Weizmann Institute of Science Israel

1
Deterministic History-IndependentStrategies for
Storing Informationon Write-Once Memories
Moni Naor
Tal Moran
Gil Segev
Weizmann Institute of ScienceIsrael
2
Securing Vote Storage Mechanisms
Moni Naor
Tal Moran
Gil Segev
Weizmann Institute of ScienceIsrael
3
Election Day
Carol
Alice
Alice
Bob

• Elections for class president
• Each student whispers in Mr. Drews ear
• Mr. Drew writes down the votes

Carol

• ProblemMr. Drews notebook leaks sensitive
  information
• First student voted for Carol
• Second student voted for Alice

Alice
Alice
Bob
4
Election Day

• What about more involved election systems?
• Write-in candidates
• Votes which are subsets or rankings
• .

Carol
Alice
Alice
Bob
Alice
1
1

• A simple solution
• Lexicographically sorted list of candidates
• Unary counters

Bob
1
Carol
1
5
Secure Vote Storage

• Mechanisms that operate in extremely hostile
  environments

• Without a secure mechanism an adversary may be
  able to
• Undetectably tamper with the records
• Compromise privacy

• Possible scenarios
• Poll workers may tamper with the device while in
  transit
• Malicious software embeds secret information in
  public output

6
Main Security Goals

• Tamper-evidencePrevent an adversary from
  undetectably tampering with the records

Integrity

• History-independenceMemory representation does
  not reveal the insertion order

Privacy

• Subliminal-freenessInformation cannot be
  secretly embedded into the data

7
This Work
Goal A secure and efficient mechanism for
storing an increasingly growing set of K elements
taken from a large universe of size N

• Supports Insert(x), Seal() and RetreiveAll()

Cast a ballot
Count votes
Finalize the elections

• Why consider a large universe?
• Write-in candidates
• Votes which are subsets or rankings
• Records may contain additional information (e.g.,
  160-bit hash values)

8
This Work
Goal A secure and efficient mechanism for
storing an increasingly growing set of K elements
taken from a large universe of size N
Our approach

• Tamper-evidence by exploiting write-once memories
• Due to Molnar, Kohno, Sastry Wagner 06
• Information-theoretic security
• Everything is public!! No need for private storage

Initialized to all 0sCan only flip 0s to 1s

• Deterministic strategy in which each subset of
  elements determines a unique memory
  representation
• Strongest form of history-independence
• Unique representation - cannot secretly embed
  information

9
Our Results
Deterministic, history-independent and
write-oncestrategy for storing an increasingly
growing set of Kelements taken from a large
universe of size N
Main Result

• Previous approaches were either
• Inefficient (required O(K2) space)
• Randomized (enabled subliminal channels)
• Required private storage

Explicit
Non-Constructive
Space
K?polylog(N)
K?log(N/K)
Insertion time
polylog(N)
log(N/K)
10
Our Results
Deterministic, history-independent and
write-oncestrategy for storing an increasingly
growing set of Kelements taken from a large
universe of size N
Main Result
Application to Distributed Computing
First explicit, deterministic and non-adaptive
Conflict Resolution algorithm which is optimalup
to poly-logarithmic factors

• Resolve conflicts in multiple-access channels
• One of the classical Distributed Computing
  problems
• Explicit, deterministic non-adaptive -- open
  since 85 Komlos Greenberg

11
Previous Work

• Molnar, Kohno, Sastry Wagner 06
• Initiated the formal study of secure vote storage
• Tamper-evidence by exploiting write-once memories

PROM
Encoding(x) (x, wt2(x))
Initialized to all 0sCan only flip 0s to 1s
Logarithmic overhead
12
Previous Work

• Molnar, Kohno, Sastry Wagner 06
• Initiated the formal study of secure vote storage
• Tamper-evidence by exploiting write-once memories
• Copy-over list A deterministic
  history-independent solution

A useful observation Naor Teague 01 Store
the elements in a lexicographically sorted list
Problem Cannot sort in-place on write-once
memories

• On every insertion
• Compute the sorted list including the new element
• Copy the sorted list to the next available memory
  position
• Erase the previous list

O(K2) space!!
13
Previous Work

• Molnar, Kohno, Sastry Wagner 06
• Initiated the formal study of secure vote storage
• Tamper-evidence by exploiting write-once memories
• Copy-over list A deterministic
  history-independent solution
• Several other solutions which are either
  randomized or require private storage

• Bethencourt, Boneh Waters 07
• A linear-space cryptographic solution
• History-independent append-only signature
  scheme
• Randomized requires private storage

14
Our Mechanism

• Global strategy
• Mapping elements to entries of a table

• Local strategy
• Resolving collisions separately in each entry

• Both strategies are deterministic,
  history-independent and write-once

15
The Local Strategy

• Store elements mapped to each entry in a separate
  copy-over list
• l elements require l2 pre-allocated memory
• Allows very small values of l in the worst case!

Can a deterministic global strategy guarantee
that?

• The worst case behavior of any fixed hash
  function is very poor
• There is always a relatively large set of
  elements which are mapped to the same entry.

16
The Global Strategy

• Sequence of tables
• Each table stores a fraction of the elements

• Each element is inserted into several entries of
  the first table
• When an entry overflows
• Elements that are not stored elsewhere are
  inserted into the next table
• The entry is permanently deleted

17
The Global Strategy

• Each element is inserted into several entries of
  the first table
• When an entry overflows
• Elements that are not stored elsewhere are
  inserted into the next table
• The entry is permanently deleted

OVERFLOW
OVERFLOW
Universe of size N
18
The Global Strategy

• Each element is inserted into several entries of
  the first table
• When an entry overflows
• Elements that are not stored elsewhere are
  inserted into the next table
• The entry is permanently deleted

OVERFLOW
Universe of size N
19
The Global Strategy

• Each element is inserted into several entries of
  the first table
• When an entry overflows
• Elements that are not stored elsewhere are
  inserted into the next table
• The entry is permanently deleted

• Unique representation
• Elements determine overflowing entries in the
  first table
• Elements mapped to non-overflowing entries are
  stored
• Continue with the next table and remaining
  elements

Universe of size N
20
The Global Strategy

• Each element is inserted into several entries of
  the first table
• When an entry overflows
• Elements that are not stored elsewhere are
  inserted into the next table
• The entry is permanently deleted

Table of size K
Stores K elements
Subset of size K
Universe of size N
Table of size (1-)K
Stores (1 - )K elements
Where do the hash functions come from?
Table of size (1-)2K
21
The Global Strategy

• Identify the hash function of each table with a
  bipartite graph

(K, , l)-Bounded-Neighbor ExpanderAny set S of
size K contains K element with a neighbor of
degree l w.r.t S
S
OVERFLOW
Universe of size N
OVERFLOW
LOW DEGREE
22
Bounded-Neighbor Expanders
(K, , l)-Bounded-Neighbor ExpanderAny set S of
size K contains K element with a neighbor of
degree l w.r.t S

• Given N and K, want to optimize M, l, and the
  left-degree D

Optimal
Extractor
Disperser
M
Klog(N/K)
K2(loglogN)2
K
1
polylog(N)
l
O(1)
Table of size M
1/2

1/2
1/polylog(N)
Universe of size N
log(N/K)
D
2(loglogN)2
polylog(N)
23
Open Problems

• Non-amortized insertion time
• In our scheme insertions may have a cascading
  effect
• Construct a scheme that has bounded worst case
  insertion time

• Improved bounded-neighbor expanders

• The monotone encoding problem
• Our non-constructive solution K ?log(N)
  ?log(N/K) bits
• Obvious lower bound K?log(N/K) bits
• Find the minimal M such that subsets of size at
  most K taken from N can be mapped into subsets
  of M while preserving inclusions
• Alon Hod 07 M O(K?log(N/K))

24
Conflict Resolution

• Problem resolve conflicts that arise when
  several parties transmit simultaneously over a
  single channel
• Goal schedules retransmissions such that each of
  the conflicting parties eventually transmits
  individually
• A party which successfully transmits halts
• Efficiency measure number of steps it takes to
  resolve any K conflicts among N parties
• An algorithm is non-adaptive if the choices of
  the parties in each step do not depend on
  previous steps

25
Conflict Resolution

• Why require a deterministic algorithm?

• Radio Frequency Identification (RFID)
• Many tags simultaneously read by a single reader
• Inventory systems, product tracking,...
• Tags are highly constraint devices
• Can they generate randomness?

26
The Algorithm

• Global strategy
• Mapping parties to time intervals

• Local strategy
• Resolving collisions separately in each interval

26
27
The Local Strategy

• Associate each party x 2 N with a codeword C(x)
  taken from a superimposed codeAny codeword is
  not contained in the bit-wise or of any other l-1
  codewords

• Party x transmits at step i if and only if C(x)i
  1

• Resolves conflicts among any l parties taken from
  N

• O(l2logN) steps using known explicit
  constructions

27
28
The Global Strategy

• Sequence of phases identified with
  bounded-neighbor expanders
• Each phase contains several time slots
• The graphs define the active parties at each slot
• Resolve collisions in each slot using the local
  strategy

Phase 1
Universe of size N
Phase 2
28
Phase 3
29
The Global Strategy

• Sequence of phases identified with
  bounded-neighbor expanders
• Each phase contains several time slots
• The graphs define the active parties at each slot
• Resolve collisions in each slot using the local
  strategy

OVERFLOW
OVERFLOW
Universe of size N
SUCCESS
SUCCESS
SUCCESS
O(Kpolylog(N)) steps
29