Presentation is loading. Please wait.

Presentation is loading. Please wait.

Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil.

Published byTobias Carr Modified over 9 years ago

Similar presentations

Presentation on theme: "Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil."— Presentation transcript:

1 Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil Segev

2 Weizmann Institute of Science Israel Securing Vote Storage Mechanisms Tal Moran Moni Naor Gil Segev

3 3 Election Day Carol Bob Carol Elections for class president Each student whispers in Mr. Drew’s ear Mr. Drew writes down the votes Alice Bob Alice Problem: Mr. Drew’s notebook leaks sensitive information First student voted for Carol Second student voted for Alice … Alice

4 4 Election Day Carol Alice Bob 1 1 1 1 CarolAlice Bob What about more involved election systems? Write-in candidates Votes which are subsets or rankings …. A simple solution: Lexicographically sorted list of candidates Unary counters

5 5 Secure Vote Storage Mechanisms that operate in extremely hostile environments Without a “secure” mechanism an adversary may be able to Tamper with the records Compromise privacy Majority of existing techniques are vulnerable in this setting Cryptographic tools require private storage Memory representation may leak sensitive information Subliminal channels Possible scenarios: Malicious software embeds secret information in public output Colluding voters can obtain complete memory dump Poll workers may tamper with the device while in transit …

6 6 Main Security Goals Tamper-evidence Prevent an adversary from undetectably tampering with the records History-independence Memory representation does not reveal the insertion order Subliminal-freeness Information cannot be secretly embedded into the data Integrity Privacy

7 This Work 7 Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N Why consider a large universe? Write-in candidates Votes which are subsets or rankings Records may contain additional information (e.g., 160-bit hash values) Supports Insert(x), Seal() and RetreiveAll() Cast a ballot Count votes “Finalize” the elections

8 8 This Work Goal: A secure and efficient mechanism for storing an increasingly growing set of K elements taken from a large universe of size N Tamper-evidence by exploiting write-once memories Due to Molnar, Kohno, Sastry & Wagner ’06 Information-theoretic security Everything is public!! No need for private storage Deterministic history-independent strategy in which each subset of elements determines a unique memory representation Strongest form of history-independence Unique representation - cannot secretly embed information Our approach: Initialized to all 0 ’s Can only flip 0 ’s to 1 ’s

9 9 Previous approaches were either: Inefficient (required O(K 2 ) space) Randomized (enabled subliminal channels) Required private storage Explicit Space Insertion time K  polylog(N) polylog(N) K  log(N/K) log(N/K) Non-constructive Deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N Our Results Main Result

10 10 Deterministic, history-independent and write-once strategy for storing an increasingly growing set of K elements taken from a large universe of size N Our Results Main Result First explicit, deterministic and non-adaptive Conflict Resolution algorithm which is optimal up to poly-logarithmic factors Application to Distributed Computing Resolve conflicts in multiple-access channels One of the classical Distributed Computing problems Explicit, deterministic & non-adaptive -- open since ‘85 [Komlos & Greenberg]

11 11 Previous Work Molnar, Kohno, Sastry & Wagner ‘06 Initiated the formal study of secure vote storage Tamper-evidence by exploiting write-once memories Initialized to all 0 ’s Can only flip 0 ’s to 1 ’s Encoding(x) = (x, wt 2 (x)) Logarithmic overhead PROM Flipping any bit of x from 0 to 1 requires flipping a bit of wt 2 ( x ) from 1 to 0

12 12 Previous Work Molnar, Kohno, Sastry & Wagner ‘06 Initiated the formal study of secure vote storage Tamper-evidence by exploiting write-once memories “Copy-over list”: A deterministic & history-independent solution Problem: Cannot sort in-place on write-once memories On every insertion: Compute the sorted list including the new element Copy the sorted list to the next available memory position Erase the previous list A useful observation [Naor & Teague ‘01]: Store the elements in a lexicographically sorted list O(K 2 ) space!!

13 13 Previous Work Molnar, Kohno, Sastry & Wagner ‘06 Initiated the formal study of secure vote storage Tamper-evidence by exploiting write-once memories “Copy-over list”: A deterministic & history-independent solution Several other solutions which are either randomized or require private storage Bethencourt, Boneh & Waters ‘07 A linear-space cryptographic solution “History-independent append-only” signature scheme Randomized & requires private storage

14 14 Our Mechanism Global strategy Mapping elements to entries of a table Both strategies are deterministic, history-independent and write-once Local strategy Resolving collisions separately in each entry

15 15 The Local Strategy Store elements mapped to each entry in a separate copy-over list ℓ elements require ℓ 2 pre-allocated memory Allows very small values of ℓ in the worst case! Can a deterministic global strategy guarantee that? The worst case behavior of any fixed hash function is very poor There is always a relatively large set of elements which are mapped to the same entry….

16 16 The Global Strategy Sequence of tables Each table stores a fraction of the elements Each element is inserted into several entries of the first table When an entry overflows: o Elements that are not stored elsewhere are inserted into the next table o The entry is permanently deleted

17 17 The Global Strategy Each element is inserted into several entries of the first table When an entry overflows: o Elements that are not stored elsewhere are inserted into the next table o The entry is permanently deleted Universe of size N OVERFLOW

18 18 The Global Strategy OVERFLOW Universe of size N Each element is inserted into several entries of the first table When an entry overflows: o Elements that are not stored elsewhere are inserted into the next table o The entry is permanently deleted

19 19 Analyzing The Global Strategy Each element is inserted into several entries of the first table When an entry overflows: o Elements that are not stored elsewhere are inserted into the next table o The entry is permanently deleted Universe of size N Unique representation: Elements determine overflowing entries in the first table Elements mapped to non-overflowing entries are stored Continue with the next table and remaining elements

20 20 Analyzing The Global Strategy Subset of size K Table of size ~K Stores ® K elements Table of size ~(1- ® )K Stores ® (1 - ® )K elements Table of size ~(1- ® ) 2 K Where do the hash functions come from? Universe of size N Each element is inserted into several entries of the first table When an entry overflows: o Elements that are not stored elsewhere are inserted into the next table o The entry is permanently deleted

21 Analyzing The Global Strategy Identify the hash function of each table with a bipartite graph Bounded-Neighbor Expander: Any subset S of size K contains ® K elements with a low degree neighbor w.r.t S Universe of size N S OVERFLOW LOW DEGREE 21

22 Bounded-Neighbor Expanders Any subset S of size K contains ® K elements with a neighbor of degree · ℓ w.r.t S Universe of size N S Table of size M Explicit M ℓ K  polylog(N) polylog(N) K  log(N/K) 1 Non-constructive ® 1/21/polylog(N) Given N and K, Minimize M and ℓ Maximize ® 22

23 Open Problems Non-amortized insertion time In our scheme insertions may have a cascading effect Construct a scheme that has bounded worst case insertion time Improved bounded-neighbor expanders Memory lower bound Our non-constructive solution: K  log(N)  log(N/K) bits Obvious lower bound: K  log(N/K) bits Find the minimal M such that subsets of size at most K taken from [N] can be mapped into subsets of [M] while preserving inclusions 23 Integrate the mechanism into existing schemes

24 Open Problems Non-amortized insertion time In our scheme insertions may have a cascading effect Construct a scheme that has bounded worst case insertion time Improved bounded-neighbor expanders Memory lower bound Our non-constructive solution: K  log(N)  log(N/K) bits Obvious lower bound: K  log(N/K) bits Find the minimal M such that subsets of size at most K taken from [N] can be mapped into subsets of [M] while preserving inclusions 24 Thank you! Integrate the mechanism into existing schemes

Download ppt "Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil."

Similar presentations

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.
Lower and Upper Bounds on Obtaining History Independence

Lower and Upper Bounds on Obtaining History Independence
Biometry and Security: Secure Biometric Authentication for Weak Computational Devices Author: Zelenevskiy Vladimir Based on the research by M.J. Atallah.

Biometry and Security: Secure Biometric Authentication for Weak Computational Devices Author: Zelenevskiy Vladimir Based on the research by M.J. Atallah.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
©Silberschatz, Korth and Sudarshan12.1Database System Concepts Chapter 12: Indexing and Hashing Basic Concepts Ordered Indices B+-Tree Index Files B-Tree.

©Silberschatz, Korth and Sudarshan12.1Database System Concepts Chapter 12: Indexing and Hashing Basic Concepts Ordered Indices B+-Tree Index Files B-Tree.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000.

Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000.
Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.

Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.
CPSC 335 Computer Science University of Calgary Canada.

CPSC 335 Computer Science University of Calgary Canada.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Institute of Computer Science University of Wroclaw Page Migration in Dynamic Networks Marcin Bieńkowski Joint work with: Jarek Byrka (Centrum voor Wiskunde.

Institute of Computer Science University of Wroclaw Page Migration in Dynamic Networks Marcin Bieńkowski Joint work with: Jarek Byrka (Centrum voor Wiskunde.
Lecturer: Moni Naor Foundations of Privacy Informal Lecture Anti-Persistence or History Independent Data Structures.

Lecturer: Moni Naor Foundations of Privacy Informal Lecture Anti-Persistence or History Independent Data Structures.
Sketching in Adversarial Environments Or Sublinearity and Cryptography 1 Moni Naor Joint work with: Ilya Mironov and Gil Segev.

Sketching in Adversarial Environments Or Sublinearity and Cryptography 1 Moni Naor Joint work with: Ilya Mironov and Gil Segev.
Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel.

Lower and Upper Bounds on Obtaining History Independence Niv Buchbinder and Erez Petrank Technion, Israel.
Optimal Fast Hashing Yossi Kanizo (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel) and David Hay (Politecnico di Torino, Italy)

Optimal Fast Hashing Yossi Kanizo (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel) and David Hay (Politecnico di Torino, Italy)

Similar presentations

Ads by Google