Deterministic History-Independent Strategies for Storing Information on Write-Once Memories

Securing Vote Storage Mechanisms

Tal Moran, Moni Naor, Gil Segev
Weizmann Institute of Science, Israel

Election Day

- Elections for class president
  - Each student whispers in Mr. Drew's ear
  - Mr. Drew writes down the votes
- Problem: Mr. Drew's notebook leaks sensitive information
  - First student voted for Carol
  - Second student voted for Alice
  - ...

[Figure: Mr. Drew's notebook, with the votes for Alice, Bob and Carol written down in the order they were cast]

Election Day

- A simple solution:
  - Lexicographically sorted list of candidates
  - Unary counters
- What about more involved election systems?
  - Write-in candidates
  - Votes which are subsets or rankings
  - ...

[Figure: tally sheet listing Alice, Bob and Carol, each with a unary counter]

Secure Vote Storage

Mechanisms that operate in extremely hostile environments

- Without a "secure" mechanism an adversary may be able to
  - Undetectably tamper with the records
  - Compromise privacy
- Possible scenarios:
  - Poll workers may tamper with the device while in transit
  - Malicious software embeds secret information in public output
  - ...

Main Security Goals

Integrity
- Tamper-evidence: prevent an adversary from undetectably tampering with the records

Privacy
- History-independence: memory representation does not reveal the insertion order
- Subliminal-freeness: information cannot be secretly embedded into the data

This Work

Goal: a secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N

- Supports Insert(x), Seal() and RetrieveAll()
  - Insert(x): cast a ballot
  - Seal(): "finalize" the elections
  - RetrieveAll(): count votes
- Why consider a large universe?
  - Write-in candidates
  - Votes which are subsets or rankings
  - Records may contain additional information (e.g., 160-bit hash values)

This Work

Goal: a secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N

Our approach:
- Tamper-evidence by exploiting write-once memories
  - Due to Molnar, Kohno, Sastry & Wagner '06
  - Write-once memory: initialized to all 0's, can only flip 0's to 1's
  - Information-theoretic security
  - Everything is public!! No need for private storage
- Deterministic strategy in which each subset of elements determines a unique memory representation
  - Strongest form of history-independence
  - Unique representation: cannot secretly embed information

Our Results

Main result: a deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N

| | Space | Insertion time |
|---|---|---|
| Explicit | K·polylog(N) | polylog(N) |
| Non-constructive | K·log(N/K) | log(N/K) |

Previous approaches were either:
- Inefficient (required O(K²) space)
- Randomized (enabled subliminal channels)
- Required private storage

Our Results: Application to Distributed Computing

- First explicit, deterministic and non-adaptive Conflict Resolution algorithm which is optimal up to poly-logarithmic factors
- Resolve conflicts in multiple-access channels
  - One of the classical Distributed Computing problems
  - Explicit, deterministic & non-adaptive: open since '85 [Komlos & Greenberg]

Previous Work

Molnar, Kohno, Sastry & Wagner '06
- Initiated the formal study of secure vote storage
- Tamper-evidence by exploiting write-once memories (PROM)
  - Initialized to all 0's
  - Can only flip 0's to 1's
- Encoding(x) = (x, wt_2(x))
  - Logarithmic overhead
  - Flipping any bit of x from 0 to 1 requires flipping a bit of wt_2(x) from 1 to 0

Previous Work

Molnar, Kohno, Sastry & Wagner '06
- "Copy-over list": a deterministic & history-independent solution
  - A useful observation [Naor & Teague '01]: store the elements in a lexicographically sorted list
  - Problem: cannot sort in-place on write-once memories
  - On every insertion:
    - Compute the sorted list including the new element
    - Copy the sorted list to the next available memory position
    - Erase the previous list
  - O(K²) space!!
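
The write-once encoding and the copy-over list from the two Previous Work slides, as an added Python example that is not code from the presentation or the cited papers. It assumes 8-bit elements and reads the check field as the binary count of 0 bits in x, which is one encoding with the property the slide states; the cell layout and all names are illustrative.

```python
from itertools import permutations

W = 8                          # element width in bits (assumed for this demo)
C = W.bit_length()             # check bits: enough to hold a count 0..W
ERASED = (1 << (W + C)) - 1    # an erased cell has every bit set to 1

def encode(x):
    """(x, number of 0 bits in x): raising any 0 in x lowers the count."""
    return (x << C) | (W - bin(x).count("1"))

def decode(cell):
    """Return x, or None if the cell is erased or not a valid codeword."""
    x = cell >> C
    return x if cell == encode(x) else None

def forgeable():
    """Is any codeword reachable from another using only 0 -> 1 flips?"""
    return any((encode(x) & ~encode(y)) == 0
               for x in range(1 << W) for y in range(1 << W) if x != y)

class CopyOverList:
    def __init__(self, k):
        self.cells = [0] * (k * (k + 1) // 2)   # 1 + 2 + ... + K cells
        self.start = self.n = 0

    def write(self, i, value):                  # write-once: only 0 -> 1
        if self.cells[i] & ~value:
            raise ValueError("write-once violation: 1 -> 0 flip")
        self.cells[i] = value

    def retrieve_all(self):
        return [decode(c) for c in self.cells[self.start:self.start + self.n]]

    def insert(self, x):
        old, end = self.retrieve_all(), self.start + self.n
        if x in old:
            return
        new = sorted(old + [x])
        for j, v in enumerate(new):             # copy the sorted list forward
            self.write(end + j, encode(v))
        for j in range(self.start, end):        # erase the previous list
            self.write(j, ERASED)
        self.start, self.n = end, len(new)

def final_memory(order):
    store = CopyOverList(len(order))
    for x in order:
        store.insert(x)
    return tuple(store.cells)
```

Every insertion order of the same K elements leaves the same K(K+1)/2 cells behind, which is the history-independence the slide claims and also the quadratic space it complains about.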

Previous Work

Molnar, Kohno, Sastry & Wagner '06
- Several other solutions which are either randomized or require private storage

Bethencourt, Boneh & Waters '07
- A linear-space cryptographic solution
- "History-independent append-only" signature scheme
- Randomized & requires private storage

Our Mechanism

- Global strategy: mapping elements to entries of a table
- Local strategy: resolving collisions separately in each entry
- Both strategies are deterministic, history-independent and write-once

The Local Strategy

- Store elements mapped to each entry in a separate copy-over list
  - ℓ elements require ℓ² pre-allocated memory
  - Allows very small values of ℓ in the worst case!
- Can a deterministic global strategy guarantee that?
  - The worst case behavior of any fixed hash function is very poor
  - There is always a relatively large set of elements which are mapped to the same entry...

The Global Strategy

- Sequence of tables
- Each table stores a fraction of the elements
- Each element is inserted into several entries of the first table
- When an entry overflows:
  - Elements that are not stored elsewhere are inserted into the next table
  - The entry is permanently deleted

[Figure: elements of the universe of size N mapped to entries of the first table; entries that receive too many elements are marked OVERFLOW]

The Global Strategy

Unique representation:
- Elements determine overflowing entries in the first table
- Elements mapped to non-overflowing entries are stored
- Continue with the next table and remaining elements
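
An added Python simulation of the global strategy described on the slides above (not code from the presentation or the paper): elements go into several entries of the first table, an overflowing entry is deleted for good, and elements left with no entry move to the next table. The `neighbors` function is a toy arithmetic stand-in for the bipartite graphs, and the table sizes, degree `D` and capacity `ELL` are assumed demo values; the local copy-over lists are abstracted as Python sets.

```python
from itertools import permutations

D, ELL = 2, 2        # left-degree and entry capacity (assumed demo values)
SIZES = [5, 3, 2]    # table sizes, shrinking table to table (assumed)
DEAD = "DEAD"        # marker for a permanently deleted entry

def neighbors(x, t):
    """Toy stand-in for table t's bipartite graph; not a real expander."""
    return {(x * (2 * i + 1) + t) % SIZES[t] for i in range(D)}

class Store:
    def __init__(self):
        self.tables = [[set() for _ in range(m)] for m in SIZES]

    def live(self, x, t):
        return {e for e in neighbors(x, t) if self.tables[t][e] != DEAD}

    def insert(self, x, t=0):
        if t == len(SIZES):
            raise OverflowError("out of tables")
        alive = self.live(x, t)
        if not alive:                      # all of x's entries are deleted
            return self.insert(x, t + 1)
        for e in alive:
            self.tables[t][e].add(x)
        for e in sorted(alive):
            if len(self.tables[t][e]) > ELL:        # entry overflows
                members, self.tables[t][e] = sorted(self.tables[t][e]), DEAD
                for y in members:          # may cascade into later tables
                    if not self.live(y, t):
                        self.insert(y, t + 1)

    def retrieve_all(self):
        return sorted({x for tab in self.tables for e in tab
                       if e != DEAD for x in e})

    def state(self):
        return tuple(tuple(e if e == DEAD else tuple(sorted(e)) for e in tab)
                     for tab in self.tables)

def representations(elements):
    """Set of final memory states over every insertion order."""
    states = set()
    for order in permutations(elements):
        store = Store()
        for x in order:
            store.insert(x)
        states.add(store.state())
    return states
```

For the constructed set {1, 2, 3, 6, 7, 11}, all 720 insertion orders end in one and the same state, with two deleted entries in the first table and one in the second.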

The Global Strategy

Subset of size K taken from a universe of size N:
- Table of size ~K stores αK elements
- Table of size ~(1-α)K stores α(1-α)K elements
- Table of size ~(1-α)²K ...

Where do the hash functions come from?

The Global Strategy

Identify the hash function of each table with a bipartite graph

(K, α, ℓ)-Bounded-Neighbor Expander: any set S of size K contains αK elements with a neighbor of degree ≤ ℓ w.r.t. S

[Figure: bipartite graph from the universe of size N to the table; for a set S, some entries are marked OVERFLOW and others LOW DEGREE]

Bounded-Neighbor Expanders

(K, α, ℓ)-Bounded-Neighbor Expander: any set S of size K contains αK elements with a neighbor of degree ≤ ℓ w.r.t. S

Given N and K, want to optimize M, ℓ, α and the left-degree D

| | Optimal | Extractor | Disperser |
|---|---|---|---|
| M | K·log(N/K) | K·2^((loglogN)^2) | K |
| α | 1/2 | 1/2 | 1/polylog(N) |
| ℓ | 1 | O(1) | polylog(N) |
| D | log(N/K) | 2^((loglogN)^2) | polylog(N) |

[Figure: bipartite graph from the universe of size N to a table of size M]

Open Problems

- Non-amortized insertion time
  - In our scheme insertions may have a cascading effect
  - Construct a scheme that has bounded worst case insertion time
- Improved bounded-neighbor expanders
- The monotone encoding problem
  - Find the minimal M such that subsets of size at most K taken from [N] can be mapped into subsets of [M] while preserving inclusions
  - Our non-constructive solution: K·log(N)·log(N/K) bits
  - Obvious lower bound: K·log(N/K) bits
  - Alon & Hod '07: M = O(K·log(N/K))

Conflict Resolution

- Problem: resolve conflicts that arise when several parties transmit simultaneously over a single channel
- Goal: schedule retransmissions such that each of the conflicting parties eventually transmits individually
  - A party which successfully transmits halts
- Efficiency measure: number of steps it takes to resolve any K conflicts among N parties
- An algorithm is non-adaptive if the choices of the parties in each step do not depend on previous steps

Conflict Resolution

Why require a deterministic algorithm?
- Radio Frequency Identification (RFID)
  - Many tags simultaneously read by a single reader
  - Inventory systems, product tracking, ...
- Tags are highly constrained devices
  - Can they generate randomness?

The Algorithm

- Global strategy: mapping parties to time intervals
- Local strategy: resolving collisions separately in each interval

The Local Strategy

- Associate each party x ∈ [N] with a codeword C(x) taken from a superimposed code: any codeword is not contained in the bit-wise OR of any other ℓ-1 codewords
- Party x transmits at step i if and only if C(x)_i = 1
- Resolves conflicts among any ℓ parties taken from [N]
- O(ℓ²·log N) steps using known explicit constructions
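
The local strategy above run as a schedule, as an added Python example that is not from the presentation. It uses a Reed-Solomon based superimposed code in the style of Kautz and Singleton as one known explicit construction; the field size, the 25 parties and all names are assumed demo values.

```python
from itertools import combinations

Q, COEFFS = 5, 2   # prime field size and coefficients per polynomial (assumed)
N = Q ** COEFFS    # 25 parties, one per polynomial of degree < COEFFS over GF(Q)
ELL = 4            # guaranteed when (ELL - 1) * (COEFFS - 1) < Q

def codeword(x):
    """Evaluate x's polynomial at every point; one-hot encode each symbol."""
    coeffs = [(x // Q ** j) % Q for j in range(COEFFS)]
    bits = []
    for a in range(Q):
        v = sum(c * a ** j for j, c in enumerate(coeffs)) % Q
        bits += [int(s == v) for s in range(Q)]
    return bits                      # Q * Q time steps

CODE = [codeword(x) for x in range(N)]

def solo_steps(x, others):
    """Steps at which x transmits and none of the others does."""
    return [i for i, b in enumerate(CODE[x])
            if b and not any(CODE[y][i] for y in others)]

def resolve(parties):
    """Run the fixed schedule; map each party to the step where it got through."""
    done = {}
    for i in range(Q * Q):
        senders = [x for x in parties if x not in done and CODE[x][i]]
        if len(senders) == 1:        # exactly one transmitter: it succeeds and halts
            done[senders[0]] = i
    return done

def all_resolved(ell):
    """Does every set of ell parties get fully resolved?"""
    return all(len(resolve(c)) == ell for c in combinations(range(N), ell))
```

With these parameters any 4 of the 25 parties are resolved within 25 steps, while party 0's codeword is fully covered by the OR of parties 5 to 9, so the guarantee does not extend to ℓ = 6.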

The Global Strategy

- Sequence of phases identified with bounded-neighbor expanders
- Each phase contains several time slots
- The graphs define the active parties at each slot
- Resolve collisions in each slot using the local strategy

[Figure: parties from the universe of size N mapped to time slots in Phase 1, Phase 2 and Phase 3]

The Global Strategy

O(K·polylog(N)) steps

[Figure: parties from the universe of size N mapped to time slots; slots are marked OVERFLOW or SUCCESS]