Secure and Efficient Metering by Moni Naor and Benny Pinkas Vincent Collado Olga Toporovsky Alex...

Secure and Efficient Metering by Moni Naor and Benny Pinkas

Vincent Collado

Olga Toporovsky

Alex Kogan

Marina Lapkina

Igor Iulis

Introduction

• Definition

– Servers serve a large number of clients

– Metering scheme required to count the number of clients that are served by a server

• Motivation

– To measure the popularity of web pages in order to decide on advertisement fees

• Must be impartial and accurate

Other Applications

• Interaction between a server and a predefined target audience

• Royalties payments

• Usage based accounting between data networks

Terminology

Server - S

Audit Agency - A

Scenario

Client 1 - C1

Client 2 - C2

Client 3 - C3

Client 4 - C4

Requirements

• Security

– Server should not be able to inflate the count

– Should be protected from subversive clients

• Efficiency

– Essential to preserve existing communication pattern

– Computation and memory overheads should be minimal

• Accuracy

– Should be as accurate as possible

Requirements

• Privacy

– Should not degrade privacy of clients and servers

– Should not require servers to store details of every visit and send them to the audit agency

• Turnover

– Measure turnover of clients

– Should be possible to tell whether clients who visit a server during a certain day have also visited in previous days

Metering System

• Naive implementation

– Gives each client a certified signature key

– Client is required to sign a confirmation to each visit

– Server can present list of signed confirmations as proof

Problems

• Accurate

– Requires clients to perform public key signature for each visit

• Inefficient

– Size of server’s proof is same as number of visits

– Does not preserve privacy

• Audit agency obtains lists with signed confirmations

Previous Work

• Two main methods

– Sampling the activities of a group of web clients

– Installing an audit module in web sites

• These solutions only offer “lightweight security”

– Clients can refrain from helping servers

– Servers can improve their count

– Measurement variances can be relatively high

Secret Sharing Schemes

• k-out-of-n secret sharing scheme

– Audit agency divides a secret into n shares (n = number of clients)

• When a client visits a server it gives it its share

– k shares are sufficient to recover the secret

– No k-1 shares disclose any information about the secret

Deficiencies

• Essentially “one-time”

• Robustness

– Servers should be able to identify corrupt shares

• Recovery of secret can be inefficient

– Number of visits can be very large

Basic Scheme

• Initialization

– A chooses a random bivariate polynomial P(x,y) over a finite field Z_p, of degree k-1 in x and d-1 in y

– A then sends the univariate polynomial Q_C(y) = P(C,y) to each C

• Q_C is a restriction of P(x,y) to the line x=C, and is of degree d-1

Basic Scheme

• Regular Operation

– When C approaches S in time frame t, it sends S the value Q_C(S∘t)

• Proof Generation

– After k clients have approached in t, S has k values, {P(C_i, S∘t)} for i = 1, ..., k

– Interpolate and compute P(0, S∘t)

– A can verify by evaluating P at (0, S∘t)
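
The basic scheme above, end to end, as an added example (not code from the slides or from Naor and Pinkas): A deals the polynomial, each client answers with Q_C(h), and S interpolates P(0, h) from k answers. The modulus, the hash encoding of S∘t, the client identifiers and the name server.example are assumptions made for the illustration.

```python
import hashlib
import secrets

P_MOD = 2**61 - 1  # prime field modulus (assumed; the slides only say Z_p)

def make_poly(k, d):
    """Audit agency A: random P(x,y), degree k-1 in x, d-1 in y; coeffs[i][j] multiplies x^i y^j."""
    return [[secrets.randbelow(P_MOD) for _ in range(d)] for _ in range(k)]

def eval_poly(coeffs, x, y):
    """Evaluate P(x, y) mod p (A uses this at x = 0 to check a proof)."""
    return sum(c * pow(x, i, P_MOD) * pow(y, j, P_MOD)
               for i, row in enumerate(coeffs)
               for j, c in enumerate(row)) % P_MOD

def client_poly(coeffs, c):
    """Q_C(y) = P(C, y): the univariate restriction A sends to client C."""
    return [sum(row[j] * pow(c, i, P_MOD) for i, row in enumerate(coeffs)) % P_MOD
            for j in range(len(coeffs[0]))]

def client_visit(q_c, h):
    """Client evaluates Q_C(h) and hands the value to the server."""
    return sum(a * pow(h, j, P_MOD) for j, a in enumerate(q_c)) % P_MOD

def frame_point(server, t):
    """Map S∘t to a field element (this hash encoding is an assumption)."""
    digest = hashlib.sha256(f"{server}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % P_MOD

def server_proof(shares):
    """Server S: Lagrange-interpolate the points (C_i, P(C_i, h)) at x = 0."""
    total = 0
    for ci, vi in shares:
        num = den = 1
        for cj, _ in shares:
            if cj != ci:
                num = num * (-cj) % P_MOD
                den = den * (ci - cj) % P_MOD
        total = (total + vi * num * pow(den, -1, P_MOD)) % P_MOD
    return total

def run_demo(k=4, d=3, clients=(11, 22, 33, 44, 55)):
    """Return (proof from k visits verifies, proof from k-1 visits verifies)."""
    coeffs = make_poly(k, d)
    h = frame_point("server.example", 7)   # constructed server name and time frame
    shares = [(c, client_visit(client_poly(coeffs, c), h)) for c in clients]
    expected = eval_poly(coeffs, 0, h)     # the value A compares the proof against
    return server_proof(shares[:k]) == expected, server_proof(shares[:k - 1]) == expected
```

With only k-1 visits the interpolated value differs from P(0, h) except with probability about 1/p, which is why the proof attests to at least k distinct clients.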

Security

• Corrupt C can donate his P

– Server can evaluate P at all (C,y)

– Needs one less client to prove k visits

• Corrupt S can donate data from previous clients

– Equivalent to k coefficients per t

• P should be replaced at least every d time frames

– Against coalitions of servers

Robustness

• If a few shares are incorrect, the server cannot reconstruct the secret

• Error correction codes can be used to reconstruct the secret of a k-out-of-n secret sharing scheme

– There must be k + 2t shares, where at most t of them are corrupt

– May not be sufficient if there are many corrupt clients

Verifiable Secret Sharing (VSS)

• Enables recipients to verify that shares are correct

• Non-interactive VSS schemes

– S has to verify each share with A

– Uses large multiplicative groups

• So extracting discrete logarithms is hard

– Highly inefficient, thus not suitable for metering

More Efficient Scheme

• A asks C to communicate a value u to S

• C generates values a,b and computes v = au + b mod p

• C sends u,a, and b to S

• S returns u and v

– If they don’t match then the transmission was corrupted

Robust Metering Scheme

• Initialization

– Every C receives P and V

• Operation

– At t, C sends S the values P(C, S∘t) and V(C, S∘t)

– S evaluates A and B, verifying V = AP + B at (C, S∘t)

Anonymity

• Initialization

– A generates P and Q_C(y) of degree u for every C

• Operation

– When C visits S at t it sends it the values Q_C(h), P(Q_C(h), h), where h = S∘t

– With k values, the server can interpolate P(x,h) and calculate the proof P(0,h)

Open Problems

• More efficient schemes can be used for limited number of measurements

• Unlimited measurements require public key operations

– Less efficient

• Must design private key based systems

Open Problems

• Preset a certain k for each t

– Server proves at least k visits

– Acceptable for long-term relationship between A and S

– For other settings it would be preferable to have a totally dynamic metering scheme

• Measure any number of visits in any granularity

Alternative Solution

• Micropayments

– Each visit requires the client to send a small sum of “money” to the server

– Server can prove hits by how large sum of “money” is
