Secure and Efficient Metering - JHU Department of Computer Science
Transcript of Secure and Efficient Metering - JHU Department of Computer Science
![Page 1: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/1.jpg)
Secure and Efficient Metering
Moni Naor and Benny PinkasEurocrypt '98
![Page 2: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/2.jpg)
Contents
Motivation One approach Lightweight Security Secure and Efficient Metering
![Page 3: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/3.jpg)
Motivation
Advertising– Webpage popularity– Cost
Measure server & client interaction Royalties payment
![Page 4: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/4.jpg)
Pay-Per-Click Scheme
AD BUY!!!
AdServer
Page A Page B
Client
![Page 5: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/5.jpg)
Hit Inflation
Alternatives– Pay-per-sale– Pay-per-lead
Page A Page B
Page C
Client
![Page 6: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/6.jpg)
SAWM: A Tool for Secure andAuthenticated Web Metering
Blundo and CimatoProceedings of the 14th InternationalConference on Software engineering andknowledge engineering 2002
![Page 7: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/7.jpg)
SAWM: A Tool for Secure andAuthenticated Web Metering Hash chaining Three participants
– Audit Agency– Client– Server
Parameters– Random seed w– Hash function H– Client identifier id– Number of applications k
![Page 8: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/8.jpg)
SAWM ProtocolClient Server
<id, k, w>
<id, Hk(w)>
Hk-j(w)
<id, V, counter>
Last token received
Audit
![Page 9: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/9.jpg)
Shortcomings
Requires client & audit agencyinteraction
Client and server can collude
Corrupt servers can share client tokens
Fake servers can collect tokens
![Page 10: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/10.jpg)
Auditable Metering withLightweight Security
Franklin and MalkhiFinancial Crypto 1997
![Page 11: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/11.jpg)
Auditable Metering withLightweight Security Hash function h Timing function F
– Apply hash function iteratively k times to x0such that xj+1 = h(xj)
– Fk(x0) = min{xj}, where 0<j≤k
xi
h(xi)
Fk(x0)
![Page 12: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/12.jpg)
Auditable Metering with Lightweight Security
Web serverClient Page request
Timing function
Execute timing function
<Fk(x0), x0, k>
Visit record
Audit agency
![Page 13: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/13.jpg)
Lightweight Security Auditing
Method 1– Determine low probability visit records
<Fk(x0),x0,k>– Verify these values
Method 2– y = Fk(x0)– Estimator function µ(y) that estimates k’– Check if estimator function approximates timing
function
![Page 14: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/14.jpg)
Lightweight Security Shortcomings
Client can cheat server Client can collude with server Does not take into account different
processing power of clients Costly verification Security based on statistical
probabilities
![Page 15: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/15.jpg)
Secure and Efficient Metering
Naor and PinkasEuroCrypt ‘98
![Page 16: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/16.jpg)
Secure and Efficient Metering
Uses variant of Shamir secret sharingscheme
Cryptographically secure scheme Requirements
– Security– Efficiency– Accuracy– Privacy– Turnover
![Page 17: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/17.jpg)
General Metering Scheme
α hS,t
Audit agency
Client (id) Server
challengea (hs,t, id)
id
responsea(challengea, α)
Challengeb(S||t)
responseb(responsea)
![Page 18: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/18.jpg)
Secure & Efficient Metering Parameters
Bivariate polynomial: P(x,y)– Degree k-1 in x
– Degree d-1 in y
– Finite field Zp
– Selected by audit agency
Client value: C
Server value: S
Time frame: t
![Page 19: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/19.jpg)
Secure and Efficient Metering Scheme
Audit agency
ClientServer
Qc(y)=P(C,y)
Qc(S||t)
P(0,S||t)
![Page 20: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/20.jpg)
Calculating P(0, S||t)
Use Lagrange interpolation
C1C2
P(0,S||t)
X
Y P(C1, y) P(C2, y)
![Page 21: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/21.jpg)
Security Analysis
Without k visits, server has 1/p chances offinding P(0, S||t)
Corrupt clients can collude with servers
Corrupt servers can donate client informationfrom previous time frames
Polynomial P replaced every d times frames
![Page 22: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/22.jpg)
Robustness
Corrupt clients can give the serverwrong values
Even with wrong values, a servershould still be able to prove it had kvisits
Non-interactive verifiable secret sharing
![Page 23: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/23.jpg)
Robustness Verifiable Secret Sharing for Shamir’s scheme
[Feldman87]
Participantsgs,gf1
Computer
Computer
Dealer S1
Computer
S2
S3
g is the generator of a groupAbort
(2,3) VSS scheme
![Page 24: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/24.jpg)
<u,v> <a,b>
<u,v>
S verifies:v au + b mod p
Client
Audit Agency
Server
Calculate a,b,v such that,v = au +b mod p
Robustness: Alternate Method Audit agency wants the client to tell the server u.
![Page 25: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/25.jpg)
Robustness
P(x,y): degree k-1 in x, degree d-1 in y
A(x,y): degree a in x and b in y
B(y): degree b in y
Audit Agency calculates:
V(x,y) = A(x,y)・P(x,y) + B(y)
![Page 26: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/26.jpg)
Robustness
P(C,y), V(C,y) A(x,S||ti), B(S||ti)
P(C, S||t), V(C, S||t)
Verifies:V = AP+B
Client
Audit Agency
Server
Calculates:V = AP+B
![Page 27: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/27.jpg)
Robustness
C X
Y
S V(x,S||t)
A(C,S||t)*P(C,S||t)+B(S||t)
A(x,y)*P(x,y)+B(y)
![Page 28: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/28.jpg)
Robustness Audit agency must compute V, A and B Server must store A and B for all time frames t Server must compute A and B for each client
that visits Server must check V=AP+B Client must evaluate V for each server and
time frame Additional communication overhead
![Page 29: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/29.jpg)
Increasing Efficiency Divide k into n classes
n = k/k’
n random polynomials: P1(x,y)… Pn(x,y) Map clients randomly to {1,…,n} Client gets respective polynomial Pi(x,y) Client sends class along with Pi(C, S||t) Server only needs k’ clients from a class to
interpolate
![Page 30: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/30.jpg)
Increasing Efficiency
Coupon Collector problem
Given a set of possible outcomes, what isthe expected number of events before theentire set of possible outcomes occurs
![Page 31: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/31.jpg)
Coupon Collector Example 3 toys: A,B,C Probability of obtaining any toy is 1/3 Expected time to collect all 3
= E[waiting time for 1st toy] +E[waiting time for 2nd toy] +E[waiting time for 3rd toy]
= 3/3 + 3/2 + 3/1= 5.5 tries
![Page 32: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/32.jpg)
Increased Efficiency Audit agency must produce multiple
polynomials Audit agency must map clients to
polynomials and store the mapping Server must store the client’s class as well
as Pi(C, S||t) Client must store it’s class with the
polynomial P Probabilistic scheme rather than deterministic
![Page 33: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/33.jpg)
Unlimited Use Scheme
Basic scheme requires replacing Pafter d time frames
Unlimited use scheme parameters– generator g– random value r
![Page 34: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/34.jpg)
Unlimited Use SchemeClient Server
Audit Agency
gr
P(C), gP(C)
grP(C), proofgr
grP(0)
![Page 35: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/35.jpg)
Unlimited Use Scheme
Decisional Diffie-Hellman– Given ga, gb, y, compute if y == gab
Computational Diffie-Hellman– Given g, ga, gb, compute gab
– In this case, the server has g, gr and grP(Ci),where 0< i < k
– If it can calculate grP(0) it can break CDH
![Page 36: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/36.jpg)
Unlimited Use Scheme
Client proof construction– Same as robustness scheme
– Audit agency calculates V(x,y), A(x,y) andB(y) such that when x = C and y = S,
grV = grP(C)AgB mod p
![Page 37: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/37.jpg)
Unlimited Use Scheme
ClientServer
Audit Agency
gr, A, BV, P(C)
V, gP(C)
Verifies:grV = grP(C)AgrB mod p
![Page 38: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/38.jpg)
Unlimited Use Scheme Exponentiation of polynomials is
computationally expensive
Each time frame a new r is used and gr mustbe calculated
Additional communication overhead betweenaudit agency and server
Server must verify grV = grP(C)AgrB mod p
![Page 39: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/39.jpg)
Anonymity
Preserves client privacy over multipletime periods
Instead of P(C,y), have P(Qc(y),y)– Qc(y): random polynomial of degree u
• where y = S||t– Qc(y) changes for each time period
![Page 40: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/40.jpg)
Anonymity
Qc(y)
P(Qc(y),y)
S||t2
S||t1
S||t3
Client C2Client C1
![Page 41: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/41.jpg)
Anonymity
Audit agency must now generate Qc(y)
Clients must store Qc(y)
Clients must calculate Qc(y) for eachvisit
Corrupt audit agencies can cooperatewith servers to track client activity
![Page 42: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/42.jpg)
Variants
![Page 43: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/43.jpg)
Variants: Metering Period
Servers have varying amounts of traffic
Replace timeframe t with challenge h
Allows for variable metering periods
Server now sends h to client when a pageis requested
![Page 44: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/44.jpg)
Variants: Metering Period Servers now send h Servers may try to send false h values
Client Server
h, P(x, h+1)P(C,y)
h, P(C, h+1)
Audit Agency
P(C,h)
P(0,h)
![Page 45: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/45.jpg)
Variants: Client Turnover
Advertising agencies may want todetermine client loyalty
Aids in developing payment schemes
Detects corrupt servers
![Page 46: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/46.jpg)
Variants: Client Turnover Audit agency sends server challenge t with
domain c*k and hash function h with rangec*k
After receiving c*k new clients, server should
find griP(C) such that h(griP(C))= t
![Page 47: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/47.jpg)
Variants: Adaptability
Servers with less traffic may never see kclients for a given time frame
Decrease k to allow more fine grainedmeasurements
If server receives k’<k, ask for k-k’polynomial values to complete interpolation
Server sets k’
![Page 48: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/48.jpg)
Open Problems
Efficient schemes limited usage times Unlimited use schemes inefficient Value for k must be preset
– Cannot tolerate the number of clientschanging
– Even under adaptability scheme, k is stillpreset
![Page 49: Secure and Efficient Metering - JHU Department of Computer Science](https://reader031.fdocuments.net/reader031/viewer/2022020706/61fca4269d50e757a521fb7a/html5/thumbnails/49.jpg)
Questions