THEORY OF COMPUTING, Volume 5 (2009), pp. 43–67
Strategies for Storing Information
on Write-Once Memories
Received: July 1, 2008; revised: May 14, 2009; published: May 23, 2009.
Abstract: Motivated by the challenging task of designing “secure” vote storage mecha-
nisms, we study information storage mechanisms that operate in extremely hostile environ-
ments. In such environments, the majority of existing techniques for information storage
and for security are susceptible to powerful adversarial attacks. We propose a mechanism
for storing a set of at most K elements from a large universe of size N on write-once mem-
ories in a manner that does not reveal the insertion order of the elements. We consider a
standard model for write-once memories, in which the memory is initialized to the all-zero
state, and the only operation allowed is flipping bits from 0 to 1. Whereas previously known
constructions were either inefficient (required Θ(K2) memory), randomized, or employed
cryptographic techniques which are unlikely to be available in hostile environments, we
eliminate each of these undesirable properties. The total amount of memory used by the
mechanism is linear in the number of stored elements and poly-logarithmic in the size of
the universe of elements.
A preliminary version of this work appeared in the Proc. of the 34th Internat. Colloquium on Automata, Languages and
Programming (ICALP 2007), pages 303–315.
∗Research supported in part by a grant from the Israel Science Foundation.
†Incumbent of the Judith Kleeman Professorial Chair.
ACM Classification: E.1, E.2, F.2.2
AMS Classification: 68P05, 68P30
Key words and phrases: history-independent, write-once memory, tamper-evident, vote storage mech-
anisms, information-theoretic security, conflict resolution, expander graphs
2009 Tal Moran, Moni Naor, and Gil Segev
Licensed under a Creative Commons Attribution LicenseDOI: 10.4086/toc.2009.v005a002
TAL MORAN, MONI NAOR, AND GIL SEGEV
We also demonstrate a connection between secure vote storage mechanisms and one of
the classical distributed computing problems: conflict resolution in multiple-access chan-
nels. By establishing a tight connection with the basic building block of our mechanism,
we construct the first deterministic and non-adaptive conflict resolution algorithm whose
running time is optimal up to poly-logarithmic factors.
In this paper we deal with the design of information storage mechanisms that operate in extremely
hostile environments. In such environments, the majority of existing techniques for information storage
and for security are susceptible to powerful adversarial attacks. Our motivation emerges from the task
of designing vote storage mechanisms, recently studied by Molnar, Kohno, Sastry, and Wagner .
The setting considered by Molnar et al. is that of an electronic voting machine in a polling station. In
a typical election, the machine is set up by local election officials. Voters are then allowed to cast their
ballots. Finally, the “polls are closed” by the election officials (after which no additional ballots may be
cast), and the results transmitted to a voting center. The machines themselves may also be used to audit
or verify the results.
This setting is an acute example of a hostile environment for voting machines: an adversary attempt-
ing to corrupt the election results may also be a legitimate voter, an election official, or even one of the
voting machine developers. A typical threat is a corrupt poll worker who has complete access to the
vote storage mechanism at some point during or after the election process. The attacker may attempt to
change, add or delete votes, or merely to learn how others voted (in order to buy votes or coerce voters).
Without a “secure” vote storage mechanism, such an adversary may be able to undetectably tamper with
the voting records or compromise voter privacy.
We consider the abstract problem of storing a set of at most K elements taken from a large universe
of size N, while minimizing the total amount of allocated memory. In the vote storage context, think of
“elements” as ballots, K as the number of voters and of N as the number of possible ballot states (e.g.,
if there are 10 two-candidate races, there are N = 210possible ballot states; alternatively, if there is one
race where write-in candidates are allowed, N would be the number of possible candidate names). Our
mechanism supports insert operations, membership queries, and enumeration of all stored elements.1
While previously known constructions were either inefficient, randomized, or employed cryptographic
techniques that require secure key storage, we make a concentrated effort to eliminate these undesirable
properties. We design a storage mechanism which is deterministic, history-independent, and tamper-
However, for systems that operate in hostile environments, randomization can assist the adversary in
attacking the system. First, as sources of random bits are typically obtained from the environment,
it is quite possible that the adversary can corrupt these sources. In such cases, we usually have no
Randomization is an important ingredient in the design of efficient systems.
1We note that for vote storage mechanisms it is sufficient to support only insert operations and enumeration of all stored
THEORY OF COMPUTING, Volume 5 (2009), pp. 43–6744
STORING INFORMATION ON WRITE-ONCE MEMORIES
guarantees on the expected behavior of the system. Second, even when truly random bits are available,
these bits may be revealed to the adversary in advance, and serve as a crucial tool in the attack. Third, a
randomized storage strategy may enable a covert channel: As multiple valid representations for the same
abstract state exist, a maliciously designed storage mechanism can secretly embed information into the
stored data by choosing one of these representations. Applications such as voting protocols may run
in completely untrusted environments. In such cases, deterministic strategies have invaluable security
to. When designing a data structure whose memory representation may be revealed, we would like to
ensure that an adversary will not be able to infer information that is not available through the system’s
legitimate interface. Computer science is rich with tales of cases where this was not done, such as files
containing information whose creators assumed had been erased, only to be revealed later in embar-
rassing circumstances (e.g., see [3, 10]). Informally, we consider a period of activity after which the
memory representation of the data is revealed to the adversary. The data structure is history-independent
if the adversary will not be able to deduce any more about the sequence of operations that led to the
current content than the content itself yields (concrete definitions will be given in Section 3.1).
Many systems give away much more information than they were intended
Tamper-evident write-once storage.
cation of its content can be detected. Tamper-evidence is usually provided by a mixture of physical
assumptions (such as secure processors) and cryptographic tools (such as signature schemes). Unfortu-
nately, the majority of cryptographic tools require secure key storage, which is unlikely to be available
in a hostile environment. Our construction follows the approach of Molnar et al. , who exploited
the properties of write-once memories to provide tamper-evident storage. They introduced an encoding
scheme in which flipping some of the bits of any valid codeword from 0 to 1 will never lead to another
valid codeword. Consider, for example, the encoding E(x) = x||wt(¯ x)2, obtained by concatenating the
string x with the binary representation of the Hamming weight of its complement. This encoding has
the property that flipping any bit of x from 0 to 1 decreases wt(¯ x)2, and requires flipping at least one
bit of wt(¯ x)2from 1 to 0 (which is physically impossible when using a write-once memory). In the
voting scenario, this prevents any modification to the stored ballots after the polls close, and prevents
poll workers from tampering with the content of the data structure while the storage device is in transit.
This approach does not require any cryptographic tools or computational assumptions, which makes it
very suitable for the setting of hostile environments. The additional memory allocation required by the
encoding is only logarithmic in the size of the stored data, and can be handled independently of the
storage strategy. For simplicity of presentation, we ignore the encoding procedure, and refer the reader’s
attention to the fact that our storage strategy is indeed write-once (i.e., the memory is initialized to the
all-zero state, and the only operation allowed is flipping bits from 0 to 1).
A data structure is tamper-evident if any unauthorized modifi-
We construct an efficient, deterministic mechanism for storing a set of at most K elements on write-
once memories. The elements are given one at a time, and stored in a manner that does not reveal the
THEORY OF COMPUTING, Volume 5 (2009), pp. 43–6745
TAL MORAN, MONI NAOR, AND GIL SEGEV
insertion order. Our mechanism is immune to a large class of attacks that made previous constructions
unsuitable for extremely hostile environments. Previous constructions were either much less efficient
(required Θ(K2) memory), randomized, or employed cryptographic techniques that require secure key
throughout the paper we refer to the amount of allocated memory as the number of allocated memory
words, each of length logN bits, and assume that writing and reading a memory word can be done in
constant time. Our main result is the following:
Theorem 1.1. There exists an explicit, deterministic, history-independent, and write-once mechanism
for storing a set of at most K elements from a universe of size N, such that:
1. The total amount of allocated memory is O(K·polylog(N)).
2. The amortized insertion time and the worst-case look-up time are O(polylog(N)).
In addition, our construction yields a non-constructive proof for the existence of the following stor-
Theorem 1.2. There exists a deterministic, history-independent, and write-once mechanism for storing
a set of at most K elements from a universe of size N, such that:
1. The total amount of allocated memory is O(Klog(N/K)).
2. The amortized insertion time is O(log2N·logK).
3. The worst-case look-up time is O(logN·logK).
In order to evaluate the security of our mechanism we focus on the main security goals of vote stor-
age mechanisms , and formalize a threat model. Such a model should specify both the computational
capabilities of the adversary (in this paper we consider computationally unbounded adversaries), and the
type of access that the adversary has to the mechanism. Our threat model is described in Section 3.2.
Informally, we consider two types of adversaries: post-election adversaries that gain access to the mech-
anism at the end of the election process, and lunch-time adversaries that gain access to the mechanism
at several points in time during the election process. For each type of adversaries we consider two levels
of access to the mechanism: read-only access, and read-write access.
We show that our mechanism provides the highest level of security against post-election adversaries
with read-write access, and against lunch-time adversaries with read-only access. Unfortunately, our
mechanismturnsouttobeinsecureagainstlunch-timeadversarieswithread-writeaccess. Specifically, it
does not guarantee tamper-evidence against such adversaries. We prove, however, that such a vulnerabil-
ity is not specific for our construction, but is inherent in any mechanism that uses significantly less than
K2bits of storage. In fact, we provide a complete characterization of the class of deterministic, history-
independent and write-once mechanisms that do enjoy such a level of security. Informally, we show that
any such mechanism stores the elements according to a superimposed code . The following theorem
then follows from known lower bounds and upper bounds on superimposed codes [11, 12, 25]:
THEORY OF COMPUTING, Volume 5 (2009), pp. 43–6746
STORING INFORMATION ON WRITE-ONCE MEMORIES
Theorem 1.3. Any deterministic, history-independent, and write-once mechanism for storing a set of at
most K elements from a universe of size N which is tamper-evident against a lunch-time adversary with
read-write access uses Ω?(K2/logK)·logN?bits of storage. Moreover, there exists such an explicit
mechanism that uses O(K2log2N) bits of storage.
in multiple-access channels. A fundamental problem of distributed computing is to resolve conflicts that
schedules retransmissions, such that each of the conflicting stations eventually transmits individually
to the channel. Such an algorithm is non-adaptive if the choice of the transmitting stations in each
step does not depend on information gathered from previous steps (with the exception that a station
which successfully transmits halts, and waits for the algorithm to terminate). The efficiency measure for
conflict resolution algorithms is the total number of steps it takes to resolve conflicts in the worst case
(where the worst case refers to the maximum over all possible sets of conflicting stations).
We consider the standard model in which N stations are tapped into a single channel, and there are
at most K conflicting stations. In 1985, Koml´ os and Greenberg  provided a non-constructive proof
for the existence of a deterministic and non-adaptive algorithm that resolves conflicts in O(Klog(N/K))
steps. However, no explicit algorithm with a similar performance guarantee was known.
By adapting our technique to the setting of conflict resolution, we devise the first efficient deter-
ministic and non-adaptive algorithm for this problem. The number of steps required by our algorithm
to resolve conflicts matches the non-explicit upper bound of Koml´ os and Greenberg  up to poly-
logarithmic factors. More specifically, we prove the following theorem:
In this paper we also address a seemingly unrelated problem: conflict resolution
Theorem 1.4. For every N and K there exists an explicit, deterministic, and non-adaptive algorithm
that resolves any K conflicts among N stations in O(K·polylog(N)) steps.
work. Section 3 contains some essential definitions and a formal description of our main security goals
and threat model. In Section 4 we present our construction of the storage mechanism, which we then an-
alyzeinSection5. The analysisincludes, inadditionto anevaluation ofthe soundness, performance, and
security guarantees of our construction, a characterization of the class of mechanisms that are determin-
istic, history-independent, and write-once and provide tamper-evidence against a lunch-time adversary
with read-write access. In Section 6 we provide constructions of the bipartite graphs that serve as the
main building block of our storage mechanism. Finally, in Section 7 we show that our technique can be
adapted to devise a deterministic and non-adaptive conflict resolution algorithm.
The rest of the paper is organized as follows. In Section 2 we review related
The problem of constructing history-independent data structures was first formally considered by Mic-
ciancio , who devised a variant of 2–3 trees that satisfies a property of this nature. Micciancio
considered a rather weak notion of history-independence, which required only that the shape of the trees
THEORY OF COMPUTING, Volume 5 (2009), pp. 43–6747