oblivious search trees
March 2002 / CMU
Maverick Woo
Oblivious Search Trees
The Art of Remembering The-Right-Thing™
2
Move To Front
A linked list of keys
Search(x)
  Scans the list for x
  Moves x to the front
Example: Search(“the onion”)
  Before: slashdot, dilbert, the onion, …, citeseer
  After: the onion, slashdot, dilbert, …, citeseer
3
The-Right-Thing?
If this is how my browser stores my web-site cookies…
  slashdot, dilbert, the onion, …, citeseer
/. is not Research…
Plus, that’s not crypto!!!
4
Concept
History Dependence
5
Dictionary
Represents a set of keys
Supports a very typical interface
  Create()
  Insert(x)
  Search(x)
  Delete(x)
6
Move To Front, Again
A linked list maintained by the MTF rule is an implementation of Dictionary
But would the interface allow you to infer that I visit /. VERY often?
  slashdot, dilbert, the onion, …, citeseer
7
Ideally
If some information is not available through the “legitimate” interface, then it should not be available even with full access to the system.
8
Oblivious
Informal definition
A data structure is said to be oblivious if it does not give out any knowledge about the sequence of update operations that have been applied to it other than the final result of the operations.
9
Sounds Cool...
But then, how should we represent a Dictionary in an oblivious way?
10
Sorted List
Canonical form ⇒ Obliviousness
But it’s not efficient!
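Added example (not from the original slides): the Move To Front list and the sorted list, run over two constructed browsing histories that end with the same set of keys. The function names and the histories are assumptions made for this illustration.

```python
def mtf_search(lst, x):
    """Search(x) under the MTF rule: scan for x, then move it to the front."""
    if x in lst:
        lst.remove(x)
    lst.insert(0, x)      # a key seen for the first time is placed at the front

def mtf_layout(history):
    """Stored list after replaying a history of Search calls."""
    lst = []
    for x in history:
        mtf_search(lst, x)
    return lst

def sorted_layout(history):
    """Canonical form: the layout is a function of the key set alone."""
    return sorted(set(history))

def last_access_order(history):
    """Keys ordered by most recent access, computed from the history itself."""
    seen = []
    for x in reversed(history):
        if x not in seen:
            seen.append(x)
    return seen

# Constructed histories: the same four sites, different browsing behaviour.
HIST_A = ["citeseer", "the onion", "dilbert", "slashdot", "slashdot"]
HIST_B = ["slashdot", "dilbert", "citeseer", "the onion"]

if __name__ == "__main__":
    print("MTF A:   ", mtf_layout(HIST_A))     # equals last_access_order(HIST_A)
    print("MTF B:   ", mtf_layout(HIST_B))     # same keys, different layout
    print("sorted A:", sorted_layout(HIST_A))  # identical for both histories
    print("sorted B:", sorted_layout(HIST_B))
```

Anyone who reads the stored MTF list recovers the order of last accesses exactly, which the Dictionary interface never exposes; the sorted list gives both histories the same layout.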
11
Search Trees
Can be viewed as a sorted list
[Figure: search tree with K at the root, C and S below it, and A, F, P, X at the bottom]
12
Splay Trees
By design exploit history…
[Figure: tree on keys 1 to 7]
13
2-3 Trees As Sorted Lists
Mark Brown and Robert Tarjan
Design and Analysis of A Data Structure for Representing Sorted Lists
@ SIAM JC 1980
14
Example 2-3 Sorted List
(Yes, “G” is missing. :P)
[Figure: 2-3 tree over leaves A B C D E F H I J K L M; root H; second level (B, D) and J; third level A, C, (E, F), I and (K, L); legend: 2-node, 3-node, leaf]
What are the keys in nodes?
15
Structure
Internal nodes store “glue” keys; external leaves store “actual” keys
Each node
  Has d ∈ {2, 3} children (degree)
  Contains keys of the rightmost leaves from the first (d-1) sub-trees
16
Example 2-3 Sorted List
Insert(“G”)
  Locate target
[Figure: the example tree, with G being located at node (E, F)]
17
Example 2-3 Sorted List
Insert(“G”)
  Insert as leaf
[Figure: leaf G added; node (E, F) becomes (E, F, G)]
18
Example 2-3 Sorted List
Insert(“G”)
  Overflow
[Figure: node (E, F, G) overflows; key F is marked]
19
Example 2-3 Sorted List
Insert(“G”)
  Node splitting
[Figure: (E, F, G) is split into E and G; the parent becomes (B, D, F)]
20
Example 2-3 Sorted List
Insert(“G”)
  Overflow
[Figure: node (B, D, F) overflows; key D is marked]
21
Example 2-3 Sorted List
Insert(“G”)
  Node splitting
[Figure: (B, D, F) is split into B and F; the root becomes (D, H), above B, F and J]
22
Curious?
Why do we want the leaves?
[Figure: the tree after Insert(“G”)]
23
Finger Search
Accessing a key ranked d away takes O(log d) time
[Figure: the tree after Insert(“G”)]
24
Oblivious?
[Figure: two histories on 2-3 trees: initial leaves A B C E followed by Insert(“D”), and initial leaves A C D E followed by Insert(“B”)]
25
Truth
Any other known deterministic search trees are history dependent
AVL trees
2-3 trees (actually, all a-b trees)
Red-Black trees
Splay trees
Why???
26
Lower Bound
Arne Andersson, Thomas Ottmann
New Tight Bounds On Uniquely Represented Dictionaries
@ FOCS 1991
Either Search or Update must require (n^(1/3)) time
27
Concept
Got Random?
28
Oblivious 2-3 Tree
Daniele Micciancio (then MIT, now UCSD)
Oblivious Data Structures: Applications to Cryptography
@ STOC 1997
29
Issue At Hand
How do 2-3 trees “leak”?
Degree of node gives out too much information
30
Solution
Randomize the degree!
Degrees should split uniformly between 2 and 3
31
Definition
Let M be a set of operations, and S be a set of algorithms implementing them. We say S is oblivious if:
for any two sequences of operations p1, p2, …, pn and q1, q2, …, qm that lead to the same set of values, the executions of these sequences have identical output probability distributions.
32
Oblivious 2-3 Tree
Create(L)
  Create a tree based on sorted list L
Insert(i, b, T)
  Insert b as the i-th key into T
  For this talk, i is an input to Insert
Delete(i, T)
  Delete the i-th key in T
Note: b doesn’t need to have order
33
Structure
Internal nodes store size of span; external leaves store keys
Degree of nodes is either 2 or 3
  Except on right spine, where it can be 1
[Figure: leaves A B C D E with span labels 2, 5 and 12]
34
Slight Modification
To make the (later) proof easier, I added level-links on internal nodes.
Usage: can now find the next node on the same level in O(1) time.
[Figure: leaves A B C D E with span labels 2, 5 and 12]
To make figures cleaner, level links will be implicit.
35
Disclaimer
Paper contains no correctness proof.
Plus, now that I made some changes.
All mistakes are mine
36
Create
Create(L), where L is sorted
  Start with L at bottom level
  Build nodes in level j by traversing nodes in level (j+1)
    Pick d from {2, 3} u.a.r.
    Assign next d available nodes at level (j+1) to new node at level j
    Span is sum of the spans of the d sub-trees
  Continue collapsing until root
37
Create Example
L = {“A”, …, “F”, “H”, …, “M”}
[Figure: leaves A B C D E F H I J K L M; bottom-level nodes with spans 2, 2, 3, 2, 2, 1; next level with spans 7 and 5; root with span 12]
38
Coin Flips Required
Worst case when n = 2^k + 1 and all coins give 2
[Figure: tree annotated with the counts 2^k − 1, k and 1]
(2^k − 1) + 1 + k = 2^k + k = n − 1 + ⌊log(n)⌋
39
Checkpoint
Make sure you can dry-run Create.
[Figure: the Create Example tree: bottom-level spans 2, 2, 3, 2, 2, 1; next level 7 and 5; root 12]
40
Insert - Requirement
What do we want from Insert(i, b, T)?
  “Preserve randomness”
Insert(i, b, Create(L)) ~ Create(L’)
  where L’ = { L[1…i-1], b, L[i…n] } and n = |L|
A ~ B: A and B have the same distribution
41
Insert - Easy Algorithm
Extract L from the tree
Modify L to get L’
Run Create(L’)
Surely we have Insert(i, b, Create(L)) ~ Create(L’)
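Added example (not from the talk or the paper): a sketch of Create(L) and of the easy Insert described in the slides above, with nodes as plain dicts holding a span and a list of children. The function names and the injectable coin parameter, used here to replay a fixed coin sequence, are assumptions.

```python
import random

def create(leaves, coin=None):
    """Create(L): returns (root, coin_flips) for a non-empty sorted list L."""
    if not leaves:
        raise ValueError("L must be non-empty")
    coin = coin or (lambda: random.choice((2, 3)))      # d from {2, 3} u.a.r.
    level = [{"span": 1, "kids": [], "key": k} for k in leaves]
    flips = 0
    while len(level) > 1:                               # collapse until root
        parents, i = [], 0
        while i < len(level):
            d = coin()
            flips += 1
            kids = level[i:i + d]       # right spine may receive fewer than d
            parents.append({"span": sum(k["span"] for k in kids), "kids": kids})
            i += d
        level = parents
    return level[0], flips

def leaves_of(node):
    """Extract L from the tree, left to right."""
    if not node["kids"]:
        return [node["key"]]
    return [k for child in node["kids"] for k in leaves_of(child)]

def insert_easy(i, b, root, coin=None):
    """Easy Insert: rebuild from L' = L[1..i-1], b, L[i..n] (i is 1-based)."""
    L = leaves_of(root)
    return create(L[:i - 1] + [b] + L[i - 1:], coin)

def spans_by_level(root):
    """Span labels per level, root first, for comparison with the figures."""
    out, level = [], [root]
    while level:
        out.append([n["span"] for n in level])
        level = [k for n in level for k in n["kids"]]
    return out

def fixed_coins(seq):
    """Replay a constructed coin sequence instead of random flips."""
    it = iter(seq)
    return lambda: next(it)

if __name__ == "__main__":
    coins = fixed_coins([2, 2, 3, 2, 2, 2, 3, 3, 2])   # constructed sequence
    root, flips = create(list("ABCDEFHIJKLM"), coins)
    print(spans_by_level(root)[:3], flips)
    print(leaves_of(insert_easy(7, "G", root)[0]))
```

With the constructed coin sequence the spans match the Create Example figure, and forcing every coin to 2 on n = 2^k + 1 leaves reproduces the worst-case flip count from the Coin Flips Required slide.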
42
Insert - High Level Idea
First 3 steps
  Locate the old i-th leaf
  Mark the root to leaf path
  Insert the new leaf to parent node
    If not on right spine, “delete” all nodes to the right.
    Otherwise, “special treatment”.
43
Insert Example
Insert(7, “G”, T)
  First, locate the 7-th leaf
[Figure: the Create Example tree (spans 7 and 5 under root 12) with the new leaf G. Callout: range on brown path may need to be changed later]
44
Insert Example
“H” is now an excess…
[Figure: tree diagram for this step]
45
Insert Example
Imagine all the nodes to the right are gone. In reality, don’t do anything!!!
[Figure: tree diagram for this step]
46
Insert - High Level Idea
(continued)
  Flip coins and group leaves as in Create(L’)
  If the outcomes ever synchronize, update span on root path and stop.
  Otherwise, continue at the level above.
47
Insert Example
Coin gives either 2 or 3. Let’s say it’s 3.
[Figure: tree diagram for this step. Callout: notice the brown path changed: can exploit level-links]
48
Insert Example
The structures synchronize. Update span on root path and stop.
[Figure: tree diagram for this step; the spans on the root path are now 6 and 13]
49
Why can we stop?
All possible futures are the same in Create(L) and Create(L’).
(Really Important)
[Figure: tree diagram for this step]
50
Structural Agreement Lemma
If, in a level, Create(L) and Create(L’) agree structurally, then all possible futures coincide.
[Figure: tree diagram for this step]
51
Insert Example
What if coin gave 2?
“Just do it.”
[Figure: tree diagram for this step]
52
Insert Example
Now if coin says 3, we will synchronize and again finish early.
[Figure: tree diagram for this step]
53
Insert Example
But let’s say it’s 2. Duh…
[Figure: tree diagram for this step]
54
Insert Example
At this point, we flip another coin and finish this level for sure.
[Figure: tree diagram for this step]
55
Insert Example
We didn’t really “synchronize”. Perhaps need to proceed in upper level?
[Figure: tree diagram for this step]
56
Checkpoint
Is it clear how to do the bottom level?
[Figure: tree diagram for this step]
57
Insert Example
It’s synchronized actually. But it’s always safe to continue running.
[Figure: tree diagram for this step. Callout: not so for running time]
58
Observation
If we happen to synchronize in the bottom level, then we finish early.
Otherwise, the root path must have shifted to the right spine.
[Figure: leaves A B C D E with span labels 2, 5 and 12. Callout: there is an exception…]
59
Insert Example
Current state of imaginary Create(L’)
[Figure: tree diagram for this step]
60
Insert Example
Do we need to flip a coin here?
[Figure: tree diagram for this step, with a “?” at the node in question]
61
Insert Example
No. It’s safe to reuse all coins until the descendants of “current” node.
(Really Important)
[Figure: tree diagram for this step]
62
Independence
Create(L): 2,2,3,2,2,3,3,?,?,?,?,?,? …
Create(L’): 2,2,3,2,2,3,3,?,?,?,?,?,? …
[Figure: tree diagram for this step]
63
Insert Example
Right spine is tricky. We may or may not need one more coin.
[Figure: tree diagram for this step]
64
Insert Example
What could happen in Create(L’)?
[Figure: two cases over leaves H I J K L M, labelled “Get 2” and “Get 3”; span labels 6, 5, 4, 2 and d/c]
65
Insert Example
Q: How to decide which case really “happened” in Create(L’)?
A: You don’t. Flip a coin (and pray…)
[Figure: the two cases over leaves H I J K L M from the previous slide]
66
Insert Example
It’s 3!!!
Both futures coincide.
[Figure: tree diagram for this step; the right subtree now has span 6]
67
Insert Example
Update the size on the root path and stop.
[Figure: tree diagram for this step; the root now has span 13]
68
Insert Example
It could have been 2 as well. Flip one more coin and continue to upper level.
[Figure: tree diagram for this step; span labels 4, 2 and d/c on the right]
69
Insert Example
Q: Why isn’t this “synchronized”?
A: Structural Agreement Lemma does not apply.
[Figure: tree diagram for this step]
70
Insert Example
Same argument at root. We need to flip a coin.
[Figure: tree diagram for this step]
71
Insert Example
If it’s 3, we are done.
[Figure: tree diagram for this step; the root now has span 13]
72
Insert Example
If it’s 2… create a new root node and stop.
[Figure: tree diagram for this step; the new root has span 13]
73
Checkpoint
Is the example clear?
[Figure: tree diagram for this step]
74
Actually...
One special case is not specified. Let me work with the easier tree.
[Figure: the tree with spans 7 and 6 under root 13]
75
Insert Example
Insert(4, “X”, T)
[Figure: tree diagram for this step; X is inserted before D]
76
Insert Example
First coin gives 2…
Second coin gives 2…
[Figure: tree diagram for this step; leaves A B C X grouped as 2 and 2]
77
Insert Example
Do we call this “synchronized” or not?
Plus, who is the parent?
[Figure: tree diagram for this step]
78
Insert Example
Yes, this is synchronized for this level. But, we can’t finish early. Why?
[Figure: tree diagram for this step]
79
Insert Example
Structural Agreement Lemma does not apply.
[Figure: tree diagram for this step]
80
Insert Example
The beautiful trick is: “By I.H.”
[Figure: tree diagram for this step]
81
Insert Example
“I.H.”???
[Figure: the tree from the Insert(7, “G”, T) example]
82
Insert Example
This is yet another Insert invocation.
[Figure: tree diagram for this step]
83
Running Time
Future Plan
  Show expected O(1) work per level w.h.p.
O(log n) levels ⇒ expected O(log n) time w.h.p.
84
Per Level Work
Either on right spine or not
If so, must be constant work.
If not so, consider general cases…
85
Per Level Work
Situation
  Can have 1 or 2 excess nodes
Future
  Next node in Create(L) can be 2- or 3
  Next coin in Create(L’) can give 2 or 3
86
Excess - 1
[Figure: case analysis for one excess node: groupings of the leaves E F G H … when the next degree is 2 or 3]
87
Excess - 2
[Figure: case analysis for two excess nodes: groupings of the leaves D E F G H … when the next degree is 2 or 3]
88
Almost Done
Other Business
89
Delete
What? I should have slides for that too?
Similar to Insert
90
Memory Representation
Memory allocator may give out memory blocks with increasing address…
91
Reference
Moni Naor, Vanessa Teague
Anti-persistence: History Independent Data Structures
@ STOC 2001
92
Other Oblivious Search Trees
Treaps
  All randomized BST realizations would do
Skip Lists
93
Expectation
Oblivious 2-3 Trees
  Taken over the coin flips within one invocation of Insert
Skip List and Treaps
  Taken over the coin flips across all invocations of Insert
94
Treap Advertisement
Treaps are good…
Can use an 8-way independent hash function to generate priorities
After hash is chosen, no randomness is involved
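Added example (not from the slides): a treap whose priorities come from a fixed hash, showing that different update histories over the same keys produce the identical tree. SHA-256 with a constructed salt stands in for the 8-way independent hash function, and the tuple node layout and function names are assumptions.

```python
import hashlib

def prio(key, salt=b"constructed-salt"):
    """Priority of a key; SHA-256 is a stand-in for the chosen hash function."""
    return hashlib.sha256(salt + key.encode()).digest()

def insert(node, key):
    """Nodes are immutable tuples (key, left, right); returns the new root."""
    if node is None:
        return (key, None, None)
    k, l, r = node
    if key == k:
        return node
    if key < k:
        l = insert(l, key)
        if prio(l[0]) > prio(k):                 # rotate right
            return (l[0], l[1], (k, l[2], r))
        return (k, l, r)
    r = insert(r, key)
    if prio(r[0]) > prio(k):                     # rotate left
        return (r[0], (k, l, r[1]), r[2])
    return (k, l, r)

def merge(a, b):
    """Join two treaps where every key in a is smaller than every key in b."""
    if a is None or b is None:
        return a or b
    if prio(a[0]) > prio(b[0]):
        return (a[0], a[1], merge(a[2], b))
    return (b[0], merge(a, b[1]), b[2])

def delete(node, key):
    if node is None:
        return None
    k, l, r = node
    if key == k:
        return merge(l, r)
    if key < k:
        return (k, delete(l, key), r)
    return (k, l, delete(r, key))

def run(ops):
    """Replay a list of ('ins' | 'del', key) operations from an empty treap."""
    root = None
    for op, key in ops:
        root = insert(root, key) if op == "ins" else delete(root, key)
    return root
```

Once the hash is fixed, the shape is a function of the key set alone, so a key that was inserted and later deleted leaves no trace in the tree structure; the memory-allocation caveat from the Memory Representation slide still applies to any real implementation.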
95
Crypto
Incremental Signature
96
Digital Signature
Imagine typing a document in a text editor that maintains the digital signature
Expensive to re-sign the whole document with every keystroke
T
--------------------B9ECE18C950AFBFA6B0FDBFA4FF731D3
Th
--------------------EEEB9A8EB45DD351D9EC0EB4ACCE66CE
The
--------------------A4704FD35F0308287F2937BA3ECCF5FE
There will be data structures. There will be crypto. There will be Maverick…what else do you need?
--------------------B97799DE817E55BCC3ADE4370246EB0D
…
97
Incremental Signature
Given the previous document D’ and its signature ’
Apply operation f to obtain D = f(D’)
New signature of D can be computed quickly from D’, ’ and f
98
Example Scheme
Let S be a non-incremental signing algorithm.
To start, we sign the first document D’ by S to get = S(D’)
99
Example Scheme
Let ’ = S(D’), D = f(D’) and f’ be “undo” of f, i.e. f(f’(D))=D
Compute = S(’ :: f)
Output (, ’, f, f’) as incremental signature
A::B: A concat. with B
100
Example Scheme
To verify (, ’, f, f’) w.r.t. D
   = S(’ :: f)
  D = f(f’(D))
  ’ is a valid incremental signature of f’(D)
101
Example Scheme
Probably secure
Definitely NOT private
  Final signature contains all previous undo information
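Added example (not from the slides): the Example Scheme over a constructed edit format, showing that the undo information carried in the final signature exposes text that was deleted from the document. HMAC-SHA256 under a constructed key stands in for the signing algorithm S, and the edit format and all function names are assumptions.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"   # constructed key for the stand-in signer

def S(msg):
    """Stand-in for the non-incremental signer S (HMAC-SHA256, an assumption)."""
    return hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()

def apply_op(op, doc):
    """Hypothetical edit format: ('ins', pos, text) or ('del', pos, text)."""
    kind, pos, text = op
    if kind == "ins":
        return doc[:pos] + text + doc[pos:]
    if doc[pos:pos + len(text)] != text:
        raise ValueError("delete does not match the document")
    return doc[:pos] + doc[pos + len(text):]

def undo_of(op):
    kind, pos, text = op
    return ("del" if kind == "ins" else "ins", pos, text)

def sign_first(doc):
    return {"tag": S(doc)}

def sign_update(prev, f):
    """New tag = S(previous signature :: f); the output carries prev, f and f'."""
    tag = S(prev["tag"] + "::" + json.dumps(f))
    return {"tag": tag, "prev": prev, "f": f, "undo": undo_of(f)}

def verify(sig, doc):
    if "prev" not in sig:                        # first document: S(D')
        return hmac.compare_digest(sig["tag"], S(doc))
    expected = S(sig["prev"]["tag"] + "::" + json.dumps(sig["f"]))
    if not hmac.compare_digest(sig["tag"], expected):
        return False
    try:
        older = apply_op(sig["undo"], doc)       # f'(D)
        if apply_op(sig["f"], older) != doc:     # D = f(f'(D))
            return False
    except ValueError:
        return False
    return verify(sig["prev"], older)            # previous signature on f'(D)

def leaked_history(sig):
    """Undo operations readable from the final signature, newest first."""
    out = []
    while "prev" in sig:
        out.append(sig["undo"])
        sig = sig["prev"]
    return out
```

Signing "pay alice 100", deleting "alice" and inserting "bob" yields a signature that verifies against "pay bob 100" and still contains ('ins', 4, 'alice') in its undo chain.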
102
Tree Signature
M. Bellare, O. Goldreich, S. Goldwasser
Incremental Cryptography and Application to Virus Protection
@ STOC 1995
103
More Realistically
Surveillance video camera which time stamps and signs each image frame
104
End
Questions?