19 research outputs found
Incremental Edge Orientation in Forests
For any forest G = (V, E) it is possible to orient the edges E so that no vertex in V has out-degree greater than 1. This paper considers the incremental edge-orientation problem, in which the edges E arrive over time and the algorithm must maintain a low-out-degree edge orientation at all times. We give an algorithm that maintains a maximum out-degree of 3 while flipping at most O(log log n) edge orientations per edge insertion, with high probability in n. The algorithm requires worst-case time O(log n log log n) per insertion, and takes amortized time O(1). The previous state of the art required up to O(log n / log log n) edge flips per insertion.
We then apply our edge-orientation results to the problem of dynamic Cuckoo hashing. The problem of designing simple families ? of hash functions that are compatible with Cuckoo hashing has received extensive attention. These families ? are known to satisfy static guarantees, but do not come typically with dynamic guarantees for the running time of inserts and deletes. We show how to transform static guarantees (for 1-associativity) into near-state-of-the-art dynamic guarantees (for O(1)-associativity) in a black-box fashion. Rather than relying on the family ? to supply randomness, as in past work, we instead rely on randomness within our table-maintenance algorithm
Cuckoo Hashing in Cryptography: Optimal Parameters, Robustness and Applications
Cuckoo hashing is a powerful primitive that enables storing items using small space with efficient querying. At a high level, cuckoo hashing maps items into entries storing at most items such that each item is placed into one of randomly chosen entries. Additionally, there is an overflow stash that can store at most items. Many cryptographic primitives rely upon cuckoo hashing to privately embed and query data where it is integral to ensure small failure probability when constructing cuckoo hashing tables as it directly relates to the privacy guarantees.
As our main result, we present a more query-efficient cuckoo hashing construction using more hash functions. For construction failure probability , the query overhead of our scheme is . Our scheme has quadratically smaller query overhead than prior works for any target failure probability . We also prove lower bounds matching our construction. Our improvements come from a new understanding of the locality of cuckoo hashing failures for small sets of items.
We also initiate the study of robust cuckoo hashing where the input set may be chosen with knowledge of the hash functions. We present a cuckoo hashing scheme using more hash functions with query overhead that is robust against poly adversaries. Furthermore, we present lower bounds showing that this construction is tight and that extending previous approaches of large stashes or entries cannot obtain robustness except with query overhead.
As applications of our results, we obtain improved constructions for batch codes and PIR. In particular, we present the most efficient explicit batch code and blackbox reduction from single-query PIR to batch PIR
SSE and SSD: Page-Efficient Searchable Symmetric Encryption
International audienceSearchable Symmetric Encryption (SSE) enables a client to outsource a database to an untrusted server, while retaining the ability to securely search the data. The performance bottleneck of classic SSE schemes typically does not come from their fast, symmetric cryptographic operations, but rather from the cost of memory accesses. To address this issue, many works in the literature have considered the notion of locality, a simple design criterion that helps capture the cost of memory accesses in traditional storage media, such as Hard Disk Drives. A common thread among many SSE schemes aiming to improve locality is that they are built on top of new memory allocation schemes, which form the technical core of the constructions. The starting observation of this work is that for newer storage media such as Solid State Drives (SSDs), which have become increasingly common, locality is not a good predictor of practical performance. Instead, SSD performance mainly depends on page efficiency, that is, reading as few pages as possible. We define this notion, and identify a simple memory allocation problem, Data-Independent Packing (DIP), that captures the main technical challenge required to build page-efficient SSE. As our main result, we build a page-efficient and storage-efficient data-independent packing scheme, and deduce the Tethys SSE scheme, the first SSE scheme to achieve at once O(1) page efficiency and O(1) storage efficiency. The technical core of the result is a new generalization of cuckoo hashing to items of variable size. Practical experiments show that this new approach achieves excellent performance
Alibi: A Flaw in Cuckoo-Hashing based Hierarchical ORAM Schemes and a Solution
There once was a table of hashes
That held extra items in stashes
It all seemed like bliss
But things went amiss
When the stashes were stored in the caches
The first Oblivious RAM protocols introduced the ``hierarchical solution,\u27\u27
(STOC \u2790) where the servers store a series of hash tables of geometrically increasing capacities.
Each ORAM query would read a small number of locations from each level of the hierarchy,
and each level of the hierarchy would be reshuffled and rebuilt at geometrically increasing intervals to ensure that
no single query was ever repeated twice at the same level. This yielded an ORAM protocol with polylogarithmic overhead.
Future works extended and improved the hierarchical solution, replacing traditional hashing with cuckoo
hashing (ICALP \u2711) and cuckoo hashing with a combined stash (Goodrich et al. SODA \u2712).
In this work, we identify a subtle flaw in the protocol of Goodrich et al. (SODA \u2712)
that uses cuckoo hashing with a stash in the hierarchical ORAM solution.
We give a concrete distinguishing attack against this type of hierarchical ORAM
that uses cuckoo hashing with a combined stash.
This security flaw has propagated to at least 5 subsequent
hierarchical ORAM protocols,
including the recent optimal ORAM scheme, OptORAMa (Eurocrypt \u2720).
In addition to our attack, we identify a simple fix that
does not increase the asymptotic complexity.
We note, however, that our attack only affects more recent hierarchical ORAMs,
but does not affect the early protocols that predate the use of cuckoo hashing,
or other types of ORAM solutions (e.g. Path ORAM or Circuit ORAM)
Strongly universal string hashing is fast
We present fast strongly universal string hashing families: they can process
data at a rate of 0.2 CPU cycle per byte. Maybe surprisingly, we find that
these families---though they require a large buffer of random numbers---are
often faster than popular hash functions with weaker theoretical guarantees.
Moreover, conventional wisdom is that hash functions with fewer multiplications
are faster. Yet we find that they may fail to be faster due to operation
pipelining. We present experimental results on several processors including
low-powered processors. Our tests include hash functions designed for
processors with the Carry-Less Multiplication (CLMUL) instruction set. We also
prove, using accessible proofs, the strong universality of our families.Comment: Software is available at
http://code.google.com/p/variablelengthstringhashing/ and
https://github.com/lemire/StronglyUniversalStringHashin
On Risks of Using a High Performance Hashing Scheme with Common Universal Classes
The contribution of this thesis is a mathematical analysis a high
performance hashing scheme called cuckoo hashing when combined with two very simple and efficient classes of functions that we refer to as the multiplicative class and the linear class, respectively. We prove that cuckoo hashing tends to work badly with these classes. In order to show this, we investigate how the inner structure of such functions influences the behavior of the cuckoo scheme when a set of keys is inserted into initially empty tables. Cuckoo Hashing uses two tables of size each. It is known that the insertion of an arbitrary set of size for an arbitrary constant (which yields a \emph{load factor} of up to ) fails with probability if the hash functions are chosen from an -wise independent class. This leads to the result of expected amortized constant time for a single insertion. In contrast to this we prove lower bounds of the following kind: If is a uniformly random chosen set of size (leading to a load factor of only (!)) then the insertion of fails with probability , or even with probability , if the hash functions are either hosen from the multiplicative or the linear class. This answers an open question that was already raised by the inventors of cuckoo hashing, Pagh and Rodler, who observed in experiments that cuckoo hashing exhibits a bad behavior when combined with the multiplicative class. Our results implicitly show that the quality of pairwise independence is not sufficient for a hash class to work well with cuckoo hashing. Moreover, our work exemplifies that a recent result of Mitzenmacher and Vadhan, who prove that under certain constraints simple universal functions yield values that are highly independent and very lose to uniform random, has to be applied with care: It may not hold if the constraints are not satisfied.Der Beitrag dieser Dissertation ist die mathematische Analyse eines
Hashing-Verfahrens namens Cuckoo Hashing in Kombination mit einfachen,
effizient aus\-wertbaren Funktionen zweier Hashklassen, die wir die
multiplikative Klasse bzw. die lineare Klasse nennen. Cuckoo Hashing hat
die deutliche Tendenz, mit Funktionen dieser beiden Klassen schlecht zu
funktionieren. Um dies zu beweisen, untersuchen wir den Einfluss der
inneren Struktur solcher Funktionen auf das Verhalten des
Cuckoo-Verfahrens, wenn der Versuch unternommen wird, eine SchlĂŒsselmenge
in anfangs leere Tabellen einzufĂŒgen. Cuckoo Hashing verwendet
zwei Tabellen der jeweiligen GröĂe . Man weiĂ, dass die
EinfĂŒgung einer beliebigen Menge der GröĂe fĂŒr eine
beliebige Konstante (was einen Lastfaktor
von bis zu liefert) mit Wahrscheinlichkeit
fehlschlÀgt, falls die Hashfunktionen aus einer -fach
unabhĂ€ngigen Klasse gewĂ€hlt werden. Damit lĂ€Ăt sich beweisen, dass die
erwarteten amortisierten Kosten einer einzelnen EinfĂŒgung konstant
sind. DemgegenĂŒber beweisen wir untere Schranken der folgenden Art:
Wenn eine uniform zufĂ€llig gewĂ€hlte SchlĂŒsselmenge der GröĂe ist
(Lastfaktor (!)), dann schlĂ€gt die EinfĂŒgung von mit
groĂer Wahrscheinlichkeit , oder sogar , fehl, falls
Funktionen der multiplikativen bzw. der linearen Klasse gewÀhlt
werden. Damit beantworten wir eine Frage, die bereits von Pagh und
Rodler aufgeworfen wurde, als sie mit Hilfe von Experimenten
feststellten, dass es riskant ist, Cuckoo Hashing mit Funktionen der
multiplikativen Klasse zu kombinieren. Unsere Resultate zeigen, dass
paarweise UnabhÀngigkeit und uniforme Vertei\-lung der Hashwerte
keine Garantie dafĂŒr ist, dass Cuckoo Hashing gut funktioniert. Zudem
machen unsere Ergebnisse exemplarisch deutlich, dass bei der
Anwendung eines kĂŒrzlich veröffentlichten Resultates von Mitzenmacher und
Vadhan, welches besagt, dass selbst Funktionen aus einfachen, schwach
universellen Klassen unter gewissen Bedingungen zu hochgradig
unabhĂ€ngigen und fast uniform zufĂ€lligen Werten fĂŒhren können,
Vorsicht geboten ist: Falls dessen Bedingungen nicht erfĂŒllt sind,
gilt es unter UmstÀnden nicht