Secure and Efficient Metering by Moni Naor and Benny Pinkas Vincent Collado Olga Toporovsky Alex...
-
date post
21-Dec-2015 -
Category
Documents
-
view
220 -
download
0
Transcript of Secure and Efficient Metering by Moni Naor and Benny Pinkas Vincent Collado Olga Toporovsky Alex...
Secure and Efficient Meteringby Moni Naor and Benny Pinkas
Vincent Collado
Olga Toporovsky
Alex Kogan
Marina Lapkina
Igor Iulis
Introduction• Definition
– Servers serve a large number of clients
– Metering scheme required to count the number of clients that are served by a server
• Motivation– To measure the popularity of web pages in
order to decide on advertisement fees• Must be impartial and accurate
Other Applications
• Interaction between a server and a predefined target audience
• Royalties payments
• Usage based accounting between data networks
Terminology
Server - S
Audit Agency - A
Scenario
Client 1 - C1
Client 2 - C2
Client 3 - C3
Client 4 - C4
Requirements• Security
– server should not be able to inflate the count
– Should be protected from subversive clients
• Efficiency
– Essential to preserve existing communication pattern
– Computation and memory overheads should be minimal
• Accuracy
– Should be as accurate as possible
Requirements• Privacy
– Should not degrade privacy of clients and servers– Should not require servers to store details of
every visit and send them to the audit agency
• Turnover– Measure turnover of clients– Should be possible to tell whether clients who
visit a server during a certain day have also visited in previous days
Metering System
• Naive implementation– Gives each client a certified signature
key– Client is required to sign a
confirmation to each visit– Server can present list of signed
confirmations as proof
Problems• Accurate
– Requires clients to perform public key signature for each visit
• Inefficient– Size of server’s proof is same as number of
visits
– Does not preserve privacy• Audit agency obtains lists with signed
confirmations
Previous Work• Two main methods
– Sampling the activities of group web clients
– Installing an audit module in web sites
• These solutions only offer “lightweight security”– Clients can refrain from helping servers
– Servers can improve their count
– measurement variances can be relatively high
Secret Sharing Schemes
• k-out-of-n secret sharing scheme– Audit agency divides a secret into n
shares (n = number of clients)• When a client visits a server it gives it its
share
– k shares is sufficient to recover the secret
– No k-1 shares disclose any information about the secret
Deficiencies
• Essentially “one-time”
• Robustness– Servers should be able to identify
corrupt shares
• Recovery of secret can be inefficient– Number of visits can be very large
Basic Scheme
• Initialization– A chooses a random bivariate
polynomial P(x,y) over a finite field Zp, of degree k-1 in x and d-1 in y
– A then sends the univariate polynomial QC(y) = P(C,y) to each C
• QC is a restriction of P(x,y) to the line x=C, and is of degree d-1
Basic Scheme
• Regular Operation– When C approaches S in time frame t,
it sends S the value QC(Sο t)
• Proof Generation– After k clients have approached in t, S
has k values, {P(Ci,Sο t)} over (1, k)
– Interpolate and compute P(0,Sο t)– A can verify by evaluating P at (0,Sο t)
Security• Corrupt C can donate his P
– Server can evaluate P at all (C,y)
– Needs one less client to prove k visits
• Corrupt S can donate data from previous clients– Equivalent to k coefficients per t
• P should be replaced at least every d time frames – Against coalitions of servers
Robustness• If a few shares are incorrect, the server
cannot reconstruct the secret• Error correction codes can be used to
reconstruct the secret of a k-out-of-n secret sharing scheme– There must be k + 2t shares, where at most t
of them are corrupt
– May not be sufficient if there are many corrupt clients
Verifiable Secret Sharing (VSS)
• Enables recipients to verify that shares are correct
• Non-interactive VSS schemes– S has to verify each share with A– Uses large multiplicative groups
• So extracting discrete logarithms is hard
– Highly inefficient, thus not suitable for metering
More Efficient Scheme
• A asks C to communicate a value u to S
• C generates values a,b and computes v = au + b mod p
• C sends u,a, and b to S
• S returns u and v– If they don’t match then the
transmission was corrupted
Robust Metering Scheme
• Initialization– Every C receives P and V
• Operation– At t, C sends S the values P(C, Sο t)
and V(C, Sο t)– S evaluates A and B, verifying V = AP
+ B at (C, Sο t)
Anonymity• Initialization
– A generates P and QC(y) of degree u for every C
• Operation– When C visits S at t it sends it the values
QC(h),P(QC(h),h), where h = Sο t
– With k values, the server can interpolate P(x,h) and calculate the proof P(0,h)
Open Problems
• More efficient schemes can be used for limited number of measurements
• Unlimited measurements require public key operations– Less efficient
• Must design private key based systems
Open Problems
• Preset a certain k for each t, – Server proves at least k visits– Acceptable for long-term relationship
between A and S– For other settings it would be
preferable to have a totally dynamic metering scheme
• Measure any number of visits in any granularity
Alternative Solution
• Micropayments– Each visit requires the client to send a
small sum of “money” to the server– Server can prove hits by how large
sum of “money” is