Proof of Freshness - Computation Structures Group - MIT

More documents

Recommendations

Info

where #T [t] indicates the number of nodes in T [t]. We delete the nodes in T ′ which correspond to clients in I (these are the clients who reserve time value tc) and we insert the nodes of T [tc − k] which correspond to clients for which no node in each of the k trees T [tc], T [tc − 1], . . ., T [tc − (k − 1)] exists (the size of the proofs of freshness for these clients gets too large). A reservation certificate on i is as in the log-based scheme with an additional proof that no node in T ′ corresponds to i. A proof of freshness is as in the log-based scheme where the log is truncated up to the first k sequences. If the log is truncated, then a proof of freshness of the tree-based scheme based on T ′ is included. From the definition of k in (13), we conclude that a proof of freshness contains at most K atomic pieces of data. Performance We use the hybrid scheme together with time-multiplexing with period q. Due to the law of large numbers, inequality (13) is approximately equivalent to log(N/q) + k log I ≤ K (14) Let W be the expected size of a tree T ′ at any moment. The probability that no device of a given client requests a reservation for at least k + 1 consecutive scheduled time values is equal to (1 − u) T(k+1) . Hence, W = N q (1 − u)T(k+1) . (15) If W is a small constant, then the performance of the hybrid scheme is dominated by the log-based part of the scheme. Up to a small constant this will lead to the bound (12) on the total number of clients N. The expected size W is small if and only if k ≈ 1 N log uT q . Notice that N/q = γ ln 2/β and 1/(uT) ≈ LI in the log based scheme. So, W is small if and only if See (14), a proof of freshness will contain at most k ≈ LI log(γ/β). log(N/q) + K ≥ k log I ≈ (1 + LI log I) log(γ/β) atomic pieces of data. The expected size of a proof of freshness in the log-based scheme is 1 + LI log I atomic pieces of data. We conclude that the hybrid scheme allows as many clients as in the log-based scheme while restricting the worst-case size of a proof of freshness to log(γ/β) times the expected size of a proof of freshness: Theorem 4 The hybrid scheme with time-multiplexing can serve about as many clients as in the log-based scheme with the advantage that the worst-case size of a proof of freshness is at most log(uγ/uβ) times the expected size of a proof of freshness. References [1] A. Anagnostopoulos, M. Goodrich, and R. Tamassia. Persistent Authenticated Dictionaries and Their Applications. In 4th International Conference on Information Security (ISC), 2001. [2] N. Baric and B. Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In Advanves of Cryptology: Proceedings of Eurocrypt ’97, pages 480–494, 1997. [3] D. Bayer, S. Haber, and W. Stornetta. Improving the Efficiency and Reliability of Digital Time-Stamping. In Sequences II: Methods in Communication, Security, and Computer Science, pages 329–334, 1993. [4] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the First Annual Conference on Computer and Communications Security, 1993. 18
[5] M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In Advances in Cryptology - Eurocrypt ’96, pages 399–416, 1996. [6] J. Benaloh and M. de Mare. One-way accumulators: A decentralized alternative to digital signatures. In Advanves of Cryptology: Proceedings of Eurocrypt ’93, pages 274–285, 1993. [7] A. Buldas, P. Laud, and H. Lipmaa. Accountable Certificate Management using Undeniable Attestations. In Proceedings of the 7th ACM Conference on Computer and Communications Security, pages 9–17, 2002. [8] A. Buldas, P. Laud, and H. Lipmaa. Eliminating Counterevidence with Applications to Accountable Certificate Management. Journal of Computer Security, 10:273–296, 2002. [9] A. Buldas, P. Laud, H. Lipmaa, and J. Villemson. Time-stamping with binary linking schemes. In Advances in Cryptology - CRYPTO ’98, pages 486–501, 1998. [10] A. Buldas, H. Lipmaa, and B. Schoenmakers. Optimally efficient accountable time-stamping. In Public Key Cryptography ’2000, pages 293–305, 2000. [11] M. Castro and B. Liskov. Practical byzantine fault tolerance. In Third Symposium on Operating Systems Design and Implementation, February 1999. [12] M. Castro and B. Liskov. Proactive recovery in a byzantine-fault-tolerant system. In Fourth Symposium on Operating Systems Design and Implementation, October 2000. [13] D. Clarke, S. Devadas, M. van Dijk, B. Gassend, and G. E. Suh. Incremental Multiset Hash Functions and their Application to Memory Integrity Checking. In Advances in Cryptology - Asiacrypt 2003 Proceedings, volume 2894 of LNCS. Springer-Verlag, 2003. [14] T. H. Cormen, C. E. Leiserson, and R. L. Rivest. In Introduction to Algorithms. MIT Press/McGraw-Hill, 1990. [15] J.-S. Coron and D. Naccache. Security analysis of the gennaro-halevi-rabin signature scheme. In Advanves of Cryptology: Proceedings of Eurocrypt 2000, pages 91–101, 2000. [16] P. T. Devanbu and S. G. Stubblebine. Stack and queue integrity on hostile platforms. Software Engineering, 28(1):100–108, 2002. [17] D. Eastlake and P. Jones. RFC 3174: US secure hashing algorithm 1 (SHA1), Sept. 2001. [18] S. Even, O. Goldreich, and S. Micali. On-line/off-line digital signatures. Journal of Cryptology, 9(1):35–67, 1996. [19] B. Gassend, G. E. Suh, D. Clarke, M. van Dijk, and S. Devadas. Caches and Merkle Trees for Efficient Memory Integrity Verification. In Proceedings of Ninth International Symposium on High Performance Computer Architecture, New-York, February 2003. IEEE. [20] R. Gennaro, S. Halevi, and T. Rabin. Secure hash-and-sign signatures without the random oracle. In Advanves of Cryptology: Proceedings of Eurocrypt ’99, pages 123–139, 1999. [21] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, 1988. [22] M. Goodrich, R. Tamassia, and A. Schwerin. Implementation of an Authenticated Dictionary with Skip Lists and Commutative Hashing. In Proceedings of DARPA Information Survivability Conference and Exposition, pages 68–82, 2001. [23] M. Goodrich, R. Tamassia, and A. Schwerin. An efficient dynamic and distributed cryptographic accumulator. In Proceedings of Inf. Security Conference (ISC), pages 372–388, 2002. [24] S. Haber and W. S. Stornetta. How to Time-Stamp a Digital Document. In CRYPTO ’90: Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology, pages 437–455, 1991. [25] M. Kallahala, E. Riedel, R. Swaminathan, Q. Wang, and K. Fu. Plutus: Scalable Secure File Sharing on Untrusted Storage. In Proceedings of the Second Conference on File and Storage Technologies (FAST 2003), 2003. [26] P. Kocher. On certificate revocation and validation. In Proceedings of Financial Cryptography 1998, pages 172–177, 1998. [27] L. Lamport. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM, 21(7):558–565, 1978. [28] L. Lamport. How to make a multiprocessor computer that correctly executes multiprocess programs. IEEE Transactions on Computers, 28(9):241– 248, 1979. [29] J. Li, M. Krohn, D. Mazières, and D. Shasha. Secure untrusted data repository (SUNDR). In Proceedings of the 6th Symposium on Operating Systems Design and Implementation, 2004. [30] D. Lie, C. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J. Mitchell, and M. Horowitz. Architectural Support for Copy and Tamper Resistant Software. In Proceedings of the 9 th Int’l Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-IX), pages 168–177, November 2000. 19
Page 1 and 2: Proof of Freshness: How to efficien
Page 3 and 4: 2 Related Work and Our Contribution
Page 5 and 6: 1) this sequence can be mapped to a
Page 7 and 8: 2. There exists a client i with dev
Page 9 and 10: Notice that the requirements in Def
Page 11 and 12: scheduling algorithm, VP returns (t
Page 13 and 14: We have been looking into implement
Page 15 and 16: • We define ui as the probability
Page 17: For the same reason as in the tree-

Proof of Freshness - Computation Structures Group - MIT

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?