Deterministic History-Independent Strategies for Storing Information on Write-Once Memories

Securing Vote Storage Mechanisms

Tal Moran, Moni Naor, Gil Segev
Weizmann Institute of Science, Israel

Election Day
- Elections for class president
  o Each student whispers in Mr. Drew’s ear
  o Mr. Drew writes down the votes
[Figure: Mr. Drew’s notebook, reading Carol, Alice, Alice, Bob]
- Problem: Mr. Drew’s notebook leaks sensitive information
  o First student voted for Carol
  o Second student voted for Alice
  o …

Election Day
- What about more involved election systems?
  o Write-in candidates
  o Votes which are subsets or rankings
  o …
- A simple solution:
  o Lexicographically sorted list of candidates
  o Unary counters

Secure Vote Storage
- Mechanisms that operate in extremely hostile environments
- Without a “secure” mechanism an adversary may be able to
  o Undetectably tamper with the records
  o Compromise privacy
- Possible scenarios:
  o Poll workers may tamper with the device while in transit
  o Malicious software embeds secret information in public output
  o …

Main Security Goals
- Integrity
  o Tamper-evidence: prevent an adversary from undetectably tampering with the records
- Privacy
  o History-independence: memory representation does not reveal the insertion order
  o Subliminal-freeness: information cannot be secretly embedded into the data

This Work
- Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N
- Supports Insert(x), Seal() and RetrieveAll()
  o Insert(x): cast a ballot
  o Seal(): “finalize” the elections
  o RetrieveAll(): count votes
- Why consider a large universe?
  o Write-in candidates
  o Votes which are subsets or rankings
  o Records may contain additional information (e.g., 160-bit hash values)

This Work
- Our approach:
  o Tamper-evidence by exploiting write-once memories (initialized to all 0’s; can only flip 0’s to 1’s)
    - Due to Molnar, Kohno, Sastry & Wagner ’06
  o Information-theoretic security
    - Everything is public!! No need for private storage
  o Deterministic strategy in which each subset of elements determines a unique memory representation
    - Strongest form of history-independence
    - Unique representation: cannot secretly embed information

Our Results
- Main Result: Deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N
- Previous approaches were either:
  o Inefficient (required O(K^2) space)
  o Randomized (enabled subliminal channels)
  o Required private storage

                  Explicit        Non-Constructive
  Space           K·polylog(N)    K·log(N/K)
  Insertion time  polylog(N)      log(N/K)

Our Results
- Application to Distributed Computing: First explicit, deterministic and non-adaptive Conflict Resolution algorithm which is optimal up to poly-logarithmic factors
  o Resolve conflicts in multiple-access channels
  o One of the classical Distributed Computing problems
  o Explicit, deterministic & non-adaptive: open since ’85 [Komlos & Greenberg]

Previous Work
- Molnar, Kohno, Sastry & Wagner ’06
  o Initiated the formal study of secure vote storage
  o Tamper-evidence by exploiting write-once memories (initialized to all 0’s; can only flip 0’s to 1’s)
    - Encoding(x) = (x, wt_2(x))
    - Flipping any bit of x from 0 to 1 requires flipping a bit of wt_2(x) from 1 to 0
    - Logarithmic overhead

Previous Work
- Molnar, Kohno, Sastry & Wagner ’06
  o “Copy-over list”: A deterministic & history-independent solution
    - A useful observation [Naor & Teague ’01]: Store the elements in a lexicographically sorted list
    - Problem: Cannot sort in-place on write-once memories
    - On every insertion:
      1. Compute the sorted list including the new element
      2. Copy the sorted list to the next available memory position
      3. Erase the previous list
    - O(K^2) space!!
  o Several other solutions which are either randomized or require private storage
- Bethencourt, Boneh & Waters ’07
  o A linear-space cryptographic solution
  o “History-independent append-only” signature scheme
  o Randomized & requires private storage

Our Mechanism
- Global strategy: Mapping elements to entries of a table
- Local strategy: Resolving collisions separately in each entry
- Both strategies are deterministic, history-independent and write-once

The Local Strategy
- Store elements mapped to each entry in a separate copy-over list
  o ℓ elements require ℓ^2 pre-allocated memory
  o Allows very small values of ℓ in the worst case!
- Can a deterministic global strategy guarantee that?
  o The worst case behavior of any fixed hash function is very poor
  o There is always a relatively large set of elements which are mapped to the same entry…
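The copy-over list used by the local strategy above, simulated on a write-once memory; this is an added example, not code from the talk or the paper, and it shows that different insertion orders of the same set leave an identical memory image. Assumptions: cells are fixed-width integers, an erased cell is all 1's, elements are neither all 0's nor all 1's, duplicates are ignored, and the names WriteOnceMemory, CopyOverList and memory_after are hypothetical.

```python
class WriteOnceMemory:
    """Cells whose bits can only be flipped from 0 to 1 (assumed model)."""
    def __init__(self, cells, width):
        self.cells = [0] * cells        # initialized to all 0's
        self.full = (1 << width) - 1    # all 1's: assumed "erased" pattern

    def write(self, i, value):
        if self.cells[i] & ~value:      # some stored 1 would become 0
            raise ValueError(f"cell {i}: write needs a 1->0 flip")
        self.cells[i] = value


class CopyOverList:
    """Copy-over list for at most k elements x with 0 < x < 2**width - 1."""
    def __init__(self, k, width):
        self.k = k
        # The list of length n occupies cells [n(n-1)/2, n(n+1)/2): O(k^2) cells.
        self.mem = WriteOnceMemory(k * (k + 1) // 2, width)
        self.n = 0                      # current length; depends on set size only

    def _region(self, n):
        start = n * (n - 1) // 2
        return range(start, start + n)

    def retrieve_all(self):
        return [self.mem.cells[i] for i in self._region(self.n)]

    def insert(self, x):
        if not 0 < x < self.mem.full:
            raise ValueError("element collides with empty/erased pattern")
        current = self.retrieve_all()
        if x in current:
            return                      # assumed set semantics
        if self.n == self.k:
            raise OverflowError("list is full")
        new = sorted(current + [x])     # sorted list including the new element
        for i, v in zip(self._region(self.n + 1), new):
            self.mem.write(i, v)        # copy to the next available position
        for i in self._region(self.n):
            self.mem.write(i, self.mem.full)   # erase the previous list
        self.n += 1


def memory_after(order, k=4, width=8):
    """Raw memory image after inserting `order` (constructed sample input)."""
    lst = CopyOverList(k, width)
    for x in order:
        lst.insert(x)
    return lst.mem.cells
```

The simulation does not protect a stored element against 0-to-1 flips inside its own cell; that is the role of the Encoding(x) = (x, wt_2(x)) scheme from the Previous Work slide.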
The Global Strategy
- Sequence of tables
- Each table stores a fraction of the elements
- Each element is inserted into several entries of the first table
- When an entry overflows:
  o Elements that are not stored elsewhere are inserted into the next table
  o The entry is permanently deleted
[Figure: elements of a universe of size N mapped to table entries; some entries marked OVERFLOW]
- Unique representation:
  o Elements determine overflowing entries in the first table
  o Elements mapped to non-overflowing entries are stored
  o Continue with the next table and remaining elements
[Figure: a subset of size K from a universe of size N; a table of size ~K stores αK elements; a table of size ~(1-α)K stores α(1-α)K elements]
- Where do the hash functions come from?
[Figure, continued: third table of size ~(1-α)^2 K]

The Global Strategy
- Identify the hash function of each table with a bipartite graph
- (K, α, ℓ)-Bounded-Neighbor Expander: Any set S of size K contains αK elements with a neighbor of degree ≤ ℓ w.r.t. S
[Figure: a set S within a universe of size N; table entries marked OVERFLOW and LOW DEGREE]

Bounded-Neighbor Expanders
- Given N and K, want to optimize M, ℓ, α and the left-degree D
[Figure: bipartite graph between a universe of size N and a table of size M]

       Optimal       Extractor            Disperser
  M    K·log(N/K)    K·2^((loglogN)^2)    K
  ℓ    1             O(1)                 polylog(N)
  α    1/2           1/polylog(N)         1/2
  D    log(N/K)      2^((loglogN)^2)      polylog(N)

Open Problems
- Non-amortized insertion time
  o In our scheme insertions may have a cascading effect
  o Construct a scheme that has bounded worst case insertion time
- Improved bounded-neighbor expanders
- The monotone encoding problem
  o Our non-constructive solution: K·log(N)·log(N/K) bits
  o Obvious lower bound: K·log(N/K) bits
  o Find the minimal M such that subsets of size at most K taken from [N] can be mapped into subsets of [M] while preserving inclusions
  o Alon & Hod ’07: M = O(K·log(N/K))

Conflict Resolution
- Problem: resolve conflicts that arise when several parties transmit simultaneously over a single channel
- Goal: schedule retransmissions such that each of the conflicting parties eventually transmits individually
  o A party which successfully transmits halts
- Efficiency measure: number of steps it takes to resolve any K conflicts among N parties
- An algorithm is non-adaptive if the choices of the parties in each step do not depend on previous steps

Conflict Resolution
- Why require a deterministic algorithm?
- Radio Frequency Identification (RFID)
  o Many tags simultaneously read by a single reader
  o Inventory systems, product tracking, ...
- Tags are highly constrained devices
  o Can they generate randomness?
The Algorithm
- Global strategy: Mapping parties to time intervals
- Local strategy: Resolving collisions separately in each interval

The Local Strategy
- Associate each party x ∈ [N] with a codeword C(x) taken from a superimposed code:
  o Any codeword is not contained in the bit-wise or of any other ℓ-1 codewords
- Party x transmits at step i if and only if C(x)_i = 1
- Resolves conflicts among any ℓ parties taken from [N]
- O(ℓ^2·log N) steps using known explicit constructions

The Global Strategy
- Sequence of phases identified with bounded-neighbor expanders
- Each phase contains several time slots
- The graphs define the active parties at each slot
- Resolve collisions in each slot using the local strategy
[Figure: a universe of size N mapped to the time slots of Phase 1, Phase 2 and Phase 3; slots marked OVERFLOW or SUCCESS]
- O(K·polylog(N)) steps
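The local strategy of the conflict-resolution algorithm above, run as a simulation; this is an added example, not code from the talk or the paper. It uses a Reed-Solomon based (Kautz-Singleton) superimposed code chosen for illustration, which is not necessarily the construction the slides refer to and takes q*q steps; the names codeword and resolve and the parameters q (a prime) and d are assumptions, with N = q**d parties and the guarantee holding for up to ℓ active parties when (ℓ-1)(d-1) < q.

```python
def codeword(x, q, d):
    """Codeword C(x) of length q*q for party x in [0, q**d), q prime.

    The d base-q digits of x are the coefficients of a polynomial p_x over
    GF(q); bit a*q + b is 1 iff p_x(a) = b.  Two distinct polynomials of
    degree < d agree on at most d-1 points, so ell-1 other codewords cover
    at most (ell-1)(d-1) of the q ones of C(x).
    """
    coeffs = [(x // q**j) % q for j in range(d)]
    bits = [0] * (q * q)
    for a in range(q):
        b = sum(c * pow(a, j, q) for j, c in enumerate(coeffs)) % q
        bits[a * q + b] = 1
    return bits


def resolve(active, q, d):
    """Run the non-adaptive schedule over all q*q steps.

    Party x transmits at step i iff C(x)_i = 1, regardless of earlier steps.
    Returns {party: first step at which it was the only transmitter}.
    """
    words = {x: codeword(x, q, d) for x in active}
    alone = {}
    for step in range(q * q):
        senders = [x for x in active if words[x][step]]
        if len(senders) == 1:
            alone.setdefault(senders[0], step)
    return alone
```

With q = 3 and d = 2 the guarantee covers three conflicting parties; when all nine parties are active, every step has exactly three transmitters and nobody gets through, which is the overflow case the global strategy handles.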