Secure and Efficient Meteringby Moni Naor and Benny Pinkas

Vincent Collado

Olga Toporovsky

Alex Kogan

Marina Lapkina

Igor Iulis

Introduction• Definition

– Servers serve a large number of clients

– Metering scheme required to count the number of clients that are served by a server

• Motivation– To measure the popularity of web pages in

order to decide on advertisement fees• Must be impartial and accurate

Other Applications

• Interaction between a server and a predefined target audience

• Royalties payments

• Usage based accounting between data networks

Terminology

Server - S

Audit Agency - A

Scenario

Client 1 - C1

Client 2 - C2

Client 3 - C3

Client 4 - C4

Requirements• Security

– server should not be able to inflate the count

– Should be protected from subversive clients

• Efficiency

– Essential to preserve existing communication pattern

– Computation and memory overheads should be minimal

• Accuracy

– Should be as accurate as possible

Requirements• Privacy

– Should not degrade privacy of clients and servers– Should not require servers to store details of

every visit and send them to the audit agency

• Turnover– Measure turnover of clients– Should be possible to tell whether clients who

visit a server during a certain day have also visited in previous days

Metering System

• Naive implementation– Gives each client a certified signature

key– Client is required to sign a

confirmation to each visit– Server can present list of signed

confirmations as proof

Problems• Accurate

– Requires clients to perform public key signature for each visit

• Inefficient– Size of server’s proof is same as number of

visits

– Does not preserve privacy• Audit agency obtains lists with signed

confirmations

Previous Work• Two main methods

– Sampling the activities of group web clients

– Installing an audit module in web sites

• These solutions only offer “lightweight security”– Clients can refrain from helping servers

– Servers can improve their count

– measurement variances can be relatively high

Secret Sharing Schemes

• k-out-of-n secret sharing scheme– Audit agency divides a secret into n

shares (n = number of clients)• When a client visits a server it gives it its

share

– k shares is sufficient to recover the secret

– No k-1 shares disclose any information about the secret

Deficiencies

• Essentially “one-time”

• Robustness– Servers should be able to identify

corrupt shares

• Recovery of secret can be inefficient– Number of visits can be very large

Basic Scheme

• Initialization– A chooses a random bivariate

polynomial P(x,y) over a finite field Zp, of degree k-1 in x and d-1 in y

– A then sends the univariate polynomial QC(y) = P(C,y) to each C

• QC is a restriction of P(x,y) to the line x=C, and is of degree d-1

Basic Scheme

• Regular Operation– When C approaches S in time frame t,

it sends S the value QC(Sο t)

• Proof Generation– After k clients have approached in t, S

has k values, {P(Ci,Sο t)} over (1, k)

– Interpolate and compute P(0,Sο t)– A can verify by evaluating P at (0,Sο t)

Security• Corrupt C can donate his P

– Server can evaluate P at all (C,y)

– Needs one less client to prove k visits

• Corrupt S can donate data from previous clients– Equivalent to k coefficients per t

• P should be replaced at least every d time frames – Against coalitions of servers

Robustness• If a few shares are incorrect, the server

cannot reconstruct the secret• Error correction codes can be used to

reconstruct the secret of a k-out-of-n secret sharing scheme– There must be k + 2t shares, where at most t

of them are corrupt

– May not be sufficient if there are many corrupt clients

Verifiable Secret Sharing (VSS)

• Enables recipients to verify that shares are correct

• Non-interactive VSS schemes– S has to verify each share with A– Uses large multiplicative groups

• So extracting discrete logarithms is hard

– Highly inefficient, thus not suitable for metering

More Efficient Scheme

• A asks C to communicate a value u to S

• C generates values a,b and computes v = au + b mod p

• C sends u,a, and b to S

• S returns u and v– If they don’t match then the

transmission was corrupted

Robust Metering Scheme

• Initialization– Every C receives P and V

• Operation– At t, C sends S the values P(C, Sο t)

and V(C, Sο t)– S evaluates A and B, verifying V = AP

+ B at (C, Sο t)

Anonymity• Initialization

– A generates P and QC(y) of degree u for every C

• Operation– When C visits S at t it sends it the values

QC(h),P(QC(h),h), where h = Sο t

– With k values, the server can interpolate P(x,h) and calculate the proof P(0,h)

Open Problems

• More efficient schemes can be used for limited number of measurements

• Unlimited measurements require public key operations– Less efficient

• Must design private key based systems

Open Problems

• Preset a certain k for each t, – Server proves at least k visits– Acceptable for long-term relationship

between A and S– For other settings it would be

preferable to have a totally dynamic metering scheme

• Measure any number of visits in any granularity

Alternative Solution

• Micropayments– Each visit requires the client to send a

small sum of “money” to the server– Server can prove hits by how large

sum of “money” is