Each element is inserted into several entries of the first table • When an entry overflows: • Elements that are not stored elsewhere are inserted into the next table • The entry is permanently deleted • Unique representation: • Elements determine overflowing entries in the first table • Elements mapped to non-overflowing entries are stored • Continue with the next table and remaining elements Universe of size N

  20. The Global Strategy • Each element is inserted into several entries of the first table • When an entry overflows: • Elements that are not stored elsewhere are inserted into the next table • The entry is permanently deleted Table of size ~K Stores ®K elements Subset of size K Universe of size N Table of size ~(1-®)K Stores ®(1 - ®)Kelements Where do the hash functions come from? Table of size ~(1-®)2K

  21. The Global Strategy • Identify the hash function of each table with a bipartite graph (K, ®, ℓ)-Bounded-Neighbor Expander:Any set S of size K contains ®K element with a neighbor of degree ·ℓ w.r.t S S OVERFLOW Universe of size N OVERFLOW LOW DEGREE

  22. Bounded-Neighbor Expanders (K, ®, ℓ)-Bounded-Neighbor Expander:Any set S of size K contains ®K element with a neighbor of degree ·ℓ w.r.t S • Given N and K, want to optimize M, ℓ, ® and the left-degree D Optimal Extractor Disperser K M K¢log(N/K) K¢2(loglogN)2 ℓ 1 O(1) polylog(N) Table of size M 1/polylog(N) ® 1/2 1/2 Universe of size N polylog(N) D log(N/K) 2(loglogN)2

  23. Open Problems • Non-amortized insertion time • In our scheme insertions may have a cascading effect • Construct a scheme that has bounded worst case insertion time • Improved bounded-neighbor expanders • The monotone encoding problem • Our non-constructive solution: K log(N) log(N/K) bits • Obvious lower bound: Klog(N/K) bits • Find the minimal M such that subsets of size at most K taken from [N] can be mapped into subsets of [M] while preserving inclusions • Alon & Hod ‘07: M = O(Klog(N/K))

  24. Conflict Resolution • Problem: resolve conflicts that arise when several parties transmit simultaneously over a single channel • Goal: schedules retransmissions such that each of the conflicting parties eventually transmits individually • A party which successfully transmits halts • Efficiency measure: number of steps it takes to resolve any K conflicts among N parties • An algorithm is non-adaptive if the choices of the parties in each step do not depend on previous steps

  25. Conflict Resolution • Why require a deterministic algorithm? • Radio Frequency Identification (RFID) • Many tags simultaneously read by a single reader • Inventory systems, product tracking,... • Tags are highly constraint devices • Can they generate randomness?

  26. The Algorithm • Global strategy • Mapping parties to time intervals • Local strategy • Resolving collisions separately in each interval 26

  27. The Local Strategy • Associate each party x2[N] with a codeword C(x) taken from a superimposed code:Any codeword is not contained in the bit-wise or of any other ℓ-1 codewords • Party xtransmits at step i if and only if C(x)i = 1 • Resolves conflicts among any ℓ parties taken from [N] • O(ℓ2¢logN) steps using known explicit constructions 27

  28. The Global Strategy • Sequence of phases identified with bounded-neighbor expanders • Each phase contains several time slots • The graphs define the active parties at each slot • Resolve collisions in each slot using the local strategy Phase 1 Universe of size N Phase 2 28 Phase 3

  29. The Global Strategy • Sequence of phases identified with bounded-neighbor expanders • Each phase contains several time slots • The graphs define the active parties at each slot • Resolve collisions in each slot using the local strategy OVERFLOW OVERFLOW Universe of size N SUCCESS SUCCESS SUCCESS O(K¢polylog(N)) steps 29