Proof of Freshness - Computation Structures Group - MIT

More documents

Recommendations

Info

C Appendix: Analysis of the Log-Based Scheme Security: The following is a sketch of a proof that the log-based scheme is secure if H is a collision resistant hash function and Sign corresponds to a secure signature scheme: 1) We can use the proof of the first part for the tree-based scheme to conclude that collisions of reservation certificates cannot be forged. 2) Suppose that p is a freshness proof and r is a reservation certificate such that, for some scheduling algorithm S, (tm, tj) ← VP (p, i, S, pk) and th ← VR(r, i, d, pk) with tm < th ≤ tj and S(tm, th) = ′′ accept ′′ . Since th ← VR(r, i, d, pk), r contains a signature of the hash of th together with the root of a tree with a node corresponding to i. Since (tm, tj) ← VP (p, i, S, pk), tm < th ≤ tj, and S(tm, th) = ′′ accept ′′ , p contains a signature of the hash of th together with the root of a tree for which none of the nodes correspond to i. Since the signature scheme is assumed to be secure and the update oracle (trusted module) is assumed to only return one signature per time value, the two signatures are equal to one another. This means that the signed roots must be equal to one another as well. Since the two trees are different, this is only possible if a collision of the hash function has been forged. Performance: Let N be the total number of clients. Suppose that, as in the tree-based scheme with time multiplexing, each client uses a scheduling algorithm which assigns periodic time values with period q. So, the expected number of client who are scheduled for the same time value equals N/q. A precise performance analysis leading to the result presented in Theorem 3 is as follows: • We define β as the number of time units needed for the transmission of one atomic piece of data (for example, the value of a node in a tree). We assume that the processing speed of the trusted module is slow compared to the network bandwidth, that is, β ≪ γ. The costs of the computation of an update for a given time value in a verification and reservation protocol is a single atomic operation by the trusted module which takes γ time. In (4) we computed the expected number of clients I who requested a reservation of the same time value (as a function of the expected time T between two time values scheduled for the same client). Notice that the total number of clients who start a complete execution of the verification and reservation protocol equals the total number of clients who reserve a time value. This argument shows that I also equals the expected number of clients who start a complete execution of the verification and reservation protocol at a given time value. This means that at a given time value we expect the transmission of I proofs of freshness as well as I reservation certificates. Let L be the expected number of sequences that constitute the log of a freshness proof. Then, the expected size of the log of a freshness proof is equal to L · log I atomic pieces of data which costs βL · log I time to transmit. The expected size of a reservation certificate is equal to log I atomic pieces of data which costs β · log I time to transmit. Hence, in the log-based scheme T is equal to the period q times γ + I(βL log I) + I(β log I): T = q(γ + β(LI + I) log I) The probability that, for a given client, h scheduled non-reserved time values occur between two scheduled reserved time values is equal to Hence, LI = N q Notice LI + I = N/q such that (1 − (1 − u) T )(1 − u) hT (1 − (1 − u) T ). h≥0 (1 − (1 − u) T ) 2 (1 − u) hT h = N q (1 − u)T . (8) T = qγ + βN log I (9) 16
For the same reason as in the tree-based scheme we require the bound (5). This reduces (4) to I ≈ NuT/q (and reduces (8) to LI ≈ N/q, hence, L ≈ 1/(uT) which is consistent with our intuition that 1/(uT) is approximately equal to the expected time (1 − u)/u between two consecutive requests of devices of the same client divided by T). These approximations combined with (9) yield and hence, dT dq T ≈ qγ + βN log(NuT/q) (10) ≈ γ + βNq ln 2T dT dq 1 dT T − q dq q2 , ≈ γ − βN/(q ln 2) 1 − βN/(T ln 2) . This shows that, if βN/(T ln 2) < 1, then T is minimized for q defined by γ = βN/(q ln 2), that is, q = βN/(γ ln 2). Substituting this value for q in (10) yields T ≈ βN/ ln 2 + βN log(uγT(ln 2)/β) = βN log(euγT(ln 2)/β). (11) Notice that this solution for T is an increasing function in N. So, the restriction T ≤ 1/(2u) of (5) is equivalent to the requirement that N ≤ N ∗ for N ∗ computed as the solution of equation (11) with T = 1/(2u). That is, N ≤ 1/(2uβ log(e(ln 2)γ/(2β))) = 1/(2uβ log(0.94γ/β). (12) Notice that (1 − (1 − u) β ) ≈ uβ is equal to the probability that one of the devices of a given client requests to start the verification and reservation protocol within the amount of time needed for the transmission of one atomic piece of data. From (7) and (12) we infer that the log-based scheme can serve many more clients than the tree-based scheme if β ≪ γ. D Appendix: Analysis of a Hybrid Scheme In order to bound the size of freshness proofs to a constant size in the log-based scheme, we propose a hybrid solution between the log-based and tree-based scheme. The idea is to move nodes into the tree-based scheme if they correspond to clients for which the size of a proof of freshness in the log-based scheme gets too large. As soon as a client reserves a new time value, then the client is moved back to the log-based scheme. A data structure D in the hybrid solution contains both the log-based data structure as well as the tree-based data structure: D = (s[1], T [1], s[2], T [2], . . . , s[tc], T [tc]; tc, T ′ ), where T ′ is a balanced authenticated search tree which not only allows modifications but also insertions and deletions and where (s[1], T [1], s[2], T [2], . . . , s[tc], T [tc]; tc) is exactly the data structure of the log-based scheme in which each signature s[t] = Sign(sk, H(t||Root[t]||Root ′ )) not only signs the root Root[t] of T [t] but also another root Root ′ . In s[t] the value Root ′ represents the root of T ′ at the moment of its appearance at time value t. In particular, Root ′ in s[tc] is equal to the current value of the root of T ′ . Let K be some constant which indicates the worst-case allowable number of atomic pieces of data constituting a single proof of freshness. As in the log-based scheme, the update algorithm U(D, I) increments the current time value and appends to D a new authenticated search tree for I together with a signature of its root. Let tc be the incremented current time value and let k be the largest integer such that log N + tc t=tc−(k−1) 17 log #T [t] ≤ K, (13)
Page 1 and 2: Proof of Freshness: How to efficien
Page 3 and 4: 2 Related Work and Our Contribution
Page 5 and 6: 1) this sequence can be mapped to a
Page 7 and 8: 2. There exists a client i with dev
Page 9 and 10: Notice that the requirements in Def
Page 11 and 12: scheduling algorithm, VP returns (t
Page 13 and 14: We have been looking into implement
Page 15: • We define ui as the probability
Page 19 and 20: [5] M. Bellare and P. Rogaway. The

Proof of Freshness - Computation Structures Group - MIT

Create successful ePaper yourself

Delete template?

Save as template?