Page 1

THEORY OF COMPUTING, Volume 5 (2009), pp. 43–67

www.theoryofcomputing.org

Deterministic History-Independent

Strategies for Storing Information

on Write-Once Memories

Tal Moran∗

Moni Naor∗†

Gil Segev∗

Received: July 1, 2008; revised: May 14, 2009; published: May 23, 2009.

Abstract: Motivated by the challenging task of designing “secure” vote storage mecha-

nisms, we study information storage mechanisms that operate in extremely hostile environ-

ments. In such environments, the majority of existing techniques for information storage

and for security are susceptible to powerful adversarial attacks. We propose a mechanism

for storing a set of at most K elements from a large universe of size N on write-once mem-

ories in a manner that does not reveal the insertion order of the elements. We consider a

standard model for write-once memories, in which the memory is initialized to the all-zero

state, and the only operation allowed is flipping bits from 0 to 1. Whereas previously known

constructions were either inefficient (required Θ(K2) memory), randomized, or employed

cryptographic techniques which are unlikely to be available in hostile environments, we

eliminate each of these undesirable properties. The total amount of memory used by the

mechanism is linear in the number of stored elements and poly-logarithmic in the size of

the universe of elements.

A preliminary version of this work appeared in the Proc. of the 34th Internat. Colloquium on Automata, Languages and

Programming (ICALP 2007), pages 303–315.

∗Research supported in part by a grant from the Israel Science Foundation.

†Incumbent of the Judith Kleeman Professorial Chair.

ACM Classification: E.1, E.2, F.2.2

AMS Classification: 68P05, 68P30

Key words and phrases: history-independent, write-once memory, tamper-evident, vote storage mech-

anisms, information-theoretic security, conflict resolution, expander graphs

2009 Tal Moran, Moni Naor, and Gil Segev

Licensed under a Creative Commons Attribution LicenseDOI: 10.4086/toc.2009.v005a002

Page 2

TAL MORAN, MONI NAOR, AND GIL SEGEV

We also demonstrate a connection between secure vote storage mechanisms and one of

the classical distributed computing problems: conflict resolution in multiple-access chan-

nels. By establishing a tight connection with the basic building block of our mechanism,

we construct the first deterministic and non-adaptive conflict resolution algorithm whose

running time is optimal up to poly-logarithmic factors.

1Introduction

In this paper we deal with the design of information storage mechanisms that operate in extremely

hostile environments. In such environments, the majority of existing techniques for information storage

and for security are susceptible to powerful adversarial attacks. Our motivation emerges from the task

of designing vote storage mechanisms, recently studied by Molnar, Kohno, Sastry, and Wagner [20].

The setting considered by Molnar et al. is that of an electronic voting machine in a polling station. In

a typical election, the machine is set up by local election officials. Voters are then allowed to cast their

ballots. Finally, the “polls are closed” by the election officials (after which no additional ballots may be

cast), and the results transmitted to a voting center. The machines themselves may also be used to audit

or verify the results.

This setting is an acute example of a hostile environment for voting machines: an adversary attempt-

ing to corrupt the election results may also be a legitimate voter, an election official, or even one of the

voting machine developers. A typical threat is a corrupt poll worker who has complete access to the

vote storage mechanism at some point during or after the election process. The attacker may attempt to

change, add or delete votes, or merely to learn how others voted (in order to buy votes or coerce voters).

Without a “secure” vote storage mechanism, such an adversary may be able to undetectably tamper with

the voting records or compromise voter privacy.

We consider the abstract problem of storing a set of at most K elements taken from a large universe

of size N, while minimizing the total amount of allocated memory. In the vote storage context, think of

“elements” as ballots, K as the number of voters and of N as the number of possible ballot states (e.g.,

if there are 10 two-candidate races, there are N = 210possible ballot states; alternatively, if there is one

race where write-in candidates are allowed, N would be the number of possible candidate names). Our

mechanism supports insert operations, membership queries, and enumeration of all stored elements.1

While previously known constructions were either inefficient, randomized, or employed cryptographic

techniques that require secure key storage, we make a concentrated effort to eliminate these undesirable

properties. We design a storage mechanism which is deterministic, history-independent, and tamper-

evident.

Deterministic strategies.

However, for systems that operate in hostile environments, randomization can assist the adversary in

attacking the system. First, as sources of random bits are typically obtained from the environment,

it is quite possible that the adversary can corrupt these sources. In such cases, we usually have no

Randomization is an important ingredient in the design of efficient systems.

1We note that for vote storage mechanisms it is sufficient to support only insert operations and enumeration of all stored

elements.

THEORY OF COMPUTING, Volume 5 (2009), pp. 43–6744

Page 3

STORING INFORMATION ON WRITE-ONCE MEMORIES

guarantees on the expected behavior of the system. Second, even when truly random bits are available,

these bits may be revealed to the adversary in advance, and serve as a crucial tool in the attack. Third, a

randomized storage strategy may enable a covert channel: As multiple valid representations for the same

abstract state exist, a maliciously designed storage mechanism can secretly embed information into the

stored data by choosing one of these representations. Applications such as voting protocols may run

in completely untrusted environments. In such cases, deterministic strategies have invaluable security

benefits.

History-independence.

to. When designing a data structure whose memory representation may be revealed, we would like to

ensure that an adversary will not be able to infer information that is not available through the system’s

legitimate interface. Computer science is rich with tales of cases where this was not done, such as files

containing information whose creators assumed had been erased, only to be revealed later in embar-

rassing circumstances (e.g., see [3, 10]). Informally, we consider a period of activity after which the

memory representation of the data is revealed to the adversary. The data structure is history-independent

if the adversary will not be able to deduce any more about the sequence of operations that led to the

current content than the content itself yields (concrete definitions will be given in Section 3.1).

Many systems give away much more information than they were intended

Tamper-evident write-once storage.

cation of its content can be detected. Tamper-evidence is usually provided by a mixture of physical

assumptions (such as secure processors) and cryptographic tools (such as signature schemes). Unfortu-

nately, the majority of cryptographic tools require secure key storage, which is unlikely to be available

in a hostile environment. Our construction follows the approach of Molnar et al. [20], who exploited

the properties of write-once memories to provide tamper-evident storage. They introduced an encoding

scheme in which flipping some of the bits of any valid codeword from 0 to 1 will never lead to another

valid codeword. Consider, for example, the encoding E(x) = x||wt(¯ x)2, obtained by concatenating the

string x with the binary representation of the Hamming weight of its complement. This encoding has

the property that flipping any bit of x from 0 to 1 decreases wt(¯ x)2, and requires flipping at least one

bit of wt(¯ x)2from 1 to 0 (which is physically impossible when using a write-once memory). In the

voting scenario, this prevents any modification to the stored ballots after the polls close, and prevents

poll workers from tampering with the content of the data structure while the storage device is in transit.

This approach does not require any cryptographic tools or computational assumptions, which makes it

very suitable for the setting of hostile environments. The additional memory allocation required by the

encoding is only logarithmic in the size of the stored data, and can be handled independently of the

storage strategy. For simplicity of presentation, we ignore the encoding procedure, and refer the reader’s

attention to the fact that our storage strategy is indeed write-once (i.e., the memory is initialized to the

all-zero state, and the only operation allowed is flipping bits from 0 to 1).

A data structure is tamper-evident if any unauthorized modifi-

1.1Our contributions

We construct an efficient, deterministic mechanism for storing a set of at most K elements on write-

once memories. The elements are given one at a time, and stored in a manner that does not reveal the

THEORY OF COMPUTING, Volume 5 (2009), pp. 43–6745

Page 4

TAL MORAN, MONI NAOR, AND GIL SEGEV

insertion order. Our mechanism is immune to a large class of attacks that made previous constructions

unsuitable for extremely hostile environments. Previous constructions were either much less efficient

(required Θ(K2) memory), randomized, or employed cryptographic techniques that require secure key

storage(makingthemvulnerabletovariousside-channelandhardwareattacks). Unlessstatedotherwise,

throughout the paper we refer to the amount of allocated memory as the number of allocated memory

words, each of length logN bits, and assume that writing and reading a memory word can be done in

constant time. Our main result is the following:

Theorem 1.1. There exists an explicit, deterministic, history-independent, and write-once mechanism

for storing a set of at most K elements from a universe of size N, such that:

1. The total amount of allocated memory is O(K·polylog(N)).

2. The amortized insertion time and the worst-case look-up time are O(polylog(N)).

In addition, our construction yields a non-constructive proof for the existence of the following stor-

age mechanism:

Theorem 1.2. There exists a deterministic, history-independent, and write-once mechanism for storing

a set of at most K elements from a universe of size N, such that:

1. The total amount of allocated memory is O(Klog(N/K)).

2. The amortized insertion time is O(log2N·logK).

3. The worst-case look-up time is O(logN·logK).

In order to evaluate the security of our mechanism we focus on the main security goals of vote stor-

age mechanisms [20], and formalize a threat model. Such a model should specify both the computational

capabilities of the adversary (in this paper we consider computationally unbounded adversaries), and the

type of access that the adversary has to the mechanism. Our threat model is described in Section 3.2.

Informally, we consider two types of adversaries: post-election adversaries that gain access to the mech-

anism at the end of the election process, and lunch-time adversaries that gain access to the mechanism

at several points in time during the election process. For each type of adversaries we consider two levels

of access to the mechanism: read-only access, and read-write access.

We show that our mechanism provides the highest level of security against post-election adversaries

with read-write access, and against lunch-time adversaries with read-only access. Unfortunately, our

mechanismturnsouttobeinsecureagainstlunch-timeadversarieswithread-writeaccess. Specifically, it

does not guarantee tamper-evidence against such adversaries. We prove, however, that such a vulnerabil-

ity is not specific for our construction, but is inherent in any mechanism that uses significantly less than

K2bits of storage. In fact, we provide a complete characterization of the class of deterministic, history-

independent and write-once mechanisms that do enjoy such a level of security. Informally, we show that

any such mechanism stores the elements according to a superimposed code [17]. The following theorem

then follows from known lower bounds and upper bounds on superimposed codes [11, 12, 25]:

THEORY OF COMPUTING, Volume 5 (2009), pp. 43–6746

Page 5

STORING INFORMATION ON WRITE-ONCE MEMORIES

Theorem 1.3. Any deterministic, history-independent, and write-once mechanism for storing a set of at

most K elements from a universe of size N which is tamper-evident against a lunch-time adversary with

read-write access uses Ω?(K2/logK)·logN?bits of storage. Moreover, there exists such an explicit

mechanism that uses O(K2log2N) bits of storage.

Conflict resolution.

in multiple-access channels. A fundamental problem of distributed computing is to resolve conflicts that

arisewhenseveralstationstransmitsimultaneouslyoverasinglechannel. Aconflictresolutionalgorithm

schedules retransmissions, such that each of the conflicting stations eventually transmits individually

to the channel. Such an algorithm is non-adaptive if the choice of the transmitting stations in each

step does not depend on information gathered from previous steps (with the exception that a station

which successfully transmits halts, and waits for the algorithm to terminate). The efficiency measure for

conflict resolution algorithms is the total number of steps it takes to resolve conflicts in the worst case

(where the worst case refers to the maximum over all possible sets of conflicting stations).

We consider the standard model in which N stations are tapped into a single channel, and there are

at most K conflicting stations. In 1985, Koml´ os and Greenberg [18] provided a non-constructive proof

for the existence of a deterministic and non-adaptive algorithm that resolves conflicts in O(Klog(N/K))

steps. However, no explicit algorithm with a similar performance guarantee was known.

By adapting our technique to the setting of conflict resolution, we devise the first efficient deter-

ministic and non-adaptive algorithm for this problem. The number of steps required by our algorithm

to resolve conflicts matches the non-explicit upper bound of Koml´ os and Greenberg [18] up to poly-

logarithmic factors. More specifically, we prove the following theorem:

In this paper we also address a seemingly unrelated problem: conflict resolution

Theorem 1.4. For every N and K there exists an explicit, deterministic, and non-adaptive algorithm

that resolves any K conflicts among N stations in O(K·polylog(N)) steps.

Paper organization.

work. Section 3 contains some essential definitions and a formal description of our main security goals

and threat model. In Section 4 we present our construction of the storage mechanism, which we then an-

alyzeinSection5. The analysisincludes, inadditionto anevaluation ofthe soundness, performance, and

security guarantees of our construction, a characterization of the class of mechanisms that are determin-

istic, history-independent, and write-once and provide tamper-evidence against a lunch-time adversary

with read-write access. In Section 6 we provide constructions of the bipartite graphs that serve as the

main building block of our storage mechanism. Finally, in Section 7 we show that our technique can be

adapted to devise a deterministic and non-adaptive conflict resolution algorithm.

The rest of the paper is organized as follows. In Section 2 we review related

2Related work

The problem of constructing history-independent data structures was first formally considered by Mic-

ciancio [19], who devised a variant of 2–3 trees that satisfies a property of this nature. Micciancio

considered a rather weak notion of history-independence, which required only that the shape of the trees

THEORY OF COMPUTING, Volume 5 (2009), pp. 43–6747