Weizmann Institute of Science Israel

1
Deterministic History-IndependentStrategies for
Storing Informationon Write-Once Memories
Moni Naor
Tal Moran
Gil Segev
Weizmann Institute of ScienceIsrael
2
Securing Vote Storage Mechanisms
Moni Naor
Tal Moran
Gil Segev
Weizmann Institute of ScienceIsrael
3
Election Day
Carol
Alice
Alice
Bob

• Elections for class president
• Each student whispers in Mr. Drews ear
• Mr. Drew writes down the votes

Carol

• ProblemMr. Drews notebook leaks sensitive
  information
• First student voted for Carol
• Second student voted for Alice

Alice
Alice
Bob
4
Election Day

• What about more involved election systems?
• Write-in candidates
• Votes which are subsets or rankings
• .

Carol
Alice
Alice
Bob
Alice
1
1

• A simple solution
• Lexicographically sorted list of candidates
• Unary counters

Bob
1
Carol
1
5
Secure Vote Storage

• Mechanisms that operate in extremely hostile
  environments

• Without a secure mechanism an adversary may be
  able to
• Tamper with the records
• Compromise privacy

• Possible scenarios
• Malicious software embeds secret information in
  public output
• Colluding voters can obtain complete memory dump
• Poll workers may tamper with the device while in
  transit

• Majority of existing techniques are vulnerable in
  this setting
• Cryptographic tools require private storage
• Memory representation may leak sensitive
  information
• Subliminal channels

6
Main Security Goals

• Tamper-evidencePrevent an adversary from
  undetectably tampering with the records

Integrity

• History-independenceMemory representation does
  not reveal the insertion order

Privacy

• Subliminal-freenessInformation cannot be
  secretly embedded into the data

7
This Work
Goal A secure and efficient mechanism for
storing an increasingly growing set of K elements
taken from a large universe of size N

• Supports Insert(x), Seal() and RetreiveAll()

Cast a ballot
Count votes
Finalize the elections

• Why consider a large universe?
• Write-in candidates
• Votes which are subsets or rankings
• Records may contain additional information (e.g.,
  160-bit hash values)

8
This Work
Goal A secure and efficient mechanism for
storing an increasingly growing set of K elements
taken from a large universe of size N
Our approach

• Tamper-evidence by exploiting write-once memories
• Due to Molnar, Kohno, Sastry Wagner 06
• Information-theoretic security
• Everything is public!! No need for private storage

Initialized to all 0sCan only flip 0s to 1s

• Deterministic history-independent strategy in
  which each subset of elements determines a unique
  memory representation
• Strongest form of history-independence
• Unique representation - cannot secretly embed
  information

9
Our Results
Deterministic, history-independent and
write-oncestrategy for storing an increasingly
growing set of Kelements taken from a large
universe of size N
Main Result

• Previous approaches were either
• Inefficient (required O(K2) space)
• Randomized (enabled subliminal channels)
• Required private storage

10
Our Results
Deterministic, history-independent and
write-oncestrategy for storing an increasingly
growing set of Kelements taken from a large
universe of size N
Main Result
Application to Distributed Computing
First explicit, deterministic and non-adaptive
Conflict Resolution algorithm which is optimalup
to poly-logarithmic factors

• Resolve conflicts in multiple-access channels
• One of the classical Distributed Computing
  problems
• Explicit, deterministic non-adaptive -- open
  since 85 Komlos Greenberg

11
Previous Work

• Molnar, Kohno, Sastry Wagner 06
• Initiated the formal study of secure vote storage
• Tamper-evidence by exploiting write-once memories

PROM
Encoding(x) (x, wt2(x))
Initialized to all 0sCan only flip 0s to 1s
Logarithmic overhead
12
Previous Work

• Molnar, Kohno, Sastry Wagner 06
• Initiated the formal study of secure vote storage
• Tamper-evidence by exploiting write-once memories
• Copy-over list A deterministic
  history-independent solution

A useful observation Naor Teague 01 Store
the elements in a lexicographically sorted list
Problem Cannot sort in-place on write-once
memories

• On every insertion
• Compute the sorted list including the new element
• Copy the sorted list to the next available memory
  position
• Erase the previous list

O(K2) space!!
13
Previous Work

• Molnar, Kohno, Sastry Wagner 06
• Initiated the formal study of secure vote storage
• Tamper-evidence by exploiting write-once memories
• Copy-over list A deterministic
  history-independent solution
• Several other solutions which are either
  randomized or require private storage

• Bethencourt, Boneh Waters 07
• A linear-space cryptographic solution
• History-independent append-only signature
  scheme
• Randomized requires private storage

14
Our Mechanism

• Global strategy
• Mapping elements to entries of a table

• Local strategy
• Resolving collisions separately in each entry

• Both strategies are deterministic,
  history-independent and write-once

15
The Local Strategy

• Store elements mapped to each entry in a separate
  copy-over list
• l elements require l2 pre-allocated memory
• Allows very small values of l in the worst case!

Can a deterministic global strategy guarantee
that?

• The worst case behavior of any fixed hash
  function is very poor
• There is always a relatively large set of
  elements which are mapped to the same entry.

16
The Global Strategy

• Sequence of tables
• Each table stores a fraction of the elements

• Each element is inserted into several entries of
  the first table
• When an entry overflows
• Elements that are not stored elsewhere are
  inserted into the next table
• The entry is permanently deleted

17
The Global Strategy

• Each element is inserted into several entries of
  the first table
• When an entry overflows
• Elements that are not stored elsewhere are
  inserted into the next table
• The entry is permanently deleted

OVERFLOW
OVERFLOW
Universe of size N
18
The Global Strategy

• Each element is inserted into several entries of
  the first table
• When an entry overflows
• Elements that are not stored elsewhere are
  inserted into the next table
• The entry is permanently deleted

OVERFLOW
Universe of size N
19
Analyzing The Global Strategy

• Each element is inserted into several entries of
  the first table
• When an entry overflows
• Elements that are not stored elsewhere are
  inserted into the next table
• The entry is permanently deleted

• Unique representation
• Elements determine overflowing entries in the
  first table
• Elements mapped to non-overflowing entries are
  stored
• Continue with the next table and remaining
  elements

Universe of size N
20
Analyzing The Global Strategy

• Each element is inserted into several entries of
  the first table
• When an entry overflows
• Elements that are not stored elsewhere are
  inserted into the next table
• The entry is permanently deleted

Table of size K
Stores K elements
Subset of size K
Universe of size N
Table of size (1-)K
Stores (1 - )K elements
Where do the hash functions come from?
Table of size (1-)2K
21
Analyzing The Global Strategy

• Identify the hash function of each table with a
  bipartite graph
• Bounded-Neighbor Expander
• Any subset S of size K contains K elements with
  a low degree neighbor w.r.t S

S
OVERFLOW
Universe of size N
OVERFLOW
LOW DEGREE
22
Bounded-Neighbor Expanders

• Any subset S of size K contains K elements with
  a neighbor of degree l w.r.t S

• Given N and K,
• Minimize M and l
• Maximize

S
Universe of size N
Table of size M
23
Open Problems

• Non-amortized insertion time
• In our scheme insertions may have a cascading
  effect
• Construct a scheme that has bounded worst case
  insertion time

• Improved bounded-neighbor expanders

• Memory lower bound
• Our non-constructive solution K ?log(N)
  ?log(N/K) bits
• Obvious lower bound K?log(N/K) bits
• Find the minimal M such that subsets of size at
  most K taken from N can be mapped into subsets
  of M while preserving inclusions

• Integrate the mechanism into existing schemes

24
Open Problems

• Non-amortized insertion time
• In our scheme insertions may have a cascading
  effect
• Construct a scheme that has bounded worst case
  insertion time

• Improved bounded-neighbor expanders

Thank you!

• Memory lower bound
• Our non-constructive solution K ?log(N)
  ?log(N/K) bits
• Obvious lower bound K?log(N/K) bits
• Find the minimal M such that subsets of size at
  most K taken from N can be mapped into subsets
  of M while preserving inclusions

• Integrate the mechanism into existing schemes