2
Secure and Efficient Metering
by Moni Naor and Benny Pinkas
Vincent Collado, Olga Toporovsky, Alex Kogan, Marina Lapkina, Igor Iulis
3
Introduction
Definition
–Servers serve a large number of clients
–Metering scheme required to count the number of clients that are served by a server
Motivation
–To measure the popularity of web pages in order to decide on advertisement fees
Must be impartial and accurate
4
Other Applications
Interaction between a server and a predefined target audience
Royalties payments
Usage based accounting between data networks
5
Terminology
Server - S
Audit Agency - A
Scenario
Client 1 - C1
Client 2 - C2
Client 3 - C3
Client 4 - C4
6
Requirements
Security
–Server should not be able to inflate the count
–Should be protected from subversive clients
Efficiency
–Essential to preserve existing communication pattern
–Computation and memory overheads should be minimal
Accuracy
–Should be as accurate as possible
7
Requirements
Privacy
–Should not degrade privacy of clients and servers
–Should not require servers to store details of every visit and send them to the audit agency
Turnover
–Measure turnover of clients
–Should be possible to tell whether clients who visit a server during a certain day have also visited in previous days
8
Metering System
Naive implementation
–Gives each client a certified signature key
–Client is required to sign a confirmation to each visit
–Server can present list of signed confirmations as proof
9
Problems
Accurate
–Requires clients to perform public key signature for each visit
Inefficient
–Size of server’s proof is same as number of visits
–Does not preserve privacy
  Audit agency obtains lists with signed confirmations
10
Previous Work
Two main methods
–Sampling the activities of a group of web clients
–Installing an audit module in web sites
These solutions only offer “lightweight security”
–Clients can refrain from helping servers
–Servers can improve their count
–Measurement variances can be relatively high
11
Secret Sharing Schemes
k-out-of-n secret sharing scheme
–Audit agency divides a secret into n shares (n = number of clients)
  When a client visits a server it gives it its share
–k shares are sufficient to recover the secret
–No k-1 shares disclose any information about the secret
12
Deficiencies
Essentially “one-time”
Robustness
–Servers should be able to identify corrupt shares
Recovery of secret can be inefficient
–Number of visits can be very large
13
Basic Scheme
Initialization
–A chooses a random bivariate polynomial P(x,y) over a finite field Z_p, of degree k-1 in x and d-1 in y
–A then sends the univariate polynomial Q_C(y) = P(C,y) to each C
  Q_C is a restriction of P(x,y) to the line x=C, and is of degree d-1
14
Basic Scheme
Regular Operation
–When C approaches S in time frame t, it sends S the value Q_C(S∘t)
Proof Generation
–After k clients have approached in t, S has k values, {P(C_i, S∘t)} for i = 1, ..., k
–Interpolate and compute P(0, S∘t)
–A can verify by evaluating P at (0, S∘t)
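The basic scheme end to end, as an added example that is not part of the original slides or the paper's own code. The modulus, the hash used to encode S∘t as a field element, and all function names are assumptions made for this sketch; client identities are assumed to be distinct non-zero field elements.

```python
import hashlib
import secrets

P_MOD = 2**127 - 1  # prime modulus for Z_p (parameter chosen for this sketch)

def horner(coeffs, v):
    """Evaluate sum(coeffs[i] * v**i) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * v + c) % P_MOD
    return acc

def h_of(server, frame):
    """Encode S∘t as a field element (hashing is an assumption, not from the slides)."""
    digest = hashlib.sha256(f"{server}|{frame}".encode()).digest()
    return int.from_bytes(digest, "big") % P_MOD

def make_poly(k, d):
    """A: random P(x,y), degree k-1 in x, d-1 in y; rows[i][j] multiplies x^i y^j."""
    return [[secrets.randbelow(P_MOD) for _ in range(d)] for _ in range(k)]

def eval_p(rows, x, y):
    """Evaluate P(x,y) mod p."""
    return horner([horner(row, y) for row in rows], x)

def client_poly(rows, c):
    """Q_C(y) = P(C, y): the only thing client C is given."""
    return [horner(col, c) for col in zip(*rows)]

def server_proof(shares):
    """S: Lagrange-interpolate P(x,h) at x=0 from {C_i: P(C_i,h)}."""
    total = 0
    for ci, yi in shares.items():
        num = den = 1
        for cj in shares:
            if cj != ci:
                num = num * -cj % P_MOD
                den = den * (ci - cj) % P_MOD
        total = (total + yi * num * pow(den, -1, P_MOD)) % P_MOD
    return total

def audit_verify(rows, server, frame, proof):
    """A: recompute P(0, S∘t) and compare with the server's claim."""
    return proof == eval_p(rows, 0, h_of(server, frame))

def demo(k=3, d=4, clients=(11, 22, 33)):
    """Constructed run: k visits to 'example-server' in time frame 1."""
    rows, h = make_poly(k, d), h_of("example-server", 1)
    shares = {c: horner(client_poly(rows, c), h) for c in clients}
    return audit_verify(rows, "example-server", 1, server_proof(shares))
```

Any k distinct clients yield the same proof for a given (S, t), while k-1 shares, a share altered in transit, or a proof replayed for another time frame fail the audit check.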
15
Security
Corrupt C can donate his P
–Server can evaluate P at all (C,y)
–Needs one less client to prove k visits
Corrupt S can donate data from previous clients
–Equivalent to k coefficients per t
P should be replaced at least every d time frames
–Against coalitions of servers
16
Robustness
If a few shares are incorrect, the server cannot reconstruct the secret
Error correction codes can be used to reconstruct the secret of a k-out-of-n secret sharing scheme
–There must be k + 2t shares, where at most t of them are corrupt
–May not be sufficient if there are many corrupt clients
17
Verifiable Secret Sharing (VSS)
Enables recipients to verify that shares are correct
Non-interactive VSS schemes
–S has to verify each share with A
–Uses large multiplicative groups
  So extracting discrete logarithms is hard
–Highly inefficient, thus not suitable for metering
18
More Efficient Scheme
A asks C to communicate a value u to S
C generates values a, b and computes v = au + b mod p
C sends u, a, and b to S
S returns u and v
–If they don’t match then the transmission was corrupted
19
Robust Metering Scheme
Initialization
–Every C receives P and V
Operation
–At t, C sends S the values P(C, S∘t) and V(C, S∘t)
–S evaluates A and B, verifying V = AP + B at (C, S∘t)
20
Anonymity
Initialization
–A generates P and Q_C(y) of degree u for every C
Operation
–When C visits S at t it sends it the values Q_C(h), P(Q_C(h), h), where h = S∘t
–With k values, the server can interpolate P(x,h) and calculate the proof P(0,h)
21
Open Problems
More efficient schemes can be used for limited number of measurements
Unlimited measurements require public key operations
–Less efficient
Must design private key based systems
22
Open Problems
Preset a certain k for each t
–Server proves at least k visits
–Acceptable for long-term relationship between A and S
–For other settings it would be preferable to have a totally dynamic metering scheme
  Measure any number of visits in any granularity
23
Alternative Solution
Micropayments
–Each visit requires the client to send a small sum of “money” to the server
–Server can prove hits by how large the sum of “money” is