Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure and Efficient Metering by Moni Naor and Benny Pinkas Vincent Collado Olga Toporovsky Alex Kogan Marina Lapkina Igor Iulis.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure and Efficient Metering by Moni Naor and Benny Pinkas Vincent Collado Olga Toporovsky Alex Kogan Marina Lapkina Igor Iulis."— Presentation transcript:

1

2 Secure and Efficient Metering by Moni Naor and Benny Pinkas Vincent Collado Olga Toporovsky Alex Kogan Marina Lapkina Igor Iulis

3 Introduction Definition –Servers serve a large number of clients –Metering scheme required to count the number of clients that are served by a server Motivation –To measure the popularity of web pages in order to decide on advertisement fees Must be impartial and accurate

4 Other Applications Interaction between a server and a predefined target audience Royalties payments Usage based accounting between data networks

5 Terminology Server - S Audit Agency - A Scenario Client 1 - C1 Client 2 - C2 Client 3 - C3 Client 4 - C4

6 Requirements Security –server should not be able to inflate the count –Should be protected from subversive clients Efficiency –Essential to preserve existing communication pattern –Computation and memory overheads should be minimal Accuracy –Should be as accurate as possible

7 Requirements Privacy –Should not degrade privacy of clients and servers –Should not require servers to store details of every visit and send them to the audit agency Turnover –Measure turnover of clients –Should be possible to tell whether clients who visit a server during a certain day have also visited in previous days

8 Metering System Naive implementation –Gives each client a certified signature key –Client is required to sign a confirmation to each visit –Server can present list of signed confirmations as proof

9 Problems Accurate –Requires clients to perform public key signature for each visit Inefficient –Size of server’s proof is same as number of visits –Does not preserve privacy Audit agency obtains lists with signed confirmations

10 Previous Work Two main methods –Sampling the activities of group web clients –Installing an audit module in web sites These solutions only offer “lightweight security” –Clients can refrain from helping servers –Servers can improve their count –measurement variances can be relatively high

11 Secret Sharing Schemes k-out-of-n secret sharing scheme –Audit agency divides a secret into n shares (n = number of clients) When a client visits a server it gives it its share –k shares is sufficient to recover the secret –No k-1 shares disclose any information about the secret

12 Deficiencies Essentially “one-time” Robustness –Servers should be able to identify corrupt shares Recovery of secret can be inefficient –Number of visits can be very large

13 Basic Scheme Initialization –A chooses a random bivariate polynomial P(x,y) over a finite field Z p, of degree k-1 in x and d-1 in y –A then sends the univariate polynomial Q C (y) = P(C,y) to each C Q C is a restriction of P(x,y) to the line x=C, and is of degree d-1

14 Basic Scheme Regular Operation –When C approaches S in time frame t, it sends S the value Q C (S ο t) Proof Generation –After k clients have approached in t, S has k values, {P(C i,S ο t)} over (1, k) –Interpolate and compute P(0,S ο t) –A can verify by evaluating P at (0,S ο t)

15 Security Corrupt C can donate his P –Server can evaluate P at all (C,y) –Needs one less client to prove k visits Corrupt S can donate data from previous clients –Equivalent to k coefficients per t P should be replaced at least every d time frames –Against coalitions of servers

16 Robustness If a few shares are incorrect, the server cannot reconstruct the secret Error correction codes can be used to reconstruct the secret of a k-out-of-n secret sharing scheme –There must be k + 2t shares, where at most t of them are corrupt –May not be sufficient if there are many corrupt clients

17 Verifiable Secret Sharing (VSS) Enables recipients to verify that shares are correct Non-interactive VSS schemes –S has to verify each share with A –Uses large multiplicative groups So extracting discrete logarithms is hard –Highly inefficient, thus not suitable for metering

18 More Efficient Scheme A asks C to communicate a value u to S C generates values a,b and computes v = au + b mod p C sends u,a, and b to S S returns u and v –If they don’t match then the transmission was corrupted

19 Robust Metering Scheme Initialization –Every C receives P and V Operation –At t, C sends S the values P(C, S ο t) and V(C, S ο t) –S evaluates A and B, verifying V = AP + B at (C, S ο t)

20 Anonymity Initialization –A generates P and Q C (y) of degree u for every C Operation –When C visits S at t it sends it the values  Q C (h),P(Q C (h),h) , where h = S ο t –With k values, the server can interpolate P(x,h) and calculate the proof P(0,h)

21 Open Problems More efficient schemes can be used for limited number of measurements Unlimited measurements require public key operations –Less efficient Must design private key based systems

22 Open Problems Preset a certain k for each t, –Server proves at least k visits –Acceptable for long-term relationship between A and S –For other settings it would be preferable to have a totally dynamic metering scheme Measure any number of visits in any granularity

23 Alternative Solution Micropayments –Each visit requires the client to send a small sum of “money” to the server –Server can prove hits by how large sum of “money” is

Download ppt "Secure and Efficient Metering by Moni Naor and Benny Pinkas Vincent Collado Olga Toporovsky Alex Kogan Marina Lapkina Igor Iulis."

Similar presentations

Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Error Control Code.

Error Control Code.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
CNStats © 2008 State of the art solution for recording and analyzing site attendance statistics Why Choosing CNStats ?

CNStats © 2008 State of the art solution for recording and analyzing site attendance statistics Why Choosing CNStats ?
SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.

SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
1 Intro To Encryption Exercise 12. 2 Problem What may be the problem with a central KDC?

1 Intro To Encryption Exercise Problem What may be the problem with a central KDC?
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Similar presentations

Ads by Google