Lower and Upper Bounds on Obtaining History

Independence

Niv Buchbinder and Erez Petrank

Technion, Israel

What is History Independent Data-Structure ?

• Sometimes data structures keep unnecessary information.– not accessible via the legitimate interface of

the data structure (the content) ,– can be restored from the data-structure

memory layout. • A privacy issue if an adversary gains

control over the data-structure layout.

The core problem: history of operations applied on the data-structure may be revealed.

Weak History Independence

[Micciancio]: A Data structure implementation is (weakly) History Independent if:

Any two sequences of operations S1 and S2 that yield the same content induce the same distribution on memory layout.

Security: Nothing gained from layout beyond the content.

Weak History Independence Problems

No Information leaks if adversary gets layout once (e.g., the laptop was stolen).

But what if adversary may get layout several times ?

• Information on content modifications leaks.

• We want: no more information leakage.

Strong History Independence

Pair of sequences S1, S2

two lists of stop points in S1, S2

If content is the same in each pair of corresponding stop points Then: Joint distribution of memory layouts at stop points is identical in the two sequences.

[Naor-Teague]: A Data structure implementation is (Strongly) History Independent if:

Security: We cannot distinguish betweenany such two sequences.

A Short History of History Independence

• [Micciancio97] Weak history independent 2-3 tree (motivated by the problem of private incremental cryptography [BGG95]).

• [Naor-Teague01] History-independent hash-table, union-find. Weak history-independent memory allocation.

• All above results are efficient. • [Hartline et al. 02]

– Strong history independence means canonical layout.

– Relaxation of strong history independence.– History independent memory resize.

Our Results

1. Separations between strong & weak (lower bounds):Strong requires a much higher efficiency penalty in the comparison based model.

For example, the queue data structure:weak history independence requires O(1)strong history independence requires Ω(n)

2. Implementations (upper bounds):The heap has a weakly history independent implementation with no time complexity penalty.

Bounds Summary

Operation Weak History Independence

Strong History Independence

heap: insert O(log n) Ω(n)

heap: increase-key O(log n) Ω(n)

heap: extract-max O(log n) No lower bound

heap: build-heap O(n) Ω(n log n)

queue: max{ insert-first, remove-last}

O(1) Ω(n)

Why is Comparison Based implementation important?

• It is “natural”: – Standard implementations for most data

structure operations are like that.– Therefore, we should know not to design

this way when seeking strong history independence

• Library functions are easy to use: – Only implement the comparison

operation on data structure elements.

Strong History Independence =

Canonical Representation

Well behaved: the content graph is strongly connected. (Most data structures are like that)

Lemma [Hartline et al. 02]: Any strongly history independent implementation of “well-behaved” data-structure is canonical.

Any possible content has one possible layout.

Lower Bounds

Main Lemma: D: Data-structure whose content is the set of

keys stored inside it. I: Implementation of D that is :

comparison-based and canonical.

The following operations require time Ω(n).• Insert(D, x)• Extract(D, x)• Increase-key(D, v1, v2)

More Lower Bounds

By similar methods we can show:• For a Heap:

Build-Heap Operation requires time Ω(n log n).• For a queue: either Insert-first or Remove-Last

requires time Ω(n).

The main lemma applies for a comparison based strong history independent:

• Heaps• Dictionaries • Search trees• And others…

The Binary Heap

Binary heap - a simple implementation of a priority queue.

• The keys are stored in an almost full binary tree.

• Heap property - For each node i: Val(parent(i)) Val(i)

• Assume that all values in theheap are unique.

10

7 9

36 4 8

1 5 2

The Binary Heap: Heapify

Heapify - used to preserve the heap property. • Input: a root and two proper sub-heaps of

height h-1. • Output: a proper heap of height h.

The node always chooses to sift down to the direction of the larger value.

2

10 9

36 7 8

1 5 4

Heapify Operation

2

10 9

36 7 8

1 5 4

10

7 9

36 4 8

1 5 2

Reversing Heapify

heapify-1: “reversing” heapify:

Heapify-1(H: Heap, i: position)• Root val(i)• All the path from the root to

node i are shifted down.

10

7 9

36 4 8

1 5 2

The parameter i is a position in the heap H

Heapify-1 Operation

10

7 9

36 4 8

1 5 2

2

10 9

36 7 8

1 5 4

Heapify(Heapify-1(H, i)) = H

Property: If all the keys in the heap are unique then for any i:

Reversing Build-heap

Building a heap - applying heapify on any sub-tree in the heap in a bottom up manner.

We define a randomized procedure Build-Heap-1:• Uses Heapify-1 procedure• The procedure Works in a Top-Bottom manner. • Returns a permutation (tree).

For any random choice:

Build-heap(Build-heap-1(H)) = H

Uniformly Chosen Heaps

• Build-heap is a Many-To-One procedure.• Build-heap-1 is a One-To-Many procedure

depending on the random choices.

Support(H) : The set of permutations (trees) such that build-heap(T) = H

Facts (without proof):1.For each heap H the size of Support(H) is

the same.2.Build-heap-1 returns one of these permutations

uniformly.

How to Obtain a Weak History Independent

Heap

Main idea: keeping a uniformly random heap at all time.

We want:1.Build-heap: Return one of the possible

heaps uniformly.

2.Other operations: preserve this property.

Heap Implementation

Build-Heap and Increase-key are easy to handle.

• A simple extension of standard operation. • Efficiency maintained.

Extract-Max, Insert:The standard extract-max and Insert operations are NOT weakly history independent.

Naive Implementation: Extract-max

Extract-max(H)1. T = build-heap-1(H)2. Remove the last node v in the tree (T’).3. H’ = build-heap(T’)4. If we already removed the maximal value

return H’ Otherwise:5. Replace the root with v and let v sift down

to its correct position.

build-heap-1 and build-heap works in O(n)

… but this implementation is history independent.

Improving Complexity: Extract-max

First 3 steps of Extract-max(H)1.T = build-heap-1(H)2.Remove the last node v in the tree.3.H’ = build-heap(T’)

Main problem - steps 1 to 3 that takes O(n).

Simple observation reduces the complexity of these steps to O(log2(n)) instead of O(n)

Reducing the Complexity to O(log2(n))

Observation: Most of the operations of build-heap-1 are redundant. They are always canceled by the operation of build-heap. Only the operations applied on nodes lying on the path from the root to the last leaf are needed. 10

7 9

36 4 8

1 5 2

Complexity analysis: • Each heapify-1 and heapify

operation takes at most O(log n).

• There are O(log n) such operations.

Reducing the Complexity:O(log(n)) Expected Time

This is the most complex part

Main ideas:• We can show that there are actually O(1)

operations of heapify-1 and heapify that make a difference (in average over the random choices made by the algorithm in each step).

• We can detect these operations and apply only them.

Conclusions1.Demanding strong history independence

usually requires a high efficiency penalty in the comparison based model.

2.Weak history independent heap in the

comparison-based model without penalty,

Complexity:• build-heap - O(n) worst case. • increase-key - O(log n) worst case.• extract-max, insert- O(log n) expected

time, O(log2n) worst case.

Open Questions

1.Is weak and strong History independence different in terms of efficiency also in the general (not comparison-based) model ?

2.History independent implementation of more data structures.

Thank you