Proof of Freshness - Computation Structures Group - MIT
Proof of Freshness - Computation Structures Group - MIT
Proof of Freshness - Computation Structures Group - MIT
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
C Appendix: Analysis <strong>of</strong> the Log-Based Scheme<br />
Security: The following is a sketch <strong>of</strong> a pro<strong>of</strong> that the log-based scheme is secure if H is a collision resistant<br />
hash function and Sign corresponds to a secure signature scheme: 1) We can use the pro<strong>of</strong> <strong>of</strong> the first<br />
part for the tree-based scheme to conclude that collisions <strong>of</strong> reservation certificates cannot be forged. 2) Suppose<br />
that p is a freshness pro<strong>of</strong> and r is a reservation certificate such that, for some scheduling algorithm S,<br />
(tm, tj) ← VP (p, i, S, pk) and th ← VR(r, i, d, pk) with tm < th ≤ tj and S(tm, th) = ′′ accept ′′ . Since<br />
th ← VR(r, i, d, pk), r contains a signature <strong>of</strong> the hash <strong>of</strong> th together with the root <strong>of</strong> a tree with a node corresponding<br />
to i. Since (tm, tj) ← VP (p, i, S, pk), tm < th ≤ tj, and S(tm, th) = ′′ accept ′′ , p contains a signature<br />
<strong>of</strong> the hash <strong>of</strong> th together with the root <strong>of</strong> a tree for which none <strong>of</strong> the nodes correspond to i. Since the signature<br />
scheme is assumed to be secure and the update oracle (trusted module) is assumed to only return one signature<br />
per time value, the two signatures are equal to one another. This means that the signed roots must be equal to one<br />
another as well. Since the two trees are different, this is only possible if a collision <strong>of</strong> the hash function has been<br />
forged.<br />
Performance: Let N be the total number <strong>of</strong> clients. Suppose that, as in the tree-based scheme with time multiplexing,<br />
each client uses a scheduling algorithm which assigns periodic time values with period q. So, the<br />
expected number <strong>of</strong> client who are scheduled for the same time value equals N/q.<br />
A precise performance analysis leading to the result presented in Theorem 3 is as follows:<br />
• We define β as the number <strong>of</strong> time units needed for the transmission <strong>of</strong> one atomic piece <strong>of</strong> data (for<br />
example, the value <strong>of</strong> a node in a tree). We assume that the processing speed <strong>of</strong> the trusted module is slow<br />
compared to the network bandwidth, that is, β ≪ γ.<br />
The costs <strong>of</strong> the computation <strong>of</strong> an update for a given time value in a verification and reservation protocol is a<br />
single atomic operation by the trusted module which takes γ time. In (4) we computed the expected number<br />
<strong>of</strong> clients I who requested a reservation <strong>of</strong> the same time value (as a function <strong>of</strong> the expected time T between<br />
two time values scheduled for the same client). Notice that the total number <strong>of</strong> clients who start a complete<br />
execution <strong>of</strong> the verification and reservation protocol equals the total number <strong>of</strong> clients who reserve a time value.<br />
This argument shows that I also equals the expected number <strong>of</strong> clients who start a complete execution <strong>of</strong> the<br />
verification and reservation protocol at a given time value. This means that at a given time value we expect the<br />
transmission <strong>of</strong> I pro<strong>of</strong>s <strong>of</strong> freshness as well as I reservation certificates.<br />
Let L be the expected number <strong>of</strong> sequences that constitute the log <strong>of</strong> a freshness pro<strong>of</strong>. Then, the expected<br />
size <strong>of</strong> the log <strong>of</strong> a freshness pro<strong>of</strong> is equal to L · log I atomic pieces <strong>of</strong> data which costs βL · log I time to<br />
transmit. The expected size <strong>of</strong> a reservation certificate is equal to log I atomic pieces <strong>of</strong> data which costs β · log I<br />
time to transmit. Hence, in the log-based scheme T is equal to the period q times γ + I(βL log I) + I(β log I):<br />
T = q(γ + β(LI + I) log I)<br />
The probability that, for a given client, h scheduled non-reserved time values occur between two scheduled<br />
reserved time values is equal to<br />
Hence,<br />
LI = N<br />
q<br />
Notice LI + I = N/q such that<br />
(1 − (1 − u) T )(1 − u) hT (1 − (1 − u) T ).<br />
<br />
h≥0<br />
(1 − (1 − u) T ) 2 (1 − u) hT h = N<br />
q (1 − u)T . (8)<br />
T = qγ + βN log I (9)<br />
16