March 2002 / CMU

Maverick Maverick WooWoo

Oblivious Search TreesOblivious Search Trees

The Art of RememberingThe-Right-Thing™

2

Move To FrontMove To Front

a linked list of keys

Search(x)Scans the list for x

Move x to the front

Example: Search(“the onion”)

slashdotslashdot dilbertdilbert the onionthe onion … citeseerciteseer

the onionthe onion slashdotslashdot dilbertdilbert citeseerciteseer…

3

The-Right-Thing?The-Right-Thing?

If this is how my browser stores my web-site cookies…

slashdotslashdot dilbertdilbert the onionthe onion … citeseerciteseer

/. Is not Research…

Plus, that’s not crypto!!!

4

ConceptConcept

HistoryDependence

5

DictionaryDictionary

Represents a set of keys

Supports a very typical interfaceCreate()Insert(x)Search(x)Delete(x)

6

Move To Front, AgainMove To Front, Again

Link list maintained by the MTF rule is an implementation of Dictionary

But would the interface allow you to infer that I visit /. VERY often?slashdotslashdot dilbertdilbert the onionthe onion … citeseerciteseer

7

IdeallyIdeally

If some information is not available through the “legitimate” interface, then it should not be available even with full access to the system.

8

ObliviousOblivious

Informal definition

A data structure is said to be oblivious if it does not give out any knowledge about the sequence of update operations that have been applied to it other than the final result of the operations.

9

Sounds Cool...Sounds Cool...

But then, how should we represent a Dictionary in an oblivious way?

10

Sorted ListSorted List

Canonical form ) Obliviousness

But it’s not efficient!

11

Search TreesSearch Trees

Can be viewed as sorted list

A F P X

C S

K

12

Splay TreesSplay Trees

By design exploithistory… 1

2

3

4

5

6

7

13

2-3 Trees As Sorted Lists2-3 Trees As Sorted Lists

Mark Brown and Robert Tarjan

Design and Analysis of A Data Structure for Representing Sorted Lists

@ SIAM JC 1980

14

Example 2-3 Sorted ListExample 2-3 Sorted List

(Yes, “G” is missing. :P)

A B C D E F H I J K L M

A C I K, L

B, D J

H

E, F

2-node

3-node

leaf

What are the keys in nodes?What are the keys in nodes?

15

StructureStructure

Internal nodes store “glue” keys;External leaves store “actual” keys

Each nodeHas d 2 {2, 3} children (degree)Contains keys of the rightmost leaves from the first (d-1) sub-trees

16

Example 2-3 Sorted ListExample 2-3 Sorted List

Insert(“G”)Locate target

A B C D E F H I J K L M

A C I K, L

B, D J

H

G

E, F

G

G

17

Example 2-3 Sorted ListExample 2-3 Sorted List

Insert(“G”)Insert as leaf

A B C D E F H I J K L M

A C I K, L

B, D J

H

G

E, F, G

18

Example 2-3 Sorted ListExample 2-3 Sorted List

Insert(“G”)Overflow

F

A B C D E F H I J K L M

A C I K, L

B, D J

H

G

E, F, G

19

Example 2-3 Sorted ListExample 2-3 Sorted List

Insert(“G”)Node splitting

A B C D E F H I J K L M

A C I K, L

B, D, F J

H

G

E G

20

Example 2-3 Sorted ListExample 2-3 Sorted List

Insert(“G”)Overflow

D

A B C D E F H I J K L M

A C I K, L

B, D, F J

H

G

E G

21

Example 2-3 Sorted ListExample 2-3 Sorted List

Insert(“G”)Node splitting

A B C D E F H I J K L M

A C I K, L

J

D, H

G

E G

B F

22

Curious?Curious?

Why do we want the leaves?

A B C D E F H I J K L M

A C I K, L

J

D, H

G

E G

B F

23

Finger SearchFinger Search

Accessing a key ranked d away take O(log d) time

A B C D E F H I J K L M

A C I K, L

J

D, H

G

E G

B F

24

Oblivious?Oblivious?

Initial

Insert(“D”)

Initial

Insert(“B”)

B

A

A B C E

C

C

A

A C D E

D

B

A

A B C E

C,D

D

C

A,B

A C D E

D

B

25

TruthTruth

Any other known deterministic search trees are history dependent

AVL trees

2-3 trees (actually, all a-b trees)

Red-Black trees

Splay trees

Why???

26

Lower BoundLower Bound

Arne Andersson, Thomas OttmannNew Tight Bounds On Uniquely

Represented Dictionaries@ FOCS 1991

Either Search or Update must require (n1/3) time

27

ConceptConcept

GotRandom?

28

Oblivious 2-3 TreeOblivious 2-3 Tree

Daniele Micciancio(then MIT, now UCSD)Oblivious Data Structures:

Applications to Cryptography@ STOC 1997

29

Issue At HandIssue At Hand

How do 2-3 trees “leak”?

Degree of node gives out too much information

30

Solution Solution

Randomize the degree!

Degrees should split uniformly between 2 and 3

31

DefinitionDefinition

Let M be a set of operations, and S be a set of algorithms implementing them. We say S is oblivious if:

for any two sequences of operations p1, p2, …, pn and q1, q2, …, qm that leads to the same set of values,the execution of these sequences have identical output probability distributions.

32

Oblivious 2-3 TreeOblivious 2-3 Tree

Create(L)Create a tree based on sorted list L

Insert(i, b, T)Insert b as the i-th key into T

For this talk, i is an input to Insert

Delete(i, T)Delete the i-th key in T

b doesn’t needto have order

b doesn’t needto have order

33

StructureStructure

Internal nodes store size of span;External leaves store keys

Degree of nodes is either 2 or 3Except on right spine, where it can be 1

2

A B C ED

5

12

34

Slight ModificationSlight Modification

To make the (later) proof easier, I added level-links on internal nodes.

Usage: can now find the next node on the same level in O(1) time.

2

A B C ED

5

12To make figures

cleaner, level linkswill be implicit.

To make figurescleaner, level links

will be implicit.

35

DisclaimerDisclaimer

Paper contains no correctness proof.

Plus, now that I made some changes.

All mistakes are mine

36

CreateCreate

Create(L)Start with L at bottom levelBuild nodes in level j by traversing nodes in level (j+1)

Pick d from {2, 3} u.a.r.Assign next d available nodes at level (j+1) to new node at level jSpan is sum of the spans of the d sub-trees

Continue collapsing until root

L is sortedL is sorted

37

Create ExampleCreate Example

L = {“A”, …, “F”, “H”, …, “M”}

A B C D E F H I J K L M

2

2

3

2

2

1

7

5

12

38

Coin Flips RequiredCoin Flips Required

Worst case when n = 2k+1 and all coins give 2

2k-1 k

1 2k-1 + 1 + k= 2k + k= n – 1 + b log(n) c

39

CheckpointCheckpoint

Make sure you can dry-run Create.

A B C D E F H I J K L M

2

2

3

2

2

1

7

5

12

40

Insert - RequirementInsert - Requirement

What do we want from Insert(i, b, T)?“Preserve randomness”

Insert(i, b, Create(L)) ~ Create(L’)where L’ = { L[1…i-1], b, L[i…n] }and n = |L|

A ~ BA and B have the same distribution

A ~ BA and B have the same distribution

41

Insert - Easy AlgorithmInsert - Easy Algorithm

Extract L from the treeModify L to get L’Run Create(L’)

Surely we have Insert(i, b, Create(L)) ~ Create(L’)

42

Insert - High Level IdeaInsert - High Level Idea

First 3 stepsLocate the old i-th leaf

Mark the root to leaf path

Insert the new leaf to parent nodeIf not on right spine, “delete” all nodes to the right.Otherwise, “special treatment”.

43

5

Insert ExampleInsert Example

Insert(7, “G”, T)First, locate the 7-th leaf

A B C D E F H I J K L M

2 2 2

7

12

3 2 1

G

Range on brownpath may need tobe changed later

Range on brownpath may need tobe changed later

44

5

Insert ExampleInsert Example

“H” is now an excess…

A B C D E F H I J K L M

2 2 2

7

12

3 2 1

G

45

5

Insert ExampleInsert Example

Imagine all the nodes to the right are gone. In reality, don’t do anything!!!

A B C D E F H I J K L M

2 2 2

7

12

3 2 1

G

46

Insert - High Level IdeaInsert - High Level Idea

(continue)Flip coins and group leaves as in Create(L’)If the outcomes ever synchronize, update span on root path and stop.Otherwise, continue at the above level.

47

5

Insert ExampleInsert Example

Coin gives either 2 or 3.Let’s say it’s 3.

A B C D E F

2 2 2

7

12

3

G K L

2 1

MH I J

3

Notice the brownpath changed: can exploit level-links

Notice the brownpath changed: can exploit level-links

48

6

Insert ExampleInsert Example

The structures synchronize.Update span on root path and stop.

A B C D E F H I J K L

2 2

7

13

3 2

G

3 1

M

49

Why can we stop?Why can we stop?

All possible futures are the same in Create(L) and Create(L’).

Really ImportantReally

Important

5

A B C D E F

2 2 2

7

12

3

G K L

2 1

MH I J

3

50

Structural Agreement Structural Agreement LemmaLemma

In a level, Create(L) and Create(L’) agree structurally, then all possible futures coincide.

5

A B C D E F

2 2 2

7

12

3

G K L

2 1

MH I J

3

51

5

Insert ExampleInsert Example

What if coin gave 2?“Just do it.”

A B C D E F H I J K L

2 2 2

7

12

3 2

G

2 1

M

52

5

Insert ExampleInsert Example

Now if coin says 3, we will synchronize and again finish early.

A B C D E F H I J K L

2 2 2

7

12

3 2 1

G

2

M

3

53

5

Insert ExampleInsert Example

But let’s say it’s 2. Duh…

A B C D E F H I J K L

2 2 2

7

12

3 2 1

G

2 2

M

54

5

Insert ExampleInsert Example

At this point, we flip another coin and finish this level for sure.

A B C D E F H I J K L M

2 2 2

7

12

3 2 1

G

2 2 2

55

5

Insert ExampleInsert Example

We didn’t really “synchronize”. Perhaps need to proceed in upper level?

A B C D E F H I J K L M

2 2

7

12

3

G

2 2 2

56

CheckpointCheckpoint

Is it clear how to do the bottom level?

A B C D E F H I J K L M

2 2

7

12

3

5

G

2 2 2

57

Insert ExampleInsert Example

It’s synchronized actually. But it’s always safe to continue running.

A B C D E F H I J K L M

2 2

7

12

3

5

G

2 2 2

Not so forrunning timeNot so for

running time

58

ObservationObservation

If we happen to synchronize in the bottom level, then we finish early.

Otherwise, the root path must have shifted to the right spine.

2

A B C ED

5

12

There is anexception…There is anexception…

59

Insert ExampleInsert Example

Current state of imaginary Create(L’)

A B C D E F H I J K L M

2 2

7

12

3

5

G

2 2 2

60

Insert ExampleInsert Example

Do we need to flip a coin here?

A B C D E F H I J K L M

2 2

7

12

3

5

G

2 2 2?

61

Insert ExampleInsert Example

No. It’s safe to reuse all coins until the descendants of “current” node.

A B C D E F H I J K L M

2 2

7

12

3

5

G

2 2 2

Really ImportantReally

Important

62

IndependenceIndependence

Create(L): 2,2,3,2,2,3,3,?,?,?,?,?,? …Create(L’): 2,2,3,2,2,3,3,?,?,?,?,?,? …

A B C D E F H I J K L M

2 2

7

12

3

5

G

2 2 2

63

Insert ExampleInsert Example

Right spine is tricky. We may or may not need one more coin.

A B C D E F H I J K L M

2 2

7

12

3

5

G

2 2 2

64

Insert ExampleInsert Example

What could happen in Create(L’)?

Get 2 Get 3

H I J K L M

6

2 2 2

H I J K L M

5

2 2 2

4 2 d/c

65

Insert ExampleInsert Example

Q: How to decide which case really“happened” in Create(L’)? A: You don’t. Flip a coin (and pray…)

H I J K L M

6

2 2 2

H I J K L M

5

2 2 2

4 2 d/c

66

Insert ExampleInsert Example

It’s 3!!!Both futures coincide.

A B C D E F H I J K L M

2 2

7

12

3

6

G

2 2 2

67

Insert ExampleInsert Example

Update the size on the root path and stop.

A B C D E F H I J K L M

2 2

7

13

3

6

G

2 2 2

68

Insert ExampleInsert Example

It could have been 2 as well. Flip one more coin and continue to upper level.

A B C D E F

2 2

7

12

3

G H I J K L M

5

2 2 2

4 2 d/c

69

Insert ExampleInsert Example

Q: Why isn’t this “synchronized”?A: Structural Agreement Lemma

does not apply.

A B C D E F

2 2

7

12

3

G H I J K L M

2 2 2

4 2

70

Insert ExampleInsert Example

Same argument at root.We need to flip a coin.

A B C D E F

2 2

7

12

3

G H I J K L M

2 2 2

4 2

71

Insert ExampleInsert Example

If it’s 3, we are done.

A B C D E F

2 2

7

13

3

G H I J K L M

2 2 2

4 2

72

Insert ExampleInsert Example

If it’s 2… create a newroot node and stop.

A B C D E F

2 2

7

11

3

G H I J K L M

2 2 2

4 2

2d/c

13

73

CheckpointCheckpoint

Is the example clear?

A B C D E F

2 2

7

11

3

G H I J K L M

2 2 2

4 2

2

13

74

Actually...Actually...

One special case is not specified.Let me work with the easier tree.

6

A B C D E F H I J K L

2 2

7

13

3 2

G

3 1

M

75

Insert ExampleInsert Example

Insert(4, “X”, T)

6

A B C X E F H I J K L

2 2

7

13

3 2

G

3 1

MD

76

Insert ExampleInsert Example

First coin gives 2…Second coin gives 2…

6

E F H I J K L

7

13

3 2

G

3 1

MD

2 2

A B C X

2 2

77

Insert ExampleInsert Example

Do we call this “synchronized” or not?

Plus, who is the parent?

6

E F H I J K L

7

13

3 2

G

3 1

MD

2 2

A B C X

2 2

78

Insert ExampleInsert Example

Yes, this is synchronized for this level. But, we can’t finish early. Why?

6

E F H I J K L

7

13

3 2

G

3 1

MD

2 2

A B C X

2 2

79

Insert ExampleInsert Example

Structural Agreement Lemma does not apply.

6

E F H I J K L

7

13

3 2

G

3 1

MD

2 2

A B C X

2 2

80

Insert ExampleInsert Example

The beautiful trick is: “By I.H.”

6

E F H I J K L

7

13

3 2

G

3 1

MD

2 2

A B C X

2 2

81

Insert ExampleInsert Example

“I.H.”???

5

A B C D E F H I J K L M

2 2 2

7

12

3 2 1

G

82

Insert ExampleInsert Example

This is yet another Insert invocation.

6

E F H I J K L

7

13

3 2

G

3 1

MD

2 2

A B C X

2 2

83

Running TimeRunning Time

Future PlanShow expected O(1) work per level w.h.p.

O(log n) levels ) expected O(log n) time w.h.p.

84

Per Level WorkPer Level Work

Either on right spine or not

If so, must be constant work.

If not so, consider general cases…

85

Per Level WorkPer Level Work

SituationCan have 1 or 2 excess nodes

FutureNext node in Create(L) can be 2- or 3Next coin in Create(L’) can give 2 or 3

86

Excess - 1Excess - 1

E F G

E F G H

2

3

…

…

E F G …

E F G …

E F G H …

E F G H …

2

3

3

2

87

Excess - 2Excess - 2

E F G

E F G H

2

3

…

…

D E G …

D E F …

D E F G …

D E F G …

2

3

3

2

D

D

F

G

2

H

H

3

88

Almost DoneAlmost Done

OtherBusiness

89

DeleteDelete

What? I should have slides for that too?

Similar to Insert

90

Memory RepresentationMemory Representation

Memory allocator may give out memory blocks with increasing address…

91

ReferenceReference

Moni Naor, Vanessa Teague

Anti-persistence:History IndependentData Structures

@ STOC 2001

92

Other Oblivious Search Other Oblivious Search TreesTrees

TreapsAll randomized BST realization would do

Skip Lists

93

ExpectationExpectation

Oblivious 2-3 TreesTaken over the coin flipswithin one invocation of Insert

Skip List and TreapsTaken over the coin flips across all invocations of Insert

94

Treap AdvertisementTreap Advertisement

Treaps are good… Treaps are good…

Can use a 8-way independent hash function to generate priorities

After hash is chosen, no randomness is involved

95

CryptoCrypto

IncrementalSignature

96

Digital SignatureDigital Signature

Imagine typing a document in a text editor that maintains the digital signature

Expensive to re-sign the whole document with every keystroke

T

--------------------B9ECE18C950AFBFA6B0FDBFA4FF731D3

Th

--------------------EEEB9A8EB45DD351D9EC0EB4ACCE66CE

The

--------------------A4704FD35F0308287F2937BA3ECCF5FE

There will be data structures. There will be crypto. There will be Maverick…what else do you need?--------------------B97799DE817E55BCC3ADE4370246EB0D

…

97

Incremental SignatureIncremental Signature

Given the previous document D’ and its signature ’

Apply operation f to obtain D = f(D’)

New signature of D can be computed quickly from D’, ’ and f

98

Example SchemeExample Scheme

Let S be a non-incremental signing algorithm.

To start, we sign the first document D’ by S to get = S(D’)

99

Example SchemeExample Scheme

Let ’ = S(D’), D = f(D’) and f’ be “undo” of f, i.e. f(f’(D))=D

Compute = S(’ :: f)

Output (, ’, f, f’) as incremental signature

A::B A concat. with B

A::B A concat. with B

100

Example SchemeExample Scheme

To verify (, ’, f, f’) w.r.t. D

=S(’ :: f)D = f(f’(D))’ is a valid incremental signature of f’(D)

101

Example SchemeExample Scheme

Probably secure

Definitely NOT privateFinal signature contains all previous undo information

102

Tree SignatureTree Signature

M. Bellare, O. Goldreich, S. Goldwasser

Incremental Cryptography and Application to Virus Protection@ STOC 1995

103

More RealisticallyMore Realistically

Surveillance video camera which time stamps and signs each image frame

104

EndEnd

Questions?