lower and upper bounds on obtaining history independence niv buchbinder and erez petrank technion,...
Post on 20-Dec-2015
216 views
TRANSCRIPT
![Page 1: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/1.jpg)
Lower and Upper Bounds on Obtaining History
Independence
Niv Buchbinder and Erez Petrank
Technion, Israel
![Page 2: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/2.jpg)
What is History Independent Data-Structure ?
• Sometimes data structures keep unnecessary information.– not accessible via the legitimate interface of
the data structure (the content) ,– can be restored from the data-structure
memory layout. • A privacy issue if an adversary gains
control over the data-structure layout.
The core problem: history of operations applied on the data-structure may be revealed.
![Page 3: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/3.jpg)
Weak History Independence
[Micciancio]: A Data structure implementation is (weakly) History Independent if:
Any two sequences of operations S1 and S2 that yield the same content induce the same distribution on memory layout.
Security: Nothing gained from layout beyond the content.
![Page 4: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/4.jpg)
Weak History Independence Problems
No Information leaks if adversary gets layout once (e.g., the laptop was stolen).
But what if adversary may get layout several times ?
• Information on content modifications leaks.
• We want: no more information leakage.
![Page 5: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/5.jpg)
Strong History Independence
Pair of sequences S1, S2
two lists of stop points in S1, S2
If content is the same in each pair of corresponding stop points Then: Joint distribution of memory layouts at stop points is identical in the two sequences.
[Naor-Teague]: A Data structure implementation is (Strongly) History Independent if:
Security: We cannot distinguish betweenany such two sequences.
![Page 6: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/6.jpg)
A Short History of History Independence
• [Micciancio97] Weak history independent 2-3 tree (motivated by the problem of private incremental cryptography [BGG95]).
• [Naor-Teague01] History-independent hash-table, union-find. Weak history-independent memory allocation.
• All above results are efficient. • [Hartline et al. 02]
– Strong history independence means canonical layout.
– Relaxation of strong history independence.– History independent memory resize.
![Page 7: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/7.jpg)
Our Results
1. Separations between strong & weak (lower bounds):Strong requires a much higher efficiency penalty in the comparison based model.
For example, the queue data structure:weak history independence requires O(1)strong history independence requires Ω(n)
2. Implementations (upper bounds):The heap has a weakly history independent implementation with no time complexity penalty.
![Page 8: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/8.jpg)
Bounds Summary
Operation Weak History Independence
Strong History Independence
heap: insert O(log n) Ω(n)
heap: increase-key O(log n) Ω(n)
heap: extract-max O(log n) No lower bound
heap: build-heap O(n) Ω(n log n)
queue: max{ insert-first, remove-last}
O(1) Ω(n)
![Page 9: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/9.jpg)
Why is Comparison Based implementation important?
• It is “natural”: – Standard implementations for most data
structure operations are like that.– Therefore, we should know not to design
this way when seeking strong history independence
• Library functions are easy to use: – Only implement the comparison
operation on data structure elements.
![Page 10: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/10.jpg)
Strong History Independence =
Canonical Representation
Well behaved: the content graph is strongly connected. (Most data structures are like that)
Lemma [Hartline et al. 02]: Any strongly history independent implementation of “well-behaved” data-structure is canonical.
Any possible content has one possible layout.
![Page 11: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/11.jpg)
Lower Bounds
Main Lemma: D: Data-structure whose content is the set of
keys stored inside it. I: Implementation of D that is :
comparison-based and canonical.
The following operations require time Ω(n).• Insert(D, x)• Extract(D, x)• Increase-key(D, v1, v2)
![Page 12: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/12.jpg)
More Lower Bounds
By similar methods we can show:• For a Heap:
Build-Heap Operation requires time Ω(n log n).• For a queue: either Insert-first or Remove-Last
requires time Ω(n).
The main lemma applies for a comparison based strong history independent:
• Heaps• Dictionaries • Search trees• And others…
![Page 13: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/13.jpg)
The Binary Heap
Binary heap - a simple implementation of a priority queue.
• The keys are stored in an almost full binary tree.
• Heap property - For each node i: Val(parent(i)) Val(i)
• Assume that all values in theheap are unique.
10
7 9
36 4 8
1 5 2
![Page 14: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/14.jpg)
The Binary Heap: Heapify
Heapify - used to preserve the heap property. • Input: a root and two proper sub-heaps of
height h-1. • Output: a proper heap of height h.
The node always chooses to sift down to the direction of the larger value.
2
10 9
36 7 8
1 5 4
![Page 15: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/15.jpg)
Heapify Operation
2
10 9
36 7 8
1 5 4
10
7 9
36 4 8
1 5 2
![Page 16: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/16.jpg)
Reversing Heapify
heapify-1: “reversing” heapify:
Heapify-1(H: Heap, i: position)• Root val(i)• All the path from the root to
node i are shifted down.
10
7 9
36 4 8
1 5 2
The parameter i is a position in the heap H
![Page 17: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/17.jpg)
Heapify-1 Operation
10
7 9
36 4 8
1 5 2
2
10 9
36 7 8
1 5 4
Heapify(Heapify-1(H, i)) = H
Property: If all the keys in the heap are unique then for any i:
![Page 18: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/18.jpg)
Reversing Build-heap
Building a heap - applying heapify on any sub-tree in the heap in a bottom up manner.
We define a randomized procedure Build-Heap-1:• Uses Heapify-1 procedure• The procedure Works in a Top-Bottom manner. • Returns a permutation (tree).
For any random choice:
Build-heap(Build-heap-1(H)) = H
![Page 19: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/19.jpg)
Uniformly Chosen Heaps
• Build-heap is a Many-To-One procedure.• Build-heap-1 is a One-To-Many procedure
depending on the random choices.
Support(H) : The set of permutations (trees) such that build-heap(T) = H
Facts (without proof):1.For each heap H the size of Support(H) is
the same.2.Build-heap-1 returns one of these permutations
uniformly.
![Page 20: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/20.jpg)
How to Obtain a Weak History Independent
Heap
Main idea: keeping a uniformly random heap at all time.
We want:1.Build-heap: Return one of the possible
heaps uniformly.
2.Other operations: preserve this property.
![Page 21: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/21.jpg)
Heap Implementation
Build-Heap and Increase-key are easy to handle.
• A simple extension of standard operation. • Efficiency maintained.
Extract-Max, Insert:The standard extract-max and Insert operations are NOT weakly history independent.
![Page 22: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/22.jpg)
Naive Implementation: Extract-max
Extract-max(H)1. T = build-heap-1(H)2. Remove the last node v in the tree (T’).3. H’ = build-heap(T’)4. If we already removed the maximal value
return H’ Otherwise:5. Replace the root with v and let v sift down
to its correct position.
build-heap-1 and build-heap works in O(n)
… but this implementation is history independent.
![Page 23: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/23.jpg)
Improving Complexity: Extract-max
First 3 steps of Extract-max(H)1.T = build-heap-1(H)2.Remove the last node v in the tree.3.H’ = build-heap(T’)
Main problem - steps 1 to 3 that takes O(n).
Simple observation reduces the complexity of these steps to O(log2(n)) instead of O(n)
![Page 24: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/24.jpg)
Reducing the Complexity to O(log2(n))
Observation: Most of the operations of build-heap-1 are redundant. They are always canceled by the operation of build-heap. Only the operations applied on nodes lying on the path from the root to the last leaf are needed. 10
7 9
36 4 8
1 5 2
Complexity analysis: • Each heapify-1 and heapify
operation takes at most O(log n).
• There are O(log n) such operations.
![Page 25: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/25.jpg)
Reducing the Complexity:O(log(n)) Expected Time
This is the most complex part
Main ideas:• We can show that there are actually O(1)
operations of heapify-1 and heapify that make a difference (in average over the random choices made by the algorithm in each step).
• We can detect these operations and apply only them.
![Page 26: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/26.jpg)
Conclusions1.Demanding strong history independence
usually requires a high efficiency penalty in the comparison based model.
2.Weak history independent heap in the
comparison-based model without penalty,
Complexity:• build-heap - O(n) worst case. • increase-key - O(log n) worst case.• extract-max, insert- O(log n) expected
time, O(log2n) worst case.
![Page 27: Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel](https://reader036.vdocument.in/reader036/viewer/2022081514/56649d4c5503460f94a29938/html5/thumbnails/27.jpg)
Open Questions
1.Is weak and strong History independence different in terms of efficiency also in the general (not comparison-based) model ?
2.History independent implementation of more data structures.
Thank you